Elczar Adame's Shared Points on SharePoint


SharePoint Keyword Filtering in ForeFront

With the aid of Microsoft ForeFront Server Security for SharePoint we could easily identify unwanted and prohibited contents in our SharePoint web application, including Word, Excel, PowerPoint, and other document types. By defining keyword filters, we can sort out documents based on words, phrases, and sentences.

This paper attempts to guide us on the two major steps in creating keyword filter in Microsoft ForeFront Security for SharePoint: creation and configuration of keyword list. Likewise, a demonstration video is available for download in a limited number of days.

Keyword List Creation

1.      Let us start by opening our Microsoft ForeFront Server Security for SharePoint.

2.      In the Filtering section of the shuttle navigator, click the Filter Lists icon.

3.      In the List Types pane, as illustrated below, select Keywords.


4.      Let us click the Add button in the List Names pane. For demonstration purposes, let us name our new list as Prohibited, and then press Enter.

5.      With the Prohibited list selected, let us click the edit button. Notice that the Edit Filter List dialog box will appear.

6.      In the Edit Filter List dialog box, as illustrated below, let us click the Add button in the Include In Filter section. For demonstration purposes, let us type a word Malevolent, and then press Enter.

We can include a word, a phrase, or an expression in a filter list. In an expression, a query contains operators that separate text tokens, including _AND_, _NOT_, _ANDNOT_, et al. There must be a space between an operator and a keyword. Example: Malicious<space>_AND_<space>Horrible.

The Help file of ForeFront provides us comprehensive channel in formulating a filter expression. In addition, to aid us in filtering for profanity, filter lists in various languages are included with the product. I will try to provide you a guide on this in my subsequent paper.

Moreover, we can create our filter list offline in Notepad or a similar text editor and then import it to an appropriate filter list. And with same token, we can export our existing filter list to Notepad using the Forefront Server Security Administrator.



7.      Finally, let us click the Add button. We will have now a keyword Malevolent defined under a keyword list Prohibited.

Keyword List Configuration

The next step is to configure the keyword list we have created.

1.      Still in the Filtering section of the shuttle navigator, click the Keyword icon. Below is the illustration.


2.      In the top pane, for demonstration purposes, let us select the SharePoint (Manual Scan Job) as a scan job for which we will enable our Prohibited keyword filter list.

3.      In the Keyword Fields section, let us select Text/HTML/Word/PowerPoint Documents. And in the Filter Lists section, let us select Prohibited filter list.

4.      In the right section of our keyword window, set the Filter field to Enabled, the Action field to Skip: Detect Only, uncheck the Send Notification, and check the Quarantine.

The Maximum Unique Keyword Hits in the Filter Lists section enables us to specify the number of times a keyword much match for the action to be taken.

The following table describes the Action options we could set of each keyword list:

Skip: Detect Only

Logs the messages that meet the filter criteria. However, if Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, as illustrated below, a match to any of those conditions will cause the item to be deleted.

Block: Prevent Transfer

Prevents the transfer of a file that meets the filter criteria. This action is for Realtime scans only.

Delete: Remove Infection

Deletes the contents of the file and replaces it with the Deletion Text. This action is for Manual scans only.



5.      To confirm the configuration, let us click Save.

To check the filter we have defined, let us create a Word document having a word Malevolent in its content, and then upload it in a document library in our SharePoint site. Subsequently, let us open our ForeFront Server Security Administrator, and in the Operate shuttle navigator, let us click the Quick Scan icon. Select the corresponding Web application in the explorer pane, select corresponding File Scanners, set the Bias field to Favor Certainty – notwithstanding that it is not used in file filtering, and the Action field to Skip: Detect Only. Lastly, uncheck the Send Notifications option, and check the Quarantine Files. Below is the illustration.


The bias setting directs the number of engines are needed to provide you with an acceptable probability that our SharePoint Web application is protected. It only applies to virus scanning and not used in file filtering. Below are the possible bias settings:

Maximum Performance

For fastest performance, it scans with only one of the selected engines.

Favor Performance

Fluctuates between scanning with one of the selected engines and half of them.


For a balance security and performance, scans with at least half of the selected engines.

Favor Certainty

Scans with all available selected engines. If an engine is not available because it is being updated, it continues to scan with all of the remaining engines.

Maximum Certainty

Scans with all of the selected engines. If an engine is not available because it is being updated, files are queued until the engine is once again ready to scan them.


And there we go! Let us just click the Run button and the malicious document we have uploaded will be detected and it will be logged in the Quarantine under the Report shuttle navigator.

Hoping this piece would help.




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Tag Cloud

%d bloggers like this: