Malware outbreak mailbox database scanning mode


Applies to: Forefront Protection for Exchange

During a malware outbreak, it is important to increase the level of protection on your Mailbox servers. It is possible that malware can slip through antimalware scanning on Edge Transport and Hub Transport servers before updated definitions are available. To protect against malware that may penetrate your defenses during a malware outbreak and arrive on a Mailbox server, we recommend that you change the default Forefront Protection for Exchange (FPE) configuration in several ways during an outbreak.

Using the realtime scan during an outbreak

During a malware outbreak, you should enable the Scan after engine update setting for the realtime scan. This changes the way that messages are scanned on the Mailbox server.

These changes include the following:

  • On submission to the mailbox database, all messages are scanned again even if they have been previously scanned at an Edge Transport or Hub Transport server. In essence, when you enable the Scan after engine update setting, you override the antimalware stamp.

  • On first access, messages are not scanned again.

  • On subsequent access, messages are scanned again if there has been an engine or definition update since they were last scanned.

Note

Enabling the Scan after engine update realtime scan setting also automatically enables Microsoft Exchange proactive scanning. With proactive scanning, mailbox servers that contain public folder databases scan files as they are posted to the server. Proactive scanning also causes a scan of messages in the Sent Items folder in mailbox databases.

Benefit: This added level of protection ensures that all messages are scanned upon submission to the mailbox database and also when updated antimalware definitions become available. By scanning with the latest definition files, infected messages that may have been deposited into the mailbox database are likely to be detected and deleted.
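The following Python model, added here as an illustration and not part of the Forefront documentation or product code, walks a single message through the rescan rules above: scanned on submission regardless of the transport antimalware stamp, skipped on first access, and rescanned on later access only when the engine or definition version has changed since the last scan. Engine versions are plain integers, the timeline and message are constructed sample data, and the behaviour of the default (non-outbreak) mode is an assumption used only for contrast: it is modelled as honouring the transport stamp on submission and never rescanning on access; the page's companion topic on the default scanning mode is the authority for that.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Event(Enum):
    """Points at which the FPE realtime scan can look at a mailbox message."""
    SUBMISSION = "submission"                # message deposited into the mailbox database
    FIRST_ACCESS = "first_access"            # first time a client opens the message
    SUBSEQUENT_ACCESS = "subsequent_access"  # any later open


@dataclass
class Message:
    subject: str
    transport_stamped: bool                      # antimalware stamp set by an Edge/Hub Transport scan
    last_scanned_version: Optional[int] = None   # engine/definition version at the last mailbox-side scan


def should_scan(msg: Message, event: Event,
                scan_after_engine_update: bool, current_version: int) -> bool:
    """Return True when the realtime scan should (re)scan `msg` at `event`.

    With "Scan after engine update" enabled (outbreak mode) the rules from the page apply:
      submission        -> always scan; the transport antimalware stamp is overridden
      first access      -> never rescan
      subsequent access -> rescan only if definitions changed since the last scan
    With it disabled, the stamp is honoured on submission. Treating every other
    default-mode case as "no rescan" is an assumption made for this illustration.
    """
    if event is Event.SUBMISSION:
        if msg.transport_stamped and not scan_after_engine_update:
            return False  # stamp trusted: already scanned at Edge/Hub Transport
        return True       # stamp overridden (or message never stamped)
    if event is Event.FIRST_ACCESS:
        return False
    # Event.SUBSEQUENT_ACCESS
    if not scan_after_engine_update:
        return False      # assumption: default mode does not rescan on access
    return msg.last_scanned_version is None or msg.last_scanned_version < current_version


def run_timeline(msg: Message, timeline: List[Tuple[Event, int]],
                 scan_after_engine_update: bool) -> List[bool]:
    """Apply each (event, engine version) step in order and record whether a scan ran.

    A scan updates the message's last_scanned_version, which is what makes a later
    definition update trigger exactly one rescan.
    """
    decisions = []
    for event, version in timeline:
        scanned = should_scan(msg, event, scan_after_engine_update, version)
        if scanned:
            msg.last_scanned_version = version
        decisions.append(scanned)
    return decisions


# Constructed sample timeline: definitions move from version 100 to 101 mid-way.
OUTBREAK_TIMELINE = [
    (Event.SUBMISSION, 100),
    (Event.FIRST_ACCESS, 100),
    (Event.SUBSEQUENT_ACCESS, 100),
    (Event.SUBSEQUENT_ACCESS, 101),   # engine/definition update happened here
    (Event.SUBSEQUENT_ACCESS, 101),
]


if __name__ == "__main__":
    stamped = Message("invoice.doc (stamped at Hub Transport)", transport_stamped=True)
    for (event, version), scanned in zip(OUTBREAK_TIMELINE,
                                         run_timeline(stamped, OUTBREAK_TIMELINE, True)):
        print(f"{event.value:18} v{version}: {'SCAN' if scanned else 'skip'}")
```

Running the script shows the outbreak-mode sequence scan, skip, skip, scan, skip: the message is caught by the rescan at version 101 even though it was stamped clean at version 100 on the Hub Transport server, which is the benefit the text describes.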

Using the scheduled or on-demand scans during an outbreak

You can also use scheduled or on-demand scanning to scan a mailbox server after a known outbreak has occurred. Scheduled scans can be used to clean the server of malware received before protection definitions were available. On-demand scans can be used to immediately scan just a few specific mailboxes that you suspect may be compromised by malware. If additional information is known about certain characteristics of the malicious e-mail, you may want to also create and enable specific filters for the realtime, scheduled, and on-demand scan jobs. For more information about how to configure filters, see Configuring filtering.

Capacity planning considerations for outbreaks

The increased level of protection during a malware outbreak may place a significant burden on your server. Therefore, you should conduct careful capacity planning and performance assessments before you install FPE on a Mailbox server. This will help ensure that the server is operating with enough spare processing capacity to tolerate the extra load imposed by increased antimalware scanning. You should also advise e-mail users that in order to ensure more protection, server response time may be slower than typical during a malware outbreak. For more information, see Capacity planning for Forefront Protection 2010 for Exchange Server.

See Also

Concepts

Default mailbox database scanning mode