E-mail notifications

 

Applies to: Forefront Security for Exchange Server

E-mail notifications are critical in keeping Exchange users informed about changes that occur to their attachments due to virus cleaning and file filtering, or informing users of infections that exist when a virus is detected and not cleaned. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.

How notifications are sent

Forefront Security for Exchange Server utilizes SMTP messaging for notification purposes, placing the message in the SMTP service Pickup folder and resolving the Exchange name with the Active Directory® directory service. By default, the server profile used for this purpose is: **Forefront_**Server_Name. For example: Forefront_EX_Server1. To change the server profile, you must modify the FromAddress registry value.

To change the FromAddress registry value on Exchange 2007

  1. Open the Registry Editor and navigate to one of these registry values:

    For 32-bit systems (only valid during evaluation of FSE):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\ Notifications\FromAddress

    For 64-bit systems:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\FromAddress

  2. Change the default value to the sender name you would like. Alphanumeric characters are acceptable. You may also use the at sign (@) or a period (.), but these characters cannot be the first or last character. Any illegal characters are replaced with an underscore (_).

  3. You must restart the Exchange and Forefront Security services for this change to take effect.

Configuring notifications

There are various types of notification messages and each can be individually configured.

To configure notifications

  1. In the REPORT area of the Shuttle Navigator, select Notification. The Notification Setup work pane appears.

    The top pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. For more information about each of the roles, see Notification roles.

  2. Enable those notifications that are to be in effect. (For more information, see Enabling and disabling a notification.)

    Note

    Scan job configurations control whether a scan job sends any enabled notifications.

  3. Make the desired changes to the notifications that are to be enabled. For more information, see Editing a notification.

  4. Click Save to save your work.

Notification roles

The following list describes the various notification roles. Typically, each notification is used for reporting the who, what, where, and when details of the infection or the filtering performed, including the disposition of the virus or the attachment.

Virus Administrators

Alerts administrators of all viruses detected on a server being protected by FSE.

Virus Sender (internal)

Alerts the sender of the infection, if the sender is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user's own computer, who to call, and how to proceed.

Virus Sender (external)

Alerts the sender of the infection, if the sender is not a user in your organization.

Virus Recipients (internal)

Alerts the recipient of the infection, if the recipient is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user's own computer, who to call, and how to proceed.

Virus Recipients (external)

Alerts the recipient of the infection, if the recipient is not a user in your organization.

File Administrators

Alerts administrators of all messages that are filtered by file filtering on the server being protected by FSE. This notification is also used for messages purged by the file filter.

File Sender (internal)

Alerts the sender of the filtered attachment, if the sender is an Exchange user in your organization. This notification is also used for messages purged by the file filter.

File Sender (external)

Alerts the sender of the filtered attachment, if the sender is not a user in your organization. This notification is also used for messages purged by the file filter.

File Recipients (internal)

Alerts the recipient of the filtered attachment, if the recipient is an Exchange user in your organization. This notification is also used for messages purged by the file filter.

File Recipients (external)

Alerts the recipient of the filtered attachment, if the recipient is not a user in your organization. This notification is also used for messages purged by the file filter.

Worm Administrators

Alerts administrators of all worm messages that are detected or purged by Forefront Security for Exchange Server.

Content Administrators

Alerts administrators of all messages that are filtered by content filtering (sender and subject line filtering).

Content Sender (internal)

Alerts the sender that a message was filtered by sender or subject line filtering, if the sender is an Exchange user in your organization.

Content Sender (external)

Alerts the sender that a message was filtered by sender or subject line filtering, if the sender is not a user in your organization.

Content Recipients (internal)

Alerts the recipient that a message was filtered by sender or subject line filtering, if the recipient is an Exchange user in your organization.

Content Recipients (external)

Alerts the recipient that a message was filtered by sender or subject line filtering, if the recipient is not a user in your organization.

Keyword Administrators

Alerts administrators of all messages that are filtered by keyword filtering.

Keyword Sender (internal)

Alerts the sender that a message was filtered by keyword filtering, if the sender is an Exchange user in your organization.

Keyword Sender (external)

Alerts the sender that a message was filtered by keyword filtering, if the sender is not a user in your organization.

Keyword Recipients (internal)

Alerts the recipient that a message was filtered by keyword filtering, if the recipient is an Exchange user in your organization.

Keyword Recipients (external)

Alerts the recipient that a message was filtered by keyword filtering, if the recipient is not a user in your organization.

Configuring internal addresses

Internal addresses must be identified in Forefront Security for Exchange Server so that the proper notifications can be sent to senders and recipients. Internal addresses are configured with the Internal Address option in the General Options pane or by use of the Domains.dat file. For information about configuring internal addresses, see the "General Options" section in Forefront Server Security Administrator.

Enabling and disabling a notification

The Enable and Disable buttons in the Notification Setup work pane permit you to enable or disable any selected notification. The current status of each notification is displayed in the list in the top pane, under the State column. A change made to the status of a notification takes effect as soon as you click Save.

Note

Scan job configurations control whether a scan job sends any enabled notifications.

Editing a notification

The changes that are made to the lower portion of the Notification Setup work pane apply to the notification role currently selected in the notification list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a notification and try moving to another notification role or shuttle icon without saving it, you will be prompted to save or discard your changes. All changes take effect immediately when saved.

The following are the fields that can be edited:

To

A semicolon-separated list of people and groups who will receive the notification. This list can include Exchange names, aliases, groups, and Keyword substitution macros. Notifications may also be sent to cc and bcc recipients.

Subject

The message that will be sent on the subject line of the notification. This field can include Keyword substitution macros.

Body

The message that will be sent as the body of the notification. This field can include Keyword substitution macros. (Administrators may also include the MIME headers in this field by inserting the %MIME% macro.)

Note

When enabling Virus Administrators, File Administrators, Worm Administrators, or Keyword Administrators notifications on an Edge server, you must use a full SMTP address (For example, Administrator@microsoft.com) for the notification to work properly.