SQL database fields used by Sharepoint Server for virus scanning with Symantec Protection for Sharepoint Servers


Article ID: 152971


Products

Protection for SharePoint Servers

Issue/Introduction

You want to know how SharePoint 2007, 2010 and 2013 update the SQL database fields for documents scanned by Scan Engine via its Protection for SharePoint Servers connector.

 

Resolution

Database fields

In the MS-SQL database holding your SharePoint site (AllDocs table), four fields contain virus-related information for each stored document, as also described in Microsoft's MSDN article:

  1. VirusVendorID: The identifier of the virus scanner that processed this document. This value MUST be NULL if this document has not been processed by a virus scanner.
     
  2. VirusStatus: An enumerated type specifying the current virus check status of this document. This value MUST be NULL if the document has not been processed by a virus scanner. See Virus Status in the Flags section for a list of valid values.
     
  3. VirusInfo: A string containing a provider-specific message returned by the virus scanner when it last processed the document. This value MUST be NULL if the document has not been processed by a virus scanner.
     
  4. HasStream: A calculated bit indicating whether the document has an associated document stream. This MUST be set to "1" if:
     - The SetupPath is NULL and the document's Document Store Type is 0 (file) and it is allowed to contain a stream.
     - If neither condition applies, the value MUST be "0".

 

 

Please note that the above database fields are always present in a SharePoint database, even if no antivirus for SharePoint is installed.

 

 

Conditions for scanning

All objects in a SharePoint database where "VirusStatus" is NULL and "HasStream" is "1" require a virus scan, whether realtime or manual.

 

 

Sample SQL query

If you want to see the "VirusStatus" value of a specific document of which you know (part of) the name, the following SQL query can be used:

select LeafName,VirusVendorID,VirusStatus,VirusInfo from WSS_Content.dbo.AllDocs where (LeafName like '%<keyword>%');

Note: replace <keyword> with part of the document's file name.

 

 

The VirusStatus field

The following table describes each of the values the "VirusStatus" database field can contain, as also described in Microsoft's MSDN article:

"Virus Status" is a 4-byte, integer enumerated type that specifies the current virus scan status of a document. The following are valid values for Virus Status.

| Value | Description |
| --- | --- |
| 0 | This document is reported as clean from viruses |
| 1 | This document had a virus reported by the virus scanner plug-in |
| 2 | This document had a virus reported by the virus scanner plug-in, which the scanner determines that it can remove |
| 3 | This document had a virus previously reported, but the virus scanner determines that it successfully removed it |
| 4 | This document had a virus reported, and the virus scanner attempted to clean it but failed |
| 5 | This document had a virus reported, and the scanner requested that the document be deleted |
| 6 | This document had a timeout from the virus scanner when it was last processed |
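
The "Conditions for scanning" rule and the VirusStatus values above can be combined into a read-only triage query. This is an added example, not part of the original article; it assumes the WSS_Content database name used in the sample query and the AllDocs column DirName, which the article does not mention.

```sql
-- Added example: read-only triage of antivirus scan state in a content database.
-- Assumption: the content database is named WSS_Content, as in the article's query.
-- NOLOCK keeps these reads from blocking the farm; run against a copy where possible.
USE WSS_Content;

-- 1) How many stream-bearing documents are in each scan state.
--    NULL + HasStream = 1 is the "requires a virus scan" condition from the article.
SELECT
    CASE
        WHEN d.VirusStatus IS NULL THEN 'NULL - not yet scanned (scan required)'
        WHEN d.VirusStatus = 0 THEN '0 - clean'
        WHEN d.VirusStatus = 1 THEN '1 - virus reported'
        WHEN d.VirusStatus = 2 THEN '2 - virus reported, scanner can remove it'
        WHEN d.VirusStatus = 3 THEN '3 - virus previously reported, removed'
        WHEN d.VirusStatus = 4 THEN '4 - virus reported, clean attempt failed'
        WHEN d.VirusStatus = 5 THEN '5 - virus reported, deletion requested'
        WHEN d.VirusStatus = 6 THEN '6 - scanner timeout on last scan'
        ELSE CAST(d.VirusStatus AS varchar(12)) + ' - unexpected value'
    END      AS ScanState,
    COUNT(*) AS Documents
FROM dbo.AllDocs AS d WITH (NOLOCK)
WHERE d.HasStream = 1
GROUP BY d.VirusStatus
ORDER BY d.VirusStatus;

-- 2) Documents that need follow-up: still flagged as infected (1, 2, 4, 5)
--    or left at 6 because the scanner was unavailable or timed out.
--    VirusInfo carries the provider message, e.g. the SPSS "Code:8000" text.
--    DirName (assumed column, not in the article) gives the folder path.
SELECT
    d.DirName,
    d.LeafName,
    d.VirusVendorID,
    d.VirusStatus,
    d.VirusInfo
FROM dbo.AllDocs AS d WITH (NOLOCK)
WHERE d.HasStream = 1
  AND d.VirusStatus IN (1, 2, 4, 5, 6)
ORDER BY d.VirusStatus, d.DirName, d.LeafName;
```

Rows returned by the second query with VirusStatus 6 correspond to the "virus scanner not available" outcomes in the scenarios below.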

 

 

 

 

 

 

 

Case scenarios: infected files

Notes

After each test involving the upload of an infected file to Sharepoint, the same file was then removed from *all* Recycle Bins (User + Site collection).
As long as the file exists on the Sharepoint database (i.e. it's still in a recycle bin) and has already received a virus "verdict", its virus-related information will remain on the database.

SPSS: Symantec Protection for Sharepoint Servers
SSE: Symantec Scan Engine

The scenarios below are based on the following deployment:
- Sharepoint Server 2007 installed on two farm servers.
- Scan Engine installed on one server.
- Symantec Protection for Sharepoint Servers 5.1.4 installed on both servers. 

 

Results matrix

| Scan Engine | SPSS | Scan on upload | Scan on download | Bypass scan | Eicar upload | Eicar download | VirusStatus |
| --- | --- | --- | --- | --- | --- | --- | --- |
| running | running | disabled | enabled | disabled | ok | error: virus found | 2 |
| running | not running | disabled | enabled | disabled | ok | error: virus scanner not available | 6 |
| not running | running | disabled | enabled | disabled | ok | error: virus scanner not available | 6 |
| not running | running | disabled | enabled | enabled | ok | error: virus scanner not available | 6 |

 

 

Details on scenarios reproduction

 

 

Scenario A

Configuration:

  • SPSS connector and SSE scanner are available
  • Sharepoint Server Antivirus settings: disabled on upload and enabled on download 
  • No bypass options set in SPSS

Steps:

  1. Upload eicar.com.txt file to a document library
  2. Check "VirusStatus": NULL
  3. Attempt to download the file: message "virus found" is displayed
  4. Check database: 

     

_____________________________________________________________________________________________________________

Scenario B

Configuration:

  • SPSS connector and SSE scanner are available
  • Sharepoint Server Antivirus settings: disabled on upload and enabled on download 
  • No bypass options set in SPSS

Steps: 

  1. Upload eicar.com.txt file to a document library
  2. Stop SPSS service on one server only
  3. Attempt to download the file: message "virus found" is displayed
  4. Check VirusStatus: (note the different VirusVendorID) 
     

_____________________________________________________________________________________________________________

Scenario C

Configuration:

  • SPSS connector and SSE scanner are available
  • Sharepoint Server Antivirus settings: disabled on upload and enabled on download 
  • No bypass options set in SPSS

Steps: 

  1. Upload eicar.com.txt file to a document library
  2. Stop SPSS service on both servers
  3. Attempt to download the file: message displayed: "The installed virus scanner is currently unavailable."
  4. Note that the file cannot be downloaded
  5. Check VirusStatus:
     
    VirusInfo = The connection to the Symantec SharePoint Security Service cannot be established. Please check the status of the Symantec SharePoint Security Service or contact your administrator for more information. Code:8000
  6. Start SPSS service on both servers and wait at least 5 minutes.
  7. Attempt to download the file: message "virus found" is displayed
  8. Check VirusStatus: (note again the different VirusVendorID)

     


_____________________________________________________________________________________________________________

Scenario D

Configuration:

  • SPSS connector and SSE scanner are available
  • Sharepoint Server Antivirus settings: disabled on upload and enabled on download 
  • No bypass options set in SPSS

Steps: 

  1. Upload eicar.com.txt file to a document library
  2. Stop SSE service on the (only) server
  3. Attempt to download the file: message displayed: "The installed virus scanner is currently unavailable."
  4. Note that the file cannot be downloaded
  5. Check VirusStatus:

    VirusInfo =  All virus scanners are at maximum load. Please try again later. The file has not been saved. Please contact your administrator for more information.   Code:8003

 

_____________________________________________________________________________________________________________

Scenario E

Configuration:

  • SPSS connector and SSE scanner are available
  • Sharepoint Server Antivirus settings: disabled on upload and enabled on download 
  • SPSS set to: "Bypass scanning when all scan engines are busy or offline"

Steps: 

  1. Upload eicar.com.txt file to a document library
  2. Stop SSE service on the (only) server
  3. Attempt to download the file: message displayed: "The installed virus scanner is currently unavailable."
    • Note that the file cannot be downloaded
  4. "VirusStatus" value = 6
  5. The antivirus settings in SharePoint Central Administration (CA) make scanning on download mandatory, so that setting takes priority over the SPSS bypass settings.
    • Note that this behavior is not affected by the "Bypass scanning when all scan engines are disabled" setting in SPSS either.
  6. Start SSE service
  7. Attempt to download the same eicar.com.txt file uploaded at step 1. The message "virus scanner unavailable" is still displayed.
    • Also the VirusStatus value hasn't changed ("6")
  8. Enable the option "Allow users to download infected documents" in the global Sharepoint Antivirus settings
  9. The file can now be downloaded, and a "virus found" message is also displayed
    • VirusStatus value also changes to "2"