Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server

Applies to: Forefront Security for Exchange Server

Although every Microsoft® Exchange messaging organization is unique, it is always wise to have a multi-layered approach to security. Some administrators will find that scanning only at the Edge Transport and Hub Transport servers is adequate for their organization and mail flow. Others will find that they also need to make Mailbox server scanning a part of their antivirus scanning strategy. Microsoft Forefront™ Security for Exchange Server can be deployed on Exchange Edge Transport, Hub Transport, and Mailbox server roles to ensure comprehensive protection of your Exchange organization.

As a first line of defense, Forefront Security for Exchange Server is installed on the Edge Transport and Hub Transport servers to provide antivirus and anti-spam scanning of messages as they enter or transit the messaging domain. It is also installed on Mailbox servers to scan messages that were never scanned in transport and to provide additional scanning during virus outbreaks. Because transport scanning at the perimeter and routing servers delivers clean messages to the Exchange Mailbox server, the need for mailbox database scanning is reduced. Spreading the scanning load across several transport servers, and reducing or eliminating scanning at the mailbox database, was a specific design goal of Forefront Security for Exchange Server.

Forefront Security for Exchange Server also incorporates new scanning logic that leverages the Microsoft antivirus stamp to prevent e-mail messages that have been scanned by one Exchange server from being scanned again by a different Exchange server within the same organization. By default, e-mail messages scanned at an Edge Transport or Hub Transport server do not get scanned again when routed or deposited into mailboxes. This approach minimizes antivirus scanning overhead to maximize mail system performance. This feature also:

  • Significantly reduces scanning impact at the mailbox database.

  • Can be turned off to allow scanning at all points.

To identify mail that has already been scanned, an antivirus header stamp is written to each e-mail message when it is first scanned at the Edge Transport or Hub Transport server. Later scanning operations (for example, at the Hub Transport server or mailbox database for incoming mail) check for this stamp, and if it is present, the mail is not scanned again. When the message is submitted to the mailbox database, the antivirus stamp properties are added to a MAPI property and maintained.

To make best use of this scan-once capability, configure the same scan engines and scanning settings on every transport server (Hub Transport and Edge Transport). Because a stamped message is not scanned again downstream, the transport server with the weakest configuration defines the protection level for every message it stamps; identical configurations ensure that all mail is scanned with the same antivirus engines and settings, no matter where a message enters your organization.

Although scanning at the Edge Transport and Hub Transport servers generally provides an adequate level of security, antivirus scanning on the Mailbox server is also recommended for most messaging organizations.

When Forefront Security for Exchange Server is installed on the Mailbox server role, it is configured by default to only scan objects with attachments that have not been scanned in transport. This ensures that Forefront Security for Exchange Server uses few Mailbox server resources in the default configuration.

By having Forefront Security for Exchange Server ready to launch with special background or manual scans, administrators can also establish operational procedures to prepare for reacting to outbreak events that may occur in the future. Some administrators may also want to run regular incremental background scans on a daily or nightly basis to scan only the most recently received mail with the latest antivirus signatures.

These security and performance optimizations for limited, regular mailbox database scanning and targeted background scanning are new in Forefront Security for Exchange Server and are discussed more in the following sections.

Configuring Antivirus Scanning

Forefront Security for Exchange Server can be deployed and configured in a variety of ways depending on the topology of your Exchange organization. The basic scenario in most Exchange organizations is that when mail arrives from the Internet (inbound mail) at a Hub Transport or Edge Transport server, it is scanned and, by default, stamped with an antivirus stamp to prevent the mail from being unnecessarily scanned again at later transit points. Outbound mail and internal mail are scanned at the first Hub Transport server and are stamped with the antivirus stamp to prevent scanning at other transit points. In all organizations, therefore, e-mail traffic should be scanned as it is entering, exiting, or transiting your network. These three basic scanning points are described in the following sections.

Scanning Inbound Mail

Inbound mail from the Internet is scanned at the Edge Transport server (or, in organizations without an Edge Transport server, at the first Hub Transport server it reaches). It is not scanned again at the Hub Transport server or when first deposited in a mailbox database. You can, however, configure the Background Scan Job to periodically scan all or some mail in the mailbox database with newer antivirus signatures when they become available.

Scanning Outbound Mail

By default, outbound mail is not scanned at the Mailbox server role, but it is scanned in transit at the Hub Transport server role. If an Edge Transport server is deployed in the Exchange organization, the mail is not scanned at the Edge Transport server because it has already been scanned at the Hub Transport server.

Scanning Internal Mail

Mail is scanned at the Hub Transport server as it is routed internally. By default, the mail is not scanned at the Mailbox server where it originated, nor is it scanned at the destination Mailbox server.

In all of these scenarios, all mail is scanned for viruses during transport into or out of your Exchange organization, but processing time and load is saved on the Mailbox servers by spreading the scanning load among the Hub Transport and Edge Transport servers.

Antivirus Stamp

The antivirus stamp is central to reducing the scanning load on Exchange servers in your organization and increasing the overall performance of your mail system. The antivirus stamp (used in Exchange Server 2007 to minimize duplicate scanning on the Edge Transport, Hub Transport, and Mailbox server roles) is carried with the mail. The antivirus stamp prevents mail from being scanned again at various transit points and when it is first deposited in the store.

The conditions that must be met before the Microsoft Exchange Transport service places an antivirus stamp on a message are as follows:

  • The message must be scanned by Forefront Security for Exchange Server with at least one antivirus engine. (The antivirus stamp cannot be used in a mixed antivirus vendor deployment, because Forefront Security for Exchange Server will not trust a stamp that is placed in a message by any other antivirus solution.)

  • Either no virus must be found, or if a virus is found, it must be cleaned or deleted.

  • If the message was updated, Forefront Security for Exchange Server must successfully write the updated message back to Exchange.

The antivirus stamp is also secure: only trusted antivirus products running on the Exchange 2007 server can add a stamp that Exchange recognizes. Because there is never a legitimate reason for a stamp to be present on mail arriving from another organization, the Edge Transport or Hub Transport server strips any existing stamp from inbound (Internet) mail before scanning it, so an external sender cannot forge a stamp to bypass the transport scan. Any existing stamp is likewise stripped from outbound mail.
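The stamp handling described in the two passages above (a header written at the first transport scan and checked at later hops, and the stripping of any stamp that arrives from outside the organization) is modelled below for the inbound and internal mail paths. This is an added Python example and is not Microsoft code: the header name X-MS-Exchange-Organization-AVStamp-Mailbox is assumed here as the organization stamp header, and the stamp value, the stand-in scan engine, the hop names and both sample messages are constructed for illustration.

```python
"""Scan-once decision at Edge/Hub Transport hops, with the stamp trust boundary.

Added example, not Microsoft code. The header name is assumed by this
example; the value, the engine stand-in, the hop names and the sample
messages are all constructed."""
from __future__ import annotations

from email import message_from_string
from email.message import Message

STAMP_HEADER = "X-MS-Exchange-Organization-AVStamp-Mailbox"   # assumed header name
STAMP_VALUE = "MSFTFF;1;0;0 0 0"                               # illustrative value
ORG_PREFIX = "x-ms-exchange-organization-"                     # org-internal header family
INFECTION_MARKER = "CONSTRUCTED-TEST-INFECTION"                # what the stand-in engine flags


def strip_org_headers(msg: Message) -> list[str]:
    """Remove every X-MS-Exchange-Organization-* header.

    Applied when a message crosses the organization boundary (Internet inbound).
    A stamp supplied by an external sender is never trusted, so a forged stamp
    cannot make the message skip scanning."""
    foreign = [name for name in msg.keys() if name.lower().startswith(ORG_PREFIX)]
    for name in set(foreign):
        del msg[name]                 # deletes all occurrences of that header
    return foreign


def engine_detects(msg: Message) -> bool:
    """Stand-in for a Forefront scan engine."""
    return INFECTION_MARKER in str(msg.get_payload())


def transport_hop(msg: Message, crossed_boundary: bool) -> list[str]:
    """One Edge/Hub Transport hop. A stamp is written only after the engine ran
    and the message was clean or its infected content was removed, which are
    the conditions the text lists for stamping."""
    actions: list[str] = []
    if crossed_boundary and strip_org_headers(msg):
        actions.append("stripped-foreign-headers")
    if STAMP_HEADER in msg:           # header lookup is case-insensitive
        actions.append("skipped-already-stamped")
        return actions
    if engine_detects(msg):
        msg.set_payload("[infected content removed by scanner]")
        actions.append("cleaned")
    else:
        actions.append("scanned-clean")
    msg[STAMP_HEADER] = STAMP_VALUE
    actions.append("stamped")
    return actions


def route(raw: str, hops: list[tuple[str, bool]]) -> dict[str, list[str]]:
    """Pass one message through hops given as (name, crossed_boundary) pairs."""
    msg = message_from_string(raw)
    return {name: transport_hop(msg, boundary) for name, boundary in hops}


# Constructed sample: Internet mail carrying a forged stamp and an "infection".
FORGED_INBOUND = f"""From: attacker@example.net
To: user@contoso.example
Subject: invoice
{STAMP_HEADER}: {STAMP_VALUE}

please open {INFECTION_MARKER}
"""

# Constructed sample: mail submitted by an internal mailbox, not yet stamped.
INTERNAL_CLEAN = """From: alice@contoso.example
To: bob@contoso.example
Subject: lunch

see you at noon
"""

INBOUND_PATH = [("edge", True), ("hub", False)]
INTERNAL_PATH = [("hub", False), ("mailbox-store", False)]

if __name__ == "__main__":
    print(route(FORGED_INBOUND, INBOUND_PATH))
    # {'edge': ['stripped-foreign-headers', 'cleaned', 'stamped'], 'hub': ['skipped-already-stamped']}
    print(route(INTERNAL_CLEAN, INTERNAL_PATH))
    # {'hub': ['scanned-clean', 'stamped'], 'mailbox-store': ['skipped-already-stamped']}
```

The forged inbound message loses its stamp at the Edge hop and is therefore scanned and cleaned there; the Hub hop then trusts the stamp the Edge wrote. The internal message is scanned once at the first Hub hop and skipped on deposit into the store, which is the behaviour the Scanning Internal Mail section describes.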

Antivirus Protection Levels

Running Forefront Security for Exchange Server on the Edge Transport and Hub Transport servers to ensure scanning of all inbound, outbound, and internal mail provides a basic level of protection. This is referred to as the baseline protection for an Exchange environment.

In most environments, however, we recommend installing Forefront Security for Exchange Server on the Exchange Mailbox servers as well. This provides additional protection for messages that may not have been scanned during transport or during a virus outbreak. This is referred to as global protection. Each protection level is described in this article to help administrators decide how to best deploy and configure Forefront Security for Exchange Server in their environment.

Baseline Protection

For baseline protection throughout the enterprise, we recommend that Forefront Security for Exchange Server be deployed on all Edge Transport and Hub Transport servers. Using this configuration, all incoming, outgoing, and internal mail will be scanned in transit on the transport servers. However, objects that are not routed, such as objects in public folders, the Sent Items folder, and the Calendar folder (which can only be scanned on a Mailbox server) will not be protected. Content that has been scanned in transport is not scanned again after being delivered to the Mailbox server. This also means that mail will not be scanned again, for example, in response to a specific attack that may have penetrated your system despite the transport scanning protection.

Inbound Scanning

The basic configuration for inbound mail scanning is shown in the following image.

[Image: inbound mail scanning configuration]

Mail is scanned at the Edge Transport server, stamped when identified as safe, and routed into the organization to a Hub Transport server so that it can be delivered to the Mailbox server without further scanning. Scanning at the Edge Transport server helps ensure that mail is clean after it enters your internal messaging organization. It also reduces the processing load on the Hub Transport and Mailbox servers.

For information about configuring Forefront Security for Exchange Server on your Edge Transport servers, refer to the "Microsoft Forefront Security for Exchange Server User Guide" and the "Microsoft Forefront Security for Exchange Server Best Practices Guide." These documents and others are available at the Microsoft Forefront Security for Exchange Server TechCenter.

Outbound Scanning

The basic configuration for outbound mail scanning is shown in the following image.

[Image: outbound mail scanning configuration]

Mail is scanned at the first Hub Transport server, stamped when identified as safe, and routed to the Edge Transport server without further scanning. Scanning at the Hub Transport server helps ensure that mail is clean before it exits your internal messaging organization. It also reduces the processing load on the Edge Transport and Mailbox servers.

For information about configuring Forefront Security for Exchange Server on your Hub Transport servers, refer to the "Microsoft Forefront Security for Exchange Server User Guide" and the "Microsoft Forefront Security for Exchange Server Best Practices Guide." These documents and others are available at the Microsoft Forefront Security for Exchange Server TechCenter.

Internal Scanning

The basic configuration for internal mail scanning is shown in the following image.

[Image: internal mail scanning configuration]

Just like outbound mail, internal mail is scanned at the first Hub Transport server, stamped when identified as safe, and routed to the destination Mailbox server without further scanning. Scanning at the Hub Transport server helps ensure that mail is clean before it arrives at a Mailbox server in your internal messaging organization.

Global Protection

For global protection throughout the enterprise, we recommend that Forefront Security for Exchange Server be deployed on all Edge Transport, Hub Transport, and Mailbox servers. Scanning on the Mailbox servers provides additional security when:

  • There is a virus outbreak and potentially dangerous viruses may have penetrated the defenses of your Edge Transport and Hub Transport servers.

  • Your organization does not have complete and reliable desktop antivirus scanning products deployed.

  • Your organization wants the additional protection that mailbox database scanning can provide.

  • Your organization has developed custom applications that programmatically access a mailbox database directly through APIs such as MAPI, CDO, or (on Exchange versions earlier than Exchange 2010) WebDAV.

Mailbox Database Scanning

The ways that a message in the mailbox database can be scanned are as follows:

  • Proactive scanning   Scans messages when they are submitted to the mailbox database. (Off by default.)

  • On-access scanning   Scans messages when they are accessed. Access can include opening a message, viewing it in the preview pane, and performing content-indexing operations. (On by default.)

  • Background Scan Job   Runs once a day. (Must be configured and enabled.)

  • Manual Scan Job   Runs on a set schedule or on demand. (Must be configured and enabled.)

  • Quick Scan Job   An on-demand scan. (Must be configured.)

Together these scanning processes can be used to provide enhanced protection at the mailbox database. There are two basic configurations for mailbox database scanning: Default mode and Outbreak mode.

Default Mode

When Forefront Security for Exchange Server is installed on a Mailbox server, it is configured by default to:

  • Not scan messages when they are submitted to the mailbox database.

  • Scan previously unscanned messages on first access.

  • Use the Background Scan Job to scan all messages that meet parameters set by the administrator. The Background Scan Job runs once per day.

This configuration ensures that a message submitted to the mailbox database is scanned if it is accessed before it has been routed through, and scanned by, a Hub Transport or Edge Transport server, which helps prevent viruses from spreading internally. It also provides added protection by rescanning messages daily with updated antivirus signatures.

A Background Scan Job also provides incremental background scanning to enhance server performance. This functionality allows administrators to configure Background Scan Jobs to scan messages based on certain criteria, such as a message's age. For example, administrators can configure Forefront Security for Exchange Server to schedule a Background Scan Job to run at off-peak hours and to scan only messages received in the past two days. Administrators can also run a Background Scan Job to clean the Mailbox server in response to a known event that has deposited infected items in the mailbox database. The number of days to scan back is a parameter configurable in the General Options (Scan Messages Received Within The Last <x> Days). We recommend that if you use a Background Scan Job, you configure the server to scan at least the last two days of received e-mail messages.

Incremental background scanning dramatically reduces mailbox database overhead and provides a significant level of protection for the latest messages that may have been received on the Exchange server before the corresponding signatures for that virus were received. Background Scan Jobs use the same configuration settings that are configured for Realtime Scan Jobs.

This added level of protection will place a burden on Mailbox servers, so you should conduct careful capacity planning and performance assessments before installing Forefront Security for Exchange Server on a Mailbox server to ensure that the server is operating with enough spare processing capacity to tolerate the extra load imposed by antivirus scanning.

Outbreak Mode

During a virus outbreak, it is important to increase the level of protection on your Mailbox servers. It is possible that viruses can slip through antivirus scanning on Edge Transport and Hub Transport servers before updated signatures are available. To protect against viruses that may penetrate your defenses during a virus outbreak and arrive on a Mailbox server, we recommend changing the default Forefront Security for Exchange Server configuration in several ways during an outbreak.

In General Options, enable Scan on Scanner Update. This will change the way messages are scanned on the Mailbox server. These changes include:

  • On submission to the mailbox database, all messages will be scanned again even if they have been previously scanned at an Edge Transport or Hub Transport server.

  • On first access, messages will not be scanned again.

  • On later access, messages will be scanned again if there has been an engine update since they were last scanned.

This added level of protection ensures that all messages will be scanned upon submission to the mailbox database and also when updated antivirus signatures become available. Scanning when updated antivirus signatures become available is important during a virus outbreak because it is possible for infected messages to enter your messaging organization before virus signatures become available. By scanning with the latest signature files, infected messages that may have been deposited into the mailbox database are likely to be detected and removed.
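The Default mode and Outbreak mode behaviour described above, together with the incremental Background Scan Job window from the Default Mode section, reduce to a small set of decision rules, shown here in Python. This is an added example, not Microsoft code: the StoreItem and Policy types, the constructed items and the timestamps are assumptions; the settings they mirror (Scan on Scanner Update, Scan Messages Received Within The Last <x> Days, proactive scanning) are the ones the text names.

```python
"""Mailbox-store scan decisions: Default mode, Outbreak mode, incremental background job.

Added example, not Microsoft code. StoreItem/Policy and the constructed
items are assumptions; the settings they mirror are named in the text."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class StoreItem:
    subject: str
    received: datetime
    last_scanned: datetime | None   # transport stamp or store scan; None = never scanned


@dataclass
class Policy:
    proactive: bool = False                # proactive scanning (off by default)
    scan_on_scanner_update: bool = False   # General Options > Scan on Scanner Update (Outbreak mode)
    background_days: int = 2               # Scan Messages Received Within The Last <x> Days


def scan(item: StoreItem, now: datetime) -> str:
    """Stand-in for a Realtime/Background scan; records the scan time."""
    item.last_scanned = now
    return "scanned"


def on_submit(item: StoreItem, policy: Policy, now: datetime) -> str:
    """Submission to the store. Default mode: stamped mail is not rescanned,
    unscanned mail is scanned only if proactive scanning is on. Outbreak mode:
    everything is scanned again, stamp or not."""
    if policy.scan_on_scanner_update or (policy.proactive and item.last_scanned is None):
        return scan(item, now)
    return "skipped"


def on_access(item: StoreItem, policy: Policy, engine_updated: datetime, now: datetime) -> str:
    """On-access scan. Never-scanned items (Sent Items, public folders) are
    scanned on first access; with Scan on Scanner Update, items are rescanned
    when the engine or signature set is newer than their last scan."""
    if item.last_scanned is None:
        return scan(item, now)
    if policy.scan_on_scanner_update and engine_updated > item.last_scanned:
        return scan(item, now)
    return "skipped"


def background_job(items: list[StoreItem], policy: Policy, now: datetime) -> list[str]:
    """Incremental Background Scan Job: selects by received date only and ignores
    prior scan status, so recent mail is rechecked with the newest signatures."""
    cutoff = now - timedelta(days=policy.background_days)
    selected = [item for item in items if item.received >= cutoff]
    for item in selected:
        scan(item, now)
    return [item.subject for item in selected]


def demo(policy: Policy) -> dict[str, str]:
    """Run one policy over a constructed store; the engine was updated 6 hours ago."""
    now = datetime(2024, 3, 10, 2, 0)
    engine_updated = now - timedelta(hours=6)
    day = timedelta(days=1)
    items = [
        StoreItem("stamped-recent", now - day, now - day),        # scanned in transport yesterday
        StoreItem("stamped-old", now - 5 * day, now - 5 * day),   # scanned in transport 5 days ago
        StoreItem("sent-items-copy", now - day, None),            # never routed, never scanned
    ]
    results = {f"access:{i.subject}": on_access(i, policy, engine_updated, now) for i in items}
    results["submit:stamped-new"] = on_submit(StoreItem("stamped-new", now, now), policy, now)
    results["background"] = ",".join(background_job(items, policy, now))
    return results


if __name__ == "__main__":
    print("default :", demo(Policy()))
    print("outbreak:", demo(Policy(scan_on_scanner_update=True)))
```

Under the default policy only the never-scanned Sent Items copy is scanned on access and a newly submitted stamped message is skipped, while the two-day background window picks up both recent items and leaves the five-day-old one alone. Under the outbreak policy the same items are all rescanned on access because the engine update is newer than their last scan, and submission scans everything regardless of stamp, which is the extra load the following paragraph warns about.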

This level of protection may place a significant burden on your server, so you should conduct careful capacity planning and performance assessments before installing Forefront Security for Exchange Server on a Mailbox server to ensure that the server is operating with enough spare processing capacity to tolerate the extra load imposed by antivirus scanning. You should also advise e-mail users that to ensure a higher level of protection, server response time may be slower than normal during a virus outbreak.

For additional information about configuring Forefront Security for Exchange Server on a Mailbox server, refer to the "Microsoft Forefront Security for Exchange Server User Guide" and the "Microsoft Forefront Security for Exchange Server Best Practices Guide." These documents and others are available at the Microsoft Forefront Security for Exchange Server TechCenter.

Why Realtime and Background Scanning Are Important

By default, messages that arrive at a Mailbox server carry an antivirus stamp and are not scanned again by the Realtime Scan Job process. The Hub Transport server where the messages were scanned can either be located on a separate server or located with the Mailbox server. Content that has never been routed through a Hub Transport server will not have an antivirus stamp and will be scanned when first retrieved from the mailbox database during on-access scanning.

By default, on-access scanning scans a message when it is accessed only if it has not been scanned before. Most interactive retrieval therefore incurs no scanning overhead on the mailbox database, because the messages were already scanned in transit.

Messages in the Sent Items folder, the Outbox folder, and in public folders, however, have not been routed through a Hub Transport server and therefore have not been scanned. They will be checked with on-access scanning because the database does not list them as having been scanned before.

Optional high-security configuration settings can be enabled on the Mailbox server to scan a message on access if new signatures have arrived since the message was last scanned. (To do this, in General Options, select Scan on Scanner Update.) This is considered a high security or Outbreak mode setting. It is meant to be used in the event of a serious threat that requires constant scanning of mail to protect users from a quickly proliferating attack.

Why the Realtime Scan Job Is Important

The Realtime Scan Job protects the mailbox database itself. This is the second line of defense against Internet viruses and the first line of defense against viruses that may be introduced via the desktop. The Realtime Scan Job protects the Mailbox server (mailboxes and public folders).

The Realtime Scan Job also gives you protection against viruses that may have slipped through the Edge Transport or Hub Transport servers. For example, it is possible that a virus may get into your mailbox database because it strikes before your scan engines are updated. Later, after the engines are updated, the Realtime Scan Job will be able to catch the virus that was missed earlier.

The parameters you set for the Realtime Scan Job are also used for Background Scan Jobs, which is a key component of protection with Forefront Security for Exchange Server.

Why the Background Scan Job Is Important

The Background Scan Job provides a key protection mechanism by periodically scanning the mailbox database with the latest signature updates. This gives you a cleanup mechanism that catches viruses missed during a Transport Scan Job because signatures for them did not yet exist. We recommend that you run the Background Scan Job once each day, preferably at a time of low mail activity.

Unless set otherwise, the Background Scan Job does not recognize the previously scanned status of a message. It scans based on its own parameters. This is because the Background Scan Job is meant specifically for scanning messages that have been scanned before and applying the latest antivirus signatures to them.

The Background Scan Job has various configurable parameters that allow for incremental background scanning. This reduces the extent of the scan, providing a balance between protection and performance. In Exchange Server 2003, background scanning could only scan the entire mailbox database, a potentially lengthy process. In Exchange Server 2007, incremental background scanning provides a way to selectively scan a subset of messages on the server most likely to be infected.

It is a best practice to schedule a regular Background Scan Job of the mailbox database to scan items that have been received within the last two days. This is the preferred setting on medium-scale to large-scale mail servers. On small-scale servers housing fewer mailboxes, it is possible to scan a larger selection of messages and, in some cases, you can scan all stored messages every 24 hours, during off-peak times.

The engines and bias settings used by the Background Scan Job are the same as those set in the Realtime Scan Job.

Proactive Scanning

With proactive scanning, Mailbox servers that contain public folder databases scan files as they are posted to the server and scan items in the Sent Items folder in mailbox databases. Proactive scanning is turned off by default.

We recommend that proactive scanning be turned on for public folder databases so that content is scanned when it is posted to the server. Because content posted to a public folder database is usually not routed through a Hub Transport server, it carries no antivirus stamp, and proactive scanning is one of the few ways to ensure that it is scanned; the other is an incremental background scan. Scanning material as it is posted to the public folder database also prevents download delays when the content is accessed.

For information about proactive scanning, refer to the "Microsoft Forefront Security for Exchange Server User Guide." This document and others are available at the Microsoft Forefront Security for Exchange Server TechCenter.

Conclusion

By installing Forefront Security for Exchange Server on the Mailbox server, administrators add a layer of protection and gain a tool for reacting to virus outbreaks.

We recommend installing Forefront Security for Exchange Server on Edge Transport servers, Hub Transport servers, and Mailbox servers to provide the maximum level of protection for your organization. This global approach to antivirus security will ensure that all messages and files are scanned, and that during a virus outbreak, administrators will be able to quickly react to prevent infections in their organization.

Administrators should also remember that they need to perform a careful assessment of their messaging topology to decide how best to ensure that all messages are scanned when entering, exiting, or transiting their organization.