
Synopsis

Enables you to set the configuration for the transport scan.

Syntax

Set-FseTransportScan [-AVStamping <Boolean>] [-Bypass <Boolean>] [-DocFilesAsContainers <Boolean>] [-Enabled <Boolean>] [-EnableFileFiltering <Boolean>] [-EnableHeaderFiltering <Boolean>] [-EnableKeywordFiltering <Boolean>] [-EnableKeywordFilteringCaseSensitive <Boolean>] [-EnableKeywordFilteringInbound <Boolean>] [-EnableKeywordFilteringOutbound <Boolean>] [-EnableScanningInbound <Boolean>] [-EnableScanningInternal <System.Nullable`1[System.Boolean]>] [-EnableScanningOutbound <Boolean>] [-EnableSpywareScan <Boolean>] [-EnableVirusScan <Boolean>] [-EnableVirusScanInbound <Boolean>] [-EnableVirusScanOutbound <Boolean>] [-EnableWormPurge <Boolean>] [-EngineUsagePolicy <EngineUsageEnum>] [-FileFilteringDeletionText <string>] [-FileFilteringSkipScanOfCompressedFiles <Boolean>] [-IllegalMIMEHeaderAction <IllegalHeaderActionEnum>] [-IllegalMIMEHeaderQuarantine <Boolean>] [-IPMReplicationMessages <Boolean>] [-MalwareDeletionText <string>] [-MaxContainerScanTime <int>] [-ProcessCount <int>] [-PurgeMessageIfBodyDeleted <Boolean>] [-RescanFromHostedService <Boolean>] [-SenderInformation <SenderInformationEnum>] [-SpywareAction <SpywareActionEnum>] [-SpywareQuarantine <Boolean>] [-SuppressMalwareNotifications <Boolean>] [-TagTextHeader <string>] [-TagTextSubject <string>] [-Timeout <int>] [-TimeOutAction <TransportScanErrorActionEnum>] [-VirusAction <VirusActionEnum>] [-VirusQuarantine <Boolean>] [-VirusRescan <Boolean>] [<CommonParameters>]

Detailed Description

Enables you to customize the transport scan. Parameters you can set include: enabling virus scanning, directional scanning, number of processes, AV stamping, container scanning, time-out time and action, engine usage policy, virus detection action, quarantining, and filtering. In addition, you can enable or disable the transport scan.

Parameters

-AVStamping [<Boolean>]

Indicates whether messages are stamped with an AV Stamp during an antivirus scan. Optional. If a message or file is virus-free, or if a virus was deleted, or if the message or file was successfully cleaned, the stamp is applied. The possible values are $false and $true. The default of $true means that messages contain an AV Stamp if not infected.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-Bypass [<Boolean>]

Specifies whether transport scanning of all e-mail messages should be bypassed. Optional. When you configure Microsoft Forefront Protection 2010 for Exchange Server (FPE) to bypass transport scanning, no virus scanning or filtering will be performed by the transport scan job. When in bypass mode, the transport scan stamps the messages as "virus-free" UNLESS the -AVStamping parameter is disabled. The possible values are $false and $true. The default of $false means that -Bypass is not in effect.

NOTE: This setting should ONLY be used for troubleshooting. In that respect, it is convenient because there is no need to recycle services. However, when -Bypass is set to $true, there is no protection from viruses.

Required?   false
Position?   named
Default value?   false
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-DocFilesAsContainers [<Boolean>]

Specifies whether the transport scan should scan files that use structured storage and the OLE embedded data format (for example, .doc, .xls, .ppt, and .shs) as container files. Optional. The possible values are $false and $true. The default of $false means that files that use structured storage are not scanned as container files.

Required?   false
Position?   named
Default value?   false
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-Enabled [<Boolean>]

Enables or disables the transport scan. Optional. The possible values are $false and $true. The default of $true means that the transport scan is enabled. If this parameter is set to $false, the transport scan does not perform any virus or filter scanning, regardless of the settings of -EnableVirusScan, -EnableScanningInbound, -EnableScanningOutbound, -EnableScanningInternal, -EnableFileFiltering, -EnableHeaderFiltering, and -EnableKeywordFiltering. See the -Bypass parameter for help in troubleshooting the transport scan without disabling it.

NOTE: When the value of this parameter is changed, the services must be recycled before the change takes effect.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableFileFiltering [<Boolean>]

Enables or disables file filtering by the transport scan. Optional. The possible values are $false and $true. The default value of $true indicates that file filtering by the transport scan is enabled. However, if the -Enabled parameter is set to $false, file filtering does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableHeaderFiltering [<Boolean>]

Enables or disables header filtering. Optional. Header filtering includes subject line and sender-domain filters. The possible values are $false and $true. The default of $true indicates that header filtering takes place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   false
Accept wildcard characters?   false

-EnableKeywordFiltering [<Boolean>]

Enables or disables keyword (message body) filtering by the transport scan. Optional. The possible values are $false and $true. The default of $true means that keyword filtering is enabled for the transport scan. If this parameter is set to $false, the transport scan does not perform any keyword scanning, regardless of the settings of -EnableKeywordFilteringInbound and -EnableKeywordFilteringOutbound. For a value of $true to work, -Enabled must be set to $true.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableKeywordFilteringCaseSensitive [<Boolean>]

Enables or disables case-sensitive keyword (message body) filtering by the transport scan. Optional. The possible values are $false and $true. The default of $false means that keyword filtering is normally not case-sensitive.

Required?   false
Position?   named
Default value?   false
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableKeywordFilteringInbound [<Boolean>]

Enables or disables inbound keyword (message body) filtering by the transport scan. Optional. The possible values are $false and $true. The default of $true means that messages inbound from the transport stack are scanned for keyword filter matches. However, if the -Enabled parameter is set to $false, keyword filtering does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableKeywordFilteringOutbound [<Boolean>]

Enables or disables outbound keyword (message body) filtering by the transport scan. Optional. The possible values are $false and $true. The default of $true means that messages outbound from the transport stack are scanned for keyword filter matches. However, if the -Enabled parameter is set to $false, keyword filtering does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableScanningInbound [<Boolean>]

Enables or disables inbound scanning by the transport scan. Optional. The possible values are $false and $true. The default of $true means that messages inbound from the Transport stack are scanned. If this parameter is set to $false, the transport scan does not perform any inbound scanning, regardless of the settings of -EnableVirusScanInbound and -EnableKeywordFilteringInbound. However, if the -Enabled parameter is set to $false, inbound scanning does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableScanningInternal [<System.Nullable`1[System.Boolean]>]

Enables or disables internal scanning by the transport scan. Optional. The possible values are $false and $true. The default of $true means that internal messages from the Transport stack are scanned. However, if the -Enabled parameter is set to $false, internal scanning does not take place.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableScanningOutbound [<Boolean>]

Enables or disables outbound scanning by the transport scan. Optional. The possible values are $false and $true. The default of $true means that messages outbound from the Transport stack are scanned. If this parameter is set to $false, the transport scan does not perform any outbound scanning, regardless of the settings of -EnableVirusScanOutbound and -EnableKeywordFilteringOutbound. However, if the -Enabled parameter is set to $false, outbound scanning does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableSpywareScan [<Boolean>]

Enables or disables spyware scanning. Optional. The possible values are $false and $true. The default of $true indicates that the transport scan uses the Microsoft Antimalware Engine to scan for spyware. A value of $false disables spyware scanning.

If spyware scanning is enabled, you should ensure that the Microsoft Antimalware Engine has been enabled for definition updates. This is done with Set-FseSignatureUpdate.

NOTE: If scanning for spyware is disabled, filtering may still be enabled.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-EnableVirusScan [<Boolean>]

Enables or disables virus scanning as data is being transported to and from the mailbox Store. Optional. The possible values are $false and $true. The default of $true means that the transport scan uses the specified antivirus engines in order to scan for viruses. If this parameter is set to $false, the transport scan does not perform any virus scanning, regardless of the settings of -EnableVirusScanInbound and -EnableVirusScanOutbound. However, if the -Enabled parameter is set to $false, virus scanning does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableVirusScanInbound [<Boolean>]

Enables or disables inbound virus scanning by the transport scan. Optional. The possible values are $false and $true. The default of $true means that messages inbound from the Transport stack are scanned for viruses. However, if either -Enabled or -EnableVirusScan is set to $false, inbound virus scanning does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableVirusScanOutbound [<Boolean>]

Enables or disables outbound virus scanning by the transport scan. Optional. The possible values are $false and $true. The default of $true means that messages outbound from the Transport stack are scanned for viruses. However, if either -Enabled or -EnableVirusScan is set to $false, outbound virus scanning does not take place.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EnableWormPurge [<Boolean>]

Enables or disables worm purging in the transport scan. Optional. The possible values are $false and $true. The default of $true means that if a virus is detected, FPE looks up the virus name in the Worm List. If the virus name is found in the Worm List, the item is purged; otherwise, the normal virus action is taken. If this value is $false, the normal virus action is taken, regardless of whether the virus appears in the Worm List.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-EngineUsagePolicy [<EngineUsageEnum>]

Specifies the intelligent engine selection policy that FPE uses to decide how many engines are to scan content. Optional. Using more engines increases the likelihood that all viruses will be caught. However, the more engines used, the greater the impact on system performance. Engines are specified with Set-FseEngineManagement.

The possible values are:

All - Scan with all of the selected engines.

Available - Scan with all the selected engines that are available; this is the default.

Dynamic - Scan with a dynamically-chosen subset of the selected engines.

One - Scan with one dynamically-selected engine.

The difference between "All" and "Available" is: if an engine is taken offline to be updated, "All" queues the mail flow until the engine is returned to service; "Available" continues scanning with the rest of the engines.

NOTE: The -EngineUsagePolicy used to be called "Bias".

Required?   false
Position?   named
Default value?   Available
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-FileFilteringDeletionText [<string>]

Specifies the text used to replace the contents of a file that was deleted because it matched a file filter. Optional. The default deletion text informs the recipient that a file was removed, and provides the name of the file and the name of the filter that it matched.

The FileFilteringDeletionText parameter enables you to enter your own custom text, including keyword substitution macros, which must be enclosed in apostrophes (for example: -FileFilteringDeletionText "'%File%' was deleted because it matched the '%Filter%' filter").

You can have up to 8,192 characters of deletion text, surrounded by quotation marks.

The default is: "Microsoft Forefront Protection for Exchange Server removed a file since it was found to match a filter. File name: '%File%' Filter name: '%Filter%'"

Required?   false
Position?   named
Default value?   see description
Accept pipeline input?   false
Accept wildcard characters?   false

-FileFilteringSkipScanOfCompressedFiles [<Boolean>]

Specifies the behavior of the "SkipDetect" action when this action is applied to a file filter for a compressed file type. Optional. Use Set-FseTransportFilter to configure filters for the realtime scan. The possible values are $false (the default) and $true.

The standard functionality of FPE is to scan the content of compressed files, applying file filters. If you do not want to apply file filters to the content of compressed files, you can create a file filter and set the action to "SkipDetect". However, this only works, by default, for .zip, JAR and OPENXML files.

To enable this functionality for self-extracting executables, IMCMIME files, .gzip archive files, .rar archive files, TAR archive files, and MACBIN binary files, set the value of this parameter to $true. In that case, if the container matches a file filter whose action was set to "SkipDetect", file filtering does not occur within these additional file types.

See the examples for a detailed description of how the commands work together.

Required?   false
Position?   named
Default value?   false
Accept pipeline input?   false
Accept wildcard characters?   false

-IllegalMIMEHeaderAction [<IllegalHeaderActionEnum>]

Specifies the action to be taken if an illegal MIME header is encountered. Optional. An illegal MIME header has multiple Content-Type, Content-Transfer Encoding, or Content-Disposition headers. This also applies to messages where the Content-Disposition header is longer than 1,024 characters or the Content-Type header is longer than 260 characters.

The possible values are Purge (the default) and Ignore. "Purge" eliminates the message, and "Ignore" allows it to be delivered.

Required?   false
Position?   named
Default value?   Purge
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-IllegalMIMEHeaderQuarantine [<Boolean>]

Specifies whether the transport scan should quarantine messages that have illegal MIME headers. Optional. The possible values are $false and $true. The default of $true means that messages with illegal MIME headers are quarantined.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-IPMReplicationMessages [<Boolean>]

Specifies whether the transport scan should scan interpersonal message (IPM) replication messages. Optional. Exchange uses "Winmail.dat" files for several purposes, for example, facilitating replication between servers (IPM replication messages). You can allow FPE to scan these files for viruses. However, if the transport scan detects an infection and modifies a Winmail.dat file, the public folder replication process fails.

The possible values are $false and $true. The default of $false means that IPM replication messages are not scanned.

Required?   false
Position?   named
Default value?   false
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-MalwareDeletionText [<string>]

Specifies the text used to replace the contents of an infected file during a "Delete" action. Optional. The default deletion text informs you that a file was removed, and provides the name of the file and the name of the malicious software that was found.

The MalwareDeletionText parameter enables you to enter your own custom text, including keyword substitution macros, which must be enclosed in apostrophes (for example: -MalwareDeletionText "This file was infected: '%File%' by the '%Malware%'").

You can have up to 8,192 characters of deletion text, surrounded by quotation marks.

The default is: "Microsoft Forefront Protection for Exchange Server removed a file since it was found to contain malicious software. File name: '%File%' Malware name: '%Malware%'".

Required?   false
Position?   named
Default value?   see description
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-MaxContainerScanTime [<int>]

Indicates how long, in seconds, before the transport scan times out when scanning a compressed attachment. Optional. The valid values are between 60 and 86400 seconds, inclusive. The default value is 120 seconds (two minutes).

Required?   false
Position?   named
Default value?   120
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-ProcessCount [<int>]

Indicates the number of processes you want running per Transport server. Optional. The possible values are integers between 1 and 10. The default value is 4.

Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time, and evaluate the performance at each step.

NOTE: The Microsoft Exchange Transport service must be stopped and then started again for changes to this setting to take effect. Do not use the Restart function.

Required?   false
Position?   named
Default value?   4
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-PurgeMessageIfBodyDeleted [<Boolean>]

Specifies whether the transport scan should delete the entire message if the message body was deleted because of detected malware. Optional. The possible values are $false and $true. The default of $false means that the recipient receives a message containing the deletion text. If the value is $true, the entire message is purged, and the recipient receives nothing.

Required?   false
Position?   named
Default value?   false
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-RescanFromHostedService [<Boolean>]

Specifies whether e-mail is rescanned when it is received from a hosted service, such as Forefront Online Protection for Exchange (FOPE). Optional. The hosted service uses a stamp to indicate if the e-mail has been scanned by the hosting service. The possible values are $false and $true. The default value of $true means that FPE rescans the mail even if the stamp is present. If the value of -RescanFromHostedService is $false, FPE rescans the mail only if the stamp is not present.

Required?   false
Position?   named
Default value?   True
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-SenderInformation [<SenderInformationEnum>]

Indicates the header sender address to be used for the transport scan. Optional. The possible values are "MIME" and "SMTP". The default is "MIME", which means that FPE uses the "MIME FROM: Header" sender address for the transport scan. When MIME is selected and a MIME Sender header is also present, the MIME Sender header information is used.

You can change the value to "SMTP" to use the SMTP Protocol "Transport Protocol MAIL FROM" sender address. When SMTP is selected, the address in that field is used anywhere the sender address is used (for example, for sender or domain content filtering, notifications, or reporting in the UI).

Required?   false
Position?   named
Default value?   MIME
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-SpywareAction [<SpywareActionEnum>]

Indicates the action that should be taken if spyware is detected. Optional. The possible values are SkipDetect, Delete (the default), and Purge.

NOTE: "Delete" causes the contents of an infected file to be replaced with the malware deletion text.

Required?   false
Position?   named
Default value?   Delete
Accept pipeline input?   false
Accept wildcard characters?   false

-SpywareQuarantine [<Boolean>]

Indicates whether a message or file should be quarantined if spyware is detected. Optional. The possible values are $false and $true. The default of $true indicates that a message or file should be quarantined if spyware is found.

NOTE: Messages or files can be quarantined regardless of the value of the -SpywareAction parameter.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-SuppressMalwareNotifications [<Boolean>]

Indicates whether virus or spyware notifications should be sent when malware is detected by this scan job. Optional. The possible values are $false and $true. The default of $false indicates that if virus or spyware notifications are enabled, they are sent. If they were disabled with Set-FseNotification, this parameter has no effect.

Required?   false
Position?   named
Default value?   $false
Accept pipeline input?   false
Accept wildcard characters?   false

-TagTextHeader [<string>]

Specifies the text added to the header of a message (tag text) if it is caught by a filter whose filter action is set to "Identify". Optional. The default header tag text is "Junk-Mail". You may have up to 36 characters of text. Spaces are not allowed.

Required?   false
Position?   named
Default value?   "Junk-Mail"
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-TagTextSubject [<string>]

Specifies the text added to the subject line of a message (tag text) if it is caught by a filter whose filter action is set to "Identify". Optional. The default subject tag text is "SUSPECT:". You may have up to 36 characters of text. If the string contains spaces, surround it with quotation marks.

Required?   false
Position?   named
Default value?   "SUSPECT:"
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-Timeout [<int>]

Indicates the time, in seconds, before the transport scan times out. Optional. The minimum value is 60 seconds, the maximum value is 86400 seconds (24 hours), and the default value is 300 seconds (five minutes).

NOTE: The Microsoft Exchange Transport service must be stopped and then started again for changes to this setting to take effect. Do not use the Restart function.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-TimeOutAction [<TransportScanErrorActionEnum>]

Indicates the action to take if the transport scan times out while scanning a file. Optional. The possible values are Ignore, SkipDetect, and Delete.

The default of "Delete" indicates that the incident is reported and that the contents of the infected file are replaced with the deletion text. "Ignore" means that the file is passed without being scanned.

Required?   false
Position?   named
Default value?   Delete
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-VirusAction [<VirusActionEnum>]

Indicates the action that should be taken if a virus is detected. Optional. The possible values are SkipDetect, Clean (the default), and Delete.

Required?   false
Position?   named
Default value?   Clean
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-VirusQuarantine [<Boolean>]

Indicates whether a message or file should be quarantined if a virus is detected. Optional. The possible values are $false and $true. The default of $true indicates that a message or file should be quarantined if infected.

NOTE: Messages or files can be quarantined regardless of the -VirusAction specified.

Required?   false
Position?   named
Default value?   true
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-VirusRescan [<Boolean>]

Indicates whether the transport scan should rescan messages that have already been scanned. Optional. The possible values are $false and $true. The default of $false indicates that the transport scan does not rescan messages. This setting is used to configure FPE to scan or to skip scanning for messages that were previously scanned by any instance of FPE. Messages that have been scanned and were found to be free of viruses contain an AV Stamp (see the -AVStamping parameter).

Required?   false
Position?   named
Default value?   false
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false
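
The gating rules spread across the parameter descriptions above (-Enabled and -Bypass override everything, the directional and per-feature switches override their children) can be checked in one pass. The following is an added example, not part of the FPE documentation: Test-TransportScanPosture is a hypothetical helper, and it assumes the configuration is supplied as an object whose property names match the parameter names on this page. The sample object is constructed.

```powershell
# Added example. Test-TransportScanPosture is a hypothetical helper, not an FPE cmdlet.
# Assumption: $Config exposes properties named after the Set-FseTransportScan parameters.
function Test-TransportScanPosture {
    param([Parameter(Mandatory=$true)][psobject]$Config)

    # Defaults as documented on this page, used when a property is missing or $null.
    $defaults = @{
        Enabled = $true; Bypass = $false; AVStamping = $true
        EnableScanningInbound = $true; EnableScanningOutbound = $true
        EnableVirusScan = $true; EnableVirusScanInbound = $true; EnableVirusScanOutbound = $true
        EnableKeywordFiltering = $true
        EnableKeywordFilteringInbound = $true; EnableKeywordFilteringOutbound = $true
        EnableFileFiltering = $true
        TimeOutAction = 'Delete'; IllegalMIMEHeaderAction = 'Purge'
    }
    $s = @{}
    foreach ($name in $defaults.Keys) {
        $prop = $Config.PSObject.Properties[$name]
        if ($null -ne $prop -and $null -ne $prop.Value) { $s[$name] = $prop.Value }
        else { $s[$name] = $defaults[$name] }
    }

    # -Enabled gates everything; -Bypass switches off all virus scanning and filtering.
    $active   = $s.Enabled -and -not $s.Bypass
    $inbound  = $active -and $s.EnableScanningInbound
    $outbound = $active -and $s.EnableScanningOutbound
    $virus    = $s.EnableVirusScan
    $keyword  = $s.EnableKeywordFiltering

    $findings = New-Object 'System.Collections.Generic.List[string]'
    if (-not $s.Enabled) {
        $findings.Add('-Enabled is $false: no virus or filter scanning takes place.')
    }
    if ($s.Bypass) {
        $findings.Add('-Bypass is $true: troubleshooting mode, no virus scanning or filtering.')
        if ($s.AVStamping) {
            $findings.Add('-Bypass with -AVStamping $true: unscanned mail is stamped as virus-free.')
        }
    }
    if (-not $virus -and ($s.EnableVirusScanInbound -or $s.EnableVirusScanOutbound)) {
        $findings.Add('-EnableVirusScan is $false: the inbound/outbound virus switches have no effect.')
    }
    if (-not $keyword -and ($s.EnableKeywordFilteringInbound -or $s.EnableKeywordFilteringOutbound)) {
        $findings.Add('-EnableKeywordFiltering is $false: the inbound/outbound keyword switches have no effect.')
    }
    if ("$($s.TimeOutAction)" -eq 'Ignore') {
        $findings.Add('-TimeOutAction is Ignore: a file that times out is passed without being scanned.')
    }
    if ("$($s.IllegalMIMEHeaderAction)" -eq 'Ignore') {
        $findings.Add('-IllegalMIMEHeaderAction is Ignore: messages with illegal MIME headers are delivered.')
    }

    # Effective state after applying every parent switch.
    New-Object PSObject -Property @{
        VirusScanInbound  = [bool]($inbound  -and $virus   -and $s.EnableVirusScanInbound)
        VirusScanOutbound = [bool]($outbound -and $virus   -and $s.EnableVirusScanOutbound)
        KeywordInbound    = [bool]($inbound  -and $keyword -and $s.EnableKeywordFilteringInbound)
        KeywordOutbound   = [bool]($outbound -and $keyword -and $s.EnableKeywordFilteringOutbound)
        FileFiltering     = [bool]($active   -and $s.EnableFileFiltering)
        Findings          = $findings.ToArray()
    }
}

# Constructed sample: a server left in troubleshooting state with a relaxed time-out action.
$sample = New-Object PSObject -Property @{
    Enabled = $true; Bypass = $true; AVStamping = $true
    EnableVirusScan = $false; EnableVirusScanInbound = $true
    TimeOutAction = 'Ignore'
}
Test-TransportScanPosture -Config $sample | Format-List
```

For the constructed sample every effective switch comes back False, and Findings lists the bypass, the virus-free stamping of unscanned mail, the overridden virus switches and the Ignore time-out action.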

Input Type

Return Type

Notes

Examples

EXAMPLE 1

PS> Set-FseTransportScan -ProcessCount 6

There is no output if the command completes successfully.

Description

-----------

Sets the number of processes used by the transport scan to 6 (the default value is 4).

EXAMPLE 2

PS> Set-FseTransportScan -TimeoutAction Ignore -Timeout 600

There is no output if the command completes successfully.

Description

-----------

Changes the time-out action to "Ignore" (the default is "Delete") and indicates that the transport scan should time out after 600 seconds (10 minutes).

EXAMPLE 3

PS> Set-FseTransportScan -TagTextSubject "I DON'T LIKE THIS MESSAGE:" -TagTextHeader "Neither-Do-I"

There is no output if the command completes successfully.

Description

-----------

The phrase "I DON'T LIKE THIS MESSAGE:" is added to the subject line of any message caught by a filter that has an action of "Identify". The phrase "Neither-Do-I" (note that there are no spaces) is added to the header.

EXAMPLE 4

PS> Set-FseTransportScan -MalwareDeletionText "The '%Malware%' was found in the file named '%File%'."

There is no output if the command completes successfully.

Description

-----------

The Deletion Text is changed to the indicated text string. Note the use of the keyword substitution macros '%Malware%' and '%File%'. These are surrounded by percent signs and apostrophes.

EXAMPLE 5

This requires a combination of several commands:

PS> New-FseFilterList -File -List "RahRah" -Item "*.rar"
PS> New-FseFilterList -File -List "Ghi" -Item "ghi.exe"
PS> Set-FseTransportFilter -File -List "RahRah" -Action SkipDetect -Enabled $true
PS> Set-FseTransportFilter -File -List "Ghi" -Action Delete -Enabled $true
PS> Set-FseTransportScan -FileFilteringSkipScanOfCompressedFiles $false -VirusAction "Delete" -Enabled $true

There is no output if the command completes successfully.

Description

-----------

An example of filtering .rar files. Assume a .rar file called "Innocent.rar". It contains three files:

eicar.com

abc.def

ghi.exe

Set up a filter called "RahRah" to look for all files with an extension of ".rar". The filter is assigned to the transport scan with an action of "SkipDetect" if matched.

Set up a filter called "Ghi" to look for all files named "ghi.exe". The filter is assigned to the transport scan with an action of "Delete" if matched.

The -FileFilteringSkipScanOfCompressedFiles parameter is set to $false. Because this is the default, it does not have to be explicitly set.

These are the results when Innocent.rar is scanned:

1) It is caught by "*.rar", but because the action is SkipDetect, it is just noted.

2) The contents are scanned for viruses. Eicar.com will be deleted, because that is the virus action that was set.

3) The contents are subjected to file filters; therefore, "ghi.exe" will be deleted.

Now, assume the -FileFilteringSkipScanOfCompressedFiles parameter had been set to $true.

Everything is exactly the same, except for result 3), which is now: The contents are not subjected to file filters; therefore, "ghi.exe" will not be deleted.
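
The walk-through above, together with the -FileFilteringSkipScanOfCompressedFiles description, can be modelled to see which archive contents a "SkipDetect" container filter exempts from file filtering. This is an added example, not FPE code: Get-ContainerFilterResult is a hypothetical helper that only models the documented behaviour, it keys container types on file extension as a simplification (OPENXML, self-extracting executables, IMCMIME and MACBIN are left out), and the list of infected members is a constructed stand-in for engine detections.

```powershell
# Added example. Get-ContainerFilterResult is a hypothetical model of the behaviour
# described on this page; it does not call FPE or inspect real files.
function Get-ContainerFilterResult {
    param(
        [Parameter(Mandatory=$true)][string]$Container,
        [Parameter(Mandatory=$true)][string[]]$Members,
        [Parameter(Mandatory=$true)][hashtable[]]$Filters,  # @{ Item = '*.rar'; Action = 'SkipDetect' }
        [string[]]$Infected = @(),                          # constructed stand-in for detections
        [bool]$SkipScanOfCompressedFiles = $false
    )

    # Simplification: extensions stand in for the container types named on the page.
    $honouredByDefault = '.zip', '.jar'
    $honouredWhenTrue  = '.rar', '.gz', '.tar'

    $ext = [System.IO.Path]::GetExtension($Container).ToLowerInvariant()
    $containerFilter = $Filters | Where-Object { $Container -like $_.Item } | Select-Object -First 1

    # A Delete filter on the container itself removes it before its contents matter.
    if ($null -ne $containerFilter -and $containerFilter.Action -eq 'Delete') {
        return New-Object PSObject -Property @{ File = $Container; Result = 'Deleted (file filter)' }
    }

    # SkipDetect on the container exempts its contents from file filters only for
    # the default types, or for the additional types when the parameter is $true.
    $skipFilters = $false
    if ($null -ne $containerFilter -and $containerFilter.Action -eq 'SkipDetect') {
        $skipFilters = ($honouredByDefault -contains $ext) -or
                       ($SkipScanOfCompressedFiles -and ($honouredWhenTrue -contains $ext))
    }

    foreach ($member in $Members) {
        $result = 'Delivered'
        if ($Infected -contains $member) {
            # Virus scanning of the contents happens in both cases.
            $result = 'Deleted (virus action)'
        }
        elseif (-not $skipFilters) {
            $hit = $Filters | Where-Object { $_.Action -eq 'Delete' -and $member -like $_.Item } |
                   Select-Object -First 1
            if ($null -ne $hit) { $result = "Deleted (file filter $($hit.Item))" }
        }
        New-Object PSObject -Property @{ File = $member; Result = $result }
    }
}

# The filters and archive from EXAMPLE 5; eicar.com is marked infected by construction.
$filters = @{ Item = '*.rar'; Action = 'SkipDetect' }, @{ Item = 'ghi.exe'; Action = 'Delete' }
$members = 'eicar.com', 'abc.def', 'ghi.exe'

foreach ($flag in $false, $true) {
    "FileFilteringSkipScanOfCompressedFiles = $flag"
    Get-ContainerFilterResult -Container 'Innocent.rar' -Members $members -Filters $filters `
        -Infected 'eicar.com' -SkipScanOfCompressedFiles $flag |
        Format-Table File, Result -AutoSize
}
```

With the flag at $false, ghi.exe is removed by the "Ghi" filter; with $true it is delivered, while eicar.com is deleted by the virus action in both runs.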