Forefront Security for SharePoint (FSSP) includes a number of registry settings that control most of the configuration settings. The charts below provide information about the various settings.
· The first table gives information about several registry settings that are recommended and/or frequently used to improve FSSP’s performance.
· The second table gives information about registry settings related to blocking unwanted files.
· The third table gives information about registry settings used to set file size limits.
· The fourth table gives information about registry settings used to control the actions FSSP takes when infected files are detected.
Please Note: You should only make changes to registry settings if you are comfortable working in the registry. If you are uncertain, you should open a support case for assistance.
Recommended settings to maximize performance
SumInternalSizesOfCompressedArchive DWORD set to 1
MaxUnCompressedFileSize (Default 100MB, represented in the registry as 100,000,000 decimal.)
DeleteCorruptedCompressedFiles Set to ON
A combination of these three settings will allow compressed files that expand to less than 100 MB to be scanned, while ensuring that those that expand to over 100 MB are blocked.
SkipLargeCompressedFileDeletion DWORD set to 1
User discretion. Enabling this setting will allow large compressed files to bypass antimalware scanning. This will improve server performance, but it will reduce security.
By default this option is off (0). If set to on (1), then compressed files that expand to over 100MB will be bypassed instead of being blocked.
RecycleSPScanJobs DWORD set to 345,600 (decimal)
In the event that the scan process has leaked any memory or resources, we recommend restarting scan processes every 4 days. The restart will reclaim any lost resources. Recycle Forefront scan processes every 4 days (345,600 seconds equals 96 hours equals 4 days)
Interim workaround: to be used only if necessary.
In Service Pack 3, compressed files should only be reported as corrupted compressed if they are truly corrupted. If for some reason files are mistakenly identified as corrupted compressed, the workaround is to set this setting to 0 (zero), which is OFF. After changing this setting, it is a good idea to contact support for help diagnosing the root cause of the problem.
In Service Pack 3, all known engine errors are resolved. In the event of these errors, the workaround is to set ActionOnEngineError to 0 (zero), which is “Ignore”. Other possible settings are 1 (detect/skip) and 2 (delete). After changing this setting, it is a good idea to contact support for help diagnosing the root cause of the problem.
This section details the various settings that FSSP uses to block specific files. This section is provided as a quick reference on how to configure FSSP to bypass these settings in the event of unexpected behavior. It is not recommended that you make any changes to these settings unless you are experiencing a particular problem that is leading to detections that you think are in error.
What does this mean
How to set to skip detect
FSSP does not fully understand how to parse a container file.
Uncheck “Block/Delete Corrupted Compressed files” in the General Options work pane.
FSSP does not fully understand how to parse a UUENCODE file.
Uncheck “Block/Delete Corrupted Compressed Uuencode files” in the General Options work pane.
FSSP encounters an error updating a container file.
This error will only occur when FSSP is updating a container file. There is no need to set this to Skip/Detect because FSSP was going to update the contents of a file, but instead FSSP will block the file.
A specific read error condition when reading a container file
Highly Compressed Files
There are two categories of highly compressed files:
1) Highly compressed formats that FSSP is aware of, but is unable to parse.
2) Highly compressed formats that FSSP is unaware of.
In either case, FSSP does not understand the compression algorithm used in a container file.
Case 1: Uncheck “Treat Zip archives containing highly compressed files as Corrupted Compressed” in the General Options work pane.
Case 2: These files are always reported as CorruptedCompressed. Uncheck “Block/Delete Corrupted Compressed files” in the General Options work pane.
Multipart RAR files
RAR files that are split across multiple archives cannot be scanned by FSSP.
Uncheck “Treat multipast RAR archives as Corrupted compressed” in the General Options work pane.
Concatenated Gzip files
FSSP cannot completely scan concatenated Gzip files.
Uncheck “Treat concatenated gzips as corrupted compressed” in the General Options work pane.
FSSP cannot scan a container file because it is password protected.
Uncheck “Block/Delete Encrypted Compressed files” in the General Options work pane.
EngineError, EngineExceptionError, EngineLoopingError
A third-party engine encountered an error scanning a file, or in the case of a looping error, has exceeded the maximum number of reads imposed by FSSP.
Set the DWORD registry key named “ActionOnEngineError” to 0 (zero).
This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.) It indicates that FSSP has exceeded the number of milliseconds in the MaxContainerScanTime registry key when scanning a container file.
There is no way to configure FSSP to ignore a compressed file that is taking too long to scan, but FSSP can be configured to avoid this error by increasing MaxContainerScanTime to a maximum value of 0x7FFFFFFF. As long as MaxContainerScanTime is longer than the SharePoint timeout value, this error will never occur. If a compressed file takes a long time to scan, then FSSP will return “ExceededRealtimeTimeout” during the scan.
Indicates that FSSP has timed out while scanning a file. The time limit is specified in the SharePoint administrator console.
Create a DWROD registry key named “UploadDocNoTimeout” and set it to 1. If you set this key, files that would have been blocked by a timeout will instead be uploaded without being scanned.
Indicates SharePoint has timed out waiting for FSSP to scan a file. In this case, SharePoint kills the thread in the w3wp.exe process that originated the scanning request. The user’s http request will fail. The user will have to resubmit a duplicate http request to recover.
Currently there is no way to set FSSP to skip these limit checks, but the limits can be increased if necessary. If a file exceeds these limits, then the file will be blocked.
This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.). It indicates that one of the compressed files within a container file has a compressed file size that is greater than the default value set by FSSP. The default value is 0x01312d00 (20,000,000 decimal or approximately 20 MB) and is stored in the DWORD registry key MaxCompressedArchivedFileSize. This value can be increased, but increasing it could cause Denial of Service attacks, more timeouts, and/or performance issues.
When set to 1, ExceedinglyCompressedSize errors will be ignored, effectively allowing these large files to be bypassed. The default is 0 (zero).
This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.). It indicates that one of the compressed files within a container file has an uncompressed file size that is greater than the default value set by FSSP. The default value is 0x05F5E100 (100,000,000 decimal or approximately 100 MB) and is stored in the DWORD registry key MaxUnCompressedFileSize. This value can be increased, but increasing it could cause Denial of Service attacks, more timeouts, and/or performance issues.
This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.) It indicates that a container recursively nests other container files more than then maximum nesting value set by FSSP. FSSP has a default MaxNestedCompressedFile value of five, and a default MaxNestedAttachments value of 30. These values can be increased, but it recommended to limit the increases to 10 and 60 respectively. Increasing these values further could result in stack overflow crashes, Denial of Service attacks, more timeouts, and/or performance issues.
These settings control the action FSSP takes for large infected container files and exceedingly nested container files.
This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.) When this error occurs, it means FSSP was attempting to update a file within a container file, but the container file is too big. Instead of replacing one file in the container, the entire container will be replaced with deletion text.
FSSP has a default value to only clean compressed files under 25 MB, stored in the registry value MAX_COMPRESSED_FILE_SIZE. Increasing this value could cause Denial of Service attacks, more timeouts, and/or performance issues.
This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.) When this error occurs, FSSP has detected numerous viruses within the same container file, and rather than continuing to scan this container file, the entire container file is blocked. FSSP uses a default of five, stored in the registry key MaxContainerFileInfections. Increasing this value could cause Denial of Service attacks, more timeouts, and/or performance issues.
Another important consideration when evaluating the performance of your SharePoint servers running FSSP is the impact of the antivirus scanning engines. Forefront utilizes many third-party virus scanning engines and components to provide virus and keyword filtering of the SharePoint server. The Forefront team has automated backend systems that are constantly stressing these 3rd party components to ensure that they are behaving correctly and utilizing memory as efficiently as possible. There have been incidents in the past, however, where a memory leak has been introduced through the update of one of our third-party engines. We are continually improving our back end tests to be able to detect these memory leaks before they are published.
If FSSP is unable to allocate memory while scanning a file, it currently does not differentiate between a large memory allocation that failed (because it is just too big) vs. a small allocation that failed (because a leak has consumed all usable memory). Depending on the type of file being scanned, and where in the scanning the memory allocation failure occurs, FSSP may report the problem as a “corrupted compressed” file, as an engine error, or as a scanning process exception.
A new feature has been added to FSSP SP3 to provide an additional layer of protection in the event a third-party vendor releases an update with a leak that is not detected by our back-end testing. The new feature is to periodically recycle the FSSP scanning processes in a controlled manner. This new registry key (named RecycleSPScanJobs) limits the life of our scanning processes to a finite time. By recycling the FSSP scanning processes, any leaked memory is recovered, thus reducing the probability of encountering a memory allocation failure. This feature will sequentially restart one scanning processes at a time, and the scanning load is shared among the other scanning processes during the recycle. We recommend setting this new registry key to 96 hours.
The registry key is a DWORD named “RecycleSPScanJobs” and is specified in seconds. To set this value to 96 hours, you will need to create the key and enter a value of 345,600 (which is 60 seconds * 60 minutes * 24 hours * 4 days). This will cause Forefront to reset its scanning processes every 4 days.
John Oesterle Senior Development Lead
Michel LaFantano Senior Writer - BPSG iX