Using Windows Performance Monitor


Applies to: Forefront Protection for Exchange

Forefront Protection 2010 for Exchange Server (FPE) performance counters can be displayed by using the Performance Monitor provided by Windows and usually found in Control Panel, in Administrative Tools. In the Add Counters dialog box, you can add counters for the following FPE performance objects:

Forefront Engines—Provides statistics about the antimalware engines used by the scanning processes.

Forefront Eventing—Provides statistics about the internal queue used for processing incidents, quarantined items, and notifications.

The following performance objects reflect spam scanning activity:

  • Forefront Exchange Batv Agent—Provides statistics about backscatter filtering.

  • Forefront Exchange Connection Filtering Agent—Provides statistics about connection filtering.

  • Forefront Exchange Content Filter Agent—Provides statistics about content filtering.

The following performance objects reflect malware and filter scanning activity:

  • Forefront Exchange On Demand Scanner—Provides statistics about the on-demand scan.

  • Forefront Exchange Realtime Scanner—Provides statistics about the realtime scan.

  • Forefront Exchange Scheduled Scanner—Provides statistics about the scheduled scan.

  • Forefront Exchange Transport Scanner—Provides statistics about the transport scan.

After you select one of these performance objects, you can view the available counters listed, as well as the instances of the selected object. You can also view explanations about each counter.

About malware and filter scanning performance objects

The malware and filter scanning performance objects include a separate instance for each process being used by that scan job, enabling you to inspect performance counters on a process-by-process basis. This lets you drill down within a particular scan job into the individual processes for that scan job. For example, if you notice that a specific process is consuming resources in Task Manager, you can use the performance counters for that process to profile its behavior. This list of processes is dynamic, so if a process has to restart (for example, due to a scanning timeout), that instance disappears and is replaced by a new process instance.

There are also instances prefaced by underscores that enable you to view counters across processes. The _Total instance displays values across all active process instances. However, when a process exits, its data is no longer reflected in the _Total instance. The _RunningTotal and _CumulativeTotal instances reflect counters for the scan job since FPE was installed; however, the _RunningTotal counters can be reset. Using these counters, you have access to performance counters even after a process exits.

There are a number of performance counters available in each performance object. The first distinction to note is that the counters are broken down into counters for messages and for message parts. While it is common to think of mail flow through FPE as messages, some messages contain multiple message bodies or attachments, and attachments are sometimes containers of many files. Because FPE navigates through all these parts of a message, and sometimes takes action only on a part (or on multiple parts) of a single message, these counters are broken out separately. Be aware that many attachment files, for example OpenXML files, are actually container files composed of multiple file parts.

The second distinction in the available performance counters is between historical and live counters. The majority of counters are historical in that they always increase to reflect how many messages or message parts met the criteria. Regardless of when you add these counters into a Performance Monitor session, they always reflect what that process has done since it started. Live counters are for rates – the current message rate (number of messages or message parts scanned per second) and the average time necessary to scan a message or message part. These counters are live because they reflect only current values, and are continually reset. (You can change the polling interval for checking counters through Performance Monitor settings.) In order to gain a historical sense of the trends in these rates, you must define data collector sets in Performance Monitor that continually monitor these counters.
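The following PowerShell sketch is an added example, not part of the original FPE documentation. It lists the FPE performance objects, separates the underscore-prefixed aggregate instances from per-process instances, and creates a data collector set for the transport scan. The collector name, output folder and 15-second sample interval are assumptions; the object names are the ones listed on this page.

```powershell
# Added example. Run from an elevated prompt on a server where FPE is installed.
# Object names are taken from this page; everything marked "assumed" is illustrative.

# 1. Enumerate every FPE performance object registered on this machine.
$objects = Get-Counter -ListSet 'Forefront*' -ErrorAction Stop

# Aggregate instances described above; any other instance is a scan process.
$aggregate = '_Total', '_RunningTotal', '_CumulativeTotal'

$report = foreach ($obj in $objects) {
    # PathsWithInstances has the form \Object(instance)\Counter.
    $instances = $obj.PathsWithInstances |
        ForEach-Object { if ($_ -match '\((?<inst>[^)]+)\)\\') { $Matches['inst'] } } |
        Sort-Object -Unique

    [pscustomobject]@{
        Object     = $obj.CounterSetName
        Counters   = $obj.Paths.Count
        Aggregates = @($instances | Where-Object { $aggregate -contains $_ }) -join ', '
        Processes  = @($instances | Where-Object { $aggregate -notcontains $_ }) -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap

# 2. Log all counters for all instances of the transport scan so that the live
#    rate counters can be trended over time.
$collector = 'FPE-TransportScan'        # assumed collector name
$outDir    = 'C:\PerfLogs\FPE'          # assumed output folder
$counter   = '\Forefront Exchange Transport Scanner(*)\*'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Binary (.blg) format is used because process instances come and go when a scan
# process restarts; text formats cannot record instances that appear after the
# log has started.
logman create counter $collector -c $counter -si 00:00:15 -f bin -o "$outDir\transport"
logman start $collector

# Stop later with:  logman stop FPE-TransportScan
```

Open the resulting .blg file in Performance Monitor to review the rate counters over the collection period.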


For more information about how to use this application, see the documentation for Windows Performance Monitor.

See Also


Configuring logging options