Configuring e-mail notifications
Applies to: Forefront Protection 2010 for SharePoint
E-mail notifications are useful for keeping SharePoint users informed about changes that have occurred to their attachments due to virus cleaning and filtering, as well as informing users of infections that exist when a virus is detected and not cleaned. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.
Configuring notifications
Microsoft Forefront Protection 2010 for SharePoint (FPSP) uses two types of notifications:
Incident notifications—Notifications that FPSP sends about a malware or filter incident. You can customize these notifications and configure them to be sent to the file's author. For more information about each type of incident notification, see About incident notifications.
Event notifications—Notifications that FPSP sends to an administrator about its status. You can disable or customize these notifications. For more information about each type of event notification, see About event notifications.
To configure notifications
In the Forefront Protection 2010 for SharePoint Administrator Console, click Monitoring, and then click Notifications.
The Configuration - Notifications pane contains the default notifications, listed under their notification type. Each notification is configured individually.
Right-click the notification (or notifications) you want to configure, and then click Edit Notification. For more information about the purpose of each notification, see About notifications.
In the Edit notification dialog box, select the notification role for which you are configuring the notification by clicking one of the following:
Administrator—Configures event notifications to be sent to administrators when an incident or event occurs. You can configure all notification types for administrators. This is the default notification role.
Author—Configures incident event notifications to be sent to the author of a document that generated an incident. This role is only available for incident notifications.
Last Modified User—Configures incident event notifications to be sent to the last person who modified a document that generated an incident. This role is only available for incident notifications.
Configure the following settings for the selected notification role:
Enabled—Selecting this check box enables the notification. By default, all incident notifications are disabled (except for Maximum file size exceeded), and all event notifications are enabled (except for Engine updated). For more information about suppressing individual enabled notifications for antimalware scans and filters, see the “Related Topics” section at the end of this topic.
To—A semicolon-separated list of people and groups who will receive the notification. This list can only be changed for the Administrator notification role. It can include Exchange names, aliases, and groups. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.
Cc—A semicolon-separated list of people and groups who will receive a "carbon copy" of the notification. This list can include Exchange names, aliases, and groups. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.
Bcc—A semicolon-separated list of people and groups who will receive a "blind carbon copy" of the notification. This list can include Exchange names, aliases, and groups. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.
Subject—The message that is sent on the subject line of the notification. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.
Message body—The message that is sent as the body of the notification. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.
You can optionally configure additional notification roles for an incident notification.
Click OK to return to the Configuration - Notifications pane and then click Save.
About notifications
The following sections describe the various notifications for each notification type.
About incident notifications
Incident notifications are typically used for reporting the who, what, where, and when details of an infection, including the disposition of the malware or the document. You can also use incident notifications to keep track of the results of filtering. The following types of incident notifications are available:
Virus found—Sent when malware is detected.
Spyware found—Sent when spyware is detected.
File filter matched—Sent when a file filter is matched.
Keyword filter matched—Sent when a keyword filter is matched.
File Error—Sent when a configured file setting is encountered during scanning (for example, if a file is found to be ExceedinglyNested or a CorruptedCompressedFile). For more information about the types of incidents that may trigger this notification, see Incidents reported.
Scan Error—Sent when an error occurs during scanning. For more information about the types of incidents that may trigger this notification, see Incidents reported.
Maximum file size exceeded—Sent when the maximum file size is exceeded.
About event notifications
Event notifications report on FPSP functionality and issues. They include events like scan startup, licensing warnings, engine updates, and engine selections. The following are the available event notifications:
Scan process initialization—Sent whenever a scan is started.
License warning—Sent when the product license nears expiration.
License expired—Sent when the product license has expired.
Database size warning—Sent when the incidents database nears its maximum configured size. For more information, see "Configuring the incidents database size warning" in Managing incidents.
Engine updated—Sent when any engine has been successfully updated.
Engine update failed—Sent when any engine encountered an error while updating.
Engine update not available—Sent when an engine update attempt found no new definitions.
Critical error—Sent when FPSP encounters a critical error.
Health change to green—Sent when a health monitoring point changes to green. This indicates good health and that no action is required.
Health change to red—Sent when a health monitoring point changes to red. This indicates an error that may require fixing.
Health change to yellow—Sent when a health monitoring point changes to yellow. This indicates a less than ideal situation that likely bears close monitoring.
Changing the From address for notifications
FPSP utilizes SMTP messaging for notification purposes, sending the message through an SMTP server. By default, the server profile used for identifying notifications is: ForefrontServerProtection@servername.server. However, you can change this server profile by modifying the FromAddress registry value.
To modify the FromAddress registry value
Open the Registry Editor and navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\
Modify the default value of FromAddress to the sender name you would like. Alphanumeric characters are acceptable. You may also use the at sign (@) or a period (.), but these characters cannot be the first or last character. Any illegal characters will be replaced with an underscore (_).
You must restart the Microsoft Forefront Server Protection service in order for this change to take effect.
Note
To ensure that notifications are always delivered to the inbox and are not mistakenly detected as spam by Microsoft Outlook, the FromAddress of the notifications must be added to the safe senders list of all mailboxes that expect to receive these notifications. (To access the safe senders list in Outlook 2007, click Tools and then Options, click the Junk E-mail button, and then click the Safe Senders tab.)
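The registry procedure above can be scripted. The following PowerShell is an added example, not part of the product documentation: the sender value is a constructed sample, `Test-FromAddressValue` is a hypothetical helper that only checks the character rules stated above, and locating the service by the display name used in this topic is an assumption.

```powershell
# Added example, not from the product documentation. Run elevated on the FPSP server.
$keyPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications'
$desired = 'FPSPAlerts@sharepoint01.contoso.example'   # constructed sample value

function Test-FromAddressValue {
    # Hypothetical helper: checks a candidate against the character rules stated
    # above so that nothing is silently rewritten to an underscore.
    param([Parameter(Mandatory=$true)][string]$Value)
    $problems = @()
    if ($Value -match '[^A-Za-z0-9@.]') {
        $problems += 'contains characters other than letters, digits, @ and .'
    }
    if ($Value -match '^[@.]' -or $Value -match '[@.]$') {
        $problems += 'starts or ends with @ or .'
    }
    return ,$problems
}

$problems = Test-FromAddressValue -Value $desired
if ($problems.Count -gt 0) {
    throw "FromAddress '$desired' rejected: $($problems -join '; ')"
}
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath"
}

# Record the previous value so the change can be reverted.
$previous = (Get-ItemProperty -Path $keyPath -Name FromAddress -ErrorAction SilentlyContinue).FromAddress
Set-ItemProperty -Path $keyPath -Name FromAddress -Value $desired
Write-Output "FromAddress changed from '$previous' to '$desired'"

# The change takes effect only after the service restarts. Matching on the display
# name used in this topic is an assumption; confirm the match before restarting.
$services = @(Get-Service -DisplayName 'Microsoft Forefront Server Protection*' -ErrorAction SilentlyContinue)
if ($services.Count -eq 1) {
    Restart-Service -InputObject $services[0] -Force
} else {
    Write-Warning "Found $($services.Count) matching services; restart the service manually."
}
```

Add the new sender to the safe senders lists described in the note above, otherwise notifications sent from the changed address may be filed as junk.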
Configuring SMTP server settings
You can specify which SMTP server settings to use when sending e-mail notifications. You can either use the default SMTP server settings in SharePoint or enter your own SMTP server settings.
To configure SMTP server settings
In the Configuration - Notifications pane, in the SMTP server settings section, select from the following options:
Use the SMTP server settings in SharePoint—This is the default. If your SharePoint server has been configured with an outbound SMTP server address, it is displayed for you.
Specify your own SMTP server settings—If you want to specify your own SMTP server settings, enter the following data:
Server address—The SMTP server address. It can be either an IP address or a fully-qualified domain name. It cannot contain spaces.
Port—The SMTP server port. Enter a whole number between 1 and 65535. The default is 25.
User name—Click Edit Credentials to open a dialog box where you can enter the name of a user with access rights to the SMTP server specified in the Server address field. Enter a string of no more than 128 characters; it cannot contain any spaces. The default is blank. If required, enter a password, and then click OK to return to the Configuration - Notifications pane.
Transport Layer Security (TLS) required—Specifies that Transport Layer Security (TLS) is required.
Click Save.
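Before entering your own SMTP server settings and requiring TLS, it helps to confirm that the values satisfy the field rules above and that the relay actually offers TLS. The following PowerShell is an added example, not part of the product documentation: `Test-SmtpRelaySettings` is a hypothetical function, the host name is a constructed sample, and it assumes the relay offers TLS through the SMTP STARTTLS extension, which this topic does not state.

```powershell
# Added example, not from the product documentation.
function Test-SmtpRelaySettings {
    param(
        [Parameter(Mandatory=$true)][string]$ServerAddress,
        [int]$Port = 25,          # documented default
        [string]$UserName = ''    # documented default is blank
    )
    # Field rules stated in the procedure above.
    if ($ServerAddress -match '\s') { throw 'Server address cannot contain spaces.' }
    if ($Port -lt 1 -or $Port -gt 65535) { throw 'Port must be between 1 and 65535.' }
    if ($UserName.Length -gt 128 -or $UserName -match '\s') {
        throw 'User name must be at most 128 characters and contain no spaces.'
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ServerAddress, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # An SMTP reply may span several lines; continuation lines have "-" after the code.
        $readReply = {
            $lines = @()
            do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
            $lines
        }
        $banner = @(& $readReply)
        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        $ehlo = @(& $readReply)
        $writer.WriteLine('QUIT')

        New-Object PSObject -Property @{
            Server             = "${ServerAddress}:$Port"
            Banner             = $banner[-1]
            AdvertisesStartTls = [bool]($ehlo -match '^250[- ]STARTTLS\s*$')
        }
    }
    finally { $client.Close() }
}

# Constructed sample host; substitute the relay you intend to enter in the console.
Test-SmtpRelaySettings -ServerAddress 'smtp.contoso.example' -Port 25
```

If `AdvertisesStartTls` is false, selecting Transport Layer Security (TLS) required for that relay is likely to stop notifications from being delivered, so resolve the relay configuration first.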
See Also
Concepts
Configuring the realtime scan
Configuring the scheduled scan
Configuring the on-demand scan
Creating a file filter list
Creating a keyword filter list