Microsoft KB Archive/940473

= Quarantine options in Forefront Security for Exchange Server =

Article ID: 940473

Article Last Modified on 9/11/2007

-

APPLIES TO


 * Microsoft Forefront Security for Exchange Server

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista



INTRODUCTION
This article contains information about the quarantine options in Microsoft Forefront Security for Exchange Server. This article describes the quarantine options for the following operations:
 * File storage
 * Database use and delivery



How to quarantine messages and attachments
Forefront Security for Exchange Server can quarantine detected items in either of the following ways:
 * Quarantine complete messages
 * Quarantine only attachments

Note When quarantine is enabled, complete messages are quarantined for content filters and for file filters whose action is set to purge. When an item is purged, it is deleted from the message stream; a purged item can be recovered only if a quarantined copy of it exists.

When you set the Quarantine Messages option in the General Options setting to Quarantine as Single EML File, the messages are quarantined in the Outlook Express Electronic Mail (EML) file format. This configuration applies only to the Transport Scan Job operation. If you want to view the attachments in the EML file, you must save the file from the Quarantine database. You can use Outlook Express to view the contents of the file.

If you do not have Outlook Express, you cannot easily separate the attachments from the rest of the EML file. In that case, you can set the Quarantine Messages option to Quarantine Message Body and Attachments Separately so that the message is quarantined in segments: the message body and each attachment are stored as separate quarantine items. These segments can be saved to the hard disk drive from the Quarantine database. In this manner, you can more easily view the messages and attachments.

You can forward the quarantined messages to a mailbox. When you set the Quarantine Messages option to Quarantine Message Body and Attachments Separately, you must forward each segment of the quarantined message. The recipient can see the complete content of the original message. If you set the Quarantine Messages option to Quarantine as Single EML File, you can forward the quarantined EML file alone. The recipient receives the original message and the attachments as a single attachment to a new message.

How Forefront Security removes an attachment from a message and replaces it with a text file
Forefront Security queries the FILE_OBJECT_CAN_DISPLACE MIME property. This property confirms that the attachment can be removed from the message. If the query is not successful, Forefront Security for Exchange returns an error code and leaves the message unchanged. If the query is successful, Forefront Security uses the MIME_OBJECT_DELETED MIME property to remove the attachment. A text file is then created and attached to the message by using the FILE_OBJECT_NAME MIME property. The text file contains the deletion text, that is, the notice that replaces the removed attachment. Finally, Forefront Security for Exchange completes the transaction.

How Forefront Security updates the quarantine database with quarantined attachments, and then stores the file on the local hard disk drive
Typically, Forefront Security creates a copy of every detected file before the clean action, the delete action, or the skip action is applied. The copies are stored in an encoded form in the Quarantine folder, which is located in the Forefront Security installation folder. The encoding is a simple XOR transformation. This encoding is reversible and provides no confidentiality, so access to the Quarantine folder should be restricted by file system permissions. Each detected file is saved under a file name that incorporates the ID number assigned to the file. A complete quarantined EML file goes through the same process. If you select the QuarantineAsMessage check box, Forefront Security quarantines the complete message. Otherwise, Forefront Security quarantines every attachment separately.

The details of the detected attachment are stored in the Quarantine database by using the Quarantine.mdb file name. The following details are stored:
 * The file name of the detected attachment
 * The name of the infecting virus or the name of the file filter
 * The associated ID value
 * The subject field of the message
 * The name of the sender
 * The address of the sender
 * The names of the recipients
 * The addresses of the recipients
 * Other bookkeeping information

The Quarantine database consists of two tables. These tables are stored in the Quarantine.mdb Microsoft Jet database file. The Microsoft Jet database is registered as a system data source name (DSN) that is named Forefront Quarantine, so other ODBC-aware tools on the server can open it by that name.
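The following PowerShell script is an added example, not code from the article or from the Forefront product. It opens the Quarantine database through the Forefront Quarantine system DSN that the article describes and lists each user table and its columns. The article does not name the two tables, so the script discovers them from the schema instead of assuming names. Assumptions not stated in the article: the ADODB COM object is used to reach the DSN, and the session is a 32-bit PowerShell on 64-bit Windows, because the Jet ODBC driver and a DSN registered by a 32-bit installer are only visible to 32-bit processes.

```powershell
# Added example (not from the KB article): inspect the Forefront Quarantine DSN.
# Assumptions: ADODB COM object available; run from 32-bit PowerShell on x64 Windows
# because the Jet ODBC driver and a 32-bit system DSN are not visible to 64-bit processes.

function Get-ForefrontQuarantineSchema {
    param([string] $DsnName = 'Forefront Quarantine')   # DSN name from the article

    $adSchemaTables = 20   # ADO SchemaEnum constant adSchemaTables

    if ([IntPtr]::Size -eq 8) {
        Write-Warning "64-bit process: a 32-bit Jet DSN will not be visible. Run this from %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe."
    }

    $conn = New-Object -ComObject ADODB.Connection
    try {
        # A system DSN carries the path to Quarantine.mdb, so only the DSN name is needed.
        $conn.Open("DSN=$DsnName")
    } catch {
        throw "Could not open system DSN '$DsnName': $($_.Exception.Message)"
    }

    try {
        $tables = $conn.OpenSchema($adSchemaTables)
        $result = @()
        while (-not $tables.EOF) {
            # Jet reports its own MSys* tables as 'SYSTEM TABLE'; keep only user tables.
            if ($tables.Fields.Item('TABLE_TYPE').Value -eq 'TABLE') {
                $tableName = $tables.Fields.Item('TABLE_NAME').Value

                # An empty result set is enough to read the column names without pulling rows.
                $rs = $conn.Execute("SELECT * FROM [$tableName] WHERE 1=0")
                $columns = @()
                foreach ($field in $rs.Fields) { $columns += $field.Name }
                $rs.Close()

                $result += New-Object PSObject -Property @{
                    Table   = $tableName
                    Columns = ($columns -join ', ')
                }
            }
            $tables.MoveNext()
        }
        $tables.Close()
        $result
    } finally {
        if ($conn.State -ne 0) { $conn.Close() }   # adStateClosed = 0
    }
}

Get-ForefrontQuarantineSchema | Format-Table Table, Columns -AutoSize -Wrap
```

The script only reads schema information. Jet compaction requires exclusive access to the .mdb file, so do not leave a connection to the DSN open across the 2:00 A.M. compaction window that the article describes.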

How Forefront Security delivers a file or a message from the Quarantine folder
Because XOR is its own inverse, applying the same XOR encoding a second time to a file in the Quarantine folder restores the original file. This is how a quarantined attachment is converted back into the original file.

Forefront Security uses data from the Quarantine.mdb file and from the files in the Quarantine folder. Forefront Security creates a message that lists the original senders, the original recipients, and the attachments. You can manually change the recipients in the Antigen client. The message is copied to the Pickup folder and delivered. Forefront Security uses the same process for all the EML files.

How to perform database compaction and purge files and messages from the Quarantine folder
Typically, Forefront Security uses the Microsoft Jet engine API to compact the database. By default, this compaction is set to occur daily at 2:00 A.M.

Database purging is also set to occur every morning at 2:00 A.M. When the Antigen Service starts, it sets up a timer for 2:00 A.M. To enable database purging, you must enable the Purge settings in the General Options of Forefront Security for Exchange Server.

The Antigen Service connects to the Quarantine database and queries it for records that are older than the configured purge period. The Antigen Service reads the matching records row by row and creates a list of the file names that are to be deleted from the Quarantine folder. Then, the listed files are deleted from the Quarantine folder and their records are removed from the database.

How to manually change the time that the Quarantine database and the Incidents database compact and purge
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

 1. Click Start, click Run, type regedit, and then click OK.
 2. Locate and then click one of the following registry keys.

    On 32-bit computers

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server

    On 64-bit computers

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

 3. On the Edit menu, point to New, and then click String Value.
 4. Type CompactDatabaseTime, and then press ENTER.
 5. Double-click CompactDatabaseTime.
 6. In the Value data box, type a new time, and then click OK.

    Note You must enter the time value by using the 24-hour (hh:mm) format. For example, type 21:00. Enter the time value based on the local time at which you want the compaction and purge functions to run.

 7. Exit Registry Editor.
 8. Restart the FSCController service. To do this, follow these steps:
    a. Click Start, click Run, type services.msc, and then click OK.
    b. In the list of services, right-click FSCController, and then click Restart.
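The following PowerShell script is an added example, not code from the article or from the Forefront product. It performs the same change as the manual steps: it picks whichever of the two registry keys named in the article exists, validates that the new time is in 24-hour hh:mm format before writing, records the previous value so the change can be reverted, creates CompactDatabaseTime as a string value, verifies it, and restarts FSCController. The registry paths, value name, time format, and service name are from the article; the function name, the $NewTime parameter, and the choice to abort when neither key exists are assumptions of this example.

```powershell
# Added example (not from the KB article): set CompactDatabaseTime and restart FSCController.
# Run in an elevated PowerShell session on the Forefront Security for Exchange Server computer.
# Registry paths, value name, hh:mm format and service name come from the article;
# the function name and $NewTime parameter are this example's own.

param(
    [string] $NewTime = '21:00'   # 24-hour hh:mm, local time; 21:00 is the article's example
)

function Set-ForefrontCompactTime {
    param([Parameter(Mandatory = $true)][string] $Time)

    # The article requires 24-hour hh:mm; reject anything else before touching the registry.
    if ($Time -notmatch '^(?:[01]\d|2[0-3]):[0-5]\d$') {
        throw "CompactDatabaseTime must be 24-hour hh:mm, for example 21:00. Got '$Time'."
    }

    # The article lists one key for 32-bit and one for 64-bit computers; use whichever exists.
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
    )
    $keyPath = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyPath) {
        throw "Forefront registry key not found. Is Forefront Security for Exchange Server installed?"
    }

    # Record the previous value so the change can be reverted (the article asks for a backup first).
    $previous = (Get-ItemProperty -LiteralPath $keyPath -Name CompactDatabaseTime -ErrorAction SilentlyContinue).CompactDatabaseTime
    if ($null -ne $previous) {
        Write-Host "Previous CompactDatabaseTime in ${keyPath}: $previous"
    } else {
        Write-Host "CompactDatabaseTime not present in $keyPath (default schedule is 2:00 A.M.)."
    }

    # String value (REG_SZ), exactly as the manual steps create it.
    Set-ItemProperty -LiteralPath $keyPath -Name CompactDatabaseTime -Value $Time -Type String

    # Read back and verify before restarting anything.
    $actual = (Get-ItemProperty -LiteralPath $keyPath -Name CompactDatabaseTime).CompactDatabaseTime
    if ($actual -ne $Time) {
        throw "Verification failed: registry holds '$actual', expected '$Time'."
    }

    # The new time takes effect only after the FSCController service restarts.
    Restart-Service -Name FSCController -Force
    (Get-Service -Name FSCController).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "CompactDatabaseTime set to $Time in $keyPath; FSCController restarted."
}

Set-ForefrontCompactTime -Time $NewTime
```

Restarting FSCController interrupts scanning briefly, so schedule the change outside peak mail flow. The script writes the value in local time, matching the article's note, and leaves the previous value in the console output so it can be restored with the same steps.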
