Understanding antimalware scanning
Applies to: Forefront Protection for Exchange
FPE can be deployed and configured in a variety of ways depending on the topology of the Exchange organization. In most Exchange organizations, when mail arrives from the Internet (inbound mail) at a Hub Transport or Edge Transport server, a few actions occur. First, FPE antispam agents process email messages, filtering spam messages before they enter an organization. Next, the FPE antimalware routing agent passes email messages to FPE scanning processes for malware and filtering processing. By default, it is then stamped with an antivirus stamp to prevent it from being unnecessarily scanned again. Outbound mail and internal mail are also scanned at the first Hub Transport server and are stamped to prevent additional scanning. For improved protection, all e-mail traffic should be scanned as it is entering, exiting, or transiting the network. FPE scanning navigates through these three basic scanning points in the following ways:
Scanning inbound mail — Inbound mail from the Internet is scanned at either the Edge Transport server or at the Hub Transport server if no Edge Transport server is deployed. If an Edge Transport server is deployed and FPE scans and puts the antivirus stamp on a message, that message will not be rescanned at the Hub Transport server or when delivered to the mailbox database. You can configure the scheduled scan to periodically scan all or some mail in the mailbox database with new antimalware definitions when they become available. For more detailed information about scanning inbound mail, see Inbound scanning.
Scanning outbound mail — By default, outbound mail is not scanned at the Mailbox server role, but is scanned in transit at the Hub Transport server role. If an Edge Transport server is deployed, the mail is not scanned at the Edge Transport server because it has already been scanned at the Hub Transport server. For more detailed information about scanning outbound mail, see Outbound scanning.
Scanning internal mail — Mail is scanned at the Hub Transport server as it is routed internally. By default, the mail is not scanned at the Mailbox server where it originated, nor is it scanned at the destination Mailbox server. For more detailed information about scanning internal mail, see Internal scanning.
In all these scenarios, all mail is scanned for malware during transport into or out of an Exchange organization, but processing time and load is conserved on the Mailbox servers by spreading the scanning load among the Hub and Edge Transport servers.