Exchange Introduction


Applies to: Forefront Security for Exchange Server

In Microsoft® Exchange, viruses can enter the environment in file attachments to e-mails, e-mail bodies, and public folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange Transport stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real time with minimal impact on server performance or delivery times of messages. Microsoft Forefront Security™ for Exchange Server (FSE) is the solution for protecting Exchange environments.

Forefront Security for Exchange Server is uniquely suited for Exchange Server 2007 environments. It uses the Exchange Virus Scanning Application Programming Interface (VSAPI) to tightly integrate with the Exchange servers to provide seamless protection.

Forefront Security for Exchange Server provides powerful features that include:

  1. Antivirus scanning using multiple antivirus scan engines.

  2. Distributed protection on all storage and transport Exchange server roles, including Edge, Hub, and Mailbox/Public Folder servers.

  3. File filtering by file name, extension, or size.

  4. Comprehensive notifications for the administrator and the message sender and recipient.

Forefront Security for Exchange Server provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2007 environments.

Benefits of using multiple scanning engines

Antivirus vendors all try to release signatures as soon as possible, but with every virus threat there is variation between various antivirus research labs in how quickly virus samples are obtained and analyzed, and signatures are released. By using multiple antivirus scan engines, Forefront customers can realize the benefit of diversification. If all messages are scanned with five engines, it is more likely that one of the engines is equipped to handle a recently released virus than if only one antivirus engine was being used.

Forefront offers configuration settings to enable you to choose a balance between performance and relative level of protection. Any number of engines can be chosen up to a maximum of five, and a bias setting can be chosen to determine if all engines scan every message or if a subset of the selected engines are used to scan each message. The recommended bias setting for increased protection is Favor Certainty. This setting configures Forefront to scan with all available engines that have been selected. (With Favor Certainty an engine may be bypassed if it is temporarily unavailable such as when it is in the middle of reloading to update its signatures.)


You can use the Microsoft Forefront Server Security Management Console to manage multiple Forefront Protection 2010 for Exchange Server instances. You can find the product documentation at Microsoft Forefront Server Security Management Console. You can find a video introduction to the console at Forefront Management Console Part 1.

Forefront Security for Exchange Server scanning overview

  • Antivirus scanning on Edge Transport or Hub Transport servers is done by a Forefront AV Agent that is an E12 Transport agent registered with the Edge Transport.exe and loaded by that process.

  • Antivirus scanning on the Mailbox server for Realtime and Background processing is done by an E12 compatible Forefront VSAPI.dll that is loaded by the Exchange Store.

  • The actual antivirus scanning of messages is performed by separate Forefront Realtime and Transport processes that provide message scanning isolation from the Exchange Transport and Store processes.

Forefront Security for Exchange Server supports Exchange Edge Transport, Hub Transport, and Mailbox/Public Folder server roles. By distributing the scanning workload over the various Exchange servers, the impact on individual servers is reduced and duplicate scanning is eliminated.

Forefront Security for Exchange incorporates new scanning logic that does not scan e-mail that has already been scanned. By default, e-mail scanned at an Edge Transport or Hub Transport does not get scanned again when routed or deposited into mailboxes. This approach minimizes antivirus scanning overhead to maximize mail system performance. It also:

  • Significantly reduces scanning impact at the Information Store.

  • Can be turned off to enable scanning at all points.

To identify mail that has already been scanned, a secure antivirus header stamp is written to each e-mail when it is first scanned at the Edge or Hub server. Later scanning operations (Hub or Store) check for this stamp and if it is present the mail is not re-scanned. When the message is submitted to the Store, the antivirus stamp properties are added to a MAPI property and maintained.

To best utilize this “scan once” capability, it is recommended that all Exchange servers be configured with the same configuration settings so that scanning at various distributed points in the Exchange organization are all equivalent.

There are several scanning scenarios:

Scanning of inbound mail

Mail is scanned at the Edge server. The mail is not rescanned at the Hub or when first deposited in the Mailbox servers. However, after the messages are deposited in the Mailbox server, the server can be configured to periodically rescan all or some of the content with newer signatures.

Scanning of outbound mail

By default, outgoing mail is not scanned on the mailbox server, but is scanned at the Hub server. If Mailbox and Hub server roles are deployed on the same computer, the mail is scanned by the Hub Transport role. If there is an Edge server deployed in the Exchange Organization, the mail is not rescanned at the Edge server.

Scanning of internal mail

Mail is scanned at the Hub server as it is routed internally. By default the mail is not scanned at the Mailbox server where it originated or rescanned at the destination Mailbox server.

In all of these scenarios, processing time and load is saved on the Mailbox servers.

The AV stamp

There are three conditions that must be met before the AV Transport Agent places an AV stamp on a message:

  • The message must be scanned with at least one virus engine.

  • Either no virus must be found or if a virus is found it must be cleaned or deleted.

  • If the message was updated, Forefront must successfully write the updated message back to Exchange.

If Forefront is set to Skip:detect only mode for virus scanning, no stamp will be written if a virus is found. Only antivirus scanning sets the stamp; file filtering has no effect on it.

Mailbox scanning

Store scanning is handled by:

  • Realtime scan job and Background Scanning

  • Manual scan job

Proactive scanning (Scan when messages and files are written to the Store.) is turned off by default.

By default, messages that arrive at a Mailbox server carry a Transport stamp and are not re-scanned by the Realtime scanning processes. The Transport Hub that has scanned theses messages can either be located on a separate server or co-located with the Mailbox server. Content that has never been routed through a Transport Hub does not have an AV stamp and is scanned when first retrieved from the store by On-Access Scanning.

By default, On-Access Scanning is used to scan a message when it is accessed only if it has not been scanned before. Access includes opening a message, viewing in the preview pane, and content indexing operations. Most retrieval has no impact on the Store since messages have been scanned in transit. On-access scan provides protection for messages in the Sent Items folder, the Outbox, and Public Folders.

There are optional high security configuration settings that can be enabled on the Mailbox server to scan a message on access if new signatures have arrived since the message was last scanned. (See the Scan on scanner update option in Settings- General Options.) It is recommended that these high security settings be used only in the event of a serious threat that requires constant rescanning of mail to protect users from a known threat which requires this level of protection.

When Outlook is running in cache mode, there are two copies of the user folders, one local and one on the server. Forefront is a server application and only has access to the server copy. This provides appropriate protection, because sending or receiving transfers the message to the server, where scanning takes place.

It should be noted that On-Access protection is limited. When the mail has already been downloaded to a client Outlook cache in Outlook 2003 or Outlook 2007 (if Outlook cache mode is on), then locally accessing the mail in Outlook does not cause an On-Access event on the Exchange server. Background scanning is useful for this case when the mail is already stored in the client cache. If Background scan detects a virus, the store copy of the message will be cleaned or deleted, forcing the client to re-synchronize the (cleaned or purged) messages the next time the client connects to Exchange.

Background Scanning now provides incremental Background Scanning to enhance performance. This functionality enables administrators to configure Background scanning jobs to scan messages based on their age. For example, administrators can configure Forefront to schedule a background scan job to run at off peak hours and to only scan messages received in the past two days. Administrators can also run a background scan job to clean the mailbox server in response to a known event that has deposited infected items in the store.

Incremental Background Scanning dramatically reduces Store overhead and provides a significant level of protection for the latest messages that may have been received on the Exchange server before the corresponding signatures for that virus were received. Background Scanning uses the same configuration settings configured in the Realtime Scan job.

Microsoft recommends that Proactive scanning be turned on for a Public Folder server so that the content is scanned when it is posted to the server and does not incur any download delays when the content is accessed.

Premium spam protection

As a licensed user of Forefront Security for Exchange Server, you receive premium anti-spam services. This premium service updates the content filter daily, using Microsoft Update. In addition, the service includes the Spam Signature and IP Reputation Service updates, available on an as-needed basis, up to several times a day. Built upon the base level of anti-spam protection within Exchange 2007, these premium anti-spam services add:

  • Microsoft IP Reputation Service, which provides sender reputation information about IP addresses that are known to send spam. This is an IP block list offered exclusively to Exchange 2007 customers. Premium spam protection also includes automated updates for this filter, available on an as-needed basis, up to several times a day.

  • Spam Signature updates to identify the most recent spam campaigns. The signature updates are available on an as-needed basis, up to several times a day.

  • Automated content filtering updates for Microsoft Smartscreen spam heuristics, phishing Web sites, and other Intelligent Message Filter (IMF) updates.

  • Targeted spam signature data and automatic updates to identify the latest spam campaigns.

These capabilities help ensure that your organization has the most up-to-date protection against the latest spam attacks.

For more information about anti-spam protection, see Managing Anti-Spam and Antivirus Features in the Microsoft Exchange Server 2007 documentation.

Scanning order

When FSE scans a file or an e-mail message, the following tasks are performed in the order listed:

  • Allowed senders scan—If the allowed senders list functionality is enabled, FSE compares the message sender's domain or address to the allowed senders list. If a message is from a domain or address in the allowed senders list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.

    You can configure the allowed senders list functionality to bypass specific types of filters, such as keyword filters, file filters, and content filters or you can bypass all filters. For more information, see Keyword filtering.

  • Content filtering scan—Content filtering includes the following filters (for more information see Content filtering):

    • Sender-domains filtering—When sender-domains filtering is enabled, FSE compares the message sender to the senders and the domains that are in the sender-domains filter list.

    • Subject line filtering—When subject line filtering is enabled, FSE compares the contents of the message's subject line to the words in the subject line filter list.

  • Keyword filtering scan—When keyword filtering is enabled, FSE compares the contents of the message to any keyword filter lists that have been created. For more information, see Keyword filtering.

  • Attachment scan—If the e-mail message has an attachment, FSE scans it for worms and viruses:

    • Worm purge—The worm purge tool maintains the WormPrge.dat file, containing a list of known worms. This list is regularly updated and maintained by FSE. The contents of the message are compared to the list of known worms. For more information, see Purging messages infected by worms.

    • File filtering—When file filtering is enabled, FSE compares the contents of the message to the file filter list. The file filter list provides you with the ability to search for attachments with a specific name, type, and size within an e-mail message. For more information, see File filtering.

    • Virus cleaning—FSE uses multiple virus scan engines to determine whether the attachment contains a virus. For more information, see Multiple scan engines.

  • Body scan—The body of the message is compared to the worm list that is maintained in the WormPrge.dat file. If no worms are found, FSE then scans the body of the message for viruses. For more information, see Purging messages infected by worms and Multiple scan engines

Third-party file-level antivirus programs

If you use a third-party file-level antivirus program on a server containing Forefront Security for Exchange Server, you must ensure that the following program folders are not scanned in order to prevent corruption of FSE:

  • <Drive:>\Program Files (x86)\ Microsoft Forefront Security

    (or whatever folder in which you installed FSE)

  • <Drive:>\Program Files\Microsoft\Exchange Server

The file-level antivirus scan can also cause a conflict when FSE tries to scan e-mail messages.

Additional documentation

The most current Microsoft Forefront Security for Exchange Server documentation, including the "Microsoft Forefront Security for Exchange Server Quick Start Guide", the "Microsoft Forefront Security for Exchange Server Best Practices Guide", and the "Microsoft Forefront Security for Exchange Server Cluster Installation Guide", is available at the Microsoft Forefront Security for Exchange Server TechNet Library.