Scanning email archives

Continuing in the registry key series, let’s talk about DisableEmailScanning.

By default, the antimalware engine included with FCS will not scan email archives (email archives are file-based containers that contain email messages). FCS is an enterprise-level product – and in an enterprise (business) environment, it’s expected that you are protecting email at the mail server level (using, for example, Forefront Protection 2010 for Exchange Server).

FCS is designed for host-based (client-level) protection. The fact that the email scanning feature is disabled by default is suitable for most customer situations. However, there may be scenarios when email archive files enter the business environment through some means other than the email transport (a saved email message on a USB drive, for example, or POP-based email).

NOTE: Remediating a malware detection in an active email archive can, in some cases, carry the risk of loss of new messages (these messages would not be recoverable from quarantine). For example, there is a risk of loss of new messages if you attempt to clean a DBX archive while it is open in Outlook Express.

Scanning (and cleaning) of email archives while they are actively open in a program will carry a risk of email loss. Ensure you need this feature before you enable it.

Some of the file-based containers can be directly modified; that is, the engine can open the container, remove the malware, and then recreate the container with no data loss. Some of the file-based containers cannot be directly modified, and depend on the user to manually remove the infected file within the container.

In some cases, the mail archive itself might be quarantined, which may make it appear that the whole of the email archive has been lost. That is not the case: the archive is intact in quarantine, and the infected messages will have to be manually removed.

The following table summarizes the file-based containers that would be scanned if you (double negative time) disable the DisableEmailScanning setting, as well as how the containers are treated in the instances of malware detection:

File Type   Can files inside the container be fixed?
Mime        Yes
BinHex      No
Box         No
Base64      No

Note: the information above reflects the current antimalware engine behavior; this behavior is subject to change.

The DisableEmailScanning registry key is a double negative key – you must disable the disable in order for email scanning to be enabled.

Permissions on this key prevent direct editing, so you must use one of the two methods described in the KB article referenced below (

For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:

; CLASS, CATEGORY and the [strings] section are required for the Group Policy editor to load the ADM file.
CLASS MACHINE
CATEGORY !!FCSCategory
    POLICY !!DisableEmailScanning_Name
        KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
        EXPLAIN !!DisableEmailScanning_Explain
        ;; Note that instead of disabling a disable we flip-flop the logic to make it proactive
        VALUENAME DisableEmailScanning
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
    END POLICY
END CATEGORY

[strings]
FCSCategory="Microsoft Forefront Client Security"
DisableEmailScanning_Name="Enabling email scanning"
DisableEmailScanning_Explain="This setting instructs the FCS antimalware client to scan email archives during full scans"

Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use EmailScanning.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.

If you want to deploy the DisableEmailScanning key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:

Windows Registry Editor Version 5.00

; Same double negative as the ADM file: 0 means "do not disable", so email archive scanning is ON.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
"DisableEmailScanning"=dword:00000000

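The double negative makes it easy to misread what a client actually ended up with after the Group Policy or .reg deployment, so here is an added PowerShell check that is not from the original post or the KB article: it reads the policy value from the path above and spells out what the engine will do. The function name is my own; the key path and value name are the ones the post gives.

```powershell
# Added example, not from the original post or the FCS KB article.
# Reads the DisableEmailScanning policy value and reports the effective behaviour.
function Get-FcsEmailScanningState {
    # Key path and value name as given in the post (policy location, not the product key).
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan'
    $valueName = 'DisableEmailScanning'

    # Missing key or missing value: the engine falls back to its default,
    # which is NOT scanning email archives.
    $value = $null
    if (Test-Path -Path $keyPath) {
        $item  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$valueName }
    }

    # Double negative: 0 = "do not disable", i.e. email archive scanning is ON.
    if ($null -eq $value) {
        $state = 'Disabled (default: value not set)'
    } elseif ($value -eq 0) {
        $state = 'Enabled (DisableEmailScanning = 0)'
    } elseif ($value -eq 1) {
        $state = 'Disabled (DisableEmailScanning = 1)'
    } else {
        $state = "Unexpected value '$value' (treat as misconfigured and review the GPO)"
    }

    [pscustomobject]@{
        KeyPath          = $keyPath
        RawValue         = $value
        EmailArchiveScan = $state
    }
}

Get-FcsEmailScanningState | Format-List
```

Run it on a client after the policy has refreshed (gpupdate /force) to confirm the value reached the Policies key, since direct edits to that key are blocked by its permissions.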

Comments (2)

  1. Hi Bob,

    Yes, it does – but FEP provides an ADMX file (via the FEP Security Management Pack) that you can use to manage this setting in your organization. For more information about the ADMX settings, see…/gg412481.aspx.

    Thanks for your question!

  2. Bob Hyatt says:

    This article references FCS.  Does it also apply to FEP 2010?