Forefront Security for Exchange Server 2007


Topic Last Modified: 2011-01-13

Microsoft Forefront is a suite of comprehensive, integrated security products that provide end-to-end security for business customers. The Forefront product suite consists of the following components.

  • Microsoft Forefront Client Security

  • Microsoft Forefront Security for Exchange Server

  • Microsoft Forefront Security for SharePoint

  • Microsoft Forefront Security for Office Communications Server

  • Microsoft Internet Security and Acceleration (ISA) Server 2006

  • Intelligent Application Gateway (IAG) 2007

This topic focuses on Forefront Security for Microsoft Exchange. This product was developed as the successor to the Microsoft Antigen Suite for Microsoft Exchange 2000 Server and for Microsoft Exchange Server 2003. It provides multiple scan engines that can provide layered protection for e-mail in storage and in transport.

The standard Forefront for Exchange license includes the following virus scan engines:

  • Kaspersky Labs

  • InoculateIT and Vet (both from CA)

  • Sophos

  • Authentium

  • Ahn Labs

  • VirusBuster

  • Microsoft Anti-Malware Engine

You can configure up to five scan engines to run at the same time and in different combinations across the system. This diversity of scan engines and signatures provides additional protection and increases the probability of malware detection.

Forefront also includes the following features:

  • Layered protection in messaging infrastructure and checkpoints for message traffic at the Edge (if present), Hub, and Mailbox roles

  • A secure antivirus header stamp that is written on each message when the message is first scanned at the Edge Transport or Hub Transport server

    To increase the efficiency of scanning messages, later scans at the hub or at the store check the stamp. This process bypasses rescanning unless an administrator explicitly requests a scan or a signature update occurs.
  • Support for Microsoft Exchange Server 2007 SCC and CCR configurations to make sure that both nodes have updated configuration and signatures

    Failover of the Exchange cluster does not affect the security of the message traffic. Additionally, failure of one scan engine does not affect other scan engines.
  • Heuristic capabilities that detect malicious code based on behavioral characteristics (file/attachment filtering by file name, by extension, and so on)

  • Enabling of the enterprise CAL to provide premium anti-spam capabilities, such as an Exchange Server 2007 IP reputation filter, daily automated content filtering updates, and targeted spam signature data several times every day

  • Extensive reporting and analysis capabilities (customizable notifications for the message sender or recipient)

  • A single console that provides centralized deployment, configuration, and update capabilities in large environments

    Localization occurs in 11 languages. This lets administrators manage e-mail security in their local language.

Forefront scanning can be enabled on the Edge Transport, Hub Transport, and Mailbox servers. Any messages that are received by users in this topology are scanned either at the edge transport or at the hub transport, depending on the origin of the message. For example, a message that originates from an external recipient is scanned at the Edge Transport server before it is delivered to the recipient.

Messages from internal senders or from the Unified Messaging server are scanned at the first Hub Transport server in the delivery path. User mailboxes and public folders can also be scanned either proactively or reactively at the store level on the Mailbox server.

The minimum system requirements for a server installation of Forefront for Exchange are as follows:

  • X64 architecture computer that has processors that support the Intel EM64T or AMD64 platform

  • Windows Server 2003

  • Microsoft Exchange

  • 1 gigabyte (GB) of RAM recommended (more RAM for additional licensed scan engines)

  • 300 MB of available hard disk space

Forefront for Exchange can be installed on the local computer on which Setup is run. You can also install the program on remote computers to enable efficient deployment. You also have the option of performing a "Client – Admin Console only" installation to let administrators install the Forefront management console on their workstations.

On the Select Engines screen, Setup always selects the Microsoft Anti-Malware Engine. Setup also randomly selects four other engines, which you can change on this screen. You can select a maximum of five engines. This includes the Microsoft Anti-malware engine.

Forefront for Exchange recognizes Windows Server 2003 active or passive clusters. On a cluster, Forefront for Exchange must be installed on each node. All configuration data (scan jobs, notifications, and so on) and signature files are associated with the clustered mailbox server (CMS) object. Therefore, the data is configured and replicated to each node. When you apply Exchange service packs and hotfixes, we recommend that Forefront be "unhooked" from Exchange. This is done by using the FSCUtility tool. This tool is available in the Forefront installation folder. Use the following syntax:

FSCUtility /disable

After the installation is complete, Forefront can be re-enabled by using the following syntax:

FSCUtility /enable

Virus Scanning: Forefront can scan messages by using various types of antivirus engines and scan types (on-access, manual, background, and so on). You can specify the level of bias in scanning and the action to take when infection is found (skip, clean, or delete). Forefront can scan nested attachments and compressed files.

File Filtering: Forefront can filter based on file names or file types, such as .exe or MP3. Filtered files can be quarantined. You can specify custom deletion text for notifications to the sender and to the recipient.

Content Filtering: Forefront can filter content based on sender domains, subject lines, MIME headers, and so on, for incoming messages. Forefront can also create and import custom filter lists, and use the lists for content filtering. Messages can also be filtered based on keywords in the message body.

Transport Scanning: This scan is performed at the first Edge Transport or Hub Transport server in the path of the message. After a message is scanned, a secure, antivirus header is stamped on it. Later scans at the next Hub Transport or Mailbox server check for this header. If the header is present, the message is not rescanned. When the message is submitted to the store, this header information is added as a MAPI property, and the header is stripped.

Store Scanning: Forefront contains two categories of store scans: Automatic scans (no user scheduling or intervention required), and on-demand scans.

Each of these categories includes the following scan types.

Proactive scanning: Messages are scanned immediately when they are submitted to the store. In a default configuration, proactive scanning is disabled.

To enable Proactive scanning, set the following registry key:


In this subkey, set the value of the DWORD ProactiveScanning to 1.

Proactive scanning is useful for protecting messages in Sent Items, in Outbox, in Drafts, and in public folders that are not scanned in transport.

On-access scanning: Messages are scanned when a user or application accesses them. For example, messages are scanned when a user previews them in Outlook or accesses them on a mobile device, or during content indexing. In a default configuration, on-access scanning is enabled.

Mail that is already scanned by transport scanning is not rescanned by on-access scanning (based on the antivirus header). On-access scanning is meant to be a safeguard for mail that is usually not scanned in transport, such as the contents of Sent Items, of Outbox, of Drafts, and of public folders.

By default, on-access scanning is limited to messages that were received within the last day. This limit helps avoid a build-up of scan requests when mailboxes are migrated to Exchange 2007 or when Forefront is newly installed on the server. After the volume of scan requests stabilizes, we recommend that you increase this value to 3-7 days.

Background scanning: Background scanning acts in a clean-up role to scan and clean messages in such folders as Sent Items, Outbox, Drafts, and public folders whose content is never exposed to transport scanning. Background scanning can be configured to do the following:

  • Scan all items in the mailbox

  • Scan only items delivered in the past n days

  • Scan only messages that have attachments

  • Scan previously unscanned messages

In the default configuration, background scanning runs one time each day. Background scanning ignores any previous virus scan stamps on messages and rescans them.

Manual Scan: Manual scanning can be scheduled as required (daily, weekly, and so on), or on-demand from the console. This process scans all messages in every folder in the selected mailboxes. Therefore, a manual scan involves high overhead. It is most frequently used for searching mailboxes for a specific attachment. It is not necessarily used to find a virus. More typically, it is used to find a confidential document that was sent.

Quick Scan: Quick scanning can be run on-demand from the console. A quick scan is most frequently used to scan specific mailboxes or public folders for viruses only (no file or content scanning). This process lets you select specific engines with which to scan the mailbox or public folder.

In scenarios such as a widespread virus infection or a suspected virus in the wild, administrators may have to increase scanning in the store. In Forefront, they can do this in the following ways.

Scan on Scanner Update (Outbreak Mode): This mode automatically enables proactive scanning. Every time that a scan engine signature is updated, the virus engine version number is incremented. Because the transport scan virus engine version number is always 1 (one), the message antivirus header is always outdated when it reaches the store. Therefore, the header causes the message to be rescanned on submission. Messages are rescanned on access if any of the engines are updated in the intervening period. This mode of scanning has a significant effect on server performance, and it should be activated only after careful consideration.

To enable this feature, click Settings, and then click Options in the Forefront management console.

DisableAVStamping: This mode disables creating an antivirus scan header during the transport scan. You can enable the DisableAVStamping mode by changing the following registry subkey:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

In this subkey, set the value of the DWORD DisableAVStamping to 1.

This value must be set on every hub and edge transport server. Messages will be scanned at the transport, but they will not be stamped. Messages arrive at the store marked "un-scanned." Then, they are scanned on first access. The transport and store scanning can be configured to use different scan engines to provide better protection.
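Because the DisableAVStamping value must be present on every Hub and Edge Transport server, it is worth auditing it centrally rather than checking each server by hand. The following script is an added example, not part of the original topic or of the Forefront product. It assumes PowerShell remoting is enabled on the transport servers and that the caller is a local administrator there; the server names are constructed for the example (in practice they would come from Get-TransportServer or an inventory), and the registry path and value name are the ones given above. Edge Transport servers are usually not domain-joined, so remoting to them may need explicit credentials.

```powershell
# Added example: audit and (optionally) enforce the DisableAVStamping DWORD on every
# Hub/Edge Transport server. Not from the original topic or from the Forefront product.

$RegPath   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
$ValueName = 'DisableAVStamping'

# Constructed sample inventory; replace with the real Hub and Edge Transport hosts.
$TransportServers = @('HUB01', 'HUB02', 'EDGE01')

# Runs on each server: reports the current value (or 'missing') and, when an expected
# value is supplied, writes it. Returns one object per server for review.
$AuditBlock = {
    param($Path, $Name, $Expected)
    $current = 'missing'
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.$Name }
    }
    $changed = $false
    if ($null -ne $Expected -and $current -ne $Expected) {
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Expected -PropertyType DWord -Force | Out-Null
        $changed = $true
    }
    $final = if ($changed) { $Expected } else { $current }
    New-Object PSObject -Property @{
        Server           = $env:COMPUTERNAME
        Value            = $final
        Changed          = $changed
        StampingDisabled = ($final -eq 1)   # only 1 means messages reach the store un-stamped
    }
}

function Get-AvStampingState {
    # Audit only: any server where StampingDisabled is False still stamps messages.
    param([string[]]$Servers = $TransportServers)
    Invoke-Command -ComputerName $Servers -ScriptBlock $AuditBlock -ArgumentList $RegPath, $ValueName, $null
}

function Set-AvStampingDisabled {
    # Enforce on every transport server; pass -Value 0 to restore header stamping.
    param([string[]]$Servers = $TransportServers, [int]$Value = 1)
    Invoke-Command -ComputerName $Servers -ScriptBlock $AuditBlock -ArgumentList $RegPath, $ValueName, $Value
}

Get-AvStampingState | Format-Table Server, Value, Changed, StampingDisabled -AutoSize
# Set-AvStampingDisabled | Format-Table Server, Value, Changed, StampingDisabled -AutoSize
```

Run the audit first and keep its output: a single transport server that still stamps messages lets those messages bypass the first-access scan at the store, which defeats the purpose of the mode. Because this mode makes every message a first-access scan candidate, check store CPU and scan-queue behaviour after enabling it, and use the same script with -Value 0 to back the change out.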

Background Scan with "Scan on Scanner Update" (Ultimate Security Mode): This mode provides the highest level of security among the available modes. Background scanning starts every time that a scan engine is updated. Mailboxes continue to be scanned sequentially as scan engines are updated. This avoids the problem in which an engine update occurs before a scan has finished its initial pass of the mailboxes: the update restarts the scan at the first mailbox, so the mailboxes in the first pass are scanned repeatedly and the remaining mailboxes are never scanned. Additionally, messages are scanned upon submission to the store. Then, they are rescanned on access if an engine update occurs after the submission scan. Ultimate Security mode is the most resource-intensive of all scanning modes.

Ultimate Security mode is enabled from the Forefront management console. To do this, enable Scan on Scanner Update mode, and then select Enable Background Scan if 'Scan on Scanner Update' Enabled.

Forefront for Exchange provides a parameter named Bias that lets you maintain the desired balance between scanning performance and security. The parameter has the following settings:

  • Maximum Performance: A scan of every item by using only one of the selected engines, which provides the best performance but the least certainty

  • Favor Performance: A scan of every item that uses any number of randomly selected scan engines, from one engine to one-half of the selected engines

  • Neutral: A scan of every item that uses at least one-half of the selected engines

  • Favor Certainty: A scan of every item that uses any number of randomly selected scan engines from one engine to one-half of the selected engines

  • Maximum Certainty: A scan of every item by using all the selected engines, which provides the worst performance but the most certainty



The following table summarizes when a message is scanned in each operation mode.

Mode | In transport | On submission to store | On first access | On subsequent access | Background scan
---|---|---|---|---|---
Default operation mode | Scanned | Not scanned | Not scanned if previously scanned | Not scanned | One time each day
Outbreak mode | Scanned | Scanned | Not scanned | Scanned if there is an engine update after the previous scan | One time each day
Ultimate Security mode | Scanned | Scanned | Scanned if there is an engine update after the previous scan | Scanned if there is an engine update after the previous scan | Every time an engine updates
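The rows of the table above all follow from one mechanism: the antivirus header carries the engine version that scanned the message, and a checkpoint rescans only when that version is missing or older than the store's current engine version. The following model is an added example, not code from the original topic or from the Forefront product; the Message object, parameter names and the version bookkeeping are constructed for illustration, and Forefront's actual header format is not shown. It covers Default, Outbreak ("Scan on Scanner Update") and Ultimate Security modes as well as the DisableAVStamping case described earlier.

```powershell
# Added example: a model of how the AV header stamp and engine version decide whether a
# message is rescanned at each checkpoint. Not from the original topic or the product.

function New-Message {
    # Stamp holds the engine version recorded in the AV header (later the MAPI property);
    # $null means the message is "un-scanned" from the store's point of view.
    New-Object PSObject -Property @{ Subject = 'constructed test message'; Stamp = $null }
}

function Invoke-Checkpoint {
    param(
        [Parameter(Mandatory=$true)]$Message,
        [Parameter(Mandatory=$true)][ValidateSet('Transport','Submission','Access','Background')][string]$Event,
        [ValidateSet('Default','Outbreak','Ultimate')][string]$Mode = 'Default',
        [int]$EngineVersion = 1,         # store engine version; incremented by each signature update in Outbreak/Ultimate
        [bool]$EngineUpdated = $false,   # an engine update just occurred (starts Ultimate background scans)
        [bool]$DailyWindow = $false,     # the once-a-day background window is open
        [bool]$AvStampingDisabled = $false
    )
    $scan = $false
    switch ($Event) {
        'Transport' {
            # Always scanned at the first Edge/Hub. The stamp is written only when stamping
            # is on, and the transport engine version is always 1.
            if (-not $AvStampingDisabled) { $Message.Stamp = 1 }
            return $true
        }
        'Submission' {
            # Proactive scanning is off in Default mode. In Outbreak/Ultimate the transport
            # stamp (1) is outdated as soon as the store engines have updated past version 1.
            if ($Mode -ne 'Default') {
                $scan = ($null -eq $Message.Stamp) -or ($Message.Stamp -lt $EngineVersion)
            }
        }
        'Access' {
            if ($null -eq $Message.Stamp) { $scan = $true }                  # arrived un-scanned
            elseif ($Mode -ne 'Default') { $scan = $Message.Stamp -lt $EngineVersion }
            # Default mode never rescans a stamped message on access.
        }
        'Background' {
            # Background scanning ignores existing stamps whenever it runs.
            $scan = if ($Mode -eq 'Ultimate') { $EngineUpdated } else { $DailyWindow }
        }
    }
    if ($scan) { $Message.Stamp = $EngineVersion }
    return $scan
}

function Get-ScanTrace {
    # Runs one externally received message through transport, submission, first access,
    # and a second access after one more engine update; returns the four decisions.
    param([string]$Mode, [bool]$AvStampingDisabled = $false)
    $m = New-Message
    @(
        (Invoke-Checkpoint -Message $m -Event Transport  -AvStampingDisabled $AvStampingDisabled),
        (Invoke-Checkpoint -Message $m -Event Submission -Mode $Mode -EngineVersion 2),
        (Invoke-Checkpoint -Message $m -Event Access     -Mode $Mode -EngineVersion 2),
        (Invoke-Checkpoint -Message $m -Event Access     -Mode $Mode -EngineVersion 3)
    )
}

foreach ($mode in 'Default','Outbreak','Ultimate') {
    "{0,-8} {1}" -f $mode, ((Get-ScanTrace -Mode $mode) -join ', ')
}
"{0,-8} {1}" -f 'NoStamp', ((Get-ScanTrace -Mode Default -AvStampingDisabled $true) -join ', ')
```

Reading the trace output against the table shows the trade-off each mode makes: Default mode trusts the transport stamp and never rescans a stamped message on access, Outbreak and Ultimate Security modes rescan whenever the engine version has moved past the stamp, and a message that arrives without a stamp (DisableAVStamping) is caught by the first-access scan in every mode. The same comparison is what makes the transport stamp "always outdated" once the store engines have been updated.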

For more information about multiple scan engines, see the white paper, Multiple Scan Engine Advantage and Best Practices for Optimal Security and Performance.

For more information about how to use Forefront Security for Exchange Server, see the following topics:

Forefront Security for Exchange Server Best Practices Guide

Forefront Security for Exchange Server 2007 User Guide

