File Filtering for Specific Users in FSE

Good day everybody,

Some weeks ago I dealt with a request that took me quite some time and a lot of tests, so I thought I should share it on our blog to save someone a headache.

The request was: “I want to set a File Filter to prevent Standard Users from sending or receiving any BMP attachment. I also have the Managers, who should not be restricted by this filter; that is, Managers should be able to send and receive any file.”

Now, there are some points to be aware of in Forefront for Exchange (FSE):

- Unlike Antigen, in FSE there´s only one RealTime Scan Job. You can choose which mailboxes the RealTime scan job should apply to.

- All mails, even between users on the same Storage Group, will go through a Hub server (and therefore a Transport Scan Job).

- “…After scanning each message on the Exchange 2007 Transport role, FSE applies a secure antivirus stamp. This prevents duplicate scanning on the Mailbox server role when the message is deposited into the Store…” (see Ex_Best_Practices.doc )

We first took these steps:

- We created a File Filter to block all files called “*” on the Real Time Scan Job, where “File Types” is “BMP”.

File FilteringFSE-1.jpg 

Be aware that we did not create any File Filter at the Transport Scan Job level; otherwise we would not be able to differentiate between Standard Users and Managers.

- We also disabled Virus Scanning and Content Filtering on the Real Time Scan Job (in Operate/Run Job), so that the Real Time Scan Job would only perform File Filtering.

File FilteringFSE-2.jpg

- We then applied the Real Time Scan Job to Standard Users and made sure Managers were excluded (in Settings/Scan Job, highlight Realtime Scan Job, under Mailboxes check Selected, hit the icon…

File FilteringFSE-3.jpg

…and choose which users the scan job should apply to.

File FilteringFSE-4.jpg

What we achieved with these was:

- Managers were able to send and receive BMP files (AS REQUESTED)

- Standard Users could not send any BMP file (AS REQUESTED *)

- All users (both Managers and Standard Users) could receive incoming mail with any attachment (NOT AS REQUESTED).

By analyzing the logs we noticed that messages were scanned and stamped at the SMTP (Transport) level, so once they reached the mailbox server no Real Time Scan Job was performed.

- In order for the Real Time Scan Job to be performed, and File Filtering to be applied, we had to set the registry value DisableAVStamping to 1 (see Ex_Best_Practices.doc):

DisableAVStamping [registry]

After scanning each message on the Exchange 2007 Transport role, FSE applies a secure antivirus stamp. This prevents duplicate scanning on the Mailbox server role when the message is deposited into the Store.

It is recommended that you use the secure antivirus transport stamp as designed. You should turn it off only if you plan to use different engines or filtering settings on the Transport server and the Mailbox server. Otherwise, needless duplicate scanning occurs.

The "DisableAVStamping" registry key permits you to override the recommended default setting. This causes the Transport stamp to be suppressed, and the Mailbox server to treat the message as not having been previously scanned.

To override the default, add a new DWORD, called "DisableAVStamping" with a value of "1". This value is not present by default and is assumed to be "0" (the default).

FSE stores registry values in the following locations:

For 32-bit systems:

- HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server

For 64-bit systems:

- HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server
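As an added example (not part of the original post or of the FSE documentation quoted above), the following PowerShell snippet sets DisableAVStamping to 1 under whichever of the two documented key locations exists on the server, and treats a missing value as the default of 0 when reporting the state before and after. It assumes FSE is installed, so that one of the two keys already exists.

```powershell
# Added example: inspect and set DisableAVStamping for FSE.
# The two paths are the 32-bit and 64-bit locations documented above;
# FSE creates exactly one of them at install time, so we pick the one that exists.
$candidates = @(
    'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server',             # 32-bit systems
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'  # 64-bit systems
)
$fseKey = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $fseKey) {
    throw 'FSE registry key not found under either documented location.'
}

function Get-DisableAVStamping {
    # An absent value means the default (0): the Transport AV stamp is applied
    # and the Mailbox role skips re-scanning stamped messages.
    $prop = Get-ItemProperty -Path $fseKey -Name 'DisableAVStamping' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.DisableAVStamping
}

function Set-DisableAVStamping([int]$Value) {
    # Only 0 (default, stamp applied) and 1 (stamp suppressed) are meaningful.
    if (-not ($Value -eq 0 -or $Value -eq 1)) {
        throw "DisableAVStamping must be 0 or 1, got $Value"
    }
    # -Force overwrites an existing value; the type is DWORD as the document requires.
    New-ItemProperty -Path $fseKey -Name 'DisableAVStamping' -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

"Key in use: $fseKey"
"Before: DisableAVStamping = $(Get-DisableAVStamping)"
# Suppress the Transport stamp so the Real Time Scan Job (and its File Filter)
# runs again on the Mailbox role, as described in the post.
Set-DisableAVStamping 1
"After:  DisableAVStamping = $(Get-DisableAVStamping)"
```

Run it from an elevated PowerShell prompt on the Mailbox server; as the quoted document notes, leave the value at 0 unless the Transport and Mailbox roles really do need different filtering settings, since suppressing the stamp reintroduces duplicate scanning.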

After that we managed to achieve what we wanted.

Final consideration: this filter adds some extra load on the mailbox server, which is exactly what the FSE design tries to avoid by performing all scanning in the Transport Scan Job. However, as it is just a File Filter, the additional scan load is not that great, and this solution allowed us to achieve both of our goals.

* Be aware that a mail may or may not be scanned by the Realtime Scan Job, depending on the load on the server (especially on busy servers). This behaviour is due to race conditions. The impact of race conditions is beyond the scope of this blog article; maybe I’ll save that for another time.

Regards

Fulvio Spanedda

Senior Support Engineer Antigen/Forefront

Microsoft CSS Security