Executive Summary:

Microsoft Forefront Security for Exchange Server (formerly known as Microsoft Antigen) is designed to overcome the limitations of any single vendor’s email server antivirus product by letting you run up to five antivirus engines simultaneously to better detect and catch threats in email messages. See how to install, set up, and manage Forefront for Exchange on Exchange Server 2007 servers that host mailboxes.

Antivirus products for email servers such as Microsoft Exchange Server try to catch threats at the email server, before users can receive the messages, open their attachments, and unwittingly launch their payloads. While server antivirus products are reasonably good at scanning incoming email messages, they suffer from a common problem: They require constant updates of their scanning engines and signature databases to come close to catching all threats. Microsoft Forefront Security for Exchange Server (formerly known as Microsoft Antigen) is designed to overcome the limitations of any single vendor’s offering by using multiple antivirus engines developed by various vendors. Forefront for Exchange lets you run up to five of these engines simultaneously to better detect and catch threats in email messages.

Let's look at how to install, set up, and manage Forefront for Exchange on Exchange Server 2007 servers that host mailboxes. But first, let's see where Forefront for Exchange fits in Microsoft's line of Forefront products and why you need an antivirus product on your email servers as well as at other locations on your network.

Forefront on the Email Server
Forefront Security for Exchange Server is one of two server security products, the other being Microsoft Forefront Security for SharePoint Server. A desktop antivirus product, Microsoft Forefront Client Security, is also available. (See "Forefront Client Security," May 2007, http://www.windowsitpro.com/Articles/ArticleID/95504/95504.html, for more information about this product.) ISA Server 2006 and Internet Application Gateway (IAG) 2007 (the Whale Communications Secure Sockets Layer (SSL) VPN gateway product acquired by Microsoft) form the Forefront edge security and access products. The Forefront server, client, and edge security products are intended to help an enterprise defend itself against a wide range of threats.

Regardless of whether an organization has an email gateway such as an Exchange 2007 Edge Transport server, installing Forefront on servers hosting mailboxes can reduce the likelihood that a virus will be introduced by a user who has brought in an infected file from outside the organization (e.g., on a thumb drive or downloaded from a Web site) and who attempts to distribute it by email. Organizations might also want to consider deploying Forefront Security for Exchange Server on Exchange Edge and Hub Transport servers, if they have them, for another layer of defense, but I don't cover that here. Note that Forefront Security for Exchange Server 2007 can be installed only on Exchange Server 2007. If you're still running Exchange Server 2003, you can use the previous version of Forefront Security for Exchange Server, called Antigen.

Installing Forefront Security for Exchange Server
The version of Forefront Security for Exchange Server that I describe installing here is the 32-bit version that comes on the Exchange 2007 120-day evaluation DVD or that you download from the Forefront product Web site ( http://www.microsoft.com/forefront). The evaluation software comes in both 32-bit and 64-bit versions, but only the 64-bit version is available for use in a production environment, which stands to reason because Exchange Server 2007 is 64-bit.

The Exchange Management Console’s End-to-End Scenario tab (visible when you click the top Microsoft Exchange node) contains instructions for installing Forefront Security for Exchange Server. Click Protect your Exchange Servers from viruses, worms and other malware to begin.

Forefront Security for Exchange Server uses a wizard to guide you through remote or local installation. If you select the remote installation option, you're requested to enter the name of the server on which to install Forefront Security and the administrative share (the default is C$). Before a remote installation can proceed, the wizard will check that the remote machine is available and that Exchange 2007 is installed on it. Note that an enabled firewall, such as the host firewall that comes with Windows Server 2003 SP1 or R2, might interfere with the installation by causing the installation wizard to falsely believe the server isn't available.

After you select a remote machine on which to install the software or choose local installation, you're given the option of Full Installation (the default) or installing the client (referred to as Client – Admin console only). You should select Full Installation for each of your Exchange mailbox servers.

You have two options for quarantine settings: Secure Mode or Compatibility Mode. You should select Secure Mode unless you have a real reason to select Compatibility Mode. With Secure Mode, messages and attachments are scanned when they're released from quarantine to ensure they're free of viruses. With Compatibility Mode, quarantined items aren't scanned on release.

Next, you select the antivirus engines you want to use. The wizard always selects the Microsoft Antimalware Engine, but you can select four others from AhnLab, CA (both InoculateIT and Vet), Authentium, Kaspersky Lab, Norman, Sophos, and VirusBuster. In January, CA announced that it would combine the InoculateIT and Vet antivirus engines into a new Vet engine, so if you want to use a CA engine, use Vet instead of InoculateIT.

During Forefront Security installation, you'll be prompted to temporarily stop some services. Note that stopping these services will impact the ability of your users to send and receive email messages, and possibly the flow of messages into and out of your organization and between email servers.

When installation is finished, you're given the option of viewing Forefront Security's readme file. Unlike some other readme files, this one contains some useful information, such as details about how to install the Forefront Administrator console on Windows XP, the fact that you can't use Forefront Security in Exchange Active-Active clusters, and known issues.

Managing Forefront Security Settings
Once you've installed Forefront Security for Exchange Server, you can manage it by launching the Forefront Server Security Administrator console from the Start menu. Note that the UI (which Figure 1 shows) is different from the traditional Microsoft look and feel—a legacy of Forefront Security’s Antigen past. If you have multiple Exchange servers running Forefront Security in your environment, you can select a server to manage from the drop-down list at the top of the console.

Click SETTINGS in the left-hand column to work with a scan job, antivirus settings, scanner updates, templates, or general options. Under Scan Job, you'll find Realtime Scan Job and Manual Scan Job. On a mailbox server, Forefront Security uses the foreground processes of the real-time job to scan email messages when they're retrieved from the mail store, if the items haven't been previously scanned and marked as clean and if new engine and signature updates haven't been received. The background processes of the real-time job scan email messages in mail stores.

The real-time scan job runs four processes by default. An item is passed to the first process. If this process is busy, the item is passed to the second process, then the third process, and so on. One quarter of the total number of processes is used to scan items in the background, continuously, to ensure that items are scanned with engine and signature updates as updates are received. You can adjust the number of processes in General Options, up to ten.

For each scan job, you can configure what to scan. The default is to scan all mailboxes and public folders, but you can choose not to scan either or to scan specific mailboxes and public folders. You can't create a new scan job, but you can create a new template that specifies settings for a scan job and then apply that template to one of the existing scan jobs. I describe how to do this below.

If Forefront Security finds a virus in an item, it substitutes a message for the item and moves the item to quarantine. You can customize the message by clicking on the Deletion Text button at the bottom of the window.

I recommend that you configure scan jobs to scan all user mailboxes as well as any mailboxes that are owned by services or processes (such as Microsoft SQL Server, Microsoft System Center Operations Manager 2007, or a third-party application) that forward messages to users. If you have a mailbox that belongs to a service or process that simply receives notifications and is capable of deleting malformed email, then you can usually choose not to scan that mailbox. The same is true for Public Folders.

Select SETTINGS, Antivirus to choose the antivirus engines that Forefront Security uses for the scan jobs, the default action that's taken when Forefront Security encounters an infected item (detect only, repair, or delete), whether to send notifications, and whether to quarantine infected files. I recommend that you have Forefront Security attempt to repair email and attachments that are flagged as being infected. If Forefront Security is unable to complete a repair operation, it will quarantine the item for inspection.

You can also adjust the bias that Forefront Security uses when scanning items. The default is to Favor Certainty, which means that Forefront Security uses four of your five chosen antivirus engines (selected at random) to scan each email message. You might wish to consider dropping this to Neutral, which means that three engines are used, unless you believe a virus outbreak is spreading through the Internet via email, or even choose Favor Performance (two engines), if you also have Forefront Security installed on Exchange 2007 Edge and Hub Transport servers and a comprehensive desktop antivirus product.

The Scanner Updates window (which Figure 2 shows) lets you configure which scan engines and signature databases to update and the frequency and time of the updates. By default, all scan engines and associated signatures are updated regardless of whether you're using them. You can disable updates for an engine, and you can force an update at any time. I recommend leaving the default setting. The performance impact of updating all the engines and signatures is offset by being able to quickly switch engines when desired.

Click SETTINGS, Templates to apply a stored template to a scan job. You might use templates if you have multiple Exchange servers running Forefront Security and you want to apply common settings consistently across all of them. You can also use a template to configure a scan job that you might want to run at a special time; for example, when you know there's a virus or worm propagating via email, you might apply a template with more restrictive security settings. If you have just one Exchange server with Forefront Security, you can ignore templates, and manually adjust the real-time and manual scan jobs.

If you want to create a new template to use across all the Exchange mailbox servers running Forefront Security in your organization, click File, Templates, New. You can create three types of scan job template: transport, real-time, and manual. From this menu, you can also create a filter set template, which you can associate with one or more templates. I cover filter sets a little later. For installations on mailbox servers, you'll want to create only real-time and manual filters.

After you create a scan job or filter set template, you can access it from most windows in Forefront Security by selecting File, Templates, View Templates. In this mode, all templates are displayed, and you can select one, make changes, and then click Save in the lower right-hand corner of the window.

To apply a template to a real-time or manual scan job, Select SETTINGS, Templates, select Realtime Scan Job or Manual Scan Job, and then select the appropriate template from the Template drop-down list and click Save. You can also apply a filter set template to the scan job by selecting it from the Filter Set drop-down list and clicking Save. If you ever make changes directly to the real-time or manual scan job, the scan or filter template settings applied to the job will be overwritten, but the templates will not.

The final option under SETTINGS is General Options, which you can use to configure diagnostics, logging, scanner updates (including proxy server settings), scanning options, and background scanning. There are two sets of important options here. First, if you have a proxy server that requires authentication before clients can connect to the Internet, you can configure both the proxy server address and the credentials to use here.

The second set of options lets you configure a Forefront Security for Exchange Server system to distribute scanning engine and signature database updates to other Forefront Security installations. By configuring a server as a distribution server, you can eliminate the need for each Forefront Security server to fetch updates from Microsoft. On the distribution server, follow the directions in the online Help file to create a shared folder for the updates in the Forefront Security installation folder, and select the Redistribution Server option.

On clients that will fetch their updates from a redistribution server rather than from Microsoft, go to SETTINGS, Scanner Updates and enter the Universal Naming Convention (UNC) name of the shared folder on the redistribution server in the Network Update Path field. Note that you can specify both primary and secondary update paths, which means that you can have more than one redistribution server or that you can specify Microsoft as the secondary update path. This option is useful for redundancy. If you require credentials from clients that connect to a redistribution server’s shared folder, you can specify which credentials a client should use under General Options in the Scanner Updates window. Note that some of the options under General Options (the ones marked with an asterisk) will take effect only after you stop and restart Forefront Security.

Forefront Security Filtering
Clicking FILTERING in the left-hand column of the Forefront Server Security Administrator console lets you configure filters based on a variety of criteria, including keywords in content and subject lines and attachment names and file types. Forefront Security intelligently recognizes file types regardless of file extensions through content inspection, defeating common tricks such as adding .txt to the filename of an .exe, .zip, or other file. Content filtering isn't designed to catch viruses in messages as much as it is to catch spam and sensitive emails that contain company confidential information. Under FILTERING, you can also define Allowed Senders, people who can send email messages that aren't subject to content filtering rules.

You can apply any filter directly to the real-time or manual scan job or to a filter set template. If you configure a filter set template, you can then apply it to a scan job template or directly to the real-time and manual scan jobs by using the SETTINGS, Templates option mentioned earlier. If you want to apply the same filter settings to multiple scan job templates or directly to the scan jobs themselves, I recommend that you do create a filter set template and apply the template to ensure that each scan job template, and the scan jobs themselves, are consistent.

If you want to filter for spam keywords and the email addresses of known spammers, you can get lists of these from several Web sites. Forefront Security on an Exchange Edge server obtains antispam updates from Microsoft as a feature of the license.

Running, Scheduling, and Reporting
Clicking OPERATE in the left-hand column of the Forefront Server Security Administrator console shows three options: Run Job, Schedule Job, and Quick Scan. Clicking Run Job shows you the status of the real-time and manual scan jobs. You can enable or disable the real-time scan, start a manual job, or pause or stop a running manual job. When you click a scan job, the results of the job can be seen in the lower half of the window, as Figure 3 shows.

The Schedule Job window lets you enable a scheduled manual scan job and set the time it will run and the frequency. You can do the same for the background real-time job.

The Quick Scan window lets you run a one-off scan of mailboxes and public folders. You can select which antivirus engines to use, the bias to apply, and the default action to take when the scan encounters a virus. The results of a quick scan are shown in the bottom half of the window. Note that if you have the option to View Templates enabled, they will be listed, but you will be unable to enable or disable a scan job template or view the results from a template.

The REPORT item in the left-hand column has three components: Notification, Incidents, and Quarantine. Clicking Notification opens a window where you can configure automatic notification of events such as the discovery of a virus or an email containing a specific keyword. For each type of event, you can enable or disable notification, configure who the notification should be sent to by email, and set the subject and contents of the message sent.

Clicking on Incidents displays a report of events that have occurred and scanning statistics (e.g., the number of messages scanned).

The Quarantine component is where the Forefront Security administrator can examine email messages and attachments that have been flagged as containing a virus, a banned file type, or a specific keyword. If you can satisfy yourself that there's no real threat, you can release quarantined items by clicking Deliver in the right-hand column (as Figure 4 shows). It's also possible to configure Forefront Security to automatically purge items from quarantine after a fixed period of time by clicking the Purge check box at the bottom of the window. You can manually clear the quarantine by clicking Clear Log in the right-hand column.

I've described how to install Forefront Security for Exchange Server and how to perform basic administration and operation tasks. You can find out more about Forefront Security for Exchange Server at http://www.microsoft.com/forefront. You can also get details about the Microsoft Forefront Server Security Management console, which integrates Forefront Security for Exchange, Forefront Security for SharePoint, and Microsoft Antigen.