About antimalware protection levels


Applies to: Forefront Protection for Exchange

Topic Last Modified: 2011-01-21

When you run FPE on the Edge Transport and Hub Transport servers to ensure that all inbound, outbound, and internal mail is scanned, you achieve a basic level of protection. This is referred to as the baseline protection for an Exchange environment. In most environments, however, we recommend that you also install FPE on the Exchange Mailbox servers. This provides additional protection for messages that may not have been scanned during transport or during a malware outbreak. This is referred to as global protection. Your protection level depends on the needs of your organization.

For baseline protection throughout an Exchange enterprise, we recommend that you deploy FPE on all Edge Transport and Hub Transport servers. When you use this configuration, all incoming, outgoing, and internal mail is scanned in-transit on the transport servers.

Objects that are not routed, such as objects in public folders, the Sent Items folder, and the Calendar folder, can only be scanned on a Mailbox server, so they are not protected in this configuration.

Mail scanned in-transport is not scanned again on Mailbox servers.

For a global protection level throughout the enterprise, we recommend that you deploy FPE on all Edge Transport and Hub Transport servers and, additionally, on all Mailbox servers.

Scanning on the Mailbox servers provides additional security under the following scenarios:

  • There is a malware outbreak and potentially dangerous malware may have penetrated the defenses of your Edge Transport and Hub Transport servers.

  • Your organization does not have complete and reliable client antimalware scanning products deployed.

  • Your organization wants the additional protection that mailbox database scanning can provide.

  • Your organization has developed custom applications that programmatically access APIs such as CDO, MAPI, or WebDAV that directly access a mailbox database.