We recently installed Forefront Security for SharePoint with SP1 in our SharePoint Office Server 2007 farm. Forefront Security for SharePoint protects the SharePoint servers from viruses, unwanted files, and inappropriate content.
With the default settings we had a couple of interesting issues during our first manual scan. We had documents quarantined based on the following incidents:
- Large uncompressed size
- Exceedingly compressed size
- VIRUS= is based on a remote template (Command)
When files are quarantined they are removed from SharePoint, and in their place a text file is left that lets the user know the file was quarantined and why. On libraries that have versioning enabled, the text file becomes a new version of the file, and this actually allows the end user to restore the version containing a virus. That’s not good!
But that is not the reason for this blog. I was more concerned with why we had so many virus-free files quarantined during the scan.
To fix the first error, it is documented in TechNet that on 32-bit systems the registry value HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\MaxUncompressedFileSize can be edited to set the max uncompressed file size, but I didn’t find this registry value in my implementation. I tried creating this value, but it didn’t allow me to upload those files that had been removed.
Since I couldn’t figure out how to increase the uncompressed and compressed size limits, to prevent compressed files from being quarantined, I unchecked the Block/Delete Corrupted Compressed Files option in Settings > General Options of the Forefront Server Security Administrator GUI.
Removing this setting fixed the first two errors.
I was interested to know what triggered these quarantines, so I tested uploading various files to find out exactly what the size limits are. A file quarantined with the incident:
- Large uncompressed size means that the .zip file contains a file that when uncompressed exceeds 100MB in size.
- Exceedingly compressed size means that the .zip file contains compressed files that are over 20MB in size.
The size of the overall zipped file does not matter; only those files contained in that .zip cause the quarantine.
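The limits found above can be checked before a file is uploaded. The following is an added example, not code from the original post or from Forefront: it reads each member's sizes from the .zip directory and reports the incident that the post's observations predict. The function names and the reading of MB as 2^20 bytes are assumptions.

```python
import io
import os
import zipfile

MIB = 1024 * 1024
# Limits as observed in the post through test uploads (assumed to be MiB).
MAX_MEMBER_UNCOMPRESSED = 100 * MIB   # "Large uncompressed size"
MAX_MEMBER_COMPRESSED = 20 * MIB      # "Exceedingly compressed size"


def predict_incidents(zip_source, max_uncompressed=MAX_MEMBER_UNCOMPRESSED,
                      max_compressed=MAX_MEMBER_COMPRESSED):
    """Return [(member_name, incident), ...] for members over either limit.

    zip_source is a path or a binary file-like object. Only the archive's
    directory is read, so nothing is decompressed. These sizes are the ones
    the archive declares; a scanner that unpacks the data may see other values.
    """
    findings = []
    with zipfile.ZipFile(zip_source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Per-member checks: the overall archive size is never compared.
            if info.file_size > max_uncompressed:
                findings.append((info.filename, "Large uncompressed size"))
            if info.compress_size > max_compressed:
                findings.append((info.filename, "Exceedingly compressed size"))
    return findings


def constructed_sample():
    """Constructed archive: one member over each limit, one under both."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # 101 MiB of zeros deflates to a tiny member, but unpacks over the limit.
        z.writestr("zeros.bin", bytes(101 * MIB), compress_type=zipfile.ZIP_DEFLATED)
        # 21 MiB of random data stored as-is stays over 20 MiB inside the archive.
        z.writestr("random.bin", os.urandom(21 * MIB), compress_type=zipfile.ZIP_STORED)
        z.writestr("notes.txt", "small file", compress_type=zipfile.ZIP_DEFLATED)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, incident in predict_incidents(constructed_sample()):
        print(f"{name}: {incident}")
```

Running it over a document library export before a manual scan lists the archives that would be replaced by the quarantine text file.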
Interestingly, when I removed the Block/Delete Corrupted Compressed Files setting, the number of registry values in HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint doubled.
Unfortunately there was still no MaxUncompressedFileSize value, but there was a MaxCompressedSize. I tried increasing this value, but it did not prevent zipped files that contained compressed files over 20MB from being quarantined.
The third incident, VIRUS= is based on a remote template (Command), is an interesting error as well. During setup you are asked to select 5 of 8 included antivirus scan engines: Microsoft, Norman, Sophos, Command, Kaspersky, VBuster, AhnLab, and Computer Associates. These engines are used during the real-time and manual scans.
The Authentium Command Antivirus engine was the culprit in this case. I’m not sure why, but this engine quarantined over a dozen of our Word documents before we stopped the scan. I replaced this engine with another one and re-ran the scan without any problems.
I hope if you run into any of these problems, the above workarounds help you.