Planning Antivirus Deployment
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-06
Viruses, worms, and other malicious content transmitted by e-mail systems are a destructive reality faced by most Microsoft Exchange administrators. Therefore, you must develop a defensive antivirus deployment for all messaging systems. This topic provides best practice recommendations for the deployment of antivirus software for Microsoft Exchange Server 2007 and Microsoft Office Outlook 2007.
You should pay extra attention to two important changes in Exchange 2007 when you select an antivirus software vendor:
Exchange 2007 is based on a 64-bit architecture.
As described in more detail later in this topic, Exchange 2007 includes new transport agent functionality.
These two changes mean that antivirus vendors must provide Exchange 2007–specific software. Antivirus software that is written for earlier versions of Exchange Server is unlikely to operate correctly with Exchange 2007.
To adopt a defense-in-depth approach, we recommend that you deploy antivirus software that is designed for messaging systems at either the Simple Mail Transfer Protocol (SMTP) gateway or at the Exchange servers that host mailboxes, in addition antivirus software on the user desktop.
You decide what types of antivirus software to use and where the software is deployed by finding the appropriate balance between the cost that you are willing to tolerate and the risk that you are willing to assume. For example, some organizations run antivirus messaging software at the SMTP gateway, file-level antivirus scanning at the Exchange server, and antivirus client software on the user desktop. This approach provides messaging-specific protection at the gateway, general file-level protection at the mail server, and protection at the client. Other organizations may tolerate higher costs and therefore improve security by running antivirus messaging software at the SMTP gateway, file-level antivirus scanning at the Exchange server, and antivirus client software on the user desktop, together with antivirus software that is compatible with Exchange Virus Scanning Application Programming Interface (VSAPI) 2.5 on the Exchange Mailbox server.
Perhaps the most important place to run messaging antivirus software is at the first line of defense in your organization. In Exchange 2007, the first line of defense is at the perimeter network on the Edge Transport server.
To better guard against virus outbreaks from inside the organization and to provide as a second line of defense, we also recommend that you run transport-based antivirus software on the Hub Transport servers inside your organization.
In Exchange 2007, agents act on transport events, much like event sinks in earlier versions of Microsoft Exchange. Third-party developers can write customized agents to take advantage of the underlying Exchange MIME-parsing engine for robust transport-level antivirus scanning.
Many third-party software vendors provide Exchange 2007–specific agents that take advantage of the Exchange transport MIME-parsing engine. Contact your antivirus vendor for more information.
In addition, Microsoft Forefront Security for Exchange Server includes a transport antivirus agent for Exchange 2007. For more information about how to install and configure the Forefront Security for Exchange Server antivirus agent, see Microsoft Forefront Security for Exchange Server User Guide.
|Objects that are not routed through transport, such as items in public folders, Sent Items, and calendar items, which can only be scanned on a Mailbox server, are not protected by transport-only virus scanning.|
You can run file-level virus scanning on the following two classes of computers:
In addition to file-level virus scanning, consider running a Microsoft VSAPI solution on your Exchange Mailbox server.
We strongly recommend that your users run the latest version of Outlook. If you run outdated e-mail clients on the desktop, you take a serious risk because of the object model and attachment-handling behavior in older e-mail clients. By default, therefore, Outlook 2003 and Outlook 2007 are the only MAPI clients from which Exchange 2007 accepts connections. For more information about the risks associated with running older versions of e-mail clients, see Taking Steps to Secure Outlook.
After you have upgraded to Outlook 2003 or Outlook 2007, verify that you have installed a file-level antivirus software product on all desktop computers. In addition, take the following steps:
Develop a plan to make sure that antivirus signature files are automatically updated on all desktops.
Make sure that you develop and maintain an end-to-end update management solution in your organization to battle viruses.
Consider adopting a general policy to run file-level scanning on all desktop and server computers in your organization. Therefore, all Exchange Server computers should have some form of file-level antivirus scanning running on them. For each server role, you must perform additional configuration to file-level scanning so that certain directories, file types, and processes are not scanned. For example, we recommend that you never run file-level antivirus software against the Exchange store databases. For specific configuration information, see File-Level Antivirus Scanning on Exchange 2007.
A Microsoft VSAPI scanning solution may be an important layer of defense for many organizations. You should consider running a VSAPI antivirus solution if either of the following conditions is true:
Your organization does not have complete and reliable desktop antivirus scanning products deployed.
Your organization wants the additional protection that store scanning can provide.
Your organization has developed custom applications that have programmatic access to an Exchange database.
Your user community routinely posts messages into public folders.
Antivirus solutions that use Exchange VSAPI run directly within the Exchange information store process. VSAPI solutions are likely the only solutions that can protect against attack vectors that put infected content inside the Exchange information store while bypassing the standard client and transport scanning. For example, VSAPI is the only solution that scans data that is submitted to a database by CDO (Collaboration Data Objects), WebDAV, and Exchange Web Services.
In addition, when a virus outbreak does occur, in many cases a VSAPI antivirus solution provides the quickest way to remove and eliminate viruses from an infected mail store.
For more specific information about how to run Forefront Security for Exchange Server, which includes a VSAPI scanning engine, see Protecting Your Microsoft Exchange Organization with Microsoft Forefront Security for Exchange Server.
Spam and virus filtering is enhanced by or is also available as a service from Microsoft Exchange Hosted Services. Exchange Hosted Services is a set of four distinct hosted services:
Hosted Filtering, which helps organizations protect themselves from e-mail-borne malware
Hosted Archive, which helps them satisfy retention requirements for compliance
Hosted Encryption, which helps them encrypt data to preserve confidentiality
Hosted Continuity, which helps them preserve access to e-mail during and after emergency situations
These services integrate with any on-premise Exchange servers that are managed in-house or Hosted Exchange e-mail services that are offered through service providers. For more information about Exchange Hosted Services, see Microsoft Exchange Hosted Services.
For a detailed white paper about how MSIT deployed an Exchange 2007 server antivirus solution, see Microsoft Exchange Server 2007 Edge Transport and Messaging Protection.
Microsoft Forefront Security for Exchange Server provides a multiple scanning engine antivirus solution for Exchange Transport server roles and a VSAPI solution for the Exchange Mailbox server. For best practices about an end-to-end antivirus solution, see Forefront Security for Exchange Server Best Practices.