Configuring Edge Transport Rules to Manage Viruses
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2006-09-15
This topic provides an overview of how Microsoft Exchange Server 2007 uses the Edge Rules agent and transport rules to help you protect your organization from viruses.
New viruses threaten organizations every day. Antivirus vendors and administrators must react to each new threat as it appears, and the sooner they respond, the less damage the virus can do. However, there is inevitably a gap between the time a virus appears and the time a solution, such as an updated signature, becomes available. A threat that falls into this gap, when the virus remains unrecognized by deployed defenses and unresolved, is called a zero-day virus threat.
At the same time, viruses that have circulated on the Internet for many years continue to pose a significant threat. Although antivirus scanners identify the vast majority of these viruses, a scanner may be taken offline by mistake, left running with out-of-date definitions, or fail in other ways that make it unavailable.
The transport rules that run on computers that run the Edge Transport server role are designed to help you manage and control zero-day virus threats and pre-existing or ongoing virus threats.
For more information about transport rules, see the following topics:
Most viruses carry unique characteristics that identify them, such as a specific e-mail address in the From: message header field, a specific subject, or a particular attachment. You can configure transport rules to identify potentially harmful messages by these characteristics and perform a specific action on them. Available actions include sending the message to a quarantine mailbox, deleting it completely, or simply adding a warning to the subject.
It's important to maximize the number of infected messages that you identify in your perimeter network on Edge Transport servers to reduce the cost of processing the messages after they have entered the Exchange organization. If you can identify an infected message on Edge Transport servers and either reject or delete it, you don't incur the cost of storing the message on your internal servers or the cost of scanning the message for viruses.
When you create a new transport rule to identify virus threats, you should examine the reports that are published about the virus and look for unique characteristics that identify the virus and that could be used in a transport rule. The following list describes some unique characteristics that a virus may contain:
A limited number of strings in the subject or message body
A specific e-mail address in either the From: header field or To: header field
A specific message header field that has a specific value
|While you may be able to identify unique characteristics about a particular virus, you must make sure that these characteristics do not match any content that may exist in legitimate messages.|
For more information about the types of message content that can be examined by transport rules on an Edge Transport server, see Transport Rule Predicates.
After you have identified the unique characteristics of a virus, you can create a transport rule to perform actions on it. The actions that you perform on specific messages depend on your organization's policies.
|If you decide to drop an SMTP connection, delete a message, or reject a message, you can't retrieve it. If you want to prevent the message from being delivered, but do not want to delete it, configure the rule to deliver the message to a quarantine mailbox.|
For more information about the actions available on transport rules on an Edge Transport server, see Transport Rule Actions.
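The following Exchange Management Shell example, added here and not part of the original topic, puts the steps above together: it builds a transport rule on an Edge Transport server from constructed virus characteristics (the subject strings, the X-Mailer header value, and the exception address are invented for illustration and should be replaced with the indicators from the published virus report), quarantines matching messages rather than deleting them, and adds a lower-priority rule that only tags the subject when a weaker indicator matches. The cmdlets, predicate names and action names are those of Exchange Server 2007; the rule and mailbox names are assumptions.

```powershell
# Added example (not from the original topic). Run in the Exchange Management
# Shell on the Edge Transport server. Edge rules live in the server's local
# ADAM/AD LDS instance and are not replicated, so repeat this on each Edge server.

# Constructed indicators for a hypothetical worm; take real values from the
# vendor's report and check them against known-good mail first (see the note
# above about matching legitimate content).
$SubjectWords = @("Re: Your document", "Delivery Status Notification (Fail)")
$HeaderName   = "X-Mailer"
$HeaderWords  = @("MassMail 1.0")

# Conditions: every predicate passed in -Conditions must match (logical AND).
# The strings inside one Words array are alternatives (logical OR).
$SubjectCond = Get-TransportRulePredicate SubjectContains
$SubjectCond.Words = $SubjectWords

$HeaderCond = Get-TransportRulePredicate HeaderContains
$HeaderCond.MessageHeader = $HeaderName
$HeaderCond.Words = $HeaderWords

# Exception: mail from the security team's (constructed) address is never
# quarantined, so sample submissions are not swallowed by the rule.
$SecurityTeam = Get-TransportRulePredicate FromAddressContains
$SecurityTeam.Words = @("security-team@contoso.com")

# Quarantine keeps a copy that an administrator can review and release;
# DeleteMessage and RejectMessage cannot be undone.
$Quarantine = Get-TransportRuleAction Quarantine

New-TransportRule -Name "Quarantine-Worm-Fingerprint" `
    -Comments "Constructed zero-day indicators; watch the quarantine mailbox for false positives" `
    -Conditions @($SubjectCond, $HeaderCond) `
    -Exceptions @($SecurityTeam) `
    -Actions @($Quarantine) `
    -Priority 0 -Enabled $true

# The Quarantine action delivers to the quarantine mailbox configured for the
# Edge server's content filter; the address here is an assumption.
Set-ContentFilterConfig -QuarantineMailbox "quarantine@contoso.com"

# Weaker indicator, lower priority: only the subject string, so tag rather
# than block. Priority 0 runs first, so quarantined mail never gets this far.
$WeakSubject = Get-TransportRulePredicate SubjectContains
$WeakSubject.Words = @("Re: Your document")

$Tag = Get-TransportRuleAction PrependSubject
$Tag.Prefix = "[SUSPECT] "

New-TransportRule -Name "Tag-Worm-Subject" `
    -Conditions @($WeakSubject) `
    -Actions @($Tag) `
    -Priority 1 -Enabled $true

# Verify what was created before trusting it with production mail.
Get-TransportRule | Format-List Name, Priority, Enabled, Conditions, Exceptions, Actions
```

If the indicators turn out to match legitimate mail, `Disable-TransportRule "Quarantine-Worm-Fingerprint"` stops the rule without losing its definition, and messages already in the quarantine mailbox can still be released to their recipients.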
For more information about how to manage and configure transport rules that are used to identify and perform actions on messages that may be infected with viruses, see the following topics:
The following topics provide additional information that will help you manage and enhance transport rules:
Transport messaging policies are also enhanced by, or available as a service from, Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:
Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
Hosted Archive, which helps them satisfy retention requirements for compliance
Hosted Encryption, which helps them encrypt data to preserve confidentiality
Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations
These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.