The standard Forefront for Exchange license includes the following virus scan engines:

• Kaspersky Labs
  
• InoculateIT and Vet (both from CA)
  
• Sophos
  
• Authentium
  
• Ahn Labs
  
• VirusBuster
  
• Microsoft Anti-Malware Engine
  

You can configure up to five scan engines to run at the same time and in different combinations across the system. This diversity of scan engines and signatures provides additional protection and increases the probability of malware detection.

Forefront also includes the following features:

• Layered protection in messaging infrastructure and checkpoints for message traffic at the Edge (if present), Hub, and Mailbox roles
  
• A secure antivirus header stamp that is written on each message and that is scanned the first time at the edge or hub transport
  

  Note:
  To increase the efficiency of scanning messages, later scans at the hub or at the store check the stamp. This process bypasses rescanning unless an administrator explicitly requests a scan or a signature update occurs.

• Support for Microsoft Exchange Server 2007 SCC and CCR configurations to make sure that both nodes have updated configuration and signatures
  

  Note:
  Failover of the Exchange cluster does not affect the security of the message traffic. Additionally, failure of one scan engine does not affect other scan engines.

• Heuristic capabilities that detect malicious code based on behavioral characteristics (file/attachment filtering by file name, by extension, and so on)
  
• Enabling of the enterprise CAL to provide premium anti-spam capabilities, such as an Exchange Server 2007 IP reputation filter, daily automated content filtering updates, and targeted spam signature data several times every day
  
• Extensive reporting and analysis capabilities (customizable notifications for the message sender or recipient)
  
• A single console that provides centralized deployment, configuration, and update capabilities in large environments
  

  Note:
  Localization occurs in 11 languages. This lets administrators manage e-mail security in their local language.

Forefront scanning can be enabled on the Edge Transport, Hub Transport, and Mailbox servers. Any messages that are received by users in this topology are scanned either at the edge transport or at the hub transport, depending on the origin of the message. For example, a message that originates from an external recipient is scanned at the Edge Transport server before it is delivered to the recipient.

Messages from internal senders or from the Unified Messaging server are scanned at the first Hub Transport server in the delivery path. User mailboxes and public folders can also be scanned either proactively or reactively at the store level on the Mailbox server.

The minimum system requirements for a server installation of Forefront for Exchange are as follows:

• X64 architecture computer that has processors that support the Intel EM64T or AMD64 platform
  
• Windows Server 2003
  
• Microsoft Exchange
  
• 1 gigabyte (GB) of RAM recommended (more RAM for additional licensed scan engines)
  
• 300 MB of available hard disk space
  

FrontPage for Exchange can be installed on the local computer on which Setup is run. You can also install the program on remote computers to enable efficient deployment. You also have the option of performing a "Client – Admin Console only" installation to let administrators install the Forefront management console on their workstations.

On the Select Engines screen, Setup always selects the Microsoft Anti-Malware Engine. Setup also randomly selects four other engines, which you can change on this screen. You can select a maximum of five engines. This includes the Microsoft Anti-malware engine.

Forefront for Exchange recognizes Windows Server 2003 active or passive clusters. On a cluster, Forefront for Exchange must be installed on each node. All configuration data (scan jobs, notifications, and so on) and signature files are associated with the clustered mailbox server (CMS) object. Therefore, the data is configured and replicated to each node. When you apply Exchange service packs and hotfixes, we recommend that Forefront be "unhooked" from Exchange. This is done by using the FSCUtility tool. This tool is available in the Forefront installation folder. Use the following syntax:

FSCUtility /disable

After the installation is complete, Forefront can be re-enabled by using the following syntax:

FSCUtility /enable

Virus Scanning: Forefront can scan messages by using various types of antivirus engines and scan types (on-access, manual, background, and so on). You can specify the level of bias in scanning and the action to take when infection is found (skip, clean, or delete). Forefront can scan nested attachments and compressed files.

File Filtering: Forefront can filter based on file names or file types, such as .exe or MP3. Filtered files can be quarantined. You can specify custom deletion text for notifications to the sender and to the recipient.

Content Filtering: Forefront can filter content based on sender domains, subject lines, MIME headers, and so on, for incoming messages. Forefront can also create and import custom filter lists, and use the lists for content filtering. Messages can also be filtered based on keywords in the message body.

Transport Scanning: This scan is performed at the first Edge Transport or Hub Transport server in the path of the message. After a message is scanned, a secure, antivirus header is stamped on it. Later scans at the next Hub Transport or Mailbox server check for this header. If the header is present, the message is not rescanned. When the message is submitted to the store, this header information is added as a MAPI property, and the header is stripped.

Store Scanning: Forefront contains two categories of store scans: Automatic scans (no user scheduling or intervention required), and on-demand scans.

Each of these categories supports the following multiple types of scans.

In scenarios such as a widespread virus infection or a suspected virus in the wild, administrators may have to increase scanning in the store. In Forefront, they can do this in the following ways.

Scan on Scanner Update (Outbreak Mode): This mode automatically enables proactive scanning. Every that time a scan engine signature is updated, the virus engine version number is incremented. Because the transport scan virus engine version number is always 1 (one), the message antivirus header is always outdated when it reaches the store. Therefore, the header causes the message to be re-scanned on submission. Messages are rescanned on access if any of the engines are updated in the intervening period. This mode of scanning has a significant effect on server performance, and it should be activated only after careful consideration.

To enable this feature, click Settings, and then click Options in the Forefront management console.

DisableAVStamping: This mode disables creating an antivirus scan header during the transport scan. You can enable the DisableAVStamping mode by changing the following registry subkey:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

In this subkey, set the value of the DWORD DisableAVStamping to 1.

This value must be set on every hub and edge transport server. Messages will be scanned at the transport, but they will not be stamped. Messages arrive at the store marked "un-scanned." Then, they are scanned on first access. The transport and store scanning can be configured to use different scan engines to provide better protection.

Background Scan with "Scan on Scanner Update" (Ultimate Security Mode): This mode provides the highest level of security among the available modes. Background scanning starts every time that a scan engine is updated. Mailboxes continue to be scanned sequentially as scan engines are updated. This avoids the problem in which a scan finishes an initial pass of mailboxes before an engine update occurs. The update restarts the scan so that the process returns to the first mailbox and rescans all the mailboxes in the first pass. Those mailboxes then are scanned repeatedly, and the remaining mailboxes are never scanned. Additionally, messages are scanned upon submission to the store. Then, they are rescanned on access if an engine update occurs after the submission scan. Ultimate Security mode is the most resource-intensive of all scanning modes.

Ultimate Security mode is enabled from the Forefront management console. To do this, enable Scan on Scanner Update mode, and then select Enable Background Scan if 'Scan on Scanner Update' Enabled.

Forefront for Exchange provides a parameter named Bias that lets you maintain the desired balance between scanning performance and security. Using this parameter has the following advantages:

• Maximum performance: A scan of every item by using only one of the selected engines to provide the best performance but the least certainty
  
• Favor Performance: A scan of every item that uses any number of randomly selected scan engines from one engine to one-half of the selected engines
  
• Neutral: A scans of every item that uses at least one-half of the selected engines
  
• Favor Certainty: A scan of every item that uses any number of randomly selected scan engines from one engine to one-half of the selected engines
  
• Maximum Certainty: A scan of every item by using all the selected engines to provide the worst performance but the most certainty
  

For more information about multiple scan engines, see the white paper, Multiple Scan Engine Advantage and Best Practices for Optimal Security and Performance.

For more information about how to use Forefront Security for Exchange Server, see the following topics:

Forefront Security for Exchange Server Best Practices Guide

Forefront Security for Exchange Server 2007 User Guide