Configuring virus filtering

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to enable and configure virus filtering on your Forefront TMG server. Forefront TMG provides edge protection that removes e-mail-borne viruses before they can enter an organization’s infrastructure.

This topic describes:

  • Scanning with multiple engines

  • Configuring the intelligent engine selection policy

  • Configuring virus filtering on your server

Prerequisites

Before you configure virus filtering, make sure you complete the following:

  • Install the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES) on each Forefront TMG server in the array, as described in Installing prerequisites for e-mail protection.

  • Create the initial SMTP routes using the E-Mail Policy Wizard, as described in Configuring SMTP routes.

  • Enable virus filtering, either by using the E-Mail Policy Wizard, or by clicking Enable Virus Filtering from the Tasks pane of the Virus and Content Filtering tab.

Scanning with multiple engines

Forefront TMG lets you employ multiple scan engines (up to five) to detect and clean viruses from e-mail attachments. Multiple engines provide extra security by enabling you to draw upon the expertise of various virus labs to keep your environments virus-free; a virus might slip by one engine, but it's unlikely to get past three.

Configuring the intelligent engine selection policy

The intelligent engine selection policy setting controls how many of the selected engines are used, so that you get an acceptable probability that your system is protected. There is a trade-off between virtual certainty and system performance: the more engines you use, the greater the probability that all viruses will be caught, but the greater the impact on your system's performance.

Configuring virus filtering on your server

To configure virus filtering

  1. In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.

  2. In the details pane, click the Virus and Content Filtering tab, and under Virus Filtering, click Enabled.

  3. On the General tab of the Antivirus Configuration dialog, verify that Status is set to Enabled.

  4. On the Engines tab, select an engine management method:

    • Use automatic engine management

    • Manually enable up to 5 engines—If you select this option, you must enable at least one antivirus engine.

  5. Also on the Engines tab, configure the following Intelligent Engine Selection Policy options:

    • Always scan with all selected engines—Queues scanning if any selected engine becomes busy, such as during signature updates.

    • Scan with the subset of selected engines that are available—Scans with all selected engines that are available. Scans continue with the available engines when one of the selected engines is being updated.

    • Scan with a dynamically chosen subset of the selected engines—Heuristically chooses from the selected engines, based on recent results and statistical projections. On average, half of the selected engines are used in scanning any single object.

    • Scan with only one of the selected engines—Heuristically chooses from the selected engines, based on recent results and statistical projections. Only one of the selected engines is used in scanning any single object.

  6. On the Remediation tab, select the action to take when a virus is detected in an e-mail attachment.

    • Skip (detect only)—Makes no attempt to clean or delete. Viruses are reported, but the files remain infected.

    • Clean (repair attachment)—Attempts to clean the virus. If the attempt is successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the deletion text. This is the default setting for each antivirus scan type.

    • Delete (remove infection)—Deletes the attachment without attempting to clean it. The detected attachment is removed from the message, and the deletion text is inserted in its place.

  7. If you want the e-mail recipient to be notified whenever a virus is detected, on the Remediation tab, click Send notifications.

  8. Forefront TMG replaces the contents of the infected file with the text you provide in the Deletion text box. The default deletion text informs the recipient that an infected file was removed and includes the name of the file and the name of the virus found. The deletion text can be customized; simply type your own text in the box.
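
The trade-off behind the four Intelligent Engine Selection Policy options in step 5 can be put into numbers with a small model. The following Python code is an added example, not part of the original topic or of Forefront TMG. It assumes that engines detect independently, uses constructed detection and availability figures, and treats the heuristic choices as uniform random picks, because the actual heuristics are not described on this page.

```python
from itertools import combinations
from math import prod

# Constructed sample values, not vendor data: per-engine (detection rate,
# fraction of time the engine is available rather than busy updating).
ENGINES = {
    "engine_a": (0.9, 0.95),
    "engine_b": (0.8, 0.95),
    "engine_c": (0.7, 0.95),
    "engine_d": (0.6, 0.95),
}

def miss(rates):
    """Probability that every engine in `rates` misses (independence assumed)."""
    return prod(1.0 - p for p in rates)

def mean_miss(rates, k):
    """Average miss probability over all k-engine subsets, each equally likely."""
    subsets = list(combinations(rates, k))
    return sum(miss(s) for s in subsets) / len(subsets)

def policy_stats(engines):
    """Map policy -> (engines per object, miss probability, queue probability).

    Queue probability is None where the page does not describe queueing.
    """
    rates = [p for p, _ in engines.values()]
    avail = [a for _, a in engines.values()]
    n = len(rates)
    # "About half": average the floor(n/2) and ceil(n/2) subset sizes.
    half = (mean_miss(rates, max(1, n // 2)) + mean_miss(rates, (n + 1) // 2)) / 2
    return {
        # Every engine runs; the scan is queued while any engine is busy.
        "all": (n, miss(rates), 1.0 - prod(avail)),
        # Busy engines are skipped, so engine i helps with probability a_i * p_i.
        "available": (sum(avail), prod(1.0 - a * p for p, a in zip(rates, avail)), 0.0),
        # Heuristic choice modelled as a uniform random pick (assumption).
        "dynamic": (max(1.0, n / 2), half, None),
        "single": (1, mean_miss(rates, 1), None),
    }

if __name__ == "__main__":
    for name, (used, missed, queued) in policy_stats(ENGINES).items():
        print(f"{name:9s} engines/object={used:.2f} miss={missed:.4f} queue={queued}")
```

With these constructed figures the modelled miss probability rises from 0.0024 (all engines) to about 0.0050 (available subset), about 0.058 (dynamic subset) and 0.25 (single engine), while engine scans per object fall from 4 to 3.8, 2 and 1.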

Tasks

Installing prerequisites for e-mail protection

Concepts

Configuring protection from e-mail-based threats
Planning to protect against e-mail threats