Where’s my worm gone?

As I’m writing this blog, the Antigen/Forefront Worm List was last updated over 3 months ago. Don’t be alarmed – this is quite normal. The Worm List isn’t really a “scan engine”, you see, and doesn’t need to update so often.

And why might that be? Well, let’s examine what the Worm List is used for first.

The Worm List does what it says on the tin: it’s a list of worms. When a scan engine detects a virus and returns a virus name to Antigen/Forefront, it’s compared to this Worm List to see if the virus is a worm or a non-worm virus. If there is a match between the detected virus’ name and the Worm List, Antigen/Forefront will perform a ‘Purge’ (as opposed to a ‘Delete’) action. ‘Purge’ removes the entire mail, whereas ‘Delete’ removes only the infected content (e.g. the attachment), by the way.

If you ever open the Worm List (wormprge.dat) in Notepad, you’ll notice that not only are there many virus names here, but some include asterisks (*) that represent wildcards. The entry *sdbot.*, for example, will match all manner of ‘SDBot’ detections, including:

· Win32/SDBot.ZD (Microsoft)

· Backdoor.Win32.SdBot.aad (Kaspersky)

· WORM_SDBOT.EXT (Trend Micro)

· W32/Sdbot.worm.gen.t (McAfee)

Different variants of a virus can therefore be matched to a single Worm List entry by using wildcards. Not only is this more efficient for processing, but it also means that the Worm List does not need to be updated nearly as often as the scan engines. You will typically see an update of the Worm List only once every few months.

Incidentally, if you ever need to add to the Worm List yourself, we recommend that you create a Custom Worm List, as outlined in the following User Guides (see the ‘Creating a custom worm purge list’ section):

Purging messages infected by worms (Antigen for Exchange Server User Guide)

Purging messages infected by worms (Forefront Security for Exchange Server User Guide)

You might want to do this if a new virus is detected, but not purged, for example. Use of this custom list is recommended over amending the normal Worm List, since subsequent engine updates will not overwrite it.
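To make the matching rules above concrete, here is an added example (not Antigen/Forefront code; the product’s real parser is not on this page). It assumes the file format is one name pattern per line, that ‘*’ is the only wildcard, that matching is case-insensitive and must cover the whole virus name, and that a separately maintained custom list is simply consulted alongside the default one. All list contents and virus names are constructed for the example, apart from the four SDBot names quoted above.

```python
"""Hypothetical re-implementation of the Antigen/Forefront Worm List check.

Added example, not Microsoft's code. Assumptions (not confirmed by the page):
one pattern per line, blank lines ignored, '*' is the only wildcard, the whole
virus name must match, and matching is case-insensitive (the page's four SDBot
examples differ only in case, so the real product must ignore case too).
"""
import re
from typing import List, Optional, Sequence

# Constructed stand-in for wormprge.dat (the shipped file is not on the page).
DEFAULT_WORM_LIST = """
*sdbot.*
*netsky*
*mydoom*
"""

# Constructed custom worm purge list: kept in its own file so an engine update
# that replaces wormprge.dat does not overwrite the administrator's additions.
CUSTOM_WORM_LIST = """
*examplenewworm*
"""


def parse_worm_list(text: str) -> List[str]:
    """Return the non-empty, whitespace-trimmed pattern lines of a list."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn a '*'-wildcard entry into an anchored, case-insensitive regex.

    Everything except '*' is escaped, so '.' in '*sdbot.*' is a literal dot.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(rf"^{regex}$", re.IGNORECASE)


class WormList:
    """Default list plus any custom lists, checked in the order given."""

    def __init__(self, *sources: str) -> None:
        self.patterns: List[str] = []
        for src in sources:
            self.patterns.extend(parse_worm_list(src))
        self._compiled = [(p, compile_pattern(p)) for p in self.patterns]

    def match(self, virus_name: str) -> Optional[str]:
        """Return the first list entry matching the engine's virus name, if any."""
        for raw, rx in self._compiled:
            if rx.match(virus_name):
                return raw
        return None

    def action_for(self, virus_name: str) -> str:
        """'Purge' (drop the whole mail) for worms, 'Delete' (strip the
        infected content only) for every other detection."""
        return "Purge" if self.match(virus_name) else "Delete"


def classify_detection(virus_name: str,
                       sources: Sequence[str] = (DEFAULT_WORM_LIST,
                                                 CUSTOM_WORM_LIST)) -> str:
    """Convenience wrapper: the action Antigen/Forefront would take for a name."""
    return WormList(*sources).action_for(virus_name)


if __name__ == "__main__":
    # The four vendor names from the post, a non-worm detection, a custom entry,
    # and a name that contains 'sdbot' but not 'sdbot.' (so '*sdbot.*' misses it).
    for name in ("Win32/SDBot.ZD", "Backdoor.Win32.SdBot.aad", "WORM_SDBOT.EXT",
                 "W32/Sdbot.worm.gen.t", "EICAR-Test-File",
                 "Worm:Win32/ExampleNewWorm.A", "Win32/SDBotX"):
        print(f"{name:32} -> {classify_detection(name)}")
```

The last name in the demo shows why the wildcard placement matters: `*sdbot.*` requires a literal dot after ‘sdbot’, so a detection name without that dot falls through to ‘Delete’. When adding your own entries to a custom list, test them against the exact strings your engines return.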

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

Comments

  • Anonymous
    June 07, 2011
    Hello, how does it work on a cluster? I have an Exchange cluster with Forefront Security Server for Exchange, but the fss-Worms-List task exists on both nodes and runs regardless of whether the node is active or not... This is causing an issue as it is starting the FCSMonitor/FCSController services on an inactive node, which is detected as a critical error by SCOM... Any clue on this matter? Thanks, Dom