About mailbox database scanning


Applies to: Forefront Protection for Exchange

On the Exchange Mailbox server role, Exchange provides a virus scanning API (VSAPI) that enables antivirus vendors to scan messages passing through the Exchange mail store (mailbox database).

When a mail client, such as Outlook, accesses messages, FPE provides real-time protection by means of the Exchange VSAPI plug-in. It intercepts and routes messages to an FPE scanning process for malware scanning and filtering.

A message in the mailbox database can be scanned in the following ways:

  • Realtime scanning—Scans messages when they are accessed. Access can include opening a message with a client application, viewing it in a preview pane, and performing content-indexing operations. By default this option is enabled.

  • Scheduled scanning—Scans messages based on a set schedule or can be run immediately as needed. Scheduled scans are typically used to scan the entire information store. This option must be configured and enabled. To configure scheduled scanning, see Scheduling malware scanning of mailboxes and public folders.


    It is a recommended best practice to run a full, scheduled scan, during off hours in order to conserve resources, after installing FPE.

  • On-demand scanning—Scans specific mailboxes that are suspected of being compromised by malware. This option must be configured and started on demand. To configure on-demand scanning, see Scanning specific mailboxes for malware on-demand.

Together, these scanning processes can be used to provide enhanced protection at the mailbox database.

There are two basic configurations for mailbox database scanning, default and outbreak modes. For more information, see Default mailbox database scanning mode and Malware outbreak mailbox database scanning mode.

See Also


Scanning mailboxes and public folders for malware in real time
Scheduling malware scanning of mailboxes and public folders
Scanning specific mailboxes for malware on-demand