Microsoft Forefront Security for Exchange Server Evaluation Guide

Applies to: Forefront Security for Exchange Server

Summary: Designed especially for technology evaluators, this guide provides instructions and evaluation materials for Microsoft® Forefront™ Security for Exchange Server. It is intended to help evaluators assess the scope and functionality of Forefront Security for Exchange Server through a hands-on feature review.

Executive Summary

In Microsoft® Exchange Server, viruses can enter the environment in e-mail file attachments, e-mail bodies, and Public Folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange Transport stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real time with minimal impact on server performance or message delivery times. Microsoft® Forefront Security™ for Exchange Server is the solution for protecting Exchange environments.

Forefront Security for Exchange Server is uniquely suited for Exchange Server 2007 environments. It uses the Exchange Virus Scanning Application Programming Interface (VSAPI) to deeply integrate with Exchange servers to provide comprehensive protection.

Forefront Security for Exchange Server provides powerful features that include:

  1. Antivirus scanning using multiple, integrated antivirus scan engines that are included with the product.

  2. Premium antispam protection through a license to enable the antispam services that are built into Exchange 2007.

  3. Distributed protection on all storage and transport Exchange server roles—namely, at all Edge, Hub, and Mailbox/Public Folder servers.

  4. Protection against new threats with heuristics technology and file filtering by file name, extension, true file type, and file size.

  5. Performance controls for optimizing server speed and availability.

  6. Easy management of product configuration and operation, automated signature updates, and reporting across the enterprise.

Forefront Security for Exchange Server provides comprehensive protection for your messaging servers and is the antivirus solution for Exchange 2007 environments.

This guide provides a step-by-step explanation of how to configure Forefront Security for Exchange Server, along with best practices, tips, and tactics to help ensure successful implementation.

How the Guide Works

Following introductory material, Forefront Security for Exchange Server is explained in a series of “Required Tasks,” which are steps that must be taken to ensure the software is properly running and that basic antivirus protections are in place. This is not an exhaustive review of product features, but a focus on key product areas.

Benefits of Using Multiple Scanning Engines

Antivirus vendors all try to release signatures as soon as possible, but with every virus threat there is variation among antivirus research labs in how quickly virus samples are obtained and analyzed, and when signatures are released. By using the multiple antivirus scan engines of Forefront Security for Exchange Server, customers can realize the benefit of diversification. If all messages are scanned with five engines, it is more likely that one of the engines is equipped to handle a recently released virus than if only one antivirus engine is being used.

Forefront Security for Exchange Server offers configuration settings to allow a user to balance performance needs and the relative level of protection. Administrators can run up to five engines at once, and select a bias setting to determine if all engines will scan every message, or if a subset of the selected engines will be used to scan each message. The recommended bias setting is “Favor Certainty.” This setting configures Forefront Security for Exchange Server to scan with all available engines that have been selected unless an engine is temporarily unavailable, such as when it is offline receiving an update to its signatures.

Forefront Security for Exchange Server Scanning Overview

Forefront Security for Exchange Server supports Exchange Edge Transport, Hub Transport, and Store (Mailbox/Public Folder) server roles. By distributing the scanning workload over the various Exchange servers, the impact on individual servers is reduced and duplicate scanning is eliminated. Reducing antivirus scanning at the Store was a specific design goal of Forefront Security for Exchange Server.

Forefront Security for Exchange Server incorporates new scanning logic that does not scan e-mail that has already been scanned. By default, e-mail scanned at an Edge Transport or Hub Transport server does not get scanned again when routed or deposited into mailboxes. This approach minimizes antivirus scanning overhead to maximize mail system performance. This feature also:

  • Significantly reduces scanning impact at the Store.

  • Can be turned off to allow scanning at all points.

To identify mail that has already been scanned, a secure antivirus header stamp is written to each e-mail when it is first scanned at the Edge or Hub server. Later scanning operations (e.g., at the Hub or Store for incoming mail) check for this stamp and, if it is present, the mail is not re-scanned. When the message is submitted to the Store, the antivirus stamp properties are added to a MAPI property and maintained.

To best utilize this “scan once” capability, all Exchange Transport server roles should be set to the same configuration settings, so scanning is the same at all Transport points.

There are a number of scanning scenarios based on network topologies. Here are several of the most common:

Scanning of Inbound Mail

Inbound mail from the Internet is scanned at the Edge server. It is not re-scanned at the Hub or when first deposited in a Store. However, after the messages reach the Store server, the Background Scan Job process can be configured to periodically re-scan all or some of the mail with newer signatures.

Scanning of Outbound Mail

By default, outgoing mail is not scanned at the Store role, but is scanned in transit at the Hub role. If an Edge server is deployed in the Exchange organization, the mail is not re-scanned at the Edge server because it has already been scanned at the Hub.

Scanning of Internal Mail

Mail is scanned at the Hub server as it is routed internally. By default the mail is not scanned at the Store server where it originated, nor is it re-scanned at the destination Store server.

In all of these scenarios, processing time and load is saved on the Store servers.

The Antivirus (AV) Stamp

There are three conditions that must be met before the Antivirus Transport Agent of Exchange 2007 places an AV stamp on a message:

  • The message must be scanned with at least one virus engine.

  • Either no virus must be found or if a virus is found it must be cleaned or deleted.

  • If the message was updated, Forefront Security for Exchange Server must successfully write the updated message back to Exchange.

The Skip:detect mode of Forefront Security for Exchange Server will not write the AV stamp into a message.

Store Scanning

Store scanning is handled by:

  • Realtime Scan Jobs and Background Scan Jobs

  • Manual scan jobs

Proactive scanning (scan when messages and files are written to the Store) is turned off by default. This is a major change from previous versions of Exchange.

By default, messages that arrive at a Store server carry an AV stamp and are not re-scanned by the Realtime Scan Job process. The Transport Hub that has scanned these messages can either be located on a separate server or co-located with the Store server. Content that has never been routed through a Transport Hub will not have an AV stamp and will be scanned when first retrieved from the store during On-Access Scanning.

By default, On-Access Scanning is used to scan a message when it is accessed only if it has not been scanned before. An “access” can include opening a message, viewing it in the preview pane, and performing content-indexing operations. Most interactive retrieval has no impact on the Store since messages have already been scanned in transit.

However, messages in the Sent Items folder, the Outbox, and Public Folders have not been routed through a Hub role and therefore have not been scanned. They will be checked with On-Access Scanning because the database does not list them as having been scanned before.

Optional high-security configuration settings can be enabled on the Store server to scan a message on access if new signatures have arrived since the message was last scanned. (See “Scan on Scanner Update” in Settings-General Options.) This is considered a high security or “outbreak mode” setting. It is meant to be used in the event of a serious threat that requires constant re-scanning of mail to protect users from a quickly proliferating attack.

Background scanning now provides incremental background scanning to enhance server performance. This functionality allows administrators to configure Background Scan Jobs to scan messages based on certain criteria, such as a message’s age. For example, administrators can configure Forefront Security for Exchange Server to schedule a Background Scan Job to run at off-peak hours and to scan only messages received in the past two days. Administrators can also run a background scan job to clean the Store server in response to a known event that has deposited infected items in the store.

Incremental background scanning dramatically reduces Store overhead and provides a significant level of protection for the latest messages that may have been received on the Exchange server before the corresponding signatures for that virus were received. Background Scan Jobs use the same configuration settings that are configured for Realtime Scan Jobs.
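The "scan once" behaviour above (the AV stamp conditions, the skip at later roles, the unstamped Sent Items/Outbox/Public Folder items, the Scan on Scanner Update setting, and the age window of an incremental Background Scan Job) can be followed in a small model. This is an added example, not Forefront's own code: the stamp is represented as a dict on the message rather than the real header or MAPI property, and the engine names, signature timestamps and messages are constructed.

```python
"""Toy model of the Exchange 2007 / Forefront "scan once" AV stamp logic.

Added example, not Forefront's code. The stamp is a dict attached to the message
(the real stamp format and the MAPI property that carries it are not reproduced);
engine names, signature times and messages are constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SKIP, CLEAN, DELETE = "skip", "clean", "delete"


@dataclass
class Message:
    subject: str
    received: datetime
    infected: bool = False
    av_stamp: Optional[dict] = None  # None means "never scanned by a transport role"


def transport_scan(msg: Message, action: str, engines: List[str],
                   signature_time: datetime, write_back_ok: bool = True) -> str:
    """Edge/Hub transport scan. The message is stamped only when all three
    conditions from the text hold: scanned by at least one engine; no virus
    found or the virus cleaned/deleted; and an updated message written back."""
    if msg.av_stamp is not None:
        return "skipped: already stamped"            # scan-once: no re-scan at the next role
    if not engines:
        return "not scanned: no engine available"    # condition 1 fails
    if action == SKIP:
        # Skip:detect only logs the detection and never writes a stamp
        return "detected only, not stamped" if msg.infected else "clean, not stamped"
    if msg.infected:
        msg.infected = False                         # clean or delete removes the infection
        if not write_back_ok:
            return "infection removed, write-back failed: not stamped"  # condition 3 fails
    msg.av_stamp = {"engines": list(engines), "signatures": signature_time}
    return "stamped"


def store_needs_scan(msg: Message, current_signature_time: datetime,
                     scan_on_scanner_update: bool = False) -> bool:
    """On-access decision at the Store (Realtime Scan Job)."""
    if msg.av_stamp is None:
        return True   # e.g. Sent Items, Outbox, Public Folder posts never routed via a Hub
    if scan_on_scanner_update and current_signature_time > msg.av_stamp["signatures"]:
        return True   # "outbreak mode": newer signatures arrived since the stamp was written
    return False


def background_scan_selection(messages: List[Message], now: datetime,
                              max_age_days: int) -> List[Message]:
    """Incremental Background Scan Job: only messages received in the last N days."""
    cutoff = now - timedelta(days=max_age_days)
    return [m for m in messages if m.received >= cutoff]


def demo() -> dict:
    """Walk constructed messages through Edge -> Hub -> Store and report the decisions."""
    sigs_v1 = datetime(2024, 1, 10, 8, 0)   # constructed signature timestamps
    sigs_v2 = datetime(2024, 1, 10, 9, 0)
    now = datetime(2024, 1, 10, 12, 0)
    engines = ["EngineA", "EngineB"]       # hypothetical engine names

    inbound = Message("inbound from Internet", now, infected=True)
    edge = transport_scan(inbound, DELETE, engines, sigs_v1)
    hub = transport_scan(inbound, DELETE, engines, sigs_v2)      # stamped at Edge -> skipped

    sent_item = Message("Sent Items copy", now - timedelta(days=5))  # never routed via a Hub
    detect_only = Message("skip mode sample", now, infected=True)
    transport_scan(detect_only, SKIP, engines, sigs_v1)           # detected, never stamped

    failed = Message("write-back failure", now, infected=True)
    write_back = transport_scan(failed, CLEAN, engines, sigs_v1, write_back_ok=False)

    store = [inbound, sent_item, detect_only]
    return {
        "edge": edge,
        "hub": hub,
        "write_back": write_back,
        "write_back_stamped": failed.av_stamp is not None,
        "store_default": [store_needs_scan(m, sigs_v2) for m in store],
        "store_outbreak": [store_needs_scan(m, sigs_v2, scan_on_scanner_update=True) for m in store],
        "background_2_days": [m.subject for m in background_scan_selection(store, now, 2)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the default settings the stamped inbound message is left alone at the Hub and at the Store, while the Sent Items copy and the Skip:detect sample are scanned on access; turning on Scan on Scanner Update makes the Store re-scan the inbound message as well, because the stamp records older signatures.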

Required Tasks for Forefront for Exchange Server

This chapter discusses the steps needed to provide basic antivirus protection using Forefront Security for Exchange Server. It is critical to complete all of the steps as they are outlined to provide the necessary protection for your environment. A checklist of steps is provided, so you can mark your progress as you configure the system.

A Note on Installation and Use of Forefront Security for Exchange Server

This guide assumes that you have already successfully installed the Forefront Security for Exchange Server software. For detailed installation instructions, please consult the Forefront Security for Exchange Server User Guide. It also assumes you are familiar with how to log in to the built-in Forefront Server Security Administrator console.

Required Tasks Checklist

The following checklist provides a brief overview of all the tasks necessary for successfully deploying Forefront Security for Exchange Server for antivirus protection. Use the left column to mark when you have completed each step. Until each step below is completed, your Forefront system is not optimized to protect your environment. This may result in a failure to adequately protect your environment.

Steps (click the topic to jump to the instructions) and their descriptions

Step 1: Configuring the Transport Scan Job

Set the scanning parameters for the Transport scanning job.

Step 2: Configuring Scan Engine Updates

Enable all scan engines to update automatically at pre-set intervals.

Step 3: Configuring Engine Bias Settings

Set the number of engines to be used in each scan.

Step 4: Configuring Engine Actions and WormPurge

Set the action to take in the event of detecting a virus. Also includes an explanation of the Forefront Worm List.

Step 5: Configuring the Realtime Scan Job

Set the scanning parameters for the Realtime Scan Job (Store).

Step 6: Configuring the Background Scan Job

Set the time and options for incremental background scanning in a Background Scan Job.

Step 7: Configuring File Filtering

Set filtering parameters to block specific file types.

Step 8: Setting Notifications

Configure notifications for senders, recipients, and administrators.

Step 9: Incident Log Options

Review and update options for the Incident Log.

Step 10: Quarantine Options

Review and update options for the Quarantine in Forefront Security for Exchange Server.

Step 11: General Options Review

Review and update General Options settings as needed.

Step 1: Configuring the Transport Scan Job

Why the Transport Scan Job Is Important

The Transport Scan Job is your first layer of defense. It is also the most efficient layer in terms of processing and should be seen as the defense workhorse, the point where most scanning gets done and the majority of dangerous and unwanted content is eliminated.

The Transport Scan Job can be run at various points in the environment, depending on the configuration of your network. It can be run on an Exchange 2007 Edge Server or Hub Role, and ideally should be run on all Edge and Hub roles. However, in all cases the Transport Scan Job should take place at the outermost Exchange Server.

Configuration Steps for the Transport Scan Job

When you first open the Forefront Server Security Administrator, you are on the screen that you will use to set up the Transport Scan Job. Go to Settings > Scan Job to get to this screen.

The following steps should be taken on this screen to properly set up the Transport Scan Job.

Verify that the Transport Scan Job “State” is set to Enabled, and that Virus Scanning, File Filtering, and Keyword Filtering are listed as On. If they are not on, click on Operate > Run Job to activate them. Note that Content Filtering, which includes Subject Line filtering, is not available on the Transport Scan Job. Subject Line filters can be created using Exchange 2007 Transport Policy rules.

Verify the Transport Messages scanning direction settings. By default, the product will scan inbound, outbound, and internal messages. Make sure these are all turned on.

Note

Do not deselect Inbound scanning unless you have very specific reasons to do so! Doing so will open your environment to viruses!

Inbound

Scans messages coming from an external server (for example, Internet-based e-mail).

Outbound

Scans any mail that leaves your Exchange server or Exchange organization. Messages are designated as outbound if at least one recipient has an external address.

Internal

Scans mail that is being routed between users inside your domain. Messages are designated as Internal if they originate from inside your domain and ALL the recipients are located inside your domain.

Configure your Deletion Text. When Forefront Security for Exchange Server deletes an infected attachment, it will replace it with deletion text that tells the recipient the virus was deleted. The deletion text can be customized. By default it says:

Microsoft Forefront Security for Exchange Server removed a file since it was found to be infected.

File name: "%File%"

Virus name: "%Virus%"

The text can be changed as needed to reflect any information you may want to provide to your users. There are two dynamic keywords that will be filled in based on the virus detected:

%File% — the name of the file that was removed

%Virus% — the name of the virus it was infected with

Additional dynamic keywords can be added to the message, such as the name of the sender or recipient. To insert a dynamic keyword, right-click in the Deletion Text window and choose Paste Keyword.

Click the Save button to have your settings take effect.

Tips, Considerations, and Best Practices

  • It is considered good Internet etiquette to scan your outbound mail for viruses. In addition, this can protect you from legal liability should an infected PC in your organization attempt to send out viruses (a common behavior of worm viruses).

  • When configuring your Deletion Text, you may want to offer advice to your users about what to do. Users often get nervous when they receive a virus message, even though the virus has been deleted. For example, you may add wording such as: “The infection has been removed and your computer has not been infected with a virus.”

Step 2: Configuring Scan Engine Updates

Why Scan Engine Updates Are Important

Timely updating of your scan engines is critical in the fight against viruses and unwanted e-mail. The antivirus engines provided within Forefront Security for Exchange Server are created by third-party vendor labs that work 24 hours a day to provide virus detection signatures in a timely fashion. If you don’t update your engines frequently, you lose the benefit of their efforts.

Proxy Server Configuration

If Forefront Security for Exchange Server accesses the Internet through a proxy server, you must enter information about the proxy server by going to the General Options panel and entering the required information. See Step 11: General Options Review for details.

Configuration Steps for Scan Engine Updates

By default, all your engines are set to check for updates once an hour. You can increase the frequency to as often as once every 15 minutes. In any case, do not set the update interval to longer than once an hour unless you have specific reasons for doing so. To access the scan engine updates, click on Settings > Scanner Updates.

Verify that all your engines are Enabled. If for any reason you choose not to use a particular engine, you can disable the update process by highlighting the engine and clicking the Disable button.

Configure your Update Path and Times. Forefront Security for Exchange Server can pull engine updates via HTTP or a UNC path. HTTP is the default setting, which uses the update path:

https://forefrontdl.microsoft.com/server/scanengineupdate

If you accidentally delete this, right-click the path box and choose Default HTTP Path.

Use of the UNC share allows one server to pull updates from another. This is an efficient update mechanism that saves on Internet bandwidth consumption if you have multiple servers running Forefront Security for Exchange Server. Only one server pulls the signatures from the Internet, while the other servers copy the files over the LAN. If you wish to use this configuration, please consult the Forefront Security for Exchange Server User Guide for details.

Important

Each engine must have its update path configured separately!

You must also set the time that each engine will check for updates. To do this, click the Daily button and then click the Repeat Every check box and enter a timeframe.

By default, the Time field is staggered by five minutes for each engine. This is a good idea: to avoid bandwidth contention, you don’t want all your engines checking for updates at the same time.

Important

Each engine must have its update time configured separately!

Click the Save button to have your settings take effect. You must click the Save button separately for each engine you configure!

Tips, Considerations, and Best Practices

  • Be aware of the engines you are using. Some virus labs routinely release signatures more frequently than others (all labs respond to a major outbreak with more frequent updates). For example, the Kaspersky lab releases a new update nearly every hour. The update schedule for that engine should be set accordingly.

  • You should stagger your update times so they do not all happen at once. In addition, you may want to use a time that does not end in 0 or 5. Many users will set their updates at 1:05 or 1:30 etc. which can lead to contention at the download site. To avoid this possibility, pick a time such as 1:09 or 1:42.

  • Even if you aren’t using a particular engine, you should set it to update regularly, so if you need to activate it the signatures will be up to date.

  • If you have more than one server running Forefront Security for Exchange Server, use a distributed update mechanism. This allows a single machine to download signatures, which can then be distributed to other Microsoft Forefront servers (see the User Guide for details on setting this up). Or, you can use the Microsoft® Forefront™ Server Security Management Console to provide this functionality. Either method will save greatly on Internet bandwidth and make your updates quicker and more efficient.

Step 3: Configuring Engine Bias Settings

Why Engine Bias Settings are Important

Engine Bias settings allow you to adjust the performance parameters of Forefront Security for Exchange Server to achieve the best balance between protection and performance. Ideally, you would scan every piece of e-mail with all available scan engines, but realistically this is not always possible.

How Engine Bias Works

Engine Bias determines how many engines will be used in each e-mail scan. The settings range from Maximum Certainty, in which all engines are used, to Maximum Performance, which uses only one engine. This chart describes the available settings:

Bias Mode            Description
Maximum Certainty    The product must use 100% of selected engines to scan.
Favor Certainty      The product uses all available selected engines to scan. This is the default setting.
Neutral              The product uses 50% of available/selected engines to scan.
Favor Performance    The product uses 25% of available/selected engines to scan.
Maximum Performance  The product uses one of the available/selected engines to scan.

Scan Engine Bias Settings

The specific engines used from the available engines are determined by the Multiple Engine Manager (MEM). Engines are selected based on their engine ranking. Characteristics such as most recent signature update and past performance are taken into consideration, as well as a random selection when appropriate.

For example, if four engines and a Neutral bias setting are selected, each piece of e-mail will be scanned by two engines. The MEM will select the most appropriate engines for the job. If one engine has been updated recently, that engine will likely be one of the two engines used. Other performance characteristics are taken into account as Forefront Security for Exchange Server attempts to use the two engines that will be most effective at the time of scanning.
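The bias table and the four-engine Neutral example above can be worked through in code. This is an added example, not Forefront's code: the Multiple Engine Manager also weighs past performance and uses random selection where appropriate, which is not modelled here (engines are ranked only by most recent signature update), and rounding a 50% or 25% share up to a whole engine is an assumption; the engine names and update times are constructed.

```python
"""Model of Forefront's Engine Bias settings and the Multiple Engine Manager's
engine choice. Added example, not Forefront's code. Engines are ranked by last
signature update only (the real MEM also weighs past performance and randomness);
rounding 50%/25% up to a whole engine is an assumption. All values are constructed."""
import math
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional

BIAS_FRACTION = {
    "Maximum Certainty": 1.0,     # every selected engine, or mail waits for the update
    "Favor Certainty": 1.0,       # every *available* selected engine (the default)
    "Neutral": 0.5,
    "Favor Performance": 0.25,
    "Maximum Performance": None,  # exactly one engine
}

QUEUED = None  # returned when Maximum Certainty must hold mail during an engine update


def engines_for_scan(bias: str, selected: Dict[str, datetime],
                     unavailable: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Return the engines used for one message, most recently updated first,
    or QUEUED when Maximum Certainty cannot reach 100% coverage."""
    if bias not in BIAS_FRACTION:
        raise ValueError(f"unknown bias: {bias}")
    if len(selected) > 5:
        raise ValueError("at most five engines may be selected per scan job")
    available = {name: t for name, t in selected.items() if name not in unavailable}
    if bias == "Maximum Certainty" and len(available) < len(selected):
        return QUEUED                      # an engine is updating: mail is held until it returns
    fraction = BIAS_FRACTION[bias]
    count = 1 if fraction is None else max(1, math.ceil(len(available) * fraction))
    ranked = sorted(available, key=lambda name: available[name], reverse=True)
    return ranked[:count]


def demo() -> dict:
    """Four hypothetical engines with constructed last-update times; EngineB is updating."""
    engines = {
        "EngineA": datetime(2024, 1, 10, 6, 0),
        "EngineB": datetime(2024, 1, 10, 9, 0),   # most recently updated
        "EngineC": datetime(2024, 1, 10, 7, 0),
        "EngineD": datetime(2024, 1, 10, 8, 0),
    }
    updating = frozenset({"EngineB"})
    return {
        "neutral_four": engines_for_scan("Neutral", engines),               # two engines
        "favor_performance_four": engines_for_scan("Favor Performance", engines),
        "max_performance": engines_for_scan("Maximum Performance", engines),
        "max_certainty_during_update": engines_for_scan("Maximum Certainty", engines, updating),
        "favor_certainty_during_update": engines_for_scan("Favor Certainty", engines, updating),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two entries show the difference the tips below describe: with one engine mid-update, Maximum Certainty queues mail, while Favor Certainty keeps mail flowing and scans with the three remaining engines.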

Configuration Steps for Engine Bias Settings

When configuring a scan job, you must select the engines to use and the bias setting to use. From the Forefront Server Security Administrator, select Settings > Antivirus.

Check the engines you want to use. You can select up to five engines for each scan job. Five are selected by default. To change an engine, deselect one first before selecting the next.

Choose your Bias setting. Use the dropdown box to pick the Bias setting you want to use. Bias settings are explained in the table above.

Click the Save button to have your settings take effect. Your settings are not applied until you click Save!

Tips, Considerations, and Best Practices

  • When using the Maximum Certainty setting, mail will be held up any time a scan engine is being updated. By definition Maximum Certainty requires that every message be scanned by every scan engine. To provide 100% scan engine coverage, mail is queued until the scan engine update is finished (typically less than 30 seconds but it can take several minutes). To avoid this, you can lower the bias to Favor Certainty, in which case scanning and mail flow will continue while an engine is updated. Favor Certainty uses all available engines; most of the time e-mail is scanned by all selected engines, unless one happens to be unavailable, such as during an update. For this reason, Favor Certainty is considered the Best Practice setting.

  • A common practice is to use different bias settings at different points in the scanning process. Because the Transport Scan Job is less resource-intensive than a Realtime or Manual Scan Job, Microsoft generally advises using Maximum Certainty or Favor Certainty for the Transport Scan Job with five engines enabled, at least as a starting point. If you run into performance issues, you can make adjustments.

  • To enhance performance, Forefront Security for Exchange Server allows additional processes to be created for the Transport and Realtime Scan Jobs. If the first process is busy scanning a file, the second process will begin to scan, and so on. By default there are four Transport Scan Job processes running. This can be increased up to ten by changing the Transport Process Count field found under General Options > Scanning. However, be cautious when increasing the number of processes. Each process will consume additional server resources. It is best to increase them one at a time and evaluate the performance at each step. The Forefront Service will need to be recycled for the change to take effect.

Step 4: Configuring Engine Actions and WormPurge

Why Engine Actions and WormPurge Are Important

Engine Actions and WormPurge determine what happens to a virus when it is detected. The way you configure this can affect performance and security, as well as the user experience. In addition to the specific action taken on the virus, you may also choose to quarantine detected files and to send notifications to senders, recipients, or the virus administrator(s).

Available Engine Actions

Three actions are available when a virus is detected, as described in the following table.

Skip: detect only
    Make no attempt to clean or delete. Viruses will be logged, but the files will remain infected. This setting does not provide any security. This should only be used in specific testing situations.

Clean: repair attachment
    Attempt to clean the virus. If successful, the infected attachment will be replaced with the clean version. If cleaning is not possible, the attachment will be deleted but the body of the message will remain. A text file containing deletion text will be inserted in place of a file that cannot be cleaned.

Delete: remove infection
    Delete the attachment without attempting to clean. The infected file will be removed and a text file containing deletion text will be inserted in its place.

Configuration Steps for Engine Actions

To configure Engine Actions, from the Forefront Server Security Administrator, select Settings > Antivirus.

Choose the Action. After verifying that the Transport Scan Job is selected, choose the desired engine action using the dropdown menu. This action will be applied across all scan engines for the Transport Scan Job.

Select Notifications, if desired. If you wish to send notifications when a virus is detected, click the Send Notifications check box. For details on how to enable and customize specific notifications, see Step 8: Setting Notifications.

Select Quarantine, if desired. If you want to save copies of infected files for inspection, select the Quarantine Files option. While rare, it is possible that a scan engine will falsely identify a message as a virus. This option saves a copy of the message and/or attachment into the Quarantine list, where it can be examined and, if need be, released.

Click the Save button to have your settings take effect.

Tips, Considerations, and Best Practices

  • You may want to consider not using the option to “Clean: Repair Attachment.” This feature was more useful some years ago when cleanable viruses were more common and valid documents were often infected. The virus world has changed over the years, and the vast majority of viruses today are not cleanable (some estimates are that less than 10% of viruses can be cleaned). Also, a valid infected file is much less common. Most of the time the entire attachment is a virus and has no valid content. Because the attempt to clean the virus requires additional processing resources, many organizations decide to simply use the “Delete: Remove Infection” option.

  • If you choose the “Clean” option, Forefront Security for Exchange Server will pass the file to each of the selected scan engines for cleaning. If one is not able to clean the file, it gets passed to the next scanner which will attempt to clean it. If none of the engines can successfully clean the file, it is deleted.

  • Consider whether you wish to use the Quarantine feature. It does provide an added level of security because you can retrieve a message that has been incorrectly tagged as a virus. However, there is overhead involved in quarantining files, particularly if many viruses are captured each day. Large organizations may block millions of viruses in a month. Many of these, however, may be worm viruses, which are not quarantined under any circumstance (see Why WormPurge Is Important, below). Ideally, you would want to Quarantine detected viruses, but you may determine that the better course is to simply delete them.

  • There are various considerations around sending notifications. Please see Step 8: Setting Notifications to better understand your options.

Why WormPurge Is Important

Prior to the advent of worms, viruses were typically infected attachments that were sent along with a legitimate e-mail message. That is, the message body of the e-mail contained information valuable to the recipient, but the attachment was infected and had to be blocked. Because of this, the e-mail message body was delivered to the recipient so they would be aware that someone had communicated with them.

A worm virus, however, is entirely useless. The message body itself is part of the virus and contains no useful data. Yet antivirus software would deliver these messages to the end user, typically with some kind of warning that caused confusion and concern. To make matters worse, worm attacks would hit in massive e-mail storms, with thousands or even millions striking in a day. This caused tremendous clutter in mail stores, slowdowns on networks, increased help desk calls, and a flood of user notifications (which in themselves formed a new problem). To eliminate all these problems, WormPurge was introduced.

WormPurge works by means of a Worm List. This is a list of known worm viruses and virus families. When a scan engine detects a virus, the virus name is compared to the names in the Worm List. If there is a match (for example, any variant of the Netsky virus) the message is tagged as a worm and the following actions are always taken:

Action: The entire worm message is deleted, including the full message body.
Benefit: The worm is stopped before it enters the network. Network impact is minimized; there is no impact on the mail store or the e-mail services.

Action: The worm message or attachment is never quarantined, even if you select the Quarantine option.
Benefit: The Quarantine is kept much smaller and runs more efficiently.

Action: No notifications are sent, and users do not receive anything.
Benefit: Users are not even aware that a worm has been detected and blocked, so there are no help desk calls. Users are not alarmed. Notification floods are stopped. Note that there is an option to send Worm Notifications to specific Worm Administrators.

The Worm List is updated periodically in the same manner as any other scan engine. Because worms now form the vast majority of viruses in the wild, the WormPurge feature in Forefront Security for Exchange Server is an exceptionally valuable tool in network security.

The WormPurge feature also works on outbound and internal e-mail. This is important if a machine in your network is infected and begins sending worm messages outbound. Sending viruses could lead to legal liabilities for your company. WormPurge helps ensure this does not happen. Internal protection is important to prevent an infected mailbox from infecting other mailboxes in your organization.

Configuring WormPurge in Forefront Security for Exchange Server

WormPurge is enabled by default; there is no need to turn it on. Just make sure you set the Worm List to periodically update along with the rest of your scan engines as explained in Step 2: Configuring Scan Engine Updates. WormPurge can be deactivated by setting a registry key (as described in the User Guide). This is highly discouraged and is considered a violation of security best practices.

TIPS, CONSIDERATIONS, and BEST PRACTICES

  • Some organizations want to simply delete all viruses—worms or otherwise—even at the risk of losing valid e-mail message content. They also do not want to Quarantine items or send any notifications. This can greatly simplify your virus management, but realize that it does contain a risk of losing e-mail communications that users may want to receive.

    If you wish to do this, you can create a Custom Worm List. This list defines any virus as a worm, and treats it in the same way. The list contains a single asterisk (*), which will match any virus name. The procedure for creating a custom worm list is explained in the Forefront Security for Exchange Server User Guide in the section “Creating a Custom WormPurge List.” Note that if you update the existing Worm List, it will get overwritten the next time a new list is released. The Custom Worm List can only be updated manually.

  • While you may not want to delete all viruses as described above, you may want to add some non-worm virus types to your WormPurge list. For example, some of the antivirus engines will detect phishing e-mails and denote them by using the term “Phish” in the virus description. Adding *Phish* to your Custom Worm List will treat these messages as if they were worms. Other virus definitions you may consider adding include *Backdoor*, *Trojan*, *Troj*, *Rootkit*, and *Exploit*.

Step 5: Configuring the Realtime Scan Job

Why the Realtime Scan Job Is Important

The Realtime Scan Job protects the mail store itself. This is the second line of defense against Internet viruses and the first line of defense against viruses that may be introduced via the desktop. The Realtime Scan Job protects the Store (Mailboxes and Public Folders).

The Realtime Scan Job also gives you protection against viruses that may have slipped through the Edge or Hub servers. For instance, it is possible that a virus may get into your Store because it strikes before your scan engines are updated. Later on, after the engines update, the Realtime Scan Job will be able to catch the virus that was missed earlier.

The parameters you set for the Realtime Scan Job are also used for the Background Scan Job, which is a key component of protection with Forefront Security for Exchange Server.

Configuration Steps for the Realtime Scan Job

Open the Forefront Server Security Administrator and go to Settings > Scan Job to get to the Scan Job Settings screen. Make sure that one of the Realtime Scan Jobs is highlighted. These settings will apply to all of your Exchange storage groups.



Verify that the Realtime Scan Job “State” is set to Enabled and that all scanning types are listed as On. If they are not on, click Operate > Run Job to activate them. (Note that for the Realtime Scan Job, Keyword Filtering is not available.)


Choose what you want to scan. The Realtime Scan Job works on both Mailboxes and Public Folders. However, you may choose not to scan every Mailbox and/or Public Folder. Forefront Security for Exchange Server gives you the options to scan All, None, or Selected Mailboxes and Public Folders.

If you choose Selected, click the icon under Selected to open the selection window. From there, choose the objects you wish to have included in each scan. For example, if you open Public Folders, you would see a screen similar to this:


Note

Choosing all Mailboxes or Public Folders in the selection window is not the same as choosing the All option button in the previous window. An inclusion list is built from the specific selections made in this window. New Mailboxes or Public Folders added after making this selection will not automatically be included. To include new items automatically, make sure you select All.


Configure your Deletion Text. When Forefront Security for Exchange Server deletes an infected attachment it will replace it with deletion text that tells the recipient the virus was deleted. The deletion text can be customized. By default it says:

Microsoft Forefront Security for Exchange Server removed a file since it was found to be infected.

File name: "%File%"

Virus name: "%Virus%"

The text portion can be changed as needed to reflect any information you may want to provide to your users. There are two dynamic keywords that will be filled in based on the virus detected:

%File% — the name of the file that was removed

%Virus% — the name of the virus it was infected with

Additional dynamic keywords can be added to the message, such as the name of the sender or recipient. To insert a dynamic keyword, right-click in the Deletion Text window and choose Paste Keyword.

Note

This is different than the Deletion Text you set for the Transport Scan Job.


Click the Save button to have your settings take effect.

Configure Engine Bias and Engine Actions

The Realtime Scan Job also requires you to set the Engine Bias and Engine Actions. These are configured separately for each Realtime Scan Job. The steps are the same as shown previously in Step 3: Configuring Engine Bias Settings and Step 4: Configuring Engine Actions and WormPurge. Follow these same steps, but make sure you highlight the Realtime Scan Job when making your settings.

TIPS, CONSIDERATIONS, and BEST PRACTICES

  • Be aware of the engines you are using. Some virus labs release signatures more frequently than others (all labs will respond to a major outbreak with more frequent updates). For example, the Kaspersky lab releases a new update nearly every hour. The update schedule for that engine should be set accordingly.

  • You should stagger your update times so they do not all happen at once. In addition, you may want to use a time that does not end in 0 or 5. Many users will set their updates at 1:05 or 1:30, etc., which can lead to contention at the download site. To avoid this possibility, pick a time such as 1:09 or 1:42.

  • Even if you aren’t using a particular engine, you should set it to update regularly, so if you need to activate it the signatures will be up to date.

  • If you have more than one server running Forefront Security for Exchange Server, use a distributed update mechanism. This allows a single machine to download signatures, which can then be distributed to other Microsoft Forefront servers (see the User Guide for details on setting this up). Or, you can use the Microsoft® Forefront™ Server Security Management Console to provide this functionality. Either method will save greatly on Internet bandwidth and make your updates quicker and more efficient.

  • Ideally you would always use five engines and set them to Maximum Certainty. This would provide the best possible level of detection. However, depending on the characteristics of your server, you may or may not be able to run five engines. Each additional engine does add to scanning time and resource usage. This is particularly true at the Realtime Scan Job.

  • A common practice is to use different bias settings at different points in the scanning process. Microsoft recommends using the Favor Certainty setting for the best combination of security and performance. As you monitor performance, you can make adjustments if needed to the bias setting.

  • To enhance performance, Forefront Security for Exchange Server allows additional processes to be created for the Realtime Scan Job. If the first process is busy scanning a file, the second process will begin to scan, and so on. By default there are four Realtime Scan Job processes running. This can be increased up to ten by changing the Realtime Process Count field found under General Options > Scanning.

    However, be cautious when increasing the number of processes. Each process will consume additional server resources. It is best to increase them one at a time and evaluate the performance at each step. The Forefront Service will need to be recycled for the change to take effect.

Step 6: Configuring the Background Scan Job

Why the Background Scan Job Is Important

The Background Scan Job provides a key protection mechanism by periodically scanning the mail Store with the latest signature updates. This provides a “clean up” mechanism to catch any viruses that may have been missed during a Transport Scan Job. Microsoft recommends that you run the Background Scan Job once each day, preferably at a time of low mail activity.

Unless set otherwise, the Background Scan Job does not recognize the previously scanned status of a message. It scans based on its own parameters. This is because the Background Scan Job is meant specifically for re-scanning messages that have been scanned before and applying the latest scan engine signatures to them.

The Background Scan Job has various configurable parameters that allow for incremental background scanning. This reduces the extent of the scan, providing a balance between protection and performance. The engines and bias settings used by the Background Scan Job are the same as those set in the Realtime Scan Job.

Configuration Steps for the Background Scan Job

Open the Forefront Server Security Administrator and go to Operate > Schedule Job to get to the correct screen. All you need to do here is set the time for the Background Scan Job to begin each day.



Enable the Background Scan Job. Click on the Background Scan Job and then click the Enable button.


Select the Background Scan Job start time. In the Calendar, set the Time and Frequency for the Background Scan Job. Microsoft recommends setting it to “Daily,” at a time when your mail server is less active than usual.


Click the Save button to have your settings take effect.

Setting the Background Scan Job parameters

There are several parameters that control the behavior of the Background Scan Job. These default to the best-practice options; however, you may wish to modify them to suit your own environment. These settings are found under Settings > General Options, in the section titled Background Scanning.

Option Description

Enable Background Scan Job if “Scan On Scanner Update” Enabled

Indicates that Forefront Security for Exchange Server should initiate a background scan every time a scan engine is updated if the General Option setting Scan on Scanner Update is enabled. This setting is enabled by default. See the Tips section below for more details.

Scan Only Messages With Attachments

Indicates that the Background Scan Job should only scan messages that include attachments. This setting is enabled by default.

Scan Only Unscanned Messages

Indicates that the Background Scan Job should only scan messages that have not already been scanned.

Scan Messages Received Within The Last <x> Hours/Days

Places limits on background scanning by allowing administrators to configure Forefront Security for Exchange Server to scan messages based on their age. The options are: Anytime, 4 hours, 6 hours, 8 hours, 12 hours, 18 hours, 1 Day, 2 Days, 3 Days, 4 Days, 5 Days, 6 Days, 7 Days, and 30 Days.

If background scanning is scheduled to run daily, the recommended setting is to scan the previous two days’ worth of mail. However, the time should be set based on both security and performance considerations.

TIPS, CONSIDERATIONS, and BEST PRACTICES

  • As mentioned above, the general recommendation is to scan the past two days of e-mail. This is because within two days it is very likely that a new virus is being caught by at least one of the scan engines. It serves little purpose to continually re-scan messages that are many days, or even weeks and months, old. By applying scoping parameters to the scanning process, Forefront Security for Exchange Server strikes a sensible balance between performance and security.

  • In past versions of Exchange, the Background Scan Job could only scan the entire Store. This made background scanning impractical due to the serious amount of overhead incurred in scanning large mail stores. The new incremental background scanning features now make the Background Scan Job a feasible and sensible layer of protection.

  • During periods of virus outbreaks, an even higher level of protection may be desired. By selecting the option Enable Background Scan if “Scan On Scanner Update” Enabled, you are telling Forefront Security for Exchange Server to restart background scanning every time a new scanner update is received (this is typically many times a day). The Background Scan Job moves along scanning folder after folder, and after a restart it continues scanning where it left off. This ensures that all folders will get scanned. Keep in mind that turning this feature on means background scanning will likely be a continuous process, and it may impact mail system performance. However, this provides the most significant level of protection as it repeatedly applies the latest signatures to messages in the Store. The scoping parameters are still respected during this process, so the number of messages scanned is still limited.

Step 7: Configuring File Filtering

Why File Filtering Is Important

Even with the excellent protection provided by the multiple scanning engines in Forefront Security for Exchange Server, there is always a risk that a dangerous file will not be detected by the scan engines. To add another, proactive layer of protection to your enterprise, it is considered a security best practice to block certain file types that are considered potentially dangerous. File attachments can be detected by their name, type, size, or any combination of the three.

Available File Filtering Actions

There are four actions available when a file is detected, as described in the following table.

Action Description

Skip: detect only

Records the number of messages that meet the filter criteria, but allows messages to route normally. This setting does not provide any protection. However, you may want to use this setting to log instances of specific file types being sent or received without taking action on them.

Delete: Remove contents

Deletes the file attachment. The detected file attachment is removed from the message and a text file is inserted in its place. The text file contains the text you configure using the “Deletion Text” button. The user receives the original message, with the unwanted file(s) removed.

Purge: eliminate message

Deletes the message from your mail system. The user never sees the message. If you wish to keep a copy of the e-mail, choose the Quarantine File option.

Identify: tag message

Writes a customizable prefix into the message subject line or a custom X-header into the e-mail header. This mode is not commonly used for file filtering.

Configuration Steps for File Filtering

Open the Forefront Server Security Administrator and go to Filtering > File to get to the correct screen. File Filtering can be applied to Transport Scan, Realtime Scan, and Manual Scan Jobs. Make sure you are on the correct scan job when setting the file filters. Setting a File Filter requires that you create the filter, enable it, set the associated Action, and define Deletion Text as appropriate.



Select the Scan Job that the filter will apply to. File Filtering is available across all Scan Jobs. Each Scan Job can have its own set of File Filters.


Create the File Filter. Create the file filter by clicking the Add button and entering the proper syntax. You have a number of ways to enter a File Filter. The filters work by a combination of name and file type. You must select both elements to complete the filter.

File Name/Extension—this will match on the actual name of the file. You can use a full file name (for example, file.doc) or use wildcards (*.doc). This is shown under the File Names section.

File Type—in the File Types section you must associate the File Name filter with file types. For instance, to block anything with a name of *.doc, enter *.doc in the File Names section, and under File Types choose All Types. To block only actual DOC files, enter *.doc under File Names, and under File Types clear the All Types option and choose DOCFILE from the list of file types.

Keep in mind that the File Names and File Types sections work together for every filter you create.

For more details on acceptable wildcard usage, see the Forefront Security for Exchange Server User Guide. For details on other ways to block files, see the “Tips” section below.


Enable the Filter and Choose the Actions and Notifications. Using the drop-down, make sure the filter is set to Enabled. This also provides a quick way to turn a filter off.

Set the Filter action and Quarantine options, as desired. To notify senders or recipients that their file has been blocked, check the Notifications box and then customize the notification messages in the Notifications section.

Keep in mind that Actions, Quarantine, and Notification are set individually for every filter you create.


Configure your Deletion Text. When a file is deleted based on a File Filter, Forefront Security for Exchange Server replaces it with text that tells the recipient the file was deleted. By default it says:

Microsoft Forefront Security for Exchange Server removed a file since it was found to match a filter.

File name: "%File%"

Filter name: "%Filter%"

The text can be customized, as needed, to reflect any information you may want to provide to your users. There are two dynamic keywords that will be filled in based on the file that was filtered:

%File% — the name of the file that was removed

%Filter% — the name of the filter used to remove the file

Additional dynamic keywords can be added to the message, such as the name of the sender or recipient. To insert a dynamic keyword, right-click in the Deletion Text window and choose Paste Keyword.


Click the Save button to have your settings take effect.

TIPS, CONSIDERATIONS, and BEST PRACTICES

  • File Filters can be created to work only on inbound or outbound messages. This is useful in order to establish different rules for what enters your organization and what leaves it. To set a filter for inbound or outbound messages, prefix the filter with <in> or <out>. For example:

    <in>test.doc — detects the file test.doc only if it is entering the organization

    <out>test.doc — detects the file test.doc only if it is leaving the organization

  • File Filters can be set to block files of a certain size, using standard comparison operators (=, <, >, <=, >=) and file size designations (KB, MB, GB). These can be combined with file name and type conventions. For example:

    *.bmp>=1.2MB — detects any BMP file equal to or greater than 1.2 Megabytes

    <in>*.com>150KB — detects any inbound COM file greater than 150 Kilobytes

    *.*>5GB — detects any file greater than 5 Gigabytes

  • The file filtering of Forefront Security for Exchange Server provides excellent flexibility for blocking files based on size. Rather than have a single rule that applies across all file types, you can apply file type-specific rules.

  • File filters are applied before virus scanning. Therefore, if a message contains a virus and is also included on the list of blocked file types, it will be stopped by the File Filter rule. If you then release this message from the Quarantine, it will go to the virus engines for scanning and be caught as a virus.

  • Be aware of product behavior when a message has more than one attachment type. For example, if a message has two different attachments and one corresponding filter rule was set to Delete and the other to Purge, the entire message will be purged.

  • Each scan job has unique Deletion Text. You may want to design different text for Transport Scan Job file filters and Realtime or Manual Scan Job file filters.

  • You may want to use the Skip: detect only feature to identify specific files without blocking them. This may be done for corporate compliance or monitoring reasons. For example, you may want to filter for any spreadsheet files leaving the organization to create an Incident Log event.

  • In addition to direct File Filtering rules, Forefront Security for Exchange Server allows the use of Filter Lists that can contain multiple filtering rules. Lists can also be activated quickly to provide protection. Consult the User Guide for information on creating Filter Lists.

  • Forefront Security for Exchange Server can unpack and repack ZIP and other container files while removing specific contents from within them. For example, if a ZIP file contained a DOC file and an EXE file, and a File Filter were created to block EXE files, then Forefront Security for Exchange Server will unpack the ZIP, remove the EXE file, replace it with a text place marker, repackage the ZIP, and deliver it to the user. This way, the user is still able to receive the DOC file, while the EXE is blocked.
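The filter syntax from the tips above (the <in>/<out> prefix, wildcard file names, size comparisons, and the File Names/File Types pairing), worked through as an added example that is not part of this guide or of the product: a small Python evaluator that parses filter strings such as <in>*.com>150KB, matches them against constructed attachment records, and resolves a message's disposition using the Purge-over-Delete precedence described for messages with more than one attachment. The FileFilter and Attachment classes, the grammar regex, and the true-type labels (DOCFILE, EXE, BMP) are this example's own assumptions, not product internals.

```python
# Added example, not Forefront code: an evaluator for the File Filter syntax
# this guide describes (<in>/<out> prefix, wildcard file names, size
# comparisons, File Types). Names, regex and type labels are assumptions.
import fnmatch
import operator
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
OPERATORS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
             "<=": operator.le, ">=": operator.ge}
# Purge outranks Delete, Delete outranks Identify, Identify outranks Skip:
# the guide notes that one Delete hit plus one Purge hit purges the message.
ACTION_RANK = {"Skip": 0, "Identify": 1, "Delete": 2, "Purge": 3}

# Assumed grammar: [<in>|<out>] name-pattern [op size unit]
FILTER_RE = re.compile(
    r"^(?:<(?P<direction>in|out)>)?"
    r"(?P<name>[^<>=]+?)"
    r"(?:(?P<op><=|>=|=|<|>)(?P<size>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB))?$",
    re.IGNORECASE,
)


@dataclass
class FileFilter:
    raw: str
    name_pattern: str
    direction: Optional[str]          # "in", "out" or None (both directions)
    size_op: Optional[str]
    size_bytes: Optional[float]
    file_types: Optional[Set[str]]    # None stands for the "All Types" choice
    action: str = "Delete"
    enabled: bool = True


@dataclass
class Attachment:
    name: str
    true_type: str    # detected type (e.g. "DOCFILE"), independent of the name
    size: int         # bytes


def parse_filter(text: str, file_types=None, action="Delete",
                 enabled=True) -> FileFilter:
    """Parse one File Names entry such as '<in>*.com>150KB' into a FileFilter."""
    m = FILTER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized filter syntax: {text!r}")
    size_bytes = None
    if m.group("op"):
        size_bytes = float(m.group("size")) * SIZE_UNITS[m.group("unit").upper()]
    direction = m.group("direction")
    return FileFilter(raw=text, name_pattern=m.group("name"),
                      direction=direction.lower() if direction else None,
                      size_op=m.group("op"), size_bytes=size_bytes,
                      file_types=set(file_types) if file_types else None,
                      action=action, enabled=enabled)


def filter_matches(f: FileFilter, att: Attachment, direction: str) -> bool:
    """True when an enabled filter matches this attachment travelling in `direction`."""
    if not f.enabled:
        return False
    if f.direction and f.direction != direction:
        return False
    # File Names and File Types work together: both parts must match.
    if not fnmatch.fnmatchcase(att.name.lower(), f.name_pattern.lower()):
        return False
    if f.file_types is not None and att.true_type not in f.file_types:
        return False
    if f.size_op and not OPERATORS[f.size_op](att.size, f.size_bytes):
        return False
    return True


def message_disposition(filters: List[FileFilter], attachments: List[Attachment],
                        direction: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return the strongest action across all matches plus the hits as
    (attachment name, filter text, action); 'Deliver' when nothing matched."""
    hits = [(att.name, f.raw, f.action)
            for att in attachments for f in filters
            if filter_matches(f, att, direction)]
    if not hits:
        return "Deliver", hits
    return max(hits, key=lambda h: ACTION_RANK[h[2]])[2], hits


if __name__ == "__main__":
    # Constructed sample filters and attachments, not real traffic.
    rules = [parse_filter("<in>*.com>150KB", action="Purge"),
             parse_filter("*.doc", file_types={"DOCFILE"}, action="Delete")]
    msg = [Attachment("report.doc", "DOCFILE", 20_000),
           Attachment("setup.com", "EXE", 200 * 1024)]
    print(message_disposition(rules, msg, "in"))   # ('Purge', [...two hits...])
```

A file renamed to .doc whose true type is EXE does not match a *.doc filter restricted to DOCFILE, which is the point of pairing File Names with File Types.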

Step 8: Setting Notifications

Why Notifications Are Important

E-mail notifications play a critical role in keeping Exchange users informed about changes that occur to their attachments due to virus cleaning and file filtering. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.

Note that by design, Forefront Security for Exchange Server never sends any notification for worm viruses. This is because worms are never legitimate communication and often come from spoofed addresses.

The product offers an extensive collection of customizable notification options. You should review this list and decide which of these notifications you wish to use.

Notification Type Description

Virus Administrators

Default: on (administrator address must be entered)

Alerts administrators of all viruses being detected on the server being protected by Forefront Security for Exchange Server. Typically, the notification is used for reporting the who, what, where, and when details of the virus, including its disposition.

Virus Sender (internal)

Default: on

Alerts the sender of the infection if the sender is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user’s own machine, who to call, and how to proceed.

Virus Sender (external)

Default: on

Alerts the sender of the infection if the sender is not a user in your organization.

Virus Recipients (internal)

Default: off

Alerts the recipient of the infection if the recipient is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user’s own machine, who to call, and how to proceed.

Virus Recipients (external)

Default: off

Alerts the recipient of the infection if the recipient is not a user in your organization.

File Administrators

Default: on (administrator address must be entered)

Alerts administrators of all files that satisfy the filtering criteria on the server being protected by Forefront Security for Exchange Server. Typically, the notification is used for reporting the who, what, where, and when details of the filtering performed, including the disposition of the attachment. This notification is also used for messages that are purged by a File Filter.

File Sender (internal)

Default: on

Alerts the sender of the filtered attachment if the sender is an Exchange user in your organization. This notification is also used for messages that are purged by a File Filter.

File Sender (external)

Default: on

Alerts the sender of the filtered attachment if the sender is not a user in your organization. This notification is also used for messages that are purged by a File Filter.

File Recipients (internal)

Default: off

Alerts the recipient of the filtered attachment if the recipient is an Exchange user in your organization. This notification is also used for messages that are purged by a File Filter.

File Recipients (external)

Default: off

Alerts the recipient of the filtered attachment if the recipient is not a user in your organization. This notification is also used for messages that are purged by a File Filter.

Worm Administrator

Default: on (administrator address must be entered)

Alerts administrators of all worm messages that are detected/purged by Forefront Security for Exchange Server.

Content Administrator

Default: on (administrator address must be entered)

Alerts administrators of all messages that are blocked by content filtering.

Content Sender (internal)

Default: on

Alerts the sender that a message was filtered by Sender or Subject Line Filtering if the sender is an Exchange user in your organization.

Content Sender (external)

Default: on

Alerts the sender that a message was filtered by Sender or Subject Line Filtering if the sender is not a user in your organization.

Content Recipients (internal)

Default: off

Alerts the recipient that a message was filtered by Sender or Subject Line Filtering if the recipient is an Exchange user in your organization.

Content Recipients (external)

Default: off

Alerts the recipient that a message was filtered by Sender or Subject Line Filtering if the recipient is not a user in your organization.

Keyword Administrators

Default: on (administrator address must be entered)

Alerts administrators of all messages that are filtered by Keyword Filtering.

Keyword Sender (internal)

Default: on

Alerts the sender that a message was filtered by Keyword Filtering if the sender is an Exchange user in your organization.

Keyword Sender (external)

Default: on

Alerts the sender that a message was filtered by Keyword Filtering if the sender is not a user in your organization.

Keyword Recipients (internal)

Default: off

Alerts the recipient that a message was filtered by Keyword Filtering if the recipient is an Exchange user in your organization.

Keyword Recipients (external)

Default: off

Alerts the recipient that a message was filtered by Keyword Filtering if the recipient is not a user in your organization.

Configuration Steps for Setting Notifications

Setting notifications is a two-step process. The Notification itself must be enabled and customized as needed. Then, the specific scan job or filter must have Notifications enabled. You must remember to check the Notifications box on each particular scan job in order to activate the Notifications.

The steps below describe configuring Notifications only. Open the Forefront Server Security Administrator and go to Report > Notification to get to the correct screen.



Enable or disable the Notifications. Check that the Notifications you wish to use are enabled and those you don’t wish to use are disabled. To change a setting, highlight the Notification and click the appropriate Enable or Disable button.


Enter addresses for administrator notifications. All administrator notifications must have recipient e-mail addresses defined for them. Enter one or more addresses in the To:, cc:, or bcc: address lines.


Customize the Notification Subject line and Body text. While default notification text is provided, you may want to customize each message. Edit the text in the appropriate areas to customize the text. You can enter additional automatic keyword fields by right-clicking and choosing Paste Keyword.


Click the Save button to have your settings take effect. You must also activate Notifications from within each specific scan job or filter.

TIPS, CONSIDERATIONS, and BEST PRACTICES

  • Notifications are an important way to inform your users about what has happened to their e-mail and/or file attachments. By carefully crafting your notification messages, you can help your end users understand what is happening, help alleviate any concerns, inform them who to contact for more information, etc. A well-crafted Notification can reduce help desk calls.

  • Consider the positive impact well-crafted notifications can have on security. If an internal user is detected as sending a virus, that means their machine is infected in some way. You may want your notification to provide explicit instructions such as “Please turn off your computer immediately and call the Emergency Virus Hotline at…” This will help stop the spread of viruses from that machine, or perhaps shut down the machine before files are lost or other damage is done.

  • If you are an administrator, you may not want to receive all the administrator notifications in your personal e-mail account. Instead, consider creating a special mailbox just to receive notifications from Forefront Security for Exchange Server. You may also want to use a Public Folder to provide access to multiple administrators or help desk staff. You can send notifications to multiple recipients, as needed.

  • When constructing your notification messages, you may wish to consult your Human Resources or Legal Departments about the message contents. This is particularly true for notifications that are designated for people outside of your organization, as there may be legal ramifications involved, as well as for notifications that are generated based on policy violations, such as from Keyword Filters.

  • Consider carefully if you want to send notifications to External Virus Senders. Viruses may be sent from spoofed or stolen e-mail accounts, resulting in Forefront Security for Exchange Server sending messages to people who have nothing to do with sending the virus in the first place. To reduce this impact, Forefront Security for Exchange Server never sends a notification for a virus designated as a worm, because these are always from either false or spoofed addresses.

Step 9: Incident Log Options

Why the Incident Log Is Important

The Incident Log keeps a record of any detection made by Forefront Security for Exchange Server, whether virus, file filter, etc. This provides a critical record of information should you need to search for a particular event, such as checking if a message to a particular user was purged.

The Incident Log screen allows you to view incidents, search among them, export the log, view statistics, and set purge times.

Configuration Steps for the Incident Log

The Incident Log is activated by default. However, there are settings you may wish to make and functions you should be aware of. Open the Forefront Server Security Administrator and go to Report > Incidents to get to the correct screen.



View and sort incidents. Incidents will be displayed on the screen. By clicking the columns you can sort data based on that column heading.


Set the Incident Log Purge time. The Incident Log can grow very large. When this happens, performance can be affected. To keep the log from growing too large, you can set a Purge time. Click the Purge After check box and choose how many days of Incident Log data you wish to retain.

Use the filter to locate items. When searching for a specific Incident, the Filtering field can be very helpful. Mark the check box, select a column category, and then enter specific filter text. Wildcards are available for the Filtering field. Consult the Forefront Security for Exchange Server User Guide for details. You must click the Save button for your filter settings to take effect. For example, you may wish to examine only virus incidents. To do so, set the Filter Column to “Incident” and enter “Virus” in the Filter box. Click Save and the result will be a list of all virus detections.

Click the Save button to have your settings take effect.

TIPS, CONSIDERATIONS, and BEST PRACTICES

  • The Incident Log provides the ability to export the log into a TXT or delimited file (for viewing in a spreadsheet). To export, click the Export button. Note that if you are using a filter on the Incident Log, only the filtered data set will be exported. This allows you to greatly reduce the amount of data exported, allowing for easier data analysis. For example, you may wish to examine only virus incidents. To do so, set the Filter Column to “Incident” and enter “Virus” in the Filter box. Click Save and the result will be a list of all Virus detections, ready for exporting.

Step 10: Quarantine Options

Why the Quarantine Is Important

Quarantine allows you to store messages and/or attachments that Forefront Security for Exchange Server has detected as infected or matching a particular filter. The quarantined items can be inspected and, if need be, released to the intended recipient, redirected elsewhere, or deleted. Quarantined files are stored in an encoded format in the Quarantine folder in the Forefront Security for Exchange Server installation folder.

The Quarantine screen allows you to check for items, search among them, deliver them, export them for viewing, and set purge times.

Configuration Steps for the Quarantine

The Quarantine itself does not need to be activated. Whether or not items are quarantined is set on every specific scan job or filter. However, there are settings you may wish to make and functions you should be aware of on the Quarantine screen. Open the Forefront Server Security Administrator and go to Report > Quarantine to get to the Quarantine screen.

View and Sort Quarantined items. Quarantined items will be displayed on the screen. By clicking the columns you can sort data based on that column heading.

Set the Quarantine Purge time. The Quarantine can grow very large, especially if you are quarantining spam. When this happens, performance can be affected. To keep the Quarantine from growing too large, you can set a Purge time. Click the Purge After check box and choose how many days of Quarantine data you wish to retain.

Use the filter to search for items. When searching for a specific Quarantine item, the Filtering field can be very helpful. Mark the check box, select a column category, and then enter specific filter text. Wildcards are available for the Filtering field. Consult the User Guide for details. You must click the Save button for your filter settings to take effect.

For example, you may wish to examine only virus incidents. To do so, set the Filter Column to “Incident” and enter “Virus” in the Filter box. Click Save and the result will be a list of all Virus detections.

Deliver items as needed. If a particular message or attachment needs to be delivered, highlight the item and click the Deliver button. The pop-up window will allow you to deliver the item to the original recipient(s) or redirect it elsewhere. All items released from Quarantine are re-scanned for viruses, to prevent release of a known virus. If a released item is found to contain a virus, it is returned to the Quarantine. See the “Tips” section below for other aspects of released items.

Click the Save button to have your settings take effect.

TIPS, CONSIDERATIONS, and BEST PRACTICES

  • Entire messages are stored only for File Filters (when the filter is set to Purge) and Content Filters. For virus-infected attachments, only the attachment is stored (the message is delivered). A worm message is purged and never quarantined.

  • There are two delivery modes for the Quarantine. Secure Mode will re-scan items with content filters when they are released. Compatibility Mode will not. For instance, if you have set a File Filter to block EXE files and you release an EXE file from the Quarantine, Secure Mode will cause the item to be re-blocked and Compatibility Mode will allow the item to be delivered. In all cases, anything released from the Quarantine is re-scanned for the presence of viruses and the message or attachment is blocked if a virus is detected. The Mode setting is changed in the General Options panel.

  • The Quarantine can store items in two ways: as a single EML file or as separate messages and attachments. When storing as an EML file, Microsoft® Outlook Express is needed to view the message and attachment (after saving it to a separate file outside the Quarantine). Without Outlook Express, it will be very difficult to extract the file from within the EML format. If you do not wish to use Outlook Express, then by storing items separately you can view the message body as a text file and/or retrieve the attachment directly. To set how items are stored, go to the General Options panel and use the drop-down list under Quarantine Messages.
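To inspect an exported EML without Outlook Express, the following Python script (an added example, not part of this guide or of the product) parses the file with the standard-library email module and reports each attachment's name, content type, size and SHA-256 hash without writing the attachment to disk. The message it builds is a constructed sample standing in for an item saved out of the Quarantine folder.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage


def build_sample_eml() -> bytes:
    """Constructed sample: a message with a text body and one binary attachment.

    Stands in for an EML saved to a file outside the Quarantine; the attachment
    bytes are arbitrary filler, not a real file of any kind.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please find the report attached.")
    msg.add_attachment(b"\x00\x01\x02" * 20, maintype="application",
                       subtype="octet-stream", filename="report.exe")
    return msg.as_bytes()


def inspect_eml(raw: bytes) -> dict:
    """Parse an EML and return its headers, plain-text body and attachment metadata.

    Each attachment payload is decoded in memory, measured and hashed; nothing is
    written to disk or opened, so the analyst sees what is inside safely.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body": body,
        "attachments": attachments,
    }


if __name__ == "__main__":
    report = inspect_eml(build_sample_eml())
    print(f'{report["from"]} -> {report["to"]}: {report["subject"]}')
    for a in report["attachments"]:
        print(f'  {a["filename"]}: {a["content_type"]}, {a["size"]} bytes, sha256 {a["sha256"]}')
```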

Step 11: General Options Review

Forefront Security for Exchange Server provides many settings through the General Options panel. Many of these are used only in specific instances or for specific needs. This section provides a brief overview of the General Options. For full details, consult the Forefront Security for Exchange Server User Guide.

Security administrators should review the General Options carefully because they may help address specific security needs. Where appropriate, best practices have been outlined below. However, these are general guidelines only. Consider all the options available as they may be needed in your particular environment.

The General Options are located under the “Settings” menu.

Diagnostics

The Diagnostics section allows you to turn on advanced logging for troubleshooting situations. These diagnostics should only be used when directed by Microsoft support. An Archive feature allows copies of all inbound and outbound mail to be saved to an archive folder. Critical Notifications provides e-mail notifications in the event of a key Forefront service failure or restart.

Best Practices:

  • Select the Notify on Startup option.

  • The e-mail addresses of appropriate recipients should be added to the Critical Notification List.

Logging

The Logging settings allow Forefront Security for Exchange Server to generate detailed logging information. While not as detailed as the Diagnostics logging, these logging functions retain important historical information about the program’s environment.

Best Practices:

  • Make the same selections as shown below.

  • Enter a value for Max Program Log Size. If kept at 0, the Program Log may grow too large and begin to cause performance issues.

[Screenshot: recommended Logging settings]

Scanner Updates

The Scanner Update settings are used to customize how engine updates are performed, as well as providing notifications about updates. The majority of these settings are used on an as-needed basis.

Best Practices:

  • Choose Perform Updates at Startup. This ensures that if any server running Forefront Security for Exchange Server is inoperative for a long period of time, the program will immediately begin to download new scan engines upon startup.

Scanning

The Scanning settings are a critical part of Forefront Security for Exchange Server and should be carefully reviewed by security administrators. This extensive portion of the General Options covers areas such as what kind of message scanning should be performed, how certain file types should be handled (such as compressed files, corrupt files, nested ZIP files, etc.), scanner time-out settings, quarantine behavior, and some important infrastructure settings, such as entering lists of internal domains to help distinguish internal from external e-mail. The default values provided will work in most environments. The “Best Practices” section below refers only to items that are not enabled by default but may be desirable in your network.

[Screenshot: a portion of the Scanning settings.]

Best Practices:

  • Choose Scan Doc Files as Containers on both the Transport Scan Job and Realtime Scan Job. This provides deep scanning of .doc files and others that use the OLE embedded data format (such as .xls, .ppt). These files may have other files embedded in them. There is a performance impact associated with this practice, but it provides a more complete level of scanning.

  • Choose Purge Message if Message Body Deleted – Transport. In some instances, part or all of a message body will be deleted because it is considered a virus, but the message may still be delivered with Deletion Text replacing the removed contents. This can cause confusion or concern among recipients. By selecting this option, the entire message is deleted and the user never sees it. It is not very likely that the message contains any valid information.

  • Make sure to fill out the Internal Address field with all of your internal mail domains. This is necessary for Forefront to properly determine e-mail direction.

Background Scanning

These settings are discussed in Step 6: Configuring the Background Scan Job.