Continuing in the registry key series, let’s talk about DisableEmailScanning.
By default, the antimalware engine included with FCS will not scan email archives (email archives are file-based containers that contain email messages). FCS is an enterprise-level product – and in an enterprise (business) environment, it’s expected that you are protecting email at the mail server level (using, for example, Forefront Protection 2010 for Exchange Server).
FCS is designed for host-based (client-level) protection. The fact that the email scanning feature is disabled by default is suitable for most customer situations. However, there may be scenarios when email archive files enter the business environment through some means other than the email transport (a saved email message on a USB drive, for example, or POP-based email).
Some of the file-based containers can be directly modified; that is, the engine can open the container, remove the malware, and then recreate the container with no data loss. Some of the file-based containers cannot be directly modified, and depend on the user to manually remove the infected file within the container.
In some cases, the mail archive itself might be quarantined, which may make it appear that the whole of the email archive has been lost. In this instance, this is not the case, and the infected messages will have to be manually removed.
The following table summarizes the file-based containers that would be scanned if you disable the DisableEmailScanning setting (double negative time), as well as how each container is treated when malware is detected in it:
Note: the information above reflects the current antimalware engine behavior; this behavior is subject to change.
The DisableEmailScanning registry key is a double negative key – you must disable the disable in order for email scanning to be enabled.
Permissions on this key prevent direct editing, so you must use one of the two methods described in the KB article referenced below (http://support.microsoft.com/default.aspx/kb/971026#moreinformation).
For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
CLASS MACHINE
CATEGORY !!FCSCategory
  POLICY !!DisableEmailScanning_Name
    KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
    EXPLAIN !!DisableEmailScanning_Explain
    ;; Note that instead of disabling a disable we flip-flop the logic to make it proactive
    VALUENAME DisableEmailScanning
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
END CATEGORY

[strings]
FCSCategory="Microsoft Forefront Client Security"
DisableEmailScanning_Name="Enabling email scanning"
DisableEmailScanning_Explain="This setting instructs the FCS antimalware client to scan email archives during full scans"
Save the file as an ADM file, making sure to choose All Files (*.*) as the file type (the KB suggests saving it with the KB ID number as the name; for this one, you could use EmailScanning.ADM), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
If you want to deploy the DisableEmailScanning key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
"DisableEmailScanning"=dword:00000000
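Because of the double-negative logic, it is easy to deploy the setting and still be unsure what a given client is actually doing. The script below is an added example (it is not part of the original post and not an FCS or KB-provided tool) that reads the policy value from the path given above and reports the effective state. It assumes that an absent value means the product default described in the post (email archives are not scanned), and that a DWORD of 0 means scanning is on, mirroring the VALUEON NUMERIC 0 in the ADM file.

```powershell
# Added example: report the effective email-archive scanning state for FCS.
# Assumptions (not from the product documentation): a missing value means the
# default (no email scanning); 0 means "the disable is disabled" (scanning ON).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan'
$ValueName  = 'DisableEmailScanning'

function Get-FcsEmailScanningState {
    param(
        [string]$Path = $PolicyPath,
        [string]$Name = $ValueName
    )

    $raw = $null
    if (Test-Path -LiteralPath $Path) {
        # -ErrorAction SilentlyContinue: the key may exist without this value.
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = $item.$Name }
    }

    # Double-negative logic: only an explicit 0 turns the "disable" off.
    # Any other value, or no value at all, leaves email scanning off.
    $enabled = ($raw -is [int]) -and ($raw -eq 0)

    if ($null -eq $raw) {
        $display = '<not set>'
        $source  = 'product default'
    } else {
        $display = $raw
        $source  = 'policy value'
    }

    [pscustomobject]@{
        Path                 = $Path
        DisableEmailScanning = $display
        EmailScanningEnabled = $enabled
        Source               = $source
    }
}

# Usage: run in an elevated PowerShell prompt on a client after the GPO or
# .reg file has been applied (gpupdate /force first, if using Group Policy).
Get-FcsEmailScanningState | Format-List
```

Running this on a handful of clients after deployment is a quick way to confirm that the policy landed and that nobody set the value to 1 (the "disable" left enabled) by misreading the name; a result of EmailScanningEnabled = False with Source = 'policy value' is the case worth investigating.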
This article references FCS. Does it also apply to FEP 2010?
Yes, it does - but FEP provides an ADMX file (via the FEP Security Management Pack) that you can use to manage this setting in your organization. For more information about the ADMX settings, see technet.microsoft.com/.../gg412481.aspx.
Thanks for your question!