Forefront Security For Exchange Server Evaluation Guide

This guide provides instructions and evaluation materials for Microsoft(r) Forefront(tm) Security for Exchange Server. It is intended to help evaluators assess the scope and functionality of Forefront Security for Exchange Server. This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.


Microsoft Forefront Security for Exchange Server
Evaluation Guide

October 2006

Microsoft Confidential – Internal & Partner’s under NDA Use Only

Summary: Designed especially for technology evaluators, this guide provides
instructions and evaluation materials for Microsoft® Forefront™ Security for Exchange
Server. It is intended to help evaluators assess the scope and functionality of Forefront
Security for Exchange Server through a hands-on feature review.


Copyright
This is a preliminary document and may be changed substantially prior to final commercial release of the
software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, this document should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these patents,
trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred.

© 2006 Microsoft Corporation. All rights reserved.

Microsoft, Forefront, Antigen, Excel, SharePoint, Windows, Windows Server System, and the Windows
Server System logo are either registered trademarks or trademarks of Microsoft Corporation or Sybari
Software, Inc. in the United States and/or other countries. Sybari Software, Inc. is a subsidiary of
Microsoft Corporation.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.



Forefront Security for Exchange Server Evaluators Guide

Table of Contents
Executive Summary......................................................................................1
Benefits of Using Multiple Scanning Engines...................................................2
Forefront Security for Exchange Server Scanning Overview.........................2
Required Tasks for Forefront for Exchange Server.......................................5
Step 1: Configuring the Transport Scan Job.................................................6
Step 2: Configuring Scan Engine Updates.....................................................8
Step 3: Configuring Engine Bias Settings...................................................10
Step 4: Configuring Engine Actions and WormPurge .................................12
Step 5: Configuring the Realtime Scan Job.................................................16
Step 6: Configuring the Background Scan Job............................................19
Step 7: Configuring File Filtering................................................................23
Step 8: Setting Notifications......................................................................27
Step 9: Incident Log Options......................................................................31
Step 10: Quarantine Options......................................................................33
Step 11: General Options Review...............................................................35


Executive Summary
In Microsoft® Exchange Server, viruses can enter the environment in e-mail file
attachments, e-mail bodies, and Public Folder posts, but traditional antivirus technology
cannot monitor or scan the contents of the Exchange database or the Exchange
Transport stack. Exchange environments require an antivirus solution that can prevent
the spread of viruses by scanning all messages in real time with minimal impact on
server performance or message delivery times. Microsoft® Forefront Security™ for
Exchange Server is the solution for protecting Exchange environments.
Forefront Security for Exchange Server is uniquely suited for Exchange Server 2007
environments. It uses the Exchange Virus Scanning Application Programming Interface
(VSAPI) to deeply integrate with Exchange servers to provide comprehensive
protection.
Forefront Security for Exchange Server provides powerful features that include:
1. Antivirus scanning using multiple, integrated antivirus scan engines that are
included with the product.
2. Premium antispam protection through a license to enable the antispam services
that are built into Exchange 2007.
3. Distributed protection on all storage and transport Exchange server roles—
namely, at all Edge, Hub, and Mailbox/Public Folder servers.
4. Protection against new threats with heuristics technology and file filtering by file
name, extension, true file type, and file size.
5. Performance controls for optimizing server speed and availability.
6. Easy management of product configuration and operation, automated signature
updates, and reporting across the enterprise.
Forefront Security for Exchange Server provides comprehensive protection for your
messaging servers and is the antivirus solution for Exchange 2007 environments.
This guide provides a step-by-step explanation of how to configure Forefront Security
for Exchange Server, along with best practices, tips, and tactics to help ensure
successful implementation.

How the Guide Works


Following introductory material, Forefront Security for Exchange Server is explained in a
series of “Required Tasks,” which are steps that must be taken to ensure the software is
properly running and that basic antivirus protections are in place. This is not an
exhaustive review of product features, but a focus on key product areas.


Benefits of Using Multiple Scanning Engines


Antivirus vendors all try to release signatures as soon as possible, but with every virus
threat there is variation among antivirus research labs in how quickly virus samples are
obtained and analyzed, and when signatures are released. By using the multiple
antivirus scan engines of Forefront Security for Exchange Server, customers can realize
the benefit of diversification. If all messages are scanned with five engines, it is more
likely that one of the engines is equipped to handle a recently released virus than if only
one antivirus engine is being used.
Forefront Security for Exchange Server offers configuration settings to allow a user to
balance performance needs and the relative level of protection. Administrators can run
up to five engines at once, and select a bias setting to determine if all engines will scan
every message, or if a subset of the selected engines will be used to scan each
message. The recommended bias setting is “Favor Certainty.” This setting configures
Forefront Security for Exchange Server to scan with all available engines that have been
selected unless an engine is temporarily unavailable, such as when it is offline receiving
an update to its signatures.

Forefront Security for Exchange Server Scanning Overview
Forefront Security for Exchange Server supports Exchange Edge Transport, Hub
Transport, and Store (Mailbox/Public Folder) server roles. By distributing the scanning
workload over the various Exchange servers, the impact on individual servers is reduced
and duplicate scanning is eliminated. Reducing antivirus scanning at the Store was a
specific design goal of Forefront Security for Exchange Server.
Forefront Security for Exchange Server incorporates new scanning logic that does not
scan e-mail that has already been scanned. By default, e-mail scanned at an Edge
Transport or Hub Transport server does not get scanned again when routed or deposited
into mailboxes. This approach minimizes antivirus scanning overhead to maximize mail
system performance. This feature also:
• Significantly reduces scanning impact at the Store.
• Can be turned off to allow scanning at all points.
To identify mail that has already been scanned, a secure antivirus header stamp is
written to each e-mail when it is first scanned at the Edge or Hub server. Later scanning
operations (e.g., at the Hub or Store for incoming mail) check for this stamp and if it is
present the mail is not re-scanned. When the message is submitted to the Store, the
antivirus stamp properties are added to a MAPI property and maintained.
To best utilize this “scan once” capability, all Exchange Transport server roles should be
set to the same configuration settings, so scanning is the same at all Transport points.
There are a number of scanning scenarios based on network topologies. Here are
several of the most common:


Scanning of Inbound Mail


Inbound mail from the Internet is scanned at the Edge server. It is not re-scanned at
the Hub or when first deposited in a Store. However, after the messages reach the
Store server, the Background Scan Job process can be configured to periodically re-scan
all or some of the mail with newer signatures.

Scanning of Outbound Mail


By default, outgoing mail is not scanned at the Store role, but is scanned in transit at
the Hub role. If an Edge server is deployed in the Exchange organization, the mail is not
re-scanned at the Edge server because it has already been scanned at the Hub.

Scanning of Internal Mail


Mail is scanned at the Hub server as it is routed internally. By default the mail is not
scanned at the Store server where it originated, nor is it re-scanned at the destination
Store server.
In all of these scenarios, processing time and load is saved on the Store servers.

The Antivirus (AV) Stamp


There are three conditions that must be met before the Antivirus Transport Agent of
Exchange 2007 places an AV stamp on a message:
• The message must be scanned with at least one virus engine.
• Either no virus must be found or if a virus is found it must be cleaned or deleted.
• If the message was updated, Forefront Security for Exchange Server must
successfully write the updated message back to Exchange.
The Skip:detect mode of Forefront Security for Exchange Server will not write the AV
stamp into a message.

Store Scanning
Store scanning is handled by:
• Realtime Scan Jobs and Background Scan Jobs
• Manual scan jobs
Proactive scanning (scan when messages and files are written to the Store) is turned off
by default. This is a major change from previous versions of Exchange.
By default, messages that arrive at a Store server carry an AV stamp and are not re-
scanned by the Realtime Scan Job process. The Transport Hub that has scanned these
messages can either be located on a separate server or co-located with the Store
server. Content that has never been routed through a Transport Hub will not have an AV
stamp and will be scanned when first retrieved from the store during On-Access
Scanning.
By default, On-Access Scanning is used to scan a message when it is accessed only if
it has not been scanned before. An “access” can include opening a message, viewing it
in the preview pane, and performing content-indexing operations. Most interactive
retrieval has no impact on the Store since messages have already been scanned in
transit.
However, messages in the Sent Items folder, the Outbox, and Public Folders have not
been routed through a Hub role and therefore have not been scanned. They will be
checked with On-Access Scanning because the database does not list them as having
been scanned before.
Optional high-security configuration settings can be enabled on the Store server to scan
a message on access if new signatures have arrived since the message was last
scanned. (See “Scan on Scanner Update” in Settings-General Options.) This is
considered a high security or “outbreak mode” setting. It is meant to be used in the
event of a serious threat that requires constant re-scanning of mail to protect users
from a quickly proliferating attack.
Background scanning now provides incremental background scanning to enhance
server performance. This functionality allows administrators to configure Background
Scan Jobs to scan messages based on certain criteria, such as a message’s age. For
example, administrators can configure Forefront Security for Exchange Server to
schedule a Background Scan Job to run at off-peak hours and to scan only messages
received in the past two days. Administrators can also run a background scan job to
clean the Store server in response to a known event that has deposited infected items
in the store.
Incremental background scanning dramatically reduces Store overhead and provides a
significant level of protection for the latest messages that may have been received on
the Exchange server before the corresponding signatures for that virus were received.
Background Scan Jobs use the same configuration settings that are configured for
Realtime Scan Jobs.
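The "scan once" logic described in this section, modelled as an added example (not code from the product or this guide): a Store item carries an AV stamp only if it passed through an Edge or Hub role, On-Access Scanning by default touches only unstamped items, the optional "Scan on Scanner Update" setting also re-scans stamped items whose stamp predates the latest signature update, and an incremental Background Scan Job selects items by age. The item model, the sample mailbox content and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class StoreItem:
    """Constructed model of a Store item. av_stamp_time stands in for the AV stamp
    the Transport Agent writes at the Edge/Hub and the Store keeps as a MAPI
    property; None means the item never passed through a Transport role."""
    subject: str
    folder: str
    received: datetime
    av_stamp_time: Optional[datetime] = None


NOW = datetime(2006, 10, 16, 9, 0)                  # constructed "current time"
LAST_SIGNATURE_UPDATE = NOW - timedelta(hours=2)    # engines last updated two hours ago


def needs_on_access_scan(item: StoreItem,
                         scan_on_scanner_update: bool = False,
                         last_signature_update: Optional[datetime] = None) -> bool:
    """Decide whether an access (open, preview, content indexing) triggers a scan.

    Default: only items without an AV stamp are scanned. With the outbreak-mode
    option "Scan on Scanner Update" enabled, a stamped item is re-scanned as well
    when signatures newer than its stamp have arrived since it was last scanned.
    """
    if item.av_stamp_time is None:
        return True          # Sent Items, Outbox, Public Folders: never routed via a Hub
    if scan_on_scanner_update and last_signature_update is not None:
        return last_signature_update > item.av_stamp_time
    return False


def select_for_background_scan(items: List[StoreItem], now: datetime,
                               max_age: timedelta) -> List[StoreItem]:
    """Incremental Background Scan Job: only items received within max_age."""
    return [i for i in items if now - i.received <= max_age]


def sample_items() -> List[StoreItem]:
    """Constructed sample mailbox content, not real data."""
    hub_scanned = NOW - timedelta(hours=6)   # stamped at the Hub six hours ago
    return [
        StoreItem("Quarterly report", "Inbox", NOW - timedelta(hours=6), hub_scanned),
        StoreItem("Re: lunch", "Sent Items", NOW - timedelta(hours=1)),
        StoreItem("Team announcement", "Public Folders", NOW - timedelta(days=5)),
        StoreItem("Old newsletter", "Inbox", NOW - timedelta(days=10),
                  NOW - timedelta(days=10)),
    ]


def evaluate_store(outbreak_mode: bool) -> Dict[str, bool]:
    """Map each sample item's subject to whether an access would scan it."""
    return {i.subject: needs_on_access_scan(i, outbreak_mode, LAST_SIGNATURE_UPDATE)
            for i in sample_items()}


def background_subjects(max_age_days: int) -> List[str]:
    """Subjects an incremental Background Scan Job limited to max_age_days would scan."""
    picked = select_for_background_scan(sample_items(), NOW, timedelta(days=max_age_days))
    return [i.subject for i in picked]


if __name__ == "__main__":
    print("default On-Access:", evaluate_store(False))
    print("Scan on Scanner Update:", evaluate_store(True))
    print("Background Scan Job, last 2 days:", background_subjects(2))
```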


Required Tasks for Forefront for Exchange Server
This chapter discusses the steps needed to provide basic antivirus protection using
Forefront Security for Exchange Server. It is critical to complete all of the steps as they
are outlined to provide the necessary protection for your environment. A checklist of
steps is provided, so you can mark your progress as you configure the system.

A Note on Installation and Use of Forefront Security for Exchange Server


This guide assumes that you have already successfully installed the Forefront Security
for Exchange Server software. For detailed installation instructions, please consult the
Forefront Security for Exchange Server User Guide. It also assumes you are familiar
with how to log in to the built-in Forefront Server Security Administrator console.

Required Tasks Checklist


The following checklist provides a brief overview of all the tasks necessary for
successfully deploying Forefront Security for Exchange Server for antivirus protection.
Use the left column to mark when you have completed each step. Until each step below
is completed, your Forefront system is not optimized to protect your environment. This
may result in a failure to adequately protect your environment.

Check   Step (click the topic to jump to the instructions) – Description

[ ]  Step 1: Configuring the Transport Scan Job – Set the scanning parameters for
     the Transport scanning job.
[ ]  Step 2: Configuring Scan Engine Updates – Enable all scan engines to update
     automatically at pre-set intervals.
[ ]  Step 3: Configuring Engine Bias Settings – Set the number of engines to be used
     in each scan.
[ ]  Step 4: Configuring Engine Actions and WormPurge – Set the action to take in
     the event of detecting a virus. Also includes an explanation of the Forefront
     Worm List.
[ ]  Step 5: Configuring the Realtime Scan Job – Set the scanning parameters for the
     Realtime Scan Job (Store).
[ ]  Step 6: Configuring the Background Scan Job – Set the time and options for
     incremental background scanning in a Background Scan Job.
[ ]  Step 7: Configuring File Filtering – Set filtering parameters to block specific
     file types.
[ ]  Step 8: Setting Notifications – Configure notifications for senders, recipients,
     and administrators.
[ ]  Step 9: Incident Log Options – Review and update options for the Incident Log.
[ ]  Step 10: Quarantine Options – Review and update options for the Quarantine in
     Forefront Security for Exchange Server.
[ ]  Step 11: General Options Review – Review and update General Options settings as
     needed.


Step 1: Configuring the Transport Scan Job


Why the Transport Scan Job Is Important
The Transport Scan Job is your first layer of defense. It is also the most efficient layer in
terms of processing and should be seen as the defense workhorse, the point where
most scanning gets done and the majority of dangerous and unwanted content is
eliminated.
The Transport Scan Job can be run at various points in the environment, depending on
the configuration of your network. It can be run on an Exchange 2007 Edge Server or
Hub Role, and ideally should be run on all Edge and Hub roles. However, in all cases the
Transport Scan Job should take place at the outermost Exchange Server.

Configuration Steps for the Transport Scan Job


When you first open the Forefront Server Security Administrator, you are on the screen
that you will use to set up the Transport Scan Job. Go to Settings > Scan Job to get to
this screen.

[Screenshot: the Settings > Scan Job screen, with callouts One, Two, Three, and
SAVE! marking the fields described below.]

The following steps should be taken on this screen to properly set up the Transport Scan
Job.

One: Verify that the Transport Scan Job “State” is set to Enabled, and that Virus
Scanning, File Filtering, and Keyword Filtering are listed as On. If they are not on,
click on Operate > Run Job to activate them. Note that Content Filtering, which
includes Subject Line filtering, is not available on the Transport Scan Job. Subject
Line filters can be created using Exchange 2007 Transport Policy rules.

Two: Verify the Transport Messages scanning direction settings. By default, the
product will scan inbound, outbound, and internal messages. Make sure these are all
turned on.
Note: Do not deselect Inbound scanning unless you have very specific reasons to do so!
Doing so will open your environment to viruses!
  Inbound – Scans messages coming from an external server (for example,
  Internet-based e-mail).
  Outbound – Scans any mail that leaves your Exchange server or Exchange
  organization. Messages are designated as outbound if at least one recipient has an
  external address.
  Internal – Scans mail that is being routed between users inside your domain.
  Messages are designated as Internal if they originate from inside your domain and
  ALL the recipients are located inside your domain.

Three: Configure your Deletion Text. When Forefront Security for Exchange Server
deletes an infected attachment, it will replace it with deletion text that tells the
recipient the virus was deleted. The deletion text can be customized. By default it
says:
    Microsoft Forefront Security for Exchange Server removed
    a file since it was found to be infected.
    File name: "%File%"
    Virus name: "%Virus%"
The text can be changed as needed to reflect any information you may want to provide
to your users. There are two dynamic keywords that will be filled in based on the
virus detected:
  %File% — the name of the file that was removed
  %Virus% — the name of the virus it was infected with
Additional dynamic keywords can be added to the message, such as the name of the
sender or recipient. To insert a dynamic keyword, right-click in the Deletion Text
window and choose Paste Keyword.

SAVE!: Click the Save button to have your settings take effect.


TIPS, CONSIDERATIONS, and BEST PRACTICES


► It is considered good Internet etiquette to scan your outbound mail for viruses. In
addition, this can protect you from legal liability should an infected PC in your
organization attempt to send out viruses (a common behavior of worm viruses).
► When configuring your Deletion Text, you may want to offer advice to your users
about what to do. Users often get nervous when they receive a virus message, even
though the virus has been deleted. For example, you may add wording such as: “The
infection has been removed and your computer has not been infected with a virus.”

Step 2: Configuring Scan Engine Updates


Why Scan Engine Updates Are Important
Timely updating of your scan engines is critical in the fight against viruses and
unwanted e-mail. The antivirus engines provided within Forefront Security for Exchange
Server are created by third-party vendor labs that work 24 hours a day to provide virus
detection signatures in a timely fashion. If you don’t update your engines frequently,
you lose the benefit of their efforts.
Proxy Server Configuration
If Forefront Security for Exchange Server accesses the Internet through a proxy server,
you must enter information about the proxy server by going to the General Options
panel and entering the required information. See Step 11: General Options Review for
details.

Configuration Steps for Scan Engine Updates


By default, all your engines are set to check for updates once an hour. You can increase
that time to as often as once every 15 minutes. In any case, do not set the update
interval to longer than once an hour unless you have specific reasons for doing so.
To access the scan engine updates, click on Settings > Scanner Updates.

[Screenshot: the Settings > Scanner Updates screen, with callouts One, Two, and
SAVE! marking the fields described below.]

One: Verify that all your engines are Enabled. If for any reason you choose not to
use a particular engine, you can disable the update process by highlighting the engine
and clicking the Disable button.

Two: Configure your Update Path and Times. Forefront Security for Exchange Server
can pull engine updates via HTTP or a UNC path. HTTP is the default setting, which
uses the update path:
    http://forefrontdl.microsoft.com/server/scanengineupdate
If you accidentally delete this, right-click the path box and choose Default HTTP
Path.
Use of the UNC share allows one server to pull updates from another. This is an
efficient update mechanism that saves on Internet bandwidth consumption if you have
multiple servers running Forefront Security for Exchange Server. Only one server will
pull the signatures from the Internet, while the other servers copy the files over the
LAN. If you wish to use this configuration, please consult the Forefront Security for
Exchange Server User Guide for details.
Important! Each engine must have its update path configured separately!
You must also set the time that each engine will check for updates. To do this, click
the Daily button and then click the Repeat Every check box and enter a timeframe.
By default, the Time field is staggered by five minutes for each engine. This is a
good idea, because to avoid bandwidth contention you don’t want all your engines
checking for updates at the same time.
Important! Each engine must have its update time configured separately!

SAVE!: Click the Save button to have your settings take effect. You must click the
Save button separately for each engine you configure!

TIPS, CONSIDERATIONS, and BEST PRACTICES


► Be aware of the engines you are using. Some virus labs release signatures more
frequently than others on a regular basis (all labs will respond to a major outbreak with
more frequent updates). For example, the Kaspersky lab releases a new update nearly
every hour. The update schedule for that engine should be set accordingly.
► You should stagger your update times so they do not all happen at once. In addition,
you may want to use a time that does not end in 0 or 5. Many users will set their
updates at 1:05 or 1:30 etc. which can lead to contention at the download site. To avoid
this possibility, pick a time such as 1:09 or 1:42.


► Even if you aren’t using a particular engine, you should set it to update regularly, so
if you need to activate it the signatures will be up to date.
► If you have more than one server running Forefront Security for Exchange Server,
use a distributed update mechanism. This allows a single machine to download
signatures, which can then be distributed to other Microsoft Forefront servers (see the
User Guide for details on setting this up). Or, you can use the Microsoft® Forefront™
Server Security Management Console to provide this functionality. Either method will
save greatly on Internet bandwidth and make your updates quicker and more efficient.

Step 3: Configuring Engine Bias Settings


Why Engine Bias Settings are Important
Engine Bias settings allow you to adjust the performance parameters of Forefront
Security for Exchange Server to achieve the best balance between protection and
performance. Ideally, you would scan every piece of e-mail with all available scan
engines, but realistically this is not always possible.
How Engine Bias Works
Engine Bias determines how many engines will be used in each e-mail scan. The
settings range from Maximum Certainty, in which all engines are used, to Maximum
Performance, which uses only one engine. This chart describes the available settings:

Bias Mode             Description
Maximum Certainty     The product must use 100% of selected engines to scan.
Favor Certainty       The product uses all available selected engines to scan.
                      This is the default setting.
Neutral               The product uses 50% of available/selected engines to scan.
Favor Performance     The product uses 25% of available/selected engines to scan.
Maximum Performance   The product uses one of the available/selected engines to scan.

Scan Engine Bias Settings


The specific engines used from the available engines are determined by the Multiple
Engine Manager (MEM). Engines are selected based on their engine ranking.
Characteristics such as most recent signature update and past performance are taken
into consideration, as well as a random selection when appropriate.
For example, if four engines and a Neutral bias setting are selected, each piece of e-
mail will be scanned by two engines. The MEM will select the most appropriate engines
for the job. If one engine has been updated recently, that engine will likely be one of
the two engines used. Other performance characteristics are taken into account as
Forefront Security for Exchange Server attempts to use the two engines that will be
most effective at the time of scanning.
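The engine-count rules from the Bias Mode table and the Neutral example above, as an added simulation that is not the product's Multiple Engine Manager: it shows how many of the selected engines scan a message under each bias, that Maximum Certainty holds a message while any selected engine is offline for an update, and that Favor Certainty carries on with whatever is available. The ranking is a stand-in (freshest signatures first, random tie-break); the real MEM also weighs past performance, and the rounding of fractional counts is an assumption. Engine names and update times are constructed.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Engine:
    name: str
    last_signature_update: datetime
    available: bool = True   # False while the engine is offline receiving an update


# Fraction of the available, selected engines each bias mode uses (from the table).
# Maximum Performance is handled separately: it always means exactly one engine.
BIAS_FRACTION = {"Maximum Certainty": 1.0, "Favor Certainty": 1.0,
                 "Neutral": 0.5, "Favor Performance": 0.25}


def engines_for_scan(bias: str, selected: List[Engine],
                     rng: Optional[random.Random] = None) -> Optional[List[Engine]]:
    """Return the engines to run against one message, or None if it must be queued."""
    rng = rng or random.Random(0)
    available = [e for e in selected if e.available]
    if bias == "Maximum Certainty":
        # Every selected engine must scan, so mail waits while one is updating.
        return list(selected) if len(available) == len(selected) else None
    if not available:
        return None
    if bias == "Favor Certainty":
        return available            # all engines that are not mid-update
    if bias == "Maximum Performance":
        count = 1
    else:
        # Assumption: fractional counts round down, but never below one engine.
        count = max(1, int(len(available) * BIAS_FRACTION[bias]))
    # Simplified ranking: most recently updated signatures first, random tie-break.
    ranked = sorted(available,
                    key=lambda e: (e.last_signature_update, rng.random()),
                    reverse=True)
    return ranked[:count]


NOW = datetime(2006, 10, 16, 9, 0)   # constructed "current time"


def sample_engines(updating: Optional[str] = None) -> List[Engine]:
    """Four constructed engines; the one named in `updating` is offline for an update."""
    engines = [Engine("Engine A", NOW - timedelta(hours=1)),
               Engine("Engine B", NOW - timedelta(hours=3)),
               Engine("Engine C", NOW - timedelta(hours=2)),
               Engine("Engine D", NOW - timedelta(hours=5))]
    for e in engines:
        e.available = e.name != updating
    return engines


def engine_names_for(bias: str, updating: Optional[str] = None) -> Optional[List[str]]:
    """Names of the engines chosen for one message, or None if the message is queued."""
    chosen = engines_for_scan(bias, sample_engines(updating))
    return None if chosen is None else [e.name for e in chosen]


if __name__ == "__main__":
    for bias in ["Maximum Certainty", "Favor Certainty", "Neutral",
                 "Favor Performance", "Maximum Performance"]:
        print(f"{bias:20s} all up: {engine_names_for(bias)}  "
              f"B updating: {engine_names_for(bias, 'Engine B')}")
```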


Configuration Steps for Engine Bias Settings


When configuring a scan job, you must select the engines to use and the bias setting to
use. From the Forefront Server Security Administrator, select Settings > Antivirus.

[Screenshot: the Settings > Antivirus screen, with callouts ONE, TWO, and SAVE!
marking the fields described below.]

ONE: Check the engines you want to use. You can select up to five engines for each
scan job. Five are selected by default. To change an engine, deselect one first before
selecting the next.

TWO: Choose your Bias setting. Use the dropdown box to pick the Bias setting you
want to use. Bias settings are explained in the table above.

SAVE!: Click the Save button to have your settings take effect. You must click the
Save button for your settings to take effect!

TIPS, CONSIDERATIONS, and BEST PRACTICES


► When using the Maximum Certainty setting, mail will be held up any time a scan
engine is being updated. By definition Maximum Certainty requires that every message
be scanned by every scan engine. To provide 100% scan engine coverage, mail is
queued until the scan engine update is finished (typically less than 30 seconds but it
can take several minutes). To avoid this, you can lower the bias to Favor Certainty, in
which case scanning and mail flow will continue while an engine is updated. Favor
Certainty uses all available engines; most of the time e-mail is scanned by all selected
engines, unless one happens to be unavailable, such as during an update. For this
reason, Favor Certainty is considered the Best Practice setting.
► A common practice is to use different bias settings at different points in the
scanning process. Because the Transport Scan Job is less resource-intensive than a
Realtime or Manual Scan Job, Microsoft generally advises to use Maximum Certainty or
Favor Certainty for the Transport Scan Job with five engines enabled, at least as a
starting point. If you run into performance issues, you can make adjustments.
► To enhance performance, Forefront Security for Exchange Server allows additional
processes to be created for the Transport and Realtime Scan Jobs. If the first process is
busy scanning a file, the second process will begin to scan, and so on. By default there
are four Transport Scan Job processes running. This can be increased up to ten by
changing the Transport Process Count field found under General Options >
Scanning. However, be cautious when increasing the number of processes. Each
process will consume additional server resources. It is best to increase them one at a
time and evaluate the performance at each step. The Forefront Service will need to be
recycled for the change to take effect.

Step 4: Configuring Engine Actions and WormPurge
Why Engine Actions and WormPurge Are Important
Engine Actions and WormPurge determine what happens to a virus when it is detected.
The way you configure this can affect performance and security, as well as the user
experience. In addition to the specific action taken on the virus, you may also choose to
quarantine detected files and to send notifications to senders, recipients, or the virus
administrator(s).
Available Engine Actions
Three actions are available when a virus is detected, as described in the following table.

Action / Description

Skip: detect only
    Make no attempt to clean or delete. Viruses will be logged, but the files will remain infected. This setting does not provide any security. This should only be used in specific testing situations.

Clean: repair attachment
    Attempt to clean the virus. If successful, the infected attachment will be replaced with the clean version. If cleaning is not possible, the attachment will be deleted but the body of the message will remain. A text file containing deletion text will be inserted in place of a file that cannot be cleaned.

Delete: remove infection
    Delete the attachment without attempting to clean. The infected file will be removed and a text file containing deletion text will be inserted in its place.
Configuration Steps for Engine Actions

To configure Engine Actions, from the Forefront Server Security Administrator, select Settings > Antivirus.

One: Choose the Action. After verifying that the Transport Scan Job is selected, choose the desired engine action using the dropdown menu. This action will be applied across all scan engines for the Transport Scan Job.

Two: Select Notifications, if desired. If you wish to send notifications when a virus is detected, click the Send Notifications check box. For details on how to enable and customize specific notifications, see Step 8: Setting Notifications.

Three: Select Quarantine, if desired. If you want to save copies of infected files for inspection, select the Quarantine Files option. While rare, it is possible that a scan engine will falsely identify a message as a virus. This option saves a copy of the message and/or attachment into the Quarantine list, where it can be examined and, if need be, released.

SAVE! Click the Save button to have your settings take effect.

TIPS, CONSIDERATIONS, and BEST PRACTICES


► You may want to consider not using the option to “Clean: Repair Attachment.” This
feature was more useful some years ago when cleanable viruses were more common
and valid documents were often infected. The virus world has changed over the years,
and the vast majority of viruses today are not cleanable (some estimates are that less
than 10% of viruses can be cleaned). Also, a valid infected file is much less common.
Most of the time the entire attachment is a virus and has no valid content. Because the
attempt to clean the virus requires additional processing resources, many organizations
decide to simply use the “Delete: Remove Infection” option.
► If you choose the “Clean” option, Forefront Security for Exchange Server will pass
the file to each of the selected scan engines for cleaning. If one is not able to clean the
file, it gets passed to the next scanner which will attempt to clean it. If none of the
engines can successfully clean the file, it is deleted.
► Consider whether you wish to use the Quarantine feature. It does provide an added
level of security because you can retrieve a message that has been incorrectly tagged
as a virus. However, there is overhead involved in quarantining files, particularly if many
viruses are captured each day. Large organizations may block millions of viruses in a
month. Many of these, however, may be worm viruses, which are not quarantined under
any circumstance (see Why WormPurge Is Important, below). Ideally, you would want
to Quarantine detected viruses, but you may determine that the better course is to
simply delete them.
► There are various considerations around sending notifications. Please see Step 8:
Setting Notifications to better understand your options.

Why WormPurge Is Important


Prior to the advent of worms, viruses were typically infected attachments that were sent
along with a legitimate e-mail message. That is, the message body of the e-mail
contained information valuable to the recipient, but the attachment was infected and
had to be blocked. Because of this, the e-mail message body was delivered to the
recipient so they would be aware that someone had communicated with them.
A worm virus, however, is entirely useless. The message body itself is part of the virus
and contains no useful data. Yet antivirus software would deliver these messages to the
end user, typically with some kind of warning that caused confusion and concern. To
make matters worse, worm attacks would hit in massive e-mail storms, with thousands
or even millions striking in a day. This caused tremendous clutter in mail stores,
slowdowns on networks, increased help desk calls, and a flood of user notifications
(which in themselves formed a new problem). To eliminate all these problems,
WormPurge was introduced.
WormPurge works by means of a Worm List. This is a list of known worm viruses and
virus families. When a scan engine detects a virus, the virus name is compared to the
names in the Worm List. If there is a match (for example, any variant of the Netsky
virus) the message is tagged as a worm and the following actions are always taken:

Action / Benefit

The entire worm message is deleted, including the full message body.
    The worm is stopped before it enters the network. Network impact is minimized; there is no impact on the mail store or the e-mail services.

The worm message or attachment is never quarantined, even if you select the Quarantine option.
    The Quarantine is kept much smaller and runs more efficiently.

No notifications are sent, and users do not receive anything.
    Users are not even aware that a worm has been detected and blocked, so there are no help desk calls. Users are not alarmed. Notification floods are stopped. Note that there is an option to send Worm Notifications to specific Worm Administrators.

The Worm List is updated periodically in the same manner as any other scan engine.
Because worms now form the vast majority of viruses in the wild, the WormPurge
feature in Forefront Security for Exchange Server is an exceptionally valuable tool in
network security.
The WormPurge feature also works on outbound and internal e-mail. This is important if
a machine in your network is infected and begins sending worm messages outbound.
Sending viruses could lead to legal liabilities for your company. WormPurge helps ensure
this does not happen. Internal protection is important to prevent an infected mailbox
from infecting other mailboxes in your organization.
Configuring WormPurge in Forefront Security for Exchange Server
WormPurge is configured by default. There is no need to turn it on. Just make sure you
set the Worm List to periodically update along with the rest of your scan engines as
explained in Step 2: Configuration Steps for Scan Engine Updates. WormPurge can be
deactivated by setting a registry key (as described in the User Guide). This is highly
discouraged and is considered a violation of security best practices.

TIPS, CONSIDERATIONS, and BEST PRACTICES


► Some organizations want to simply delete all viruses—worms or otherwise—even at
the risk of losing valid e-mail message content. They also do not want to Quarantine
items or send any notifications. This can greatly simplify your virus management, but
realize that it does contain a risk of losing e-mail communications that users may want
to receive.
If you wish to do this, you can create a Custom Worm List. This list defines any virus as
a worm, and treats it in the same way. The list contains a single asterisk (*), which will
match any virus name. The procedure for creating a custom worm list is explained in
the Forefront Security for Exchange Server User Guide in the section “Creating a
Custom WormPurge List.” Note that if you update the existing Worm List, it will get
overwritten the next time a new list is released. The Custom Worm List can only be
updated manually.
► While you may not want to delete all viruses as described above, you may want to
add some non-worm virus types to your WormPurge list. For example, some of the
antivirus engines will detect phishing e-mails and denote them by using the term
“Phish” in the virus description. Adding *Phish* to your Custom Worm List will treat
these messages as if they were worms. Other virus definitions you may consider adding
include *Backdoor*, *Trojan*, *Troj*, *Rootkit*, and *Exploit*.
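The following Python model, added here as an illustration and not part of this guide or of the product, shows how a detected virus name is matched against the Worm List (and a Custom Worm List containing entries such as *Phish* or the catch-all *) and how a match forces the fixed WormPurge disposition regardless of the Quarantine and Notification settings of the scan job. The sample list entries and virus names are constructed; case-insensitive glob matching with * is an assumption, since the product's exact wildcard rules are documented in the User Guide.

```python
import fnmatch
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of what a downloaded Worm List might contain (the real
# list ships with the engine updates and is much longer).
SAMPLE_WORM_LIST = ["*Netsky*", "*Mydoom*", "*Bagle*", "*Sober*"]

# Custom Worm List entries suggested in the tips above: non-worm detections
# that an organisation may also want purged without quarantine or notice.
SAMPLE_CUSTOM_WORM_LIST = ["*Phish*", "*Backdoor*", "*Trojan*", "*Troj*",
                           "*Rootkit*", "*Exploit*"]


@dataclass(frozen=True)
class Disposition:
    """What happens to the message once an engine has reported a detection."""
    purge_entire_message: bool       # worm: body and attachment are deleted
    quarantine: bool                 # worm: never, even if Quarantine is on
    notify_sender_recipient: bool    # worm: never
    notify_worm_administrator: bool  # worm: only if Worm Notifications are on


def is_worm(virus_name: str, worm_list: Iterable[str],
            custom_worm_list: Iterable[str] = ()) -> bool:
    """True when the engine-reported virus name matches any list entry.

    Assumption: a case-insensitive glob where '*' matches any run of
    characters, so '*Netsky*' covers every Netsky variant and a Custom
    Worm List consisting of just '*' matches every virus name.
    """
    name = virus_name.lower()
    patterns = list(worm_list) + list(custom_worm_list)
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def disposition(virus_name: str, *, quarantine_enabled: bool,
                notifications_enabled: bool, worm_notifications_enabled: bool,
                worm_list: Iterable[str],
                custom_worm_list: Iterable[str] = ()) -> Disposition:
    """Apply WormPurge first; only non-worm detections see the scan job's
    Quarantine and Notification settings."""
    if is_worm(virus_name, worm_list, custom_worm_list):
        return Disposition(purge_entire_message=True, quarantine=False,
                           notify_sender_recipient=False,
                           notify_worm_administrator=worm_notifications_enabled)
    return Disposition(purge_entire_message=False,
                       quarantine=quarantine_enabled,
                       notify_sender_recipient=notifications_enabled,
                       notify_worm_administrator=False)


if __name__ == "__main__":
    # Constructed detection names: a worm, a phishing detection, a plain virus.
    for name in ("W32/Netsky.Q@mm", "HTML/Phish.Bank", "W97M/Example.A"):
        print(name, disposition(name, quarantine_enabled=True,
                                notifications_enabled=True,
                                worm_notifications_enabled=True,
                                worm_list=SAMPLE_WORM_LIST,
                                custom_worm_list=SAMPLE_CUSTOM_WORM_LIST))
```

Running the block shows the point of the tips: the plain virus keeps the scan job's quarantine and notification behaviour, while anything matched by either list is purged outright with at most a Worm Administrator notification.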

Step 5: Configuring the Realtime Scan Job


Why the Realtime Scan Job Is Important
The Realtime Scan Job protects the mail store itself. This is the second line of defense
against Internet viruses and the first line of defense against viruses that may be
introduced via the desktop. The Realtime Scan Job protects the Store (Mailboxes and
Public Folders).
The Realtime Scan Job also gives you protection against viruses that may have slipped
through the Edge or Hub servers. For instance, it is possible that a virus may get into
your Store because it strikes before your scan engines are updated. Later on, after the
engines update, the Realtime Scan Job will be able to catch the virus that was missed
earlier.
The parameters you set for the Realtime Scan Job are also used for the Background Scan Job, which is a key component of protection with Forefront Security for Exchange Server.
Configuration Steps for the Realtime Scan Job

Open the Forefront Server Security Administrator and go to Settings > Scan Job to get to the Scan Job Settings screen. Make sure that one of the Realtime Scan Jobs is highlighted. These settings will apply to all of your Exchange storage groups.

One: Verify that the Realtime Scan Job “State” is set to Enabled and that all scanning types are listed as On. If they are not on, click Operate > Run Job to activate them. (Note that for the Realtime Scan Job, Keyword Filtering is not available.)

Two: Choose what you want to scan. The Realtime Scan Job works on both Mailboxes and Public Folders. However, you may choose not to scan every Mailbox and/or Public Folder. Forefront Security for Exchange gives you the options to scan All, None, or Selected Mailboxes and Public Folders.
If you choose Selected, click the icon under Selected to open the selection window. From there, choose the objects you wish to have included in each scan. For example, if you open Public Folders, you would see a screen similar to this:
(Screenshot of the Public Folders selection window; not reproduced here.)
Note: Choosing all Mailboxes or Public Folders in the selection window is not the same as choosing the All option button in the previous window. An inclusion list is built from the specific selections made in this window. New Mailboxes or Public Folders added after making this selection will not automatically be included. To include new items automatically, make sure you select All.

Three: Configure your Deletion Text. When Forefront Security for Exchange Server deletes an infected attachment it will replace it with deletion text that tells the recipient the virus was deleted. The deletion text can be customized. By default it says:
    Microsoft Forefront Security for Exchange Server removed a file since it was found to be infected.
    File name: "%File%"
    Virus name: "%Virus%"
The text portion can be changed as needed to reflect any information you may want to provide to your users. There are two dynamic keywords that will be filled in based on the virus detected:
    %File% — the name of the file that was removed
    %Virus% — the name of the virus it was infected with
Additional dynamic keywords can be added to the message, such as the name of the sender or recipient. To insert a dynamic keyword, right-click in the Deletion Text window and choose Paste Keyword.
Note: This is different from the Deletion Text you set for the Transport Scan Job.

SAVE! Click the Save button so your settings take effect.

Configure Engine Bias and Engine Actions


The Realtime Scan Job also requires you to set the Engine Bias and Engine Actions.
These are configured separately for each Realtime Scan Job. The steps are the same as
shown previously in Step 3: Configuring Engine Bias Settings and Step 4: Configuring
Engine Actions and WormPurge. Follow these same steps, but make sure you highlight
the Realtime Scan Job when making your settings.
TIPS, CONSIDERATIONS and BEST PRACTICES
► Be aware of the engines you are using. Some virus labs release signatures more frequently than others as a matter of routine (all labs will respond to a major outbreak with more frequent updates). For example, the Kaspersky lab releases a new update nearly every hour. The update schedule for that engine should be set accordingly.
► You should stagger your update times so they do not all happen at once. In addition,
you may want to use a time that does not end in 0 or 5. Many users will set their
updates at 1:05 or 1:30 etc. which can lead to contention at the download site. To avoid
this possibility, pick a time such as 1:09 or 1:42.
► Even if you aren’t using a particular engine, you should set it to update regularly, so
if you need to activate it the signatures will be up to date.
► If you have more than one server running Forefront Security for Exchange Server,
use a distributed update mechanism. This allows a single machine to download
signatures, which can then be distributed to other Microsoft Forefront servers (see the
User Guide for details on setting this up). Or, you can use the Microsoft® Forefront™
Server Security Management Console to provide this functionality. Either method will
save greatly on Internet bandwidth and make your updates quicker and more efficient.
► Ideally you would always use five engines and set them to Maximum Certainty. This
would provide the best possible level of detection. However, depending on the
characteristics of your server, you may or may not be able to run five engines. Each
additional engine does add to scanning time and resource usage. This is particularly
true at the Realtime Scan Job.
► A common practice is to use different bias settings at different points in the
scanning process. Microsoft recommends using the Favor Certainty setting for the best
combination of security and performance. As you monitor performance, you can make
adjustments if needed to the bias setting.
► To enhance performance, Forefront Security for Exchange Server allows additional processes to be created for the Realtime Scan Job. If the first process is busy scanning a file, the second process will begin to scan, and so on. By default there are four Realtime Scan Job processes running. This can be increased up to ten by changing the Realtime Process Count field found under General Options > Scanning.
However, be cautious when increasing the number of processes. Each process will
consume additional server resources. It is best to increase them one at a time and
evaluate the performance at each step. The Forefront Service will need to be recycled
for the change to take effect.

Step 6: Configuring the Background Scan Job


Why the Background Scan Job is Important
The Background Scan Job provides a key protection mechanism by periodically scanning
the mail Store with the latest signature updates. This provides a “clean up” mechanism
to catch any viruses that may have been missed during a Transport Scan Job. Microsoft
recommends that you run the Background Scan Job once each day, preferably at a time
of low mail activity.
Unless set otherwise, the Background Scan Job does not recognize the previously
scanned status of a message. It scans based on its own parameters. This is because the
Background Scan Job is meant specifically for re-scanning messages that have been
scanned before and applying the latest scan engine signatures to them.
The Background Scan Job has various configurable parameters that allow for
incremental background scanning. This reduces the extent of the scan, providing a
balance between protection and performance. The engines and bias settings used by
the Background Scan Job are the same as those set in the Realtime Scan Job.
Configuration Steps for the Background Scan Job

Open the Forefront Server Security Administrator and go to Operate > Schedule Job to get to the correct screen. All you need to do here is set the time for the Background Scan Job to begin each day.

One: Enable the Background Scan Job. Click on the Background Scan Job and then click the Enable button.

Two: Select the Background Scan Job start time. In the Calendar, set the Time and Frequency for the Background Scan Job. Microsoft recommends setting it to “Daily,” at a time when your mail server is less active than usual.

SAVE! Click the Save button so your settings take effect.
Setting the Background Scan Job parameters


There are several parameters that control the behavior of the Background Scan Job. These default to the best-practice options; however, you may wish to modify them to suit your own environment. These settings are found under Settings > General Options, in the section titled Background Scanning.

Option / Description

Enable Background Scan Job if “Scan On Scanner Update” Enabled
    Indicates that Forefront Security for Exchange Server should initiate a background scan every time a scan engine is updated if the General Option setting Scan on Scanner Update is enabled. This setting is enabled by default. See the Tips section below for more details.

Scan Only Messages With Attachments
    Indicates that the Background Scan Job should only scan messages that include attachments. This setting is enabled by default.

Scan Only Unscanned Messages
    Indicates that the Background Scan Job should only scan messages that have not already been scanned.

Scan Messages Received Within The Last <x> Hours/Days
    Places limits on background scanning by allowing administrators to configure Forefront Security for Exchange Server to scan messages based on their age. The options are: Anytime, 4 hours, 6 hours, 8 hours, 12 hours, 18 hours, 1 Day, 2 Days, 3 Days, 4 Days, 5 Days, 6 Days, 7 Days, and 30 Days. If background scanning is scheduled to run daily, the recommended setting is to scan the previous two days’ worth of mail. However, the time should be set based on both security and performance considerations.

TIPS, CONSIDERATIONS, and BEST PRACTICES


► As mentioned above, the general recommendation is to scan the past two days of e-
mail. This is because within two days it is very likely that a new virus is being caught by
at least one of the scan engines. It serves little purpose to continually re-scan
messages that are many days, or even weeks and months, old. By applying scoping
parameters to the scanning process, Forefront Security for Exchange Server strikes a
sensible balance between performance and security.
► In past versions of Exchange, the Background Scan Job could only scan the entire
Store. This made background scanning impractical due to the serious amount of
overhead incurred in scanning large mail stores. The new incremental background
scanning features now make Background Scan Job a feasible and sensible layer of
protection.
► During periods of virus outbreaks, an even higher level of protection may be
desired. By selecting the option Enable Background Scan if “Scan On Scanner
Update” Enabled, you are telling Forefront Security for Exchange Server to restart
background scanning every time a new scanner update is received (this is typically
many times a day). The Background Scan Job moves along scanning folder after folder,
and after a restart it continues scanning where it left off. This ensures that all folders
will get scanned. Keep in mind that turning this feature on means background scanning
will likely be a continuous process, and it may impact mail system performance.
However, this provides the most significant level of protection as it repeatedly applies
the latest signatures to messages in the Store. The scoping parameters are still
respected during this process, so the number of messages scanned is still limited.
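To make the scoping options and the continue-where-it-left-off behaviour concrete, here is an added Python model of a Background Scan Job over a constructed mail store; it is an illustration written for this guide, not Forefront code. It assumes that the three scoping options combine as an AND (a message must satisfy every enabled limit), that the scan position is tracked as a folder index plus a message index, and that a scanner-update restart simply ends the current pass and the next one resumes at that position; the per-pass budget stands in for the interruption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    subject: str
    received: datetime
    has_attachment: bool
    scanned_before: bool   # already stamped by an earlier scan


@dataclass(frozen=True)
class ScopeOptions:
    """The scoping settings under General Options > Background Scanning."""
    only_with_attachments: bool = True                        # guide default: enabled
    only_unscanned: bool = False
    received_within: Optional[timedelta] = timedelta(days=2)  # None means Anytime


def in_scope(msg: Message, opts: ScopeOptions, now: datetime) -> bool:
    """Assumption: every enabled limit must hold (AND) for a message to be scanned."""
    if opts.only_with_attachments and not msg.has_attachment:
        return False
    if opts.only_unscanned and msg.scanned_before:
        return False
    if opts.received_within is not None and now - msg.received > opts.received_within:
        return False
    return True


class BackgroundScanJob:
    """Walks folder after folder and remembers where it stopped, so that a
    restart (for example on a scanner update) continues instead of starting over."""

    def __init__(self, folders: List[Tuple[str, List[Message]]],
                 opts: ScopeOptions, now: datetime):
        self.folders = folders
        self.opts = opts
        self.now = now
        self.pos = (0, 0)   # (folder index, message index) to resume at
        self.scanned = []   # (folder, subject) pairs handed to the engines

    def run(self, budget: int) -> int:
        """Scan up to `budget` in-scope messages from the saved position.
        Stopping early stands in for the interruption caused by a restart."""
        fi, mi = self.pos
        done = 0
        while fi < len(self.folders) and done < budget:
            folder, msgs = self.folders[fi]
            while mi < len(msgs) and done < budget:
                msg = msgs[mi]
                mi += 1
                if in_scope(msg, self.opts, self.now):
                    self.scanned.append((folder, msg.subject))
                    done += 1
            if mi >= len(msgs):   # folder exhausted: move on to the next one
                fi, mi = fi + 1, 0
        self.pos = (fi, mi)
        return done

    def finished(self) -> bool:
        return self.pos[0] >= len(self.folders)


def build_sample_job(opts: ScopeOptions = ScopeOptions()) -> BackgroundScanJob:
    """Constructed mail store: two folders with a mix of ages and attachment states."""
    now = datetime(2006, 10, 16, 2, 0)   # constructed clock for the sample
    folders = [
        ("Inbox", [
            Message("quarterly numbers", now - timedelta(hours=5), True, True),
            Message("lunch?", now - timedelta(hours=6), False, True),
            Message("invoice", now - timedelta(days=1), True, False),
        ]),
        ("Sales (public folder)", [
            Message("old price list", now - timedelta(days=10), True, True),
            Message("new price list", now - timedelta(hours=30), True, True),
        ]),
    ]
    return BackgroundScanJob(folders, opts, now)


if __name__ == "__main__":
    job = build_sample_job()
    print("first pass scanned", job.run(2), "messages; resume at", job.pos)
    print("second pass scanned", job.run(10), "messages; finished:", job.finished())
    print(job.scanned)
```

With the defaults (attachments only, last two days) the sample store yields three messages to rescan; the first pass is cut off after two and the second pass picks up the remaining one from the saved position rather than rescanning the Inbox. Switching on Scan Only Unscanned Messages narrows it to the single message without a scan stamp, and Anytime widens it to the ten-day-old item as well.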

Step 7: Configuring File Filtering


Why File Filtering Is Important
Even with the excellent protection provided by the multiple scanning engines in
Forefront Security for Exchange Server, there is always a risk that a dangerous file will
not be detected by the scan engines. To add another, proactive layer of protection to
your enterprise, it is considered a security best practice to block certain file types that
are considered potentially dangerous. File attachments can be detected by their name,
type, size, or any combination of the three.
Available File Filtering Actions
There are four actions available when a file is detected, as described in the following
table.

Action / Description

Skip: detect only
    Records the number of messages that meet the filter criteria, but allows messages to route normally. This setting does not provide any protection. However, you may want to use this setting to log instances of specific file types being sent or received without taking action on them.

Delete: Remove contents
    Deletes the file attachment. The detected file attachment is removed from the message and a text file is inserted in its place. The text file contains the text you configure using the “Deletion Text” button. The user receives the original message, with the unwanted file(s) removed.

Purge: eliminate message
    Deletes the message from your mail system. The user never sees the message. If you wish to keep a copy of the e-mail, choose the Quarantine File option.

Identify: tag message
    Writes a customizable prefix into the message subject line or a custom X-header into the e-mail header. This mode is not commonly used for file filtering.
Configuration Steps for File Filtering

Open the Forefront Server Security Administrator and go to Filtering > File to get to the correct screen. File Filtering can be applied to Transport Scan, Realtime Scan and Manual Scan Jobs. Make sure you are on the correct scan job when setting the file filters. Setting a File Filter requires that you create the filter, enable it, set the associated Action and define Deletion Text as appropriate.

One: Select the Scan Job that the filter will apply to. File Filtering is available across all Scan Jobs. Each Scan Job can have its own set of File Filters.

Two: Create the File Filter. Create the file filter by clicking the Add button and entering the proper syntax. You have a number of ways to enter a File Filter. The filters work by a combination of name and file type. You must select both elements to complete the filter.
File Name/Extension—this will match on the actual name of the file. You can use a full file name (for example, file.doc) or use wildcards (*.doc). This is shown under the File Names section.
File Type—in the File Types section you must associate the File Name filter with file types. For instance, to block anything with a name of *.doc, enter *.doc in the File Names section, and under File Types choose All Types. To block only actual DOC files, enter *.doc under File Names, and under File Types clear the All Types option and choose DOCFILE from the list of file types. Keep in mind that the File Names and File Types sections work together for every filter you create.
For more details on acceptable wildcard usage, see the Forefront Security for Exchange Server User Guide. For details on other ways to block files, see the “Tips” section below.

Three: Enable the Filter and Choose the Actions and Notifications. Using the drop-down, make sure the filter is set to Enabled. This also provides a quick way to turn a filter off.
Set the Filter action and Quarantine options, as desired. To notify senders or recipients that their file has been blocked, check the Notifications box and then customize the notification messages in the Notifications section.
Keep in mind that Actions, Quarantine, and Notification are set individually for every filter you create.

Four: Configure your Deletion Text. When a file is deleted based on a File Filter, Forefront Security for Exchange Server replaces it with text that tells the recipient the file was deleted. By default it says:
    Microsoft Forefront Security for Exchange Server removed a file since it was found to match a filter.
    File name: "%File%"
    Filter name: "%Filter%"
The text can be customized, as needed, to reflect any information you may want to provide to your users. There are two dynamic keywords that will be filled in based on the file detected:
    %File% — the name of the file that was removed
    %Filter% — the name of the filter used to remove the file
Additional dynamic keywords can be added to the message, such as the name of the sender or recipient. To insert a dynamic keyword, right-click in the Deletion Text window and choose Paste Keyword.

SAVE! Click the Save button so your settings take effect.

TIPS, CONSIDERATIONS, and BEST PRACTICES

► File Filters can be created to work only on inbound or outbound messages. This is
useful in order to establish different rules for what enters your organization and what
leaves it. To set a filter for inbound or outbound messages, prefix the filter with <in> or
<out>. For example:
<in>test.doc — detects the file test.doc only if it is entering the organization
<out>test.doc — detects the file test.doc only if it is leaving the organization
► File Filters can be set to block files of a certain size, using standard comparison operators (=, <, >, <=, >=) and file size designations (KB, MB, GB). These can be combined with file name and type conventions. For example:
*.bmp>=1.2MB — detects any BMP file equal to or greater than 1.2 Megabytes
<in>*.com>150KB — detects any inbound COM file greater than 150 Kilobytes
*.*>5GB — detects any file greater than 5 Gigabytes
► The file filtering of Forefront Security for Exchange Server provides excellent
flexibility for blocking files based on size. Rather than have a single rule that applies
across all file types, you can apply file type-specific rules.
► File filters are applied before virus scanning. Therefore, if a message contains a
virus and is also included on the list of blocked file types, it will be stopped by the File
Filter rule. If you then release this message from the Quarantine, it will go to the virus
engines for scanning and be caught as a virus.
► Be aware of product behavior when a message has more than one attachment type.
For example, if a message has two different attachments and one corresponding filter
rule was set to Delete and the other to Purge, the entire message will be purged.
► Each scan job has unique Deletion Text. You may want to design different text for
Transport Scan Job file filters and Realtime or Manual Scan Job file filters.
► You may want to use the Skip: detect only feature to identify specific files without
blocking them. This may be done for corporate compliance or monitoring reasons. For
example, you may want to filter for any spreadsheet files leaving the organization to
create an Incident Log event.
► In addition to direct File Filtering rules, Forefront Security for Exchange Server
allows the use of Filter Lists that can contain multiple filtering rules. Lists can also be
activated quickly to provide protection. Consult the User Guide for information on
creating Filter Lists.
► Forefront Security for Exchange Server can unpack and repack ZIP and other
container files while removing specific contents from within them. For example, if a ZIP
file contained a DOC file and an EXE file, and a File Filter were created to block EXE
files, then Forefront Security for Exchange Server will unpack the ZIP, remove the EXE
file, replace it with a text place marker, repackage the ZIP, and deliver it to the user.
This way, the user still is able to receive the DOC file, while the EXE is blocked.
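The filter expressions shown in these tips (an optional <in>/<out> prefix, a name wildcard, an optional size comparison, combined with the File Types selection) can be parsed and evaluated with the added Python model below; it is an illustration written for this guide, not the product's own parser. It also applies the multi-attachment rule above (a Delete match and a Purge match on one message purge the whole message) and fills the %File% and %Filter% keywords of the default file-filter Deletion Text. Assumptions not stated by the guide: sizes use 1 KB = 1024 bytes, name matching is case-insensitive glob matching, the action precedence beyond the Delete/Purge example is Purge > Delete > Identify > Skip, and %Filter% is filled with the filter expression. All filters, attachments and sizes in the block are constructed.

```python
import fnmatch
import operator
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed multipliers; the guide only names the units.
UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

FILTER_RE = re.compile(
    r"^(?:<(?P<dir>in|out)>)?"                        # optional <in>/<out> prefix
    r"(?P<name>[^<>=]+?)"                              # file name pattern, wildcards allowed
    r"(?:(?P<op><=|>=|=|<|>)"                          # optional size comparison ...
    r"(?P<size>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB))?$",   # ... with a KB/MB/GB amount
    re.IGNORECASE,
)
_COMPARE = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
            "<=": operator.le, ">=": operator.ge}


@dataclass(frozen=True)
class ParsedFilter:
    direction: Optional[str]     # "in", "out" or None (applies both ways)
    name_pattern: str
    size_op: Optional[str]
    size_bytes: Optional[float]


def parse_filter(expression: str) -> ParsedFilter:
    """Split e.g. '<in>*.com>150KB' into its direction, name and size parts."""
    m = FILTER_RE.match(expression.strip())
    if not m:
        raise ValueError(f"unrecognised file filter: {expression!r}")
    size = None
    if m.group("size"):
        size = float(m.group("size")) * UNIT_BYTES[m.group("unit").upper()]
    direction = m.group("dir")
    return ParsedFilter(direction.lower() if direction else None,
                        m.group("name"), m.group("op"), size)


@dataclass(frozen=True)
class Attachment:
    name: str
    size_bytes: int
    file_type: str                 # type the product detects, e.g. "DOCFILE", "EXE"


@dataclass(frozen=True)
class FileFilter:
    expression: str                # the File Names entry
    action: str                    # "Skip", "Delete", "Purge" or "Identify"
    file_types: Optional[frozenset] = None   # None stands for "All Types"
    enabled: bool = True


def filter_matches(f: FileFilter, a: Attachment, direction: str) -> bool:
    """Name, type, direction and size must all agree for a filter to fire."""
    if not f.enabled:
        return False
    p = parse_filter(f.expression)
    if p.direction and p.direction != direction:
        return False
    if not fnmatch.fnmatchcase(a.name.lower(), p.name_pattern.lower()):
        return False
    if f.file_types is not None and a.file_type.upper() not in f.file_types:
        return False
    if p.size_op and not _COMPARE[p.size_op](a.size_bytes, p.size_bytes):
        return False
    return True


# Delete + Purge on one message purges it (from the guide); the rest of the
# ordering is an assumption of this model.
_PRECEDENCE = {"Skip": 0, "Identify": 1, "Delete": 2, "Purge": 3}

DEFAULT_DELETION_TEXT = ("Microsoft Forefront Security for Exchange Server removed "
                         "a file since it was found to match a filter.\n"
                         'File name: "%File%"\nFilter name: "%Filter%"')


def evaluate_message(filters: List[FileFilter], attachments: List[Attachment],
                     direction: str, deletion_text: str = DEFAULT_DELETION_TEXT) -> dict:
    """Return the action taken on the whole message, the attachments removed
    and the deletion-text placeholders that would replace them."""
    hits = [(f, a) for a in attachments for f in filters
            if filter_matches(f, a, direction)]
    if not hits:
        return {"action": None, "deleted": [], "placeholders": []}
    action = max((f.action for f, _ in hits), key=_PRECEDENCE.__getitem__)
    deleted, placeholders = [], []
    if action == "Delete":
        for f, a in hits:
            if f.action == "Delete" and a.name not in deleted:
                deleted.append(a.name)
                placeholders.append(deletion_text.replace("%File%", a.name)
                                    .replace("%Filter%", f.expression))
    return {"action": action, "deleted": deleted, "placeholders": placeholders}


if __name__ == "__main__":
    filters = [FileFilter("*.exe", "Purge"),
               FileFilter("<in>*.com>150KB", "Delete"),
               FileFilter("*.doc", "Delete", frozenset({"DOCFILE"}))]
    msg = [Attachment("report.doc", 20_000, "DOCFILE"),
           Attachment("tool.com", 200 * 1024, "EXE")]
    print(evaluate_message(filters, msg, "in"))
```

Note the difference the File Types selection makes: a filter on *.doc restricted to DOCFILE ignores an executable that has merely been renamed to .doc, whereas the same name pattern with All Types catches it. The block evaluates filters against the sniffed type, which is what makes that distinction possible.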
Step 8: Setting Notifications


Why Notifications Are Important
E-mail notifications play a critical role in keeping Exchange users informed about
changes that occur to their attachments due to virus cleaning and file filtering. E-mail
notifications are also important to administrators who prefer to have information
delivered directly to their mailbox instead of continually checking logs for activity.
Note that by design, Forefront Security for Exchange Server never sends any
notification for worm viruses. This is because worms are never legitimate
communication and often come from spoofed addresses.
The product offers an extensive collection of customizable notification options. You
should review this list and decide which of these notifications you wish to use.

Notification Type [Default]: Description

Virus Administrators [Default: on; administrator address must be entered]:
    Alerts administrators of all viruses being detected on the server being protected by Forefront Security for Exchange Server. Typically, the notification is used for reporting the who, what, where, and when details of the virus, including its disposition.

Virus Sender (internal) [Default: on]:
    Alerts the sender of the infection if the sender is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user’s own machine, who to call, and how to proceed.

Virus Sender (external) [Default: on]:
    Alerts the sender of the infection if the sender is not a user in your organization.

Virus Recipients (internal) [Default: off]:
    Alerts the recipient of the infection if the recipient is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user’s own machine, who to call, and how to proceed.

Virus Recipients (external) [Default: off]:
    Alerts the recipient of the infection if the recipient is not a user in your organization.

File Administrators [Default: on; administrator address must be entered]:
    Alerts administrators of all files that satisfy the filtering criteria on the server being protected by Forefront Security for Exchange Server. Typically, the notification is used for reporting the who, what, where, and when details of the filtering performed, including the disposition of the attachment. This notification is also used for messages that are purged by a File Filter.

File Sender (internal) [Default: on]:
    Alerts the sender of the filtered attachment if the sender is an Exchange user in your organization. This notification is also used for messages that are purged by a File Filter.

File Sender (external) [Default: on]:
    Alerts the sender of the filtered attachment if the sender is not a user in your organization. This notification is also used for messages that are purged by a File Filter.

File Recipients (internal) [Default: off]:
    Alerts the recipient of the filtered attachment if the recipient is an Exchange user in your organization. This notification is also used for messages that are purged by a File Filter.

File Recipients (external) [Default: off]:
    Alerts the recipient of the filtered attachment if the recipient is not a user in your organization. This notification is also used for messages that are purged by a File Filter.

Worm Administrator [Default: on; administrator address must be entered]:
    Alerts administrators of all worm messages that are detected/purged by Forefront Security for Exchange Server.

Content Administrator [Default: on; administrator address must be entered]:
    Alerts administrators of all messages that are blocked by content filtering.

Content Sender (internal) [Default: on]:
    Alerts the sender that a message was filtered by Sender or Subject Line Filtering if the sender is an Exchange user in your organization.

Content Sender (external) [Default: on]:
    Alerts the sender that a message was filtered by Sender or Subject Line Filtering if the sender is not a user in your organization.

Content Recipients (internal) [Default: off]:
    Alerts the recipient that a message was filtered by Sender or Subject Line Filtering if the recipient is an Exchange user in your organization.

Content Recipients (external) [Default: off]:
    Alerts the recipient that a message was filtered by Sender or Subject Line Filtering if the recipient is not a user in your organization.

Keyword Administrators [Default: on; administrator address must be entered]:
    Alerts administrators of all messages that are filtered by Keyword Filtering.

Keyword Sender (internal) [Default: on]:
    Alerts the sender that a message was filtered by Keyword Filtering if the sender is an Exchange user in your organization.

Keyword Sender (external) [Default: on]:
    Alerts the sender that a message was filtered by Keyword Filtering if the sender is not a user in your organization.

Keyword Recipients (internal) [Default: off]:
    Alerts the recipient that a message was filtered by Keyword Filtering if the recipient is an Exchange user in your organization.

Keyword Recipients (external) [Default: off]:
    Alerts the recipient that a message was filtered by Keyword Filtering if the recipient is not a user in your organization.

Configuration Steps for Setting Notifications


Setting notifications is a two-step process. The Notification itself must be enabled and
customized as needed. Then, the specific scan job or filter must have Notifications
enabled. You must remember to check the Notifications box on each particular scan job
in order to activate the Notifications.
The steps below describe configuring Notifications only. Open the Forefront Server
Security Administrator and go to Report > Notification to get to the correct screen.

[Screenshot: the Report > Notification screen, with callouts One, Two, Three and SAVE! marking the areas described below.]

One: Enable or disable the Notifications. Check that the Notifications you wish to use are enabled and those you don’t wish to use are disabled. To change a setting, highlight the Notification and click the appropriate Enable or Disable button.

Two: Enter addresses for administrator notifications. All administrator notifications must have recipient e-mail addresses defined for them. Enter one or more addresses in the To:, cc:, or bcc: address lines.

Three: Customize the Notification Subject line and Body text. While default notification text is provided, you may want to customize each message. Edit the text in the appropriate areas to customize the text. You can enter additional automatic keyword fields by right-clicking and choosing Paste Keyword.

SAVE! Click the Save button to have your settings take effect. You must also activate Notifications from within each specific scan job or filter.


TIPS, CONSIDERATIONS, and BEST PRACTICES


► Notifications are an important way to inform your users about what has happened to
their e-mail and/or file attachments. By carefully crafting your notification messages,
you can help your end users understand what is happening, help alleviate any concerns,
inform them who to contact for more information, etc. A well-crafted Notification can
reduce help desk calls.
► Consider the positive impact well-crafted notifications can have on security. If an
internal user is detected as sending a virus, that means their machine is infected in
some way. You may want your notification to provide explicit instructions such as
“Please turn off your computer immediately and call the Emergency Virus Hotline at…”
This will help stop the spread of viruses from that machine, or perhaps shut down the
machine before files are lost or other damage is done.
► If you are an administrator, you may not want to receive all the administrator
notifications in your personal e-mail account. Instead, consider creating a special
mailbox just to receive notifications from Forefront Security for Exchange Server. You
may also want to use a Public Folder to provide access to multiple administrators or
help desk staff. You can send notifications to multiple recipients, as needed.
► When constructing your notification messages, you may wish to consult your Human
Resources or Legal Departments about the message contents. This is particularly true
for notifications that are designated for people outside of your organization, as there
may be legal ramifications involved, as well as for notifications that are generated based
on policy violations, such as from Keyword Filters.
► Consider carefully if you want to send notifications to External Virus Senders.
Viruses may be sent from spoofed or stolen e-mail accounts, resulting in Forefront
Security for Exchange Server sending messages to people who have nothing to do with
sending the virus in the first place. To reduce this impact, Forefront Security for
Exchange Server never sends a notification for a virus designated as a worm, because
these are always from either false or spoofed addresses.

Step 9: Incident Log Options


Why the Incident Log Is Important
The Incident Log keeps a record of any detection made by Forefront Security for
Exchange Server, whether virus, file filter, etc. This provides a critical record of
information should you need to search for a particular event, such as checking if a
message to a particular user was purged.
The Incident Log screen allows you to view incidents, search among them, export the
log, view statistics, and set purge times.
Configuration Steps for the Incident Log
The Incident Log is activated by default. However, there are settings you may wish to
make and functions you should be aware of. Open the Forefront Server Security
Administrator and go to Report > Incidents to get to the correct screen.

[Screenshot: the Report > Incidents screen, with callouts One, Two, Three and SAVE! marking the areas described below.]

One: View and sort incidents. Incidents will be displayed on the screen. By clicking the columns you can sort data based on that column heading.

Two: Set the Incident Log Purge time. The Incident Log can grow very large. When this happens, performance can be affected. To keep the log from growing too large, you can set a Purge time. Click the Purge After check box and choose how many days of Incident Log data you wish to retain.

Three: Use the filter to locate items. When searching for a specific Incident, the Filtering field can be very helpful. Mark the check box, select a column category, and then enter specific filter text. Wildcards are available for the Filtering field. Consult the Forefront Security for Exchange Server User Guide for details. You must click the Save button for your filter settings to take effect.
For example, you may wish to examine only virus incidents. To do so, set the Filter Column to “Incident” and enter “Virus” in the Filter box. Click Save and the result will be a list of all virus detections.

SAVE! Click the Save button to have your settings take effect.


TIPS, CONSIDERATIONS, and BEST PRACTICES


► The Incident Log provides the ability to export the log into a TXT or delimited file
(for viewing in a spreadsheet). To export, click the Export button. Note that if you are
using a filter on the Incident Log, only the filtered data set will be exported. This allows
you to greatly reduce the amount of data exported, allowing for easier data analysis.
For example, you may wish to examine only virus incidents. To do so, set the Filter
Column to “Incident” and enter “Virus” in the Filter box. Click Save and the result will be
a list of all Virus detections, ready for exporting.
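The export-then-analyze workflow above, as an added Python example (not code from this guide or from Microsoft). It reads an exported Incident Log, applies the same kind of filter the screen offers (Filter Column “Incident”, text “Virus”), and answers the question the guide gives as motivation: was a message to a particular user purged? The page does not state the export’s real column layout or wildcard syntax, so the tab-delimited sample, its column names and the threat names are constructed, and shell-style fnmatch wildcards stand in for the product’s own syntax (documented in the User Guide).

```python
"""Added example (Python), not code from the Forefront guide or from
Microsoft: reading an exported Incident Log and applying the kind of
filter the guide describes (Filter Column "Incident", text "Virus").

Assumptions, all constructed for illustration: the export is tab-delimited
with the column names below (the page does not state the real layout), and
wildcards are interpreted with shell-style fnmatch as a stand-in for the
product's own wildcard syntax, which is documented in the User Guide.
"""
import csv
import io
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample export. Threat and file names are placeholders.
SAMPLE_EXPORT = """\
Time\tIncident\tName\tSender\tRecipient\tState
2006-10-02 09:14:03\tVirus\tSample.Virus.A\teve@example.net\tbob@contoso.com\tRemoved
2006-10-02 09:20:41\tFile Filter\tinvoice.exe\tpartner@example.org\talice@contoso.com\tPurged
2006-10-02 10:05:17\tVirus\tSample.Virus.B\tmallory@example.org\tbob@contoso.com\tRemoved
2006-10-02 11:30:00\tKeyword Filter\tconfidential\talice@contoso.com\tpress@example.net\tSkipped
2006-10-03 08:01:55\tWorm\tSample.Worm.C\tspoofed@example.net\tbob@contoso.com\tPurged
"""


def parse_export(text):
    """Parse a tab-delimited Incident Log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def filter_incidents(rows, column, pattern):
    """Keep rows whose `column` matches `pattern` (case-insensitive, * and ? wildcards).

    Mirrors the on-screen filter: choose a column, enter filter text. An unknown
    column is an error rather than silently matching nothing.
    """
    if rows and column not in rows[0]:
        raise KeyError("unknown filter column: %s" % column)
    pattern = pattern.lower()
    return [r for r in rows if fnmatchcase(r[column].lower(), pattern)]


def summarize(rows):
    """Count incidents per type (the kind of figure the statistics view shows)."""
    return Counter(r["Incident"] for r in rows)


def purged_for_recipient(rows, address):
    """The lookup the guide gives as motivation: was a message to this user purged?"""
    address = address.lower()
    return [r for r in rows if r["Recipient"].lower() == address and r["State"] == "Purged"]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for r in filter_incidents(rows, "Incident", "Virus"):
        print(r["Time"], r["Name"], r["Recipient"])
    print(dict(summarize(rows)))
```

Filtering before export, as the tip recommends, is the same operation as `filter_incidents` applied before writing the file: the smaller data set is easier to review and share with help desk staff.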

Step 10: Quarantine Options


Why the Quarantine Is Important
Quarantine allows you to store messages and/or attachments that Forefront Security for
Exchange Server has detected as infected or matching a particular filter. The
quarantined items can be inspected and, if need be, released to the intended recipient,
redirected elsewhere, or deleted. Quarantined files are stored in an encoded format in
the Quarantine folder in the Forefront Security for Exchange Server installation folder.
The Quarantine screen allows you check for items, search among them, deliver them,
export them for viewing, and set purge times.
Configuration Steps for the Quarantine
The Quarantine itself does not need to be activated. Whether or not items are
quarantined is set on every specific scan job or filter. However, there are settings you
may wish to make and functions you should be aware of on the Quarantine screen.
Open the Forefront Server Security Administrator and go to Report > Quarantine to
get to the Quarantine screen.

[Screenshot: the Report > Quarantine screen, with callouts One, Two, Three, Four and SAVE! marking the areas described below.]

One: View and Sort Quarantined items. Quarantined items will be displayed on the screen. By clicking the columns you can sort data based on that column heading.

Two: Set the Quarantine Purge time. The Quarantine can grow very large, especially if you are quarantining spam. When this happens, performance can be affected. To keep the log from growing too large, you can set a Purge time. Click the Purge After check box and choose how many days of Quarantine data you wish to maintain.

Three: Use the filter to search for items. When searching for a specific Quarantine item, the Filtering field can be very helpful. Mark the check box, select a column category, and then enter specific filter text. Wildcards are available for the Filtering field. Consult the User Guide for details. You must click the Save button for your filter settings to take effect.
For example, you may wish to examine only virus incidents. To do so, set the Filter Column to “Incident” and enter “Virus” in the Filter box. Click Save and the result will be a list of all Virus detections.

Four: Deliver items as needed. If a particular message or attachment needs to be delivered, highlight the item and click the Deliver button. The pop-up window will allow you to deliver the item to the original recipient(s) or redirect it elsewhere. All items released from Quarantine will be re-scanned for viruses, to prevent release of a known virus. If the release from Quarantine releases a virus, the item will return to the Quarantine. See the “Tips” section below for other aspects of released items.

SAVE! Click the Save button so your settings take effect.

TIPS, CONSIDERATIONS, and BEST PRACTICES


► Entire messages are stored only for File Filters (when the filter is set to Purge) and
Content Filters. For virus-infected attachments, only the attachment is stored (the
message is delivered). A worm message is purged and never quarantined.
► There are two delivery modes for the Quarantine. Secure Mode will re-scan items
with content filters when they are released. Compatibility Mode will not. For instance,
if you have set a File Filter to block EXE files and you release an EXE file from the
Quarantine, Secure Mode will cause the item to be re-blocked and Compatibility Mode
will allow the item to be delivered. In all cases, anything released from the Quarantine
is re-scanned for the presence of viruses and the message or attachment is blocked if a
virus is detected. The Mode setting is changed in the General Options panel.
► The Quarantine can store items in two ways: as a single EML file or as separate
messages and attachments. When storing as an EML file, Microsoft® Outlook Express is
needed to view the message and attachment (after saving it to a separate file outside
the Quarantine). Without Outlook Express, it will be very difficult to extract the file from
within the EML format. If you do not wish to use Outlook Express, then by storing items
separately you can view the message body as a text file and/or retrieve the attachment
directly. To set how items are stored, go to the General Options panel and use the drop-
down list under Quarantine Messages.

Step 11: General Options Review


Forefront Security for Exchange Server provides many settings through the General
Options panel. Many of these are used only in specific instances or for specific needs.
This section provides a brief overview of the General Options. For full details, consult
the Forefront Security for Exchange Server User Guide.
Security administrators should review the General Options carefully because they may
help address specific security needs. Where appropriate, best practices have been
outlined below. However, these are general guidelines only. Consider all the options
available as they may be needed in your particular environment.
The General Options are located under the “Settings” menu.
Diagnostics
The Diagnostics section allows you to turn on advanced logging for troubleshooting
situations. These diagnostics should only be used when directed by Microsoft support.
An Archive feature allows copies of all inbound and outbound mail to be saved to an
archive folder. Critical Notifications provides e-mail notifications in the event of a key
Forefront service failure or restart.
Best Practices:
• Select the Notify on Startup option.
• The e-mail addresses of appropriate recipients should be added to the Critical
Notification List.


Logging
The Logging settings allow Forefront Security for Exchange Server to generate detailed
logging information. While not as detailed as the Diagnostics logging, these logging
functions retain important historical information about the program’s environment.
Best Practices:
• Make the same selections as shown below.
• Enter a value for Max Program Log Size. If kept at 0, the Program Log may
grow too large and begin to cause performance issues.

Scanner Updates
The Scanner Update settings are used to customize how engine updates are performed,
as well as providing notifications about updates. The majority of these settings are used
on an as-needed basis.
Best Practices:
• Choose Perform Updates at Startup. This ensures that if any server running
Forefront Security for Exchange Server is inoperative for a long period of time,
the program will immediately begin to download new scan engines upon startup.


Scanning
The Scanning settings are a critical part of Forefront Security for Exchange Server and
should be carefully reviewed by security administrators. This extensive portion of the
General Options covers areas such as what kind of message scanning should be
performed, how certain file types should be handled (such as compressed files, corrupt
files, nested ZIP files, etc.), scanner time-out settings, quarantine behavior, and some
important infrastructure settings, such as entering lists of internal domains to help
distinguish internal from external e-mail. The default values provided will work in most
environments. The “Best Practices” section below refers only to items that are not
defaulted but may be desirable in your network.

[Screenshot: this shows only a portion of the Scanning settings.]

Best Practices:
• Choose Scan Doc Files as Containers on both the Transport Scan Job and
Realtime Scan Job. This provides deep scanning of .doc files and others that use
the OLE embedded data format (such as .xls, .ppt). These files may have other
files embedded in them. There is a performance impact associated with this
practice, but it provides a more complete level of scanning.
• Choose Purge Message if Message Body Deleted – Transport. In some
instances, part or all of a message body will be deleted because it is considered
a virus, but the message may still be delivered with Deletion Text replacing the
removed contents. This can cause confusion or concern among recipients. By
selecting this option, the entire message is deleted and the user never sees it. It
is not very likely that the message contains any valid information.
• Make sure to fill out the Internal Address field with all of your internal mail
domains. This is necessary for Forefront to properly determine email direction.
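The Internal Address best practice above and the internal/external split in the notification table (Step 8) depend on the same decision: is an address in one of your internal mail domains? The added Python example below (my illustration, not code from this guide or from Microsoft) models that decision, classifies message direction from it, and then picks the notifications a detection would trigger using the table’s defaults (Administrators and Sender on, Recipients off, and no sender or recipient notification for worms). The domain list, sample addresses and the (kind, party, scope) naming are constructed assumptions; the product’s own matching rules are not described on this page.

```python
"""Added example (Python), not code from the Forefront guide or from
Microsoft: models how the notification table's internal/external split and
the Internal Address (internal domain) list interact.

Assumptions (constructed for illustration): the domain list, the sample
addresses and the (kind, party, scope) naming of notifications are mine;
the product's own matching rules are not described on the page.
"""

# Constructed list standing in for General Options > Scanning > Internal Address.
INTERNAL_DOMAINS = {"contoso.com", "corp.contoso.com"}


def is_internal(address):
    """True if the address's domain is one of the configured internal domains."""
    if "@" not in address:
        return False  # malformed or bare display name: treat as external
    domain = address.rsplit("@", 1)[1].strip().lower()
    return domain in INTERNAL_DOMAINS


def message_direction(sender, recipients):
    """Classify a message as internal, outbound, inbound or external.

    'external' (neither side internal) usually means the domain list is
    incomplete, the failure mode the best practice above warns about.
    """
    sender_internal = is_internal(sender)
    rcpt_internal = [is_internal(r) for r in recipients]
    if sender_internal and all(rcpt_internal):
        return "internal"
    if sender_internal:
        return "outbound"
    if any(rcpt_internal):
        return "inbound"
    return "external"


def default_enabled(party):
    """Defaults from the table: Administrators and Sender notifications are on,
    Recipients notifications are off."""
    return party != "Recipients"


def notifications_for(kind, sender, recipients, enabled=None):
    """Return the notifications that would fire for one detection.

    kind is one of Virus, File, Content, Keyword, Worm. `enabled` overrides the
    table defaults, keyed by (kind, party, scope) with scope 'internal' or
    'external' (None for Administrators). Each notification is listed once even
    if several recipients share a scope.
    """
    enabled = enabled or {}
    # The administrator notification always applies; it only delivers once an
    # administrator address has been entered for it.
    fired = [(kind, "Administrators", None)]
    if kind == "Worm":
        return fired  # worms get no sender/recipient notification (spoofed origins)
    scope = "internal" if is_internal(sender) else "external"
    if enabled.get((kind, "Sender", scope), default_enabled("Sender")):
        fired.append((kind, "Sender", scope))
    for rcpt in recipients:
        scope = "internal" if is_internal(rcpt) else "external"
        key = (kind, "Recipients", scope)
        if enabled.get(key, default_enabled("Recipients")) and key not in fired:
            fired.append(key)
    return fired


if __name__ == "__main__":
    print(message_direction("alice@contoso.com", ["bob@contoso.com", "eve@example.net"]))
    print(notifications_for("Virus", "alice@contoso.com", ["bob@contoso.com"]))
```

Running `message_direction` over a sample of real traffic with your candidate domain list is a quick way to check the list before relying on it: any message classified as "external" that you know was sent or received by your own users points at a domain you forgot to enter.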

Background Scanning
These settings are discussed in Step 6: Configuring the Background Scan Job.
