Hello Johan,
This detection from the Command engine indicates that a document uses a remote template (i.e. not within the mail), which cannot be scanned. Command considers this to be a risk, and therefore .
As this detection isn't necessarily indicative of an actual virus, Microsoft gives you the option to disable it via the registry. See KB963033 for more details. Once you've implemented this, you will need to get FSSP to scan the mails again. You can do this with the Realtime scanjob as follows:
1. Enable the 'Scan on Scanner Update' option under SETTINGS>General Options in the Forefront Administrator UI.
2. Update a scan engine under SETTINGS>Scanner Updates in the Forefront Administrator UI. The engine must update - a failed update, or an engine with no new updates available will not work. If you prefer to force an update see ‘Forcing Updates’ below.
3. Once the engine has been updated, Forefront will need to scan each document again upon access. Try accessing a few of the blocked documents to confirm that this is working.
4. Disable the 'Scan on Scanner Update' option under SETTINGS>General Options in the Forefront Administrator UI. Keeping this option enabled will otherwise cause a high level of extra scanning.
Forcing Updates
An engine update can be forced by deleting its update.ini file and then triggering an on-demand update through the Forefront Administrator:
1. Delete the file: %Program Files (x86)%\Forefront Security Server\Sharepoint\Data\Engines\x86\<engine>\Bin\Update.ini
...where <engine> is the name of the scan engine that you are going to update.
2. Update the scan engine through SETTINGS>Scanner Updates, by selecting the engine and clicking on the ‘Update Now’ button.
Kind Regards,
Andy Day | CSS Security, Sr. Support Engineer (Antigen/Forefront Server Security)