"ScanTimeExceeded" on manual scans : Need to _NOT_ delete files that timeout
- Hello:
I'm running ForeFront for Sharepoint v 10.1.0802.0, SP2, against an existing series of content databases that total about 2.5 TB of data. This data was NOT previously protected by any antivirus software, so I would now like to go back through to scan existing documents to be sure we are completely clean. I plan to do this with scheduled Manual scans of the existing data. I also have a requirement to avoid making changes to the data before I know what viruses, if any, are present.
What I'm finding is the "ScanTimeExceeded" message for large compressed files. I have the default setting of 10 minutes for Manual scans, I have set the manual scan to "Skip: detect only", and I have disabled all the "Block/Delete" options for compressed files. To my mind, I should only be getting reporting, not action on the data. However, when a large container file exceeds the timeout, it is deleted from the SharePoint site. I do not want this to happen.
I can understand the need for the timeout, since ForeFront does not want DoS from 'zips of death', as they put it. I think 10 minutes is a reasonable time to try, given all the data I need to check, and would not want to make it much longer, given the data I have to deal with.
How can I prevent ForeFront from removing files when the time limit is exceeded? I'd like to simply be notified of timeouts, and address them on a case by case basis. I would have thought the "Skip" option would not be disobeyed, but it seems that it is.
Thanks for your help,
Mark Schlegel
All replies
- Hi Mark,
This is probably because the file has already experienced a timeout. When Forefront experiences a Timeout during scanning, by default, it marks the file as containing a virus. This is simply because Forefront is not able to ensure that the file is virus free due to the timeout and so to provide maximum security it sets the virus (infected) flag within Sharepoint. The problem with this is that if Sharepoint sees that this file has been marked as having a virus, then it will not submit the file to be rescanned and will block all access to this file. To work around this we must force Sharepoint and Forefront to scan all files regardless of the virus flag within Sharepoint; also, it is usually recommendable to stop Forefront from flagging timeouts as viruses during this process. To do this:
1) Create this reg key to work around these timeouts that flag files as infected:
Location: "HKEY_LOCAL_MACHINE\Software\Microsoft\Forefront Server Security\SharePoint"
Create: UploadDocNoTimeout (Dword) and give it the value 1 - Still you will see errors in the event log but Forefront will not flag those objects as infected
Restart Sharepoint services.
2) Select "Scan on Scanner Update" and force an engine download. - this should be performed during the quietest period of the week as it normally has a large performance hit as it must scan the entire database.
Finally you must decide whether you wish to keep the Reg Key enabled that was created in Step 1. This is obviously a security risk as the files have not been successfully scanned and therefore could contain a virus.
Personally I would recommend disabling the reg key by setting it to 0 and restarting the services, and then increasing the Timeout periods - Max Container Scan Time (Realtime/Manual) - within the general options page.
I hope this helps
Alex
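
The registry change from step 1 of the reply above, together with a check for whether the workaround has been left enabled after the rescan, as an added PowerShell example (not code from the thread or from Microsoft). The function names are hypothetical; the key path and value name are the ones given in the reply.

```powershell
# Added example. Key path and value name come from the reply above;
# the function names are hypothetical. Run from an elevated prompt.
$FssKey    = 'HKLM:\Software\Microsoft\Forefront Server Security\SharePoint'
$ValueName = 'UploadDocNoTimeout'

function Get-FssTimeoutWorkaround {
    # Report whether scan timeouts are currently NOT flagged as infected.
    $value = $null
    $keyPresent = Test-Path -Path $FssKey
    if ($keyPresent) {
        $prop = Get-ItemProperty -Path $FssKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $value = $prop.$ValueName }
    }
    New-Object PSObject -Property @{
        KeyPresent        = $keyPresent
        Value             = $value
        WorkaroundEnabled = ($value -eq 1)
    }
}

function Set-FssTimeoutWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value)

    if (-not (Test-Path -Path $FssKey)) {
        throw "Registry key not found: $FssKey"
    }
    if ($PSCmdlet.ShouldProcess("$FssKey\$ValueName", "Set DWORD to $Value")) {
        # -Force creates the value if missing and overwrites it if present.
        New-ItemProperty -Path $FssKey -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    # The reply requires a restart of the SharePoint services after the
    # change; that step is left to the operator.
    Get-FssTimeoutWorkaround
}

# Before the full rescan (step 1):   Set-FssTimeoutWorkaround -Value 1 -WhatIf
#                                    Set-FssTimeoutWorkaround -Value 1
# After the rescan, as recommended:  Set-FssTimeoutWorkaround -Value 0

# Audit: warn if the workaround is still active on this server.
$state = Get-FssTimeoutWorkaround
if ($state.WorkaroundEnabled) {
    Write-Warning "$ValueName = 1: files that exceed the scan timeout are not flagged as infected."
}
$state
```

Running the audit portion on a schedule shows when the value is still 1 after the one-off rescan, which is the state the reply describes as a security risk.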

