Scanning email archives

Continuing in the registry key series, let’s talk about DisableEmailScanning.

By default, the antimalware engine included with FCS will not scan email archives (email archives are file-based containers that contain email messages). FCS is an enterprise-level product – and in an enterprise (business) environment, it’s expected that you are protecting email at the mail server level (using, for example, Forefront Protection 2010 for Exchange Server).

FCS is designed for host-based (client-level) protection. The fact that the email scanning feature is disabled by default is suitable for most customer situations. However, there may be scenarios when email archive files enter the business environment through some means other than the email transport (a saved email message on a USB drive, for example, or POP-based email).

NOTE: Remediating a malware detection in an active email archive can, in some cases, carry the risk of losing new messages (these messages would not be recoverable from quarantine). For example, there is a risk of losing new messages if you attempt to clean a DBX archive while it is open in Outlook Express. Scanning (and cleaning) email archives while they are actively open in a program carries a risk of email loss. Ensure you need this feature before you enable it.

Some of the file-based containers can be directly modified; that is, the engine can open the container, remove the malware, and then recreate the container with no data loss. Some of the file-based containers cannot be directly modified, and depend on the user to manually remove the infected file within the container.

In some cases, the mail archive itself might be quarantined, which may make it appear that the whole email archive has been lost. That is not actually the case; the archive is intact in quarantine, but the infected messages will have to be removed from it manually.

The following table summarizes the file-based containers that are scanned once you (double negative time) disable the DisableEmailScanning setting, as well as how each container is treated when malware is detected inside it:

File type   Can files inside the container be fixed?
DBX         Yes
MBX         Yes
Mime        Yes
BinHex      No
Box         No
PST         No
TBB         No
TNEF        No
Base64      No
MSG         No

Note: the information above reflects the current antimalware engine behavior; this behavior is subject to change.

The DisableEmailScanning registry key is a double negative key – you must disable the disable in order for email scanning to be enabled.

Permissions on this key prevent direct editing, so you must use one of the two methods described in the KB article referenced below (https://support.microsoft.com/default.aspx/kb/971026#moreinformation).

For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:

CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!DisableEmailScanning_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
EXPLAIN !!DisableEmailScanning_Explain
;; Note that instead of disabling a disable we flip-flop the logic to make it proactive
VALUENAME DisableEmailScanning
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
[strings]
FCSCategory="Microsoft Forefront Client Security"
DisableEmailScanning_Name="Enabling email scanning"
DisableEmailScanning_Explain="This setting instructs the FCS antimalware client to scan email archives during full scans"

Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number; for this one, you could use EmailScanning.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.

If you want to deploy the DisableEmailScanning key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:

Windows Registry Editor Version 5.00

; A .reg file must start with the version header above or regedit will refuse to import it.
; DisableEmailScanning = 0 turns email archive scanning ON (the double negative again).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
"DisableEmailScanning"=dword:00000000
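Because the key is a double negative, it is easy to misread an audit of it. The following PowerShell script is an added example (not from the original post, the KB article, or the FCS product) that reads the policy value on the local machine and reports the effective state, and can write the same value the .reg file above sets. It assumes the policy key path given in the post and treats an absent value as the engine default (archives not scanned), as the post describes.

```powershell
# Added example: audit (and optionally set) the FCS DisableEmailScanning policy value.
# Assumptions: key path as given in the post; absent value = engine default (not scanned).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan'
$ValueName = 'DisableEmailScanning'

function Get-FcsEmailScanningState {
    # Reads the raw DWORD (if any) and resolves the double negative:
    # 0 = email archives ARE scanned; 1 or no value = they are NOT scanned.
    $raw = $null
    if (Test-Path -Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = [int]$item.$ValueName }
    }
    $enabled = ($raw -eq 0)
    [pscustomobject]@{
        RawValue             = $raw
        EmailArchiveScanning = if ($enabled) { 'Enabled' } else { 'Disabled' }
        Source               = if ($null -eq $raw) { 'Engine default (value absent)' } else { 'Policy key' }
    }
}

function Set-FcsEmailScanning {
    # Writes the policy value exactly as the post's .reg file does.
    # -Enable $true writes 0 (scan archives); -Enable $false writes 1 (do not scan).
    param([Parameter(Mandatory)][bool]$Enable)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Enable) { 0 } else { 1 }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $value -Type DWord
    Get-FcsEmailScanningState
}

# Report the current state; call Set-FcsEmailScanning -Enable $true to turn scanning on.
Get-FcsEmailScanningState | Format-List
```

Writing under HKLM\SOFTWARE\Policies requires an elevated prompt, and a Group Policy refresh will overwrite a locally written value if a conflicting policy applies.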