Microsoft KB Archive/906031

= Description of the scan order in Antigen 8.0 and in Antigen 9.0 =

Article ID: 906031

Article Last Modified on 1/7/2008


APPLIES TO


 * Microsoft Antigen for Exchange
 * Microsoft Antigen for SMTP Gateways
 * Sybari Antigen 8.0 for Microsoft Exchange
 * Sybari Antigen 8.0 for SMTP Gateways




INTRODUCTION
This article describes the scan order that Antigen uses when it scans a file or an e-mail message.



MORE INFORMATION
When Antigen scans a file or an e-mail message, the following tasks are performed in the order that they appear:
 * The Sender Whitelist scan (in Antigen 8.0) and the Allowed Senders scan (in Antigen 9.0)

If the Sender Whitelist/Allowed Senders functionality is enabled, Antigen checks the message sender's domain or address against the Sender Whitelist/Allowed Senders list. If the message is from a domain or an address that is on the list, the message is delivered to the recipient, and the rest of the scanning tasks that are described in this list are bypassed. You can configure the Sender Whitelist/Allowed Senders functionality to bypass one or more filters, such as File Filtering and Content Filtering, or to bypass all filters.
 * The SpamCure engine scan

The SpamCure engine examines the message contents against a database of known spam.
 * The Mailhost Filtering scan

Mailhost Filtering filters messages from specific IP addresses or from specific server names. Mailhost Filtering consists of three lists:
    * The RBL servers list

This list contains server names and IP addresses that are known either to originate spam or to be spam open relay hosts. Antigen examines the message sender against the RBL servers list to determine whether the message sender is a spam server.
    * The Allowed mailhost list

This list contains server names and IP addresses that are considered "safe." Antigen examines the message sender against this list to determine whether the message sender is considered safe. If a message is from a server or an IP address that is in the Allowed mailhost list, the message is delivered to the recipient. Therefore, the rest of the scanning tasks that are described in this list are bypassed.
    * The Rejected mailhost list

This list contains server names and IP addresses that have been blocked. Antigen examines the message sender against the Rejected mailhost list to determine whether the message sender has been blocked.
 * The Content Filtering scan

Content Filtering includes the following filters that are created by the Antigen administrator:
    * Sender-Domain Filtering

When Sender-Domain Filtering is enabled, Antigen examines the message sender against the senders and the domains that an Antigen administrator has added to the Sender-Domain Filtering list. If the message does not match any entries in the Sender-Domain Filtering list, Antigen examines the message against the Subject Line Filtering list.
    * Subject Line Filtering

When Subject Line Filtering is enabled, Antigen examines the contents of the message's subject line against the words that an Antigen administrator has added to the Subject Line Filtering list.
 * The Keyword Filtering scan

Antigen examines the contents of the message against the Keyword Filtering list. By default, the Keyword Filtering list contains most forms of profanity. The Keyword Filtering list also contains words and phrases that refer to racial discrimination, to sexual discrimination, and to spam. The Antigen administrator can add words or phrases to this list.
 * The Attachment scan

If the message has an attachment, Antigen uses the following features to scan the attachment for worms and viruses:
    * Worm Purge

The Worm Purge tool maintains the WormPrge.dat file. This file contains a list of known worms. This list is regularly updated and maintained by Antigen. Antigen examines the contents of the message against the list that is maintained by Worm Purge.
    * File Filtering

When File Filtering is enabled, Antigen examines the contents of the message against the File Filter list. The File Filter list is a list of known worms that is maintained by the Antigen administrator.
    * Virus cleaning

If the attachment does not contain a worm, Antigen scans the attachment for viruses. Antigen uses multiple virus scan engines to determine whether the attachment contains a virus.
 * The Body scan

Antigen examines the body of the message against the worm list that is maintained by Worm Purge. Then, Antigen scans the body for viruses.
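
The following Python model is an added illustration, not Antigen code or anything from the original article. It walks the scan order above and returns which checks are evaluated for a message, so an administrator can see what an allow-list entry causes to be skipped. The dictionary keys, the `ALL` marker and the sample addresses are assumptions made for the example. It models only the bypass points the article states and does not model what any filter does on a match.

```python
# Added model of the scan order described in this article; not Antigen code.
STAGES = [  # (group, check), in the order the article lists them
    ("SpamCure", "SpamCure engine"),
    ("Mailhost Filtering", "RBL servers list"),
    ("Mailhost Filtering", "Allowed mailhost list"),
    ("Mailhost Filtering", "Rejected mailhost list"),
    ("Content Filtering", "Sender-Domain Filtering"),
    ("Content Filtering", "Subject Line Filtering"),
    ("Keyword Filtering", "Keyword Filtering"),
    ("Attachment scan", "Worm Purge"),
    ("Attachment scan", "File Filtering"),
    ("Attachment scan", "Virus cleaning"),
    ("Body scan", "Worm Purge"),
    ("Body scan", "Virus scan"),
]
ALL = "ALL"  # assumed marker for "bypass all filters"

def sender_allowed(sender, allowed):
    """True if the full address or its domain is on the allow list."""
    sender = sender.lower()
    return sender in allowed or sender.rsplit("@", 1)[-1] in allowed

def checks_run(msg, cfg):
    """Return the ordered checks this model evaluates for one message."""
    run, skip, worm = ["Allowed Senders"], set(), False
    if sender_allowed(msg["sender"], cfg["allowed_senders"]):
        if cfg["sender_bypass"] == ALL:
            return run  # every later task is bypassed
        skip = set(cfg["sender_bypass"])  # group or check names to bypass
    for group, check in STAGES:
        if group in skip or check in skip:
            continue
        if group == "Attachment scan" and not msg["has_attachment"]:
            continue
        if check == "Virus cleaning" and worm:
            continue  # viruses are scanned for only when no worm was found
        run.append(f"{group}: {check}")
        if group == "Attachment scan" and check != "Virus cleaning":
            worm = worm or msg.get("attachment_is_worm", False)
        if check == "Allowed mailhost list" and msg["host"] in cfg["allowed_mailhosts"]:
            return run  # "safe" host: the remaining tasks are bypassed
    return run

# Constructed sample configuration and message (not real data)
CFG = {"allowed_senders": {"partner.example"},
       "sender_bypass": {"Content Filtering", "File Filtering"},
       "allowed_mailhosts": {"192.0.2.10"}}
MSG = {"sender": "bob@partner.example", "host": "198.51.100.7", "has_attachment": True}
```

Calling `checks_run(MSG, CFG)` lists the checks that still apply to mail from the allow-listed domain; setting `sender_bypass` to `ALL` leaves only the Allowed Senders check.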

Keywords: kbhowto KB906031


© Microsoft Corporation. All rights reserved.