Forefront Security for Exchange Server Best Practices - Deployment considerations


Applies to: Forefront Security for Exchange Server

For baseline protection throughout the enterprise, it is recommended that Forefront Security for Exchange Server be deployed on all Edge and Hub Transport servers. With this configuration, all incoming, outgoing, and internal mail is scanned in transit on the Transport servers. However, items that are never routed through Transport, such as Public Folder items, Sent Items, and Calendar items, can only be scanned on a Mailbox server and are therefore not protected. In addition, content that was scanned in Transport cannot be scanned again after it has been delivered to the Mailbox server, for example in response to a specific attack that may have penetrated your system despite the Transport scanning.

For global protection throughout the enterprise, it is recommended that Forefront Security for Exchange Server be deployed on all Edge, Hub, and Mailbox servers. To obtain optimal performance, all servers should have identical protection settings (although the Edge server might benefit from using more engines and a higher bias setting to ensure that all mail is scanned by multiple engines).

When mail arrives at a Hub or Edge Transport server, it is scanned and, by default, stamped with a special internal property called an “AV Stamp”. This AV Stamp property (used in Exchange 2007 to minimize duplicate scanning on the Transport and Mailbox server roles) is carried with the mail, and prevents it from being rescanned at various transit points and when it is first deposited in the Store. Even with this optimization, before installing FSE (or any antivirus scanning software) on a Mailbox server, you should conduct careful capacity planning and performance assessments to ensure that the server is operating with enough spare processing capacity to tolerate the extra load imposed by antivirus scanning.

The Forefront multiple engine architecture helps maximize antivirus protection through diversity. Studies have shown that scanning with five engines decreases the window of vulnerability, that is, the time from when a new threat is first encountered in the wild until at least one engine vendor has released a protective signature. By default, messages are scanned only once by Forefront; however, it is a best practice to schedule background scanning on the Mailbox server to periodically rescan messages using the latest available signatures. In Exchange 2003, background scanning could only scan the entire mailbox Store, a potentially lengthy process. In Exchange 2007, incremental background scanning provides a way to selectively scan the subset of messages on the server most likely to be infected. It is a best practice to schedule a regular background scan of the Store to rescan items that have been received within the last two days. This is the preferred setting on medium- to large-scale mail servers. On smaller servers housing fewer mailboxes, it is possible to scan a larger selection of messages and, in some cases, all stored messages every 24 hours during off-peak times. The procedure for configuring a regular background scan is as follows:

  • In the General Options pane, Background Scanning section, select “Scan Messages Received Within the Last __ Days” (specifying two days, as suggested above) and “Scan Only Messages with Attachments”.


    The setting “Scan Only Unscanned Messages” must not be selected; otherwise, messages that were already scanned with an earlier signature version will never be rescanned, which defeats the purpose of the background scan.

  • In the Schedule Job pane, enable the Background Scan Job and schedule it to run at a selected date, time, and frequency.


    On large mailbox servers, if more than two days’ worth of mail is selected, the Background scan can continue for days. The scan can be manually stopped at any time using the “Stop” button in the Schedule Job pane.

Third-party file-level antivirus programs

If you use a third-party file-level antivirus program on a server running Forefront Security for Exchange Server, you must exclude the following program folders from file-level scanning to prevent corruption of FSE:

  • <Drive:>\Program Files (x86)\Microsoft Forefront Security

    (or whatever folder in which you installed FSE)

  • <Drive:>\Program Files\Microsoft\Exchange Server

A file-level antivirus scan of these folders can also conflict with FSE when it tries to scan e-mail messages, because both products attempt to open the same files at the same time.
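The following script is an added example and is not part of the Forefront Security for Exchange Server documentation. It checks that the two folders listed above are excluded from the file-level scanner and, if asked, adds the missing exclusions. It assumes the file-level scanner is Microsoft Defender Antivirus (managed with Get-MpPreference and Add-MpPreference), that FSE is installed in the default folder on drive C:, and that the Exchange install folder can be read from the ExchangeInstallPath environment variable that Exchange setup creates; adjust the two paths if your installation differs, and substitute the vendor's commands for another scanner.

```powershell
# Added example; not from the Forefront Security for Exchange Server documentation.
# Verifies that the FSE and Exchange Server program folders are excluded from a
# file-level antivirus scanner and optionally adds the missing exclusions.
# Assumption: the scanner is Microsoft Defender Antivirus (Get-MpPreference /
# Add-MpPreference). For another vendor, swap those two cmdlets; the comparison
# logic is unchanged.

function Get-RequiredFseExclusions {
    param(
        # Folder in which FSE was installed (documentation default on drive C:;
        # change this if you installed FSE elsewhere)
        [string]$FseInstallPath = 'C:\Program Files (x86)\Microsoft Forefront Security',
        # Exchange setup sets the ExchangeInstallPath system environment variable
        [string]$ExchangeInstallPath = $env:ExchangeInstallPath
    )
    if (-not $ExchangeInstallPath) {
        # Fall back to the documentation default if the variable is not set
        $ExchangeInstallPath = 'C:\Program Files\Microsoft\Exchange Server'
    }
    # Trim trailing backslashes so the paths compare exactly with the scanner's list
    @($FseInstallPath, $ExchangeInstallPath) | ForEach-Object { $_.TrimEnd('\') }
}

function Test-FseExclusions {
    [CmdletBinding()]
    param(
        [string[]]$Required = (Get-RequiredFseExclusions),
        # Add any missing exclusion instead of only reporting it (requires elevation)
        [switch]$Fix
    )
    # Exclusions currently configured in the file-level scanner
    $current = @((Get-MpPreference).ExclusionPath | ForEach-Object { $_.TrimEnd('\') })
    # -notcontains is case-insensitive, which matches Windows path semantics
    $missing = @($Required | Where-Object { $current -notcontains $_ })

    foreach ($path in $Required) {
        $state = if ($missing -contains $path) { 'MISSING ' } else { 'excluded' }
        Write-Host ('{0} {1}' -f $state, $path)
    }

    if ($missing.Count -gt 0 -and $Fix) {
        # Add-MpPreference appends to the existing exclusion list; nothing is removed
        Add-MpPreference -ExclusionPath $missing
        Write-Host "Added $($missing.Count) folder exclusion(s)."
    }
    return ($missing.Count -eq 0)
}

# Report only:
Test-FseExclusions
# Report and add the missing exclusions (run from an elevated PowerShell prompt):
# Test-FseExclusions -Fix
```

Run the report-only form after every FSE or Exchange upgrade, since a reinstall into a different folder silently invalidates the old exclusions. The script adds folder exclusions only, which is what the documentation prescribes; it does not exclude individual processes or file extensions.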