Article ID: 906031 - Last Review: January 7, 2008 - Revision: 2.2

Description of the scan order in Antigen 8.0, in Antigen 9.0, and in Forefront Security for Exchange Server


INTRODUCTION

This article describes the scan order that Antigen and Forefront Security use when they scan a file or an e-mail message.

MORE INFORMATION

When Antigen scans a file or an e-mail message, the following tasks are performed in the order that they appear:
  • The Sender Whitelist scan (in Antigen 8.0) and the Allowed Senders scan (in Antigen 9.0)
    If the Sender Whitelist/Allowed Sender functionality is enabled, Antigen examines the message sender's domain or address against the Sender Whitelist/Allowed Sender list. If a message is from a domain or from an address that is listed on the list, the message is delivered to the recipient. Therefore, the rest of the scanning tasks that are described in this list are bypassed. You can configure the Sender Whitelist/Allowed Sender list functionality to bypass one or more filters, such as File Filtering and Content Filtering. Or, you can configure the Sender Whitelist/Allowed Sender functionality to bypass all filters.

    Note The Allowed Senders option only provides the ability to skip scanning for the following items:
    • The Keyword Filtering scan
    • File Filtering in the Attachment scan
  • The SpamCure engine scan
    The SpamCure engine examines the message contents against a database of known spam.
  • The Mailhost Filtering scan
    Mailhost Filtering filters messages from specific IP addresses or from specific server names. Mailhost Filtering consists of three lists:
    • The RBL servers list
      This list contains server names and IP addresses that are known either to originate spam or to be spam open relay hosts. Antigen examines the message sender against the RBL servers list to determine whether the message sender is a spam server.
    • The Allowed mailhost list
      This list contains server names and IP addresses that are considered "safe." Antigen examines the message sender against this list to determine whether the message sender is considered safe. If a message is from a server or an IP address that is in the Allowed mailhost list, the message is delivered to the recipient. Therefore, the rest of the scanning tasks that are described in this list are bypassed.

      Note The Allowed Senders option only provides the ability to skip scanning for the following items:
      • The Keyword Filtering scan
      • File Filtering in the Attachment scan
    • The Rejected mailhost list
      This list contains server names and IP addresses that have been blocked. Antigen examines the message sender against the Rejected mailhost list to determine whether the message sender has been blocked.
  • The Content Filtering scan
    Content Filtering includes the following filters that are created by the Antigen administrator:
    • Sender-domain Filtering
      When Sender-Domain Filtering is enabled, Antigen examines the message sender against the senders and the domains that an Antigen administrator has added to the Sender-Domain Filtering list. If the message does not match any entries in the Sender-Domain Filtering list, Antigen examines the message against the Subject Line Filtering list.
    • Subject Line Filtering
      When Subject Line Filtering is enabled, Antigen examines the contents of the message's subject line against the words that an Antigen administrator has added to the Subject Line Filtering list.
  • The Keyword Filtering scan
    Antigen examines the contents of the message against the Keyword Filtering list. By default, the Keyword Filtering list contains most forms of profanity. The Keyword Filtering list also contains words and phrases that refer to racial discrimination, to sexual discrimination, and to spam. The Antigen administrator can add words or phrases to this list.
  • The Attachment scan
    If the message has an attachment, Antigen uses the following features to scan the attachment for worms and viruses:
    • Worm Purge
      The Worm Purge tool maintains the WormPrge.dat file. This file contains a list of known worms. This list is regularly updated and maintained by Antigen. Antigen examines the contents of the message against the list that is maintained by Worm Purge.
    • File Filtering
      When File Filtering is enabled, Antigen examines the contents of the message against the File Filter list. The File Filter list is a list of known worms that is maintained by the Antigen administrator.
    • Virus cleaning
      Virus cleaning will ALWAYS be performed. If the attachment does not contain a worm, Antigen scans the attachment for viruses. Antigen uses multiple virus scan engines to determine whether the attachment contains a virus.
  • The Body scan
    Antigen examines the body of the message against the worm list that is maintained by Worm Purge. Then, Antigen scans the body for viruses.
Note Forefront Security for Exchange Server performs the same scanning order as Antigen. However, it does not perform spam scanning because those features are not available in Forefront Security.
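
The following Python sketch is an added illustration, not Microsoft or Antigen code. It models the documented order and the Allowed Senders Note (only Keyword Filtering and File Filtering can be skipped) to show which stages still run for a given message. The function names, the exact-match rule for addresses and domains, and the sample addresses are assumptions made for this example.

```python
# Model of the scan order described in this article (illustrative only).
# The Allowed Senders check itself runs first and is handled by scan_plan().
SCAN_ORDER = [
    "SpamCure engine",
    "Mailhost Filtering",
    "Content Filtering",
    "Keyword Filtering",
    "Attachment: Worm Purge",
    "Attachment: File Filtering",
    "Attachment: Virus cleaning",
    "Body scan",
]

# Per the article's Note, Allowed Senders can skip only these two stages.
SKIPPABLE = {"Keyword Filtering", "Attachment: File Filtering"}


def is_allowed_sender(sender, allowed):
    """Exact match of the address or its domain (assumed matching rule)."""
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    entries = {entry.strip().lower() for entry in allowed}
    return sender in entries or domain in entries


def scan_plan(sender, has_attachment, allowed=(), bypass=()):
    """Return, in order, the stages that still run for this message."""
    bypass = set(bypass)
    illegal = bypass - SKIPPABLE
    if illegal:
        # Virus cleaning, Worm Purge and the rest cannot be bypassed this way.
        raise ValueError(f"not skippable via Allowed Senders: {sorted(illegal)}")
    skip = bypass if is_allowed_sender(sender, allowed) else set()
    plan = []
    for stage in SCAN_ORDER:
        if stage.startswith("Attachment:") and not has_attachment:
            continue  # the Attachment scan applies only when one is present
        if stage not in skip:
            plan.append(stage)
    return plan


if __name__ == "__main__":
    # Constructed sample: an allowed domain with both skippable filters bypassed.
    for stage in scan_plan("alice@example.test", True,
                           allowed=["example.test"], bypass=SKIPPABLE):
        print(stage)
```

Reviewing the plan for each Allowed Senders entry makes it visible that worm and virus scanning still run for allowed senders, while keyword and file filtering do not.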

APPLIES TO
  • Microsoft Forefront Security for Exchange Server
  • Microsoft Antigen for Exchange
  • Microsoft Antigen for SMTP Gateways
  • Sybari Antigen 8.0 for Microsoft Exchange
  • Sybari Antigen 8.0 for SMTP Gateways
Keywords: kbhowto KB906031
 
