Forefront Security for Exchange Server Best Practices - Scanning considerations

 

Applies to: Forefront Security for Exchange Server

This section discusses the effects of different scanning options on Transport scanning (Transport Scan Job) and Store scanning (Realtime or Manual Scan Job). Store scanning includes four options that can be enabled as desired: two that are General Options (Scan on Scanner Update and Enable Background Scan if 'Scan On Scanner Update' Enabled) and two that are in the Registry (DisableAVStamping and Proactive Scanning). Each option affects Store scanning behavior (DisableAVStamping also affects Transport scanning). Generally speaking, as each additional option is enabled, the amount of Store scanning increases, as does the level of protection. However, increased scanning potentially impacts performance.

Scan on Scanner Update [General Option]

Causes previously-scanned files to be re-scanned when accessed following a scan engine update. This provides heightened security protection by re-scanning messages with the latest signatures. This setting is only applicable to a Mailbox server role. For additional best practices about scanner updates, see Forefront Security for Exchange Server Best Practices - Updating engines.

Enable Background Scan if 'Scan On Scanner Update' Enabled [General Option]

Causes a background scan to run every time a scan engine is updated, if the General Option setting Scan on Scanner Update has been enabled. This setting is only applicable to a mailbox server role. Because engine updates occur frequently, this setting has the effect of causing a background scan on large mailbox stores.

DisableAVStamping [registry]

After scanning each message on the Exchange 2007 Transport role, FSE applies a secure antivirus stamp. This prevents duplicate scanning on the Mailbox server role when the message is deposited into the Store.

It is recommended that you use the secure antivirus transport stamp as designed. You should turn it off only if you plan to use different engines or filtering settings on the Transport server and the Mailbox server. Otherwise, needless duplicate scanning occurs.

The "DisableAVStamping" registry value permits you to override the recommended default setting. Setting it suppresses the Transport stamp, so the Mailbox server treats the message as not having been previously scanned.

To override the default, add a new DWORD value named "DisableAVStamping" and set it to "1". The value is not present by default; when it is absent, it is assumed to be "0".

FSE stores registry values in the following locations:

For 32-bit systems:

  • HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server

For 64-bit systems:

  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

Proactive Scanning [registry]

When you set the value of DisableAVStamping to "1", we also recommend that you enable proactive scanning on all Mailbox servers to which the Transport server routes mail. This causes newly-arrived mail on the Mailbox server to be queued for scanning. We also recommend that Proactive Scanning be enabled on a Public Folder server. To enable proactive scanning on the Mailbox or Public Folder server role, set the DWORD value of the following Exchange key to "1" (it is normally disabled, with a value of "0"):

HKLM\System\CurrentControlSet\Services\MSExchangeIS\VirusScan\ProactiveScanning
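
A read-only check for the two registry settings described above, as an added example that is not part of the original documentation. It assumes Windows PowerShell 2.0 or later and that ProactiveScanning is a DWORD value under the VirusScan key; the function names are hypothetical.

```powershell
# Added audit example: reads the registry only, changes nothing.

function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default = 0)
    # A missing key or value means the documented default ("0") applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-FseScanSetting {
    # FSE key locations as listed on this page (32-bit first, then 64-bit).
    $fseKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
    )
    $fseKey = $fseKeys | Where-Object { Test-Path $_ } | Select-Object -First 1

    $stampOff = 0
    if ($fseKey) {
        $stampOff = Get-DwordOrDefault -Path $fseKey -Name 'DisableAVStamping'
    }

    # Assumption: ProactiveScanning is a DWORD value under the VirusScan key.
    $vsKey = 'HKLM:\System\CurrentControlSet\Services\MSExchangeIS\VirusScan'
    $proactive = Get-DwordOrDefault -Path $vsKey -Name 'ProactiveScanning'

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        FseKeyFound       = [bool]$fseKey
        DisableAVStamping = $stampOff
        ProactiveScanning = $proactive
    }
}

$s = Get-FseScanSetting
$s | Select-Object Computer, FseKeyFound, DisableAVStamping, ProactiveScanning | Format-List

# Flags the combination this page recommends against: the Transport stamp is
# suppressed, but newly arrived mail is not queued for scanning in the Store.
if ($s.DisableAVStamping -eq 1 -and $s.ProactiveScanning -ne 1) {
    Write-Warning 'DisableAVStamping is 1 but ProactiveScanning is not 1 on this server.'
}
```

The warning is meaningful on a server that holds both roles. When the Transport and Mailbox roles are on separate servers, run the script on each and compare DisableAVStamping from the Transport server with ProactiveScanning from every Mailbox server it delivers to.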