Chapter 1 - Introducing Microsoft Antigen for Exchange
Applies to: Microsoft Antigen
Topic Last Modified: 2010-02-25
In Microsoft® Exchange Server, viruses can enter the environment from file attachments to e-mail messages, e-mail bodies, and public folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange SMTP stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real-time, with minimal impact on server performance or delivery times of messages. Microsoft Antigen for Exchange Version 9 is the solution for protecting Exchange environments.
Antigen is uniquely suited for the Microsoft Exchange 2000 Server and the Microsoft Exchange Server 2003 environments. Antigen uses the Exchange VSAPI to tightly integrate with the Exchange servers to provide seamless protection.
Antigen provides powerful content filtering features that include:
Keyword message body filtering.
Mail host filtering with Real-Time Blackhole List (RBL) integration.
File and content filtering that includes filter lists to help administrators manage large groups of filters.
Antigen also supports the optional Antigen Spam Manager. This add-on module helps administrators to minimize the number of spam e-mail messages that enter their Exchange environments.
The Antigen Spam Manager enhances Antigen’s content filtering by providing:
Support for the Cloudmark anti-spam engine.
Support for Exchange 2003 anti-spam features.
- Identify: Tag Message options for suspected spam message tracking and identification.
Keyword filter options.
Junk Mail folders for Microsoft Office Outlook® users.
Antigen also integrates with the Microsoft Antigen Enterprise Manager (AEM). The AEM provides administrators with central installation and reporting functionality and central administration of Antigen on all servers in their environments.
Antigen provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2000 and 2003 environments.
When performing a file-level antivirus scan on a server operating system, you must omit the following program folders from the scan to prevent corruption of Antigen:
Drive:\Program Files\Sybari Software\Antigen for Exchange
- Drive:\Program Files\Exchsrvr
- Drive:\InetPub\Mailroot (Exchange 2003 only)
The file-level antivirus scan can also cause a conflict when Antigen tries to scan e-mail messages.
When Antigen scans a file or an e-mail message, the following tasks are performed in the order that they appear:
Allowed senders scan—If the allowed senders list functionality is enabled, Antigen compares the message sender's domain or address to the allowed senders list. If a message is from a domain or address in the allowed senders list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.
You can configure the allowed senders list functionality to bypass specific types of filters, such as keyword filters, file filters, and content filters, or you can bypass all filters.
For more information about allowed senders lists, see "Creating allowed senders lists" in Chapter 15 - Using keyword filtering.
Cloudmark engine scan—The Cloudmark engine compares the message contents against a database of known spam. For more information about the Cloudmark engine, see Chapter 17 - Antigen Spam Manager overview.
Mailhost filtering scan—Mailhost filtering filters messages from specific IP addresses or from specific server names. Mailhost filtering consists of the following lists:
- RBL servers list—Contains server names and IP addresses that are known to originate spam or are spam open relay hosts. Antigen compares the message sender to the RBL servers list to determine whether the message was sent from a spam server.
- Allowed mailhosts list—Contains server names and IP addresses that are considered safe. Antigen compares the message sender to this list to determine whether the message sender is considered safe. If a message is from a server or IP address in the allowed mailhosts list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.
- Rejected mailhosts list—Contains server names and IP addresses that have been blocked. Antigen compares the message sender to the rejected mailhosts list to determine whether the message sender has been blocked.
For more information about mailhost filtering, see Chapter 14 - Using mailhost filtering.
Content filtering scan—Content filtering includes the following filters:
- Sender-domains filtering—When sender-domain filtering is enabled, Antigen compares the message sender to the senders and domains that are in the sender-domains filter list.
- Subject line filtering—When subject line filtering is enabled, Antigen compares the contents of the message's subject line to the words in the subject line filter list.
For more information about content filtering, see Chapter 13 - Using content filtering.
Keyword filtering scan—When keyword filtering is enabled, Antigen compares the contents of the message to any keyword filter lists that have been created. For more information about keyword filtering, see Chapter 15 - Using keyword filtering.
Attachment scan—If the e-mail message has an attachment, Antigen scans it for worms and viruses:
- Worm purge—The worm purge tool maintains the WormPrge.dat file, which contains a list of known worms. This list is regularly updated and maintained by Antigen. The contents of the message are compared to the list of known worms.
For more information about worm purging, see Chapter 16 - Purging messages infected by worms.
- File filtering—When file filtering is enabled, Antigen compares the contents of the message to the file filter list. The file filter list provides you with the ability to search for attachments with a specific name, type, and size within an e-mail message.
For more information about file filtering, see Chapter 12 - Using file filtering.
- Virus cleaning—Antigen uses multiple virus scan engines to determine whether the attachment contains a virus. For more information about using multiple scan engines, see Chapter 5 - Using multiple scan engines.
Body scan—The body of the message is compared to the worm list that is maintained in the WormPrge.dat file. If no worms are found, Antigen then scans the body of the message for viruses.
The most current Microsoft Antigen for Exchange documentation, including the Microsoft Antigen for Exchange Quick Start Guide, the Microsoft Antigen for Exchange Best Practices Guide, the Microsoft Antigen for Exchange Cluster Installation Guide, and the Microsoft Antigen Spam Manager Best Practices Guide, is available at the Microsoft Antigen TechNet Library.