Monitoring performance and health

 

Applies to: Forefront Protection for Exchange

You can monitor your Forefront Protection 2010 for Exchange Server (FPE) environment by viewing statistics and health monitoring reports. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Monitoring and under Server Security Views, click Dashboard.

In the Server Security Views - Dashboard pane, you can view the following information:

  • The name of the computer running Exchange server.

  • Health monitors. You can monitor the health of your scan jobs, services, engines, and licensing.

  • Summary performance monitors. For each scan job type, there is a pie chart showing the number of scanned messages that contained malware and the number of scanned messages that matched each filter type (file, keyword, subject line, and sender-domain). The total number of messages scanned is also listed along with the date and time that the data was last refreshed.

Monitoring the health of your system

You can monitor the health of FPE by viewing the health monitors at the top of the Dashboard. There are four types of health monitors:

  • Scan Jobs—Monitors the current state of your scan jobs.

  • Services—Monitors the current state of FPE services.

  • Engines—Monitors the current state of your scan engines.

  • Licensing—Monitors the current state of your FPE license.

Viewing health item details

Each of the monitors has an associated Show details link. To see the underlying details, click Show details. This displays summary icons and underlying details.

The summary icons are as follows:

  • Healthy—A green circle with a check mark. This indicates good health and that no action is required.

  • Warning—A yellow triangle with an exclamation mark. This indicates a less than ideal situation that likely bears close monitoring.

  • Error—A red circle with an "X". This indicates an error that may require fixing.

  • Unknown—A gray shield. This indicates that FPE has not yet reached the scheduled health check interval, is not able to determine the current health, or that the item is not defined for your system. An event is generated as soon as FPE determines the health status.

The underlying details are as follows:

  • Health Point—Tells you what is being monitored, for example Realtime scan processes.

  • Last Refresh—Tells you the last time the health point was checked.

  • Message—Tells you the current status of the health point being monitored, including information about any problems that the monitor encountered.

Note

If FPE either has not yet reached the scheduled health check interval or was not able to determine the current health of the health point, there is no message. A message is generated as soon as FPE determines the health status.

About the health points

Note

To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

These are the scan job health points that FPE monitors and the recommended resolution when a health point is not green (healthy):

Transport scan enabled

  • Description: Monitors whether the transport scan has been enabled.

  • Resolution: Enable transport scanning through the FPE Administrator Console or by entering Windows PowerShell commands in the Forefront Management Shell.

Edge transport hooked

  • Description: Monitors whether the Microsoft Exchange Transport service is running and the Forefront agent is registered.

  • Resolution:

    • Make sure you are using a build of Exchange that is supported by FPE or update your version of FPE to support the build of Exchange you are running.

    • Verify that Exchange PowerShell is operational on the server.

    For Edge and Hub servers on Exchange 2007:

    • The Network Service account should have read, write, and list permissions to the following folders:

      • Program Files\Microsoft\Exchange Server\V14\TransportRoles\agents

      • Program Files\Microsoft\Exchange Server\V14\TransportRoles\shared

    • Refer to the program log to retrieve the exact cause of why the agent failed to register or contact Customer Support Services for help in pinpointing the error.

Transport scan processes

  • Description: Monitors whether the transport scan processes are running normally.

  • Resolution: Restart the Microsoft Exchange Transport service.

Selected transport engine initialization

  • Description: Monitors whether all engines selected for the transport scan have been initialized.

  • Resolution: Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the Universal Naming Convention (UNC) configuration settings are appropriate.

Realtime scan enabled

  • Description: Monitors whether the realtime scan has been enabled.

  • Resolution: Enable realtime scanning through the FPE Administrator Console or by entering Windows PowerShell commands in the Forefront Management Shell.

Information store hooked

  • Description: Monitors whether the Microsoft Exchange Information Store service is running and the Forefront VSAPI library is registered.

  • Resolution: Analyze the event log for details regarding the error.

Realtime scan processes

  • Description: Monitors whether the realtime scan processes are running normally.

  • Resolution: Restart the Microsoft Exchange Information Store service.

Selected realtime engine initialization

  • Description: Monitors whether all engines selected for the realtime scan have been initialized.

  • Resolution: Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate.

Selected scheduled engine initialization

  • Description: Monitors whether all engines selected for the scheduled scan have been initialized.

  • Resolution: Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate.

These are the services health points that FPE monitors and the recommended resolution when a health point is not green (healthy):

Eventing service

  • Description: Monitors whether the eventing service is functioning.

  • Resolution: Start the Microsoft Forefront Server Protection Eventing Service.

Monitor service

  • Description: Monitors whether the monitoring service is functioning.

  • Resolution: Start the Microsoft Forefront Server Protection Monitor service.

E-mail pickup service

  • Description: Monitors whether the e-mail pickup service is functioning.

  • Resolution: Start the Microsoft Forefront Server Protection Mail Pickup Service.

Available disk space

  • Description: Monitors the amount of disk space remaining.

  • Resolution: Clear disk space on the server running Exchange and FPE.

These are the engines health points that FPE monitors and the recommended resolution when a health point is not green (healthy):

Spam definition update

  • Description: Monitors whether the spam engine definitions were updated, and how recently. For information about spam engine updates, as opposed to spam engine definition updates, see Viewing engine summary information.

  • Resolution: Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate.

Selected engines updated

  • Description: Monitors whether the engines that were selected for scan jobs were also selected for updates.

  • Resolution: Ensure that the engines selected for updating match the engines selected for scanning.

All engine updates enabled

  • Description: Monitors whether the engines that were selected for updating were successfully updated.

  • Resolution: Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate.

Selected engines update period

  • Description: Monitors whether the engines that were selected for updating were updated recently.

  • Resolution: Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate.

This is the licensing health point that FPE monitors and the recommended resolution when a health point is not green (healthy):

License status

  • Description: Monitors whether your license is still valid, is nearing expiration, or has expired.

  • Resolution: Enter the product key in the FPE Administrator Console or by entering Windows PowerShell commands in the Forefront Management Shell. If you do not have a product key, contact your Microsoft sales representative or visit the Pricing and Licensing site.
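
The service and folder-permission resolutions listed for the scan job and services health points can be checked from Windows PowerShell before you restart or reconfigure anything. The following script is an added example, not part of the original topic or of FPE; it only reads state. The service display names and folder paths are the ones given above, and the %ProgramFiles% root is an assumption (default installation drive).

```powershell
# Added example (not Microsoft's code): read-only checks for the service and
# folder-permission resolutions above. Display names and folder paths come from
# this page; the %ProgramFiles% root assumes a default installation.

function New-CheckResult($Check, $Item, $Result) {
    New-Object PSObject -Property @{ Check = $Check; Item = $Item; Result = "$Result" }
}

$results = @()

# 1. Services named in the Resolution entries (wildcard covers the three FPE services).
$patterns = 'Microsoft Exchange Transport',
            'Microsoft Exchange Information Store',
            'Microsoft Forefront Server Protection*'
foreach ($pattern in $patterns) {
    $found = @(Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        $results += New-CheckResult 'Service' $pattern 'NotFound'
    }
    foreach ($svc in $found) {
        $results += New-CheckResult 'Service' $svc.DisplayName $svc.Status
    }
}

# 2. Explicit Allow entries for Network Service (well-known SID S-1-5-20).
$sidType  = [System.Security.Principal.SecurityIdentifier]
$required = [int][System.Security.AccessControl.FileSystemRights]'Read, Write, ListDirectory'
$root     = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14\TransportRoles'
foreach ($leaf in 'agents', 'shared') {
    $path = Join-Path $root $leaf
    if (-not (Test-Path $path)) {
        $results += New-CheckResult 'FolderAcl' $path 'FolderNotFound'
        continue
    }
    $granted = 0
    foreach ($rule in (Get-Acl $path).GetAccessRules($true, $true, $sidType)) {
        # Inherit-only entries apply to children, not to the folder itself.
        $applies = "$($rule.PropagationFlags)" -notmatch 'InheritOnly'
        if ($rule.IdentityReference.Value -eq 'S-1-5-20' -and
            "$($rule.AccessControlType)" -eq 'Allow' -and $applies) {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
    }
    # Rights granted only through a group, and Deny entries, are not evaluated here.
    if (($granted -band $required) -eq $required) {
        $state = 'ExplicitGrantPresent'
    } else {
        $state = 'NoExplicitGrant'
    }
    $results += New-CheckResult 'FolderAcl' $path $state
}

$results | Format-Table Check, Item, Result -AutoSize
```

A NoExplicitGrant result means the folder has no direct Allow entry for Network Service covering read, write, and list; review the folder's full access control list before changing permissions.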

Viewing engine summary information

You can monitor engine summary information for FPE by viewing the Engines health monitor, and then selecting Engine Summary.

In the Engine Summary dialog box, you can view the following information about engine and definition updates:

  • Engine—The scan engine, for example Microsoft Antimalware Engine.

  • In Use—Indicates whether the engine is in use with a scan job.

  • Updates Enabled—Indicates whether updating is enabled (Yes) or disabled (No) for the engine.

  • Engine Version—The version of the engine.

  • Definition Version—The version of the malware definition files currently in use by the engine. (This data may not be available for every engine.)

  • Last Update—The date and time of the last successful or failed update of the engine or definition files. Failed updates appear in red text.

  • Last Check—The date and time of the last check made for a new engine or definition update.

    Note

    For the Cloudmark Antispam Engine, the Last Update and Last Check fields only show the date and time of the last successful or failed engine update. Updates of the spam definition files are shown via the Spam definition update health point.

Note

You can sort any of the columns alphabetically by clicking the column's heading. For information about changing how the engine and definition files are updated, see Configuring engine and definition updates.

Customizing the Dashboard view

You can customize which items appear on the Server Security Views – Dashboard pane.

To customize the Dashboard view

  1. In the Actions section, click Control Gallery.

  2. In the Control Gallery dialog box, select which items you want to appear on the Server Security Views – Dashboard pane. A check mark next to the item indicates that it is displayed; no check mark indicates that it is hidden (you can also click the red X box, associated with each item, to remove it from the view).

  3. Click Exit to close the Control Gallery dialog box.

Monitoring performance by viewing statistics

You can monitor the performance of FPE by viewing the statistics in the Dashboard. If you need the statistics broken down further, you can view detailed malware statistics, detailed filtering statistics, and detailed spam statistics.

Note

Statistics data (for instance, the total number of messages processed by content filtering) is accumulated from the time you begin using FPE, unless you reset the data as explained later in this topic.

Viewing detailed malware statistics

To see statistics about messages with malware, click Monitoring and under Server Security Views, click Malware Details. In the Server Security Views - Malware Details pane, the details are broken out by scan job type: transport, realtime, scheduled, and on-demand. You can sort any of the columns by clicking its heading. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

  • Malware detected in messages—The total number of messages that contained malware. This data only applies to transport scans.

  • Malware detected in message parts—The total number of message parts (for example, attachments or files included within container files) that contained malware.

  • Purged messages—The total number of messages purged from your mail system due to malware detections.

  • Deleted message parts—The total number of message parts deleted and replaced with deletion text due to malware detections.

  • Cleaned message parts—The total number of message parts cleaned due to malware detections.

  • Skipped message parts—The total number of message parts detected and logged as containing malware, with no other action taken.

  • Quarantined messages—The total number of full messages quarantined due to malware detections. This data only applies to transport scans.

  • Quarantined message parts—The total number of message parts quarantined due to malware detections.

Viewing detailed filtering statistics

To see statistics about messages that matched filters, click Monitoring and under Server Security Views, click Filtering Details. In the Server Security Views - Filtering Details pane, the details for the various filter matches are broken out by scan job type: transport, realtime, scheduled, and on-demand. You can sort any of the columns by clicking its heading. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

  • Messages scanned—The total number of messages scanned. This data only applies to transport scans.

  • Message parts scanned—The total number of message parts (for example, attachments or files included within container files) scanned.

  • Messages containing filter matches—The total number of messages that matched filters. This data only applies to transport scans.

  • Message parts containing filter matches—The total number of message parts that matched filters.

  • Messages purged due to filter matches—The total number of messages purged from your mail system due to filter matches. This data only applies to transport scans.

  • Message parts deleted due to filter matches—The total number of message parts deleted and replaced with deletion text due to filter matches.

  • Message parts skipped after filter matches—The total number of message parts detected and logged due to filter matches, with no other action taken.

  • Filter matches quarantined as full messages—The total number of full messages quarantined due to filter matches. This data only applies to transport scans.

  • Filter matches quarantined as individual message parts—The total number of individual message parts quarantined due to filter matches.

Viewing detailed spam statistics

To see statistics about spam, click Monitoring and under Server Security Views, click Spam Details. In the Server Security Views - Spam Details pane, the details are broken out by the spam filtering type: Connection Filtering, SMTP Filtering, Content Filtering, and Backscatter Filtering. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

Connection Filtering

  • Messages processed by connection filtering—The total number of messages processed by the connection filter.

  • Messages blocked by IP block list—The total number of messages blocked by the IP block list.

  • Messages blocked by DNS block list—The total number of messages blocked by the DNS block list.

SMTP Filtering

  • Messages processed by SMTP filtering—The total number of messages processed by SMTP filtering.

  • Messages blocked by sender filtering—The total number of messages blocked by sender filtering.

  • Messages blocked by sender ID filtering—The total number of messages blocked by sender ID filtering.

  • Messages blocked by recipient filtering—The total number of messages blocked by recipient filtering.

Content Filtering

  • Messages processed by content filtering—The total number of messages processed by content filtering.

  • Messages rejected by content filtering—The total number of messages rejected by content filtering.

  • Messages deleted by content filtering—The total number of messages deleted by content filtering.

  • Messages quarantined by content filtering—The total number of messages quarantined as spam by content filtering.

Backscatter Filtering

  • Messages processed by backscatter filtering—The total number of messages processed by backscatter filtering.

  • Messages blocked by domain rejection list—The total number of messages blocked by the domain rejection list.

  • Messages allowed by domain exclusion list—The total number of messages allowed by the domain exclusion list.

  • Messages blocked by backscatter agent—The total number of messages blocked by backscatter filtering.

Resetting statistics data

You can reset malware, filtering, and spam statistics in order to begin a fresh count.

  • In the Server Security Views - Malware Details pane or the Server Security Views - Filtering Details pane, in the Actions section, click the action to Clear Transport Statistics, Clear Realtime Statistics, Clear Scheduled Statistics, or Clear On-Demand Statistics. Regardless of which pane you are in, this clears the statistics for both malware and filtering for the selected scan job.

  • In the Server Security Views - Spam Details pane, in the Actions section, click the action to Clear Spam Statistics.

  • To reset all statistics (malware, filtering, and spam) for all scan jobs, in the Server Security Views - Dashboard pane, in the Actions section, click the action to Clear All Statistics.

Clicking these actions clears all malware and filtering data for the selected scan job, clears all spam data, or clears all data. Depending on which action option you selected, the statistics for the Dashboard and the associated details reports (Malware Details, Filtering Details, or Spam Details) are reset to zero.

See Also

Concepts

Using Windows Performance Monitor