Scan Jobs Within Forefront Security For SharePoint

Forefront for SharePoint offers several types of scan jobs, each suited to different tasks depending on your requirements. The three scan jobs are:

  • Quick Scan
  • Manual Scan
  • Real-time Scan

Quick Scan

The first type of scan job is the quick scan. It is useful when you want to scan a single entity quickly, or when you want to run a one-time scan of your environment with different engines (engines other than those used by your other job files). Quick scan displays a tree view of your site hierarchy and the available document libraries in its dialog, where you can navigate to the asset that currently interests you. To scan the entire environment, select the topmost parent element; the scan then runs with the chosen engine against the whole environment. Once you find the entity you want to scan, highlight it and choose the engine to scan it with. This is typically an engine that has not already scanned the entity during another job, since repeating the same scan would be somewhat useless.

The interface also provides a Bias threshold option that lets you set baselines on performance factors, depending on whether you are selecting multiple engines for the scan job. You can set the action to take against files found out of compliance with your selections, and you can enable notifications (as discussed in other articles), which either send notifications to the Forefront for SharePoint WebParts or route an email (with or without the replacement macros, depending on whether you have custom configuration in your notification macros).

Manual Scan

A manual scan works with previously created jobs, so it is of little use if you haven’t gone through the job creation dialog. Three main options are displayed with each job, regardless of whether the service is currently running:

  • Virus Scanning
  • File Filtering
  • Keyword Filtering

If you have not created a job yet, now would be an excellent time to.

To create your first job, select the jobs option on the main menu of the FSSP client and then create job, which brings up a small WinForms dialog. This dialog lets you create a new job for whatever task you currently need in your environment, whether you want to update a scan engine, grab a log of violation incidents, perform a manual scan, or use one of several other important options. Created jobs are run much like services in the services.msc snap-in: the initial grid, which was unpopulated when you first invoked the Forefront for SharePoint Manager client, now lists your created job, which you can start with the green start button.

The job creation menu has one confusing item. The product field located above the task field might make you think that there are multiple products you can work with; however, this selection should only be used for uninstalling and installing jobs. The other options you will see outside of the task dropdown are the add and remove buttons, used to make sure that the only job files being deployed are the ones you have selected; the schedule, which lets you tag a schedule flag to your selected job; and the options menu, which has general facilities for working with your selected jobs. Most of the options are specific to the task being run, but some are common to all jobs, such as the authentication you want to use when running the job.

Once your job selections are as you want them, the job files have to be deployed to the appropriate server. In the following dialog, you can select the servers on which the jobs will run: select the server under Available servers, and move the appropriate servers to the left-hand side of the dialog so that the job files are deployed to the appropriate machines.

Now you should be able to tag your deployed job files to your Manual Scan instance. You can run that job now, and reuse it as often as you like in the future with other scan instances as the need arises.

Real-time Forefront for SharePoint Scan Job

The last type of job within the Forefront for SharePoint framework is the real-time scan job, which is arguably the most important type since it scans documents in real time as they are loaded into the Forefront for SharePoint framework at runtime. Whenever a document is uploaded to or downloaded from a Forefront for SharePoint protected document library, it can be passed through a scanning process that is triggered by that action. This is the most needed scanning configuration in a SharePoint environment, since it protects users as files are transferred between various parties: a file is not just scanned by some scheduled or manually triggered scan job, but is constantly checked and cleared for malware as it works its way through your communications and collaboration environment.

This is important because Forefront for SharePoint’s purpose is to protect the data that lives within a SharePoint repository, not the data as it exists on your client machine. The purpose of SharePoint is to build virtual teams out of various groups of information workers and to keep critical business data within an accessible and richly featured collaboration environment; Forefront for SharePoint is built to protect content repositories at this level.

There are several important differences between a real-time scan and the other scanning options already discussed. Since the service runs when certain criteria are tripped (such as a download or upload of a document out of a SharePoint document library), there are certain thresholds that can be set which allow you to tailor your environment accordingly.

Some of the options that are available are:

  • Scan document on upload
  • Scan document on download
  • Allow users to download infected documents
  • Attempt to clean infected documents
  • Time out scanning settings
  • Scanner threading options
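
The options listed above can be reviewed with a short audit script. This is an added example, not code from the original article or from the Forefront product; it assumes these options correspond to SharePoint's farm-level antivirus settings (the `SPAntivirusSettings` object), and the function name `Test-RealtimeScanSettings` and the sample values are constructed for illustration.

```powershell
# Added example: review the real-time scan options for weak combinations.
# Assumption: the options map to SharePoint's farm-level SPAntivirusSettings object.
function Test-RealtimeScanSettings {
    param([Parameter(Mandatory = $true)] $Settings)

    $findings = @()
    if (-not $Settings.UploadScanEnabled) {
        $findings += 'Upload scanning is off: documents enter the library unscanned.'
    }
    if (-not $Settings.DownloadScanEnabled) {
        $findings += 'Download scanning is off: stored documents are served unscanned.'
    }
    if ($Settings.AllowDownload) {
        $findings += 'Users are allowed to download documents flagged as infected.'
    }
    if (-not $Settings.CleaningEnabled) {
        $findings += 'Cleaning is off: infected documents are detected but not repaired.'
    }

    # Timeout and thread count are reported as-is; suitable values depend on server load.
    New-Object psobject -Property @{
        Timeout  = $Settings.Timeout
        Threads  = $Settings.NumberOfThreads
        Findings = $findings
    }
}

# On a SharePoint server, read the live settings; elsewhere use a constructed sample.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
if ('Microsoft.SharePoint.Administration.SPWebService' -as [type]) {
    $settings = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.AntivirusSettings
} else {
    # Constructed sample values, not taken from a real farm
    $settings = New-Object psobject -Property @{
        UploadScanEnabled   = $true
        DownloadScanEnabled = $false
        AllowDownload       = $true
        CleaningEnabled     = $true
        Timeout             = [TimeSpan]::FromSeconds(300)
        NumberOfThreads     = 5
    }
}

$report = Test-RealtimeScanSettings -Settings $settings
$report.Findings
"Timeout: $($report.Timeout)  Threads: $($report.Threads)"
```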