Using Edge Transport Rules to Manage Viruses
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
You can use the Edge Rules agent and transport rules in Microsoft Exchange Server 2010 to help protect your organization from viruses.
New viruses threaten organizations every day. To minimize the damage caused by viruses, antivirus vendors and administrators must respond to virus threats as soon as possible. Despite a quick response, there will be a gap between the time that a virus threat appears and the time that a solution becomes available. This gap, when a virus threat remains unknown and unresolved, is called a zero-day virus threat.
At the same time, viruses that have been circulating on the Internet for many years also continue to pose a significant threat to organizations. Although the majority of these viruses can be identified by antivirus scanners, antivirus scanners may be taken offline by mistake, updated with out-of-date definitions, or experience other problems that make them unavailable.
The transport rules that run on computers that have the Edge Transport server role installed are designed to help you manage and control zero-day virus threats and preexisting or ongoing virus threats.
For more information about transport rules, see the following topics:
Looking for management tasks related to anti-spam and antivirus functionality? See Managing Anti-Spam and Antivirus Features.
Most viruses contain unique characteristics that identify them as a virus, such as a specific e-mail address in the From message header field, a specific subject, or an attachment. You can configure transport rules to identify potentially harmful messages by these unique characteristics and perform a specific action on them. Available actions include sending the message to a quarantine mailbox, deleting it completely, or adding a warning to the subject.
It's important to maximize the number of infected messages that you identify in your perimeter network on Edge Transport servers to reduce the cost of processing the messages after they have entered the Exchange organization. If you can identify an infected message on Edge Transport servers and either reject or delete it, you don't incur the cost of storing the message on your internal servers or the cost of scanning the message for viruses.
When you create a transport rule to identify virus threats, you should examine the reports published about the virus and look for unique characteristics that identify the virus and that could be used in a transport rule. The following list describes some unique characteristics that a virus may contain:
Limited number of strings in the subject or message body
Specific e-mail address in either the From header field or To header field
Specific message header field that has a specific value
Important: Although you may be able to identify unique characteristics about a particular virus, you must make sure that these characteristics don't match any content that may exist in legitimate messages.
For more information about the types of message content that can be examined by transport rules on an Edge Transport server, see Transport Rule Predicates.
After you have identified the unique characteristics of a virus, you can create a transport rule to perform actions on it. The actions that you perform on specific messages depend on your organization's policies.
|If you decide to drop an SMTP connection, delete a message, or reject a message, you can't retrieve it. If you want to prevent the message from being delivered, but don't want to delete it, configure the rule to deliver the message to a quarantine mailbox.|
For more information about the actions available on transport rules on an Edge Transport server, see Transport Rule Actions.
For more information about how to manage and configure transport rules used to identify and perform actions on messages that may be infected with viruses, see the following topics:
The following topics provide additional information that will help you manage and enhance transport rules:
Transport messaging policies are enhanced by services available from Microsoft Exchange Hosted Services.
Exchange Hosted Services is a set of four distinct hosted services:
Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
Hosted Archive, which helps them satisfy retention requirements for compliance
Hosted Encryption, which helps them encrypt data to preserve confidentiality
Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations
These services integrate with any on-premises Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.