Besides planning for anti-spam, you also need to consider protecting your Exchange organization from viruses and other dangerous software.
1. Exchange Server 2010 Antivirus Protection
E-mail is one of the most common ways for viruses to spread from one organization to another; the security community even refers to e-mail as a vector used to spread viruses. One of the primary tasks in protecting your Exchange Server organization is to ensure that all messages containing viruses are stopped at the perimeter of the messaging environment.
Although Exchange
Server 2010 already provides some basic antivirus features, it is
important to implement a separate antivirus product based on VSAPI that supports Exchange 2010.
Exchange Server 2010 includes the following virus protection features:
VSAPI
Support for the Virus Scanning application programming interface (VSAPI). In Exchange Server 2010, Microsoft maintains support for the same VSAPI used in Exchange Server 2003 and Exchange Server 2007. VSAPI does not remove any viruses by itself; you must install a product that uses VSAPI to scan your messages and remove viruses when messages are infected.
Transport agents that filter and scan messages
Exchange Server 2010 includes the concept of transport agents, such as the attachment filtering agent, to remove spam and viruses from the messaging stream. By enabling attachment filtering on the Edge Transport or Hub Transport servers, you can reduce the spread of malware attachments before they enter the organization. Additionally, third-party vendors can create transport agents that specifically scan for viruses. Because all messages must pass through a Hub Transport server, this is an efficient and effective means of scanning all messages in transit.
Antivirus stamping
Antivirus stamping reduces how often a message is scanned as it proceeds through an organization. It does this by stamping scanned messages with the version of the antivirus software that performed the scan and the scan results. This antivirus stamp travels with the message as it is routed through the organization and determines whether additional virus scanning must be performed on the message.
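As an added example (not part of the original text), the following Exchange Management Shell commands, run on an Edge Transport server, enable the attachment filtering agent described above and strip common executable attachment types before the message enters the organization. The file-name patterns, MIME type, and notification text are sample values chosen for illustration; adjust them to your own policy.

```powershell
# Run in the Exchange Management Shell on an Edge Transport server.
# Confirm the Attachment Filtering agent is present and enable it if needed.
$agent = Get-TransportAgent -Identity "Attachment Filtering Agent"
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity "Attachment Filtering Agent"
    # Agent enable/disable changes take effect after a transport service restart.
    Restart-Service MSExchangeTransport
}

# Block by file-name pattern (sample list, not a complete policy).
$blockedNames = @("*.exe", "*.scr", "*.pif", "*.vbs", "*.js")
foreach ($name in $blockedNames) {
    Add-AttachmentFilterEntry -Name $name -Type FileName
}

# Also block by MIME content type, so an executable that a client labels
# truthfully is caught even if its file name was changed (sample value).
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType

# Strip matching attachments but still deliver the rest of the message.
# Alternatives are Reject (NDR returned to the sender) and SilentDelete.
Set-AttachmentFilterListConfig -Action Strip `
    -AdminMessage "An attachment was removed by the Edge Transport attachment filter." `
    -RejectResponse "Message rejected: attachment type not permitted."

# Review the resulting filter entries and action.
Get-AttachmentFilterEntry
Get-AttachmentFilterListConfig
```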
2. Considerations for Deploying an Antivirus Solution
Many antivirus solutions are available on the market. Exchange 2010 requires a solution that supports VSAPI, such as Symantec Mail Security for Microsoft Exchange, Trend Micro ScanMail Suite for Microsoft Exchange, or Microsoft's Forefront Protection 2010 for Exchange Server. Just make sure that VSAPI and Exchange 2010 are supported when you evaluate the best antivirus solution for your company.
Although implementing an antivirus solution in Exchange Server is straightforward, you should keep some factors in mind when choosing and configuring an antivirus solution.
2.1. Implementing Multiple Antivirus Layers
To provide enhanced security against viruses, you should implement multiple layers of antivirus protection. A virus can enter your organization from the Internet through e-mail, or from an unprotected client inside your company. Thus, it is a best practice to implement several layers of antivirus protection, such as a firewall, a bastion server such as an Edge Transport server, and protection at the client-computer level.
2.2. Maintaining Regular Antivirus Updates
Installing the antivirus product does not automatically mean that your organization is fully protected. Regular antivirus pattern updates are critical to a well-implemented antivirus solution. You should also monitor whether your antivirus patterns are actually being updated frequently.
If you have a Microsoft System Center Operations Manager 2007 R2 environment in your organization, you can make sure that pattern updates of your antivirus solution are monitored with the respective SCOM management pack, if one is available. This will ensure that you are notified when a pattern update does not occur in a timely manner.
3. Using Forefront Protection 2010 for Exchange Server
Forefront Protection 2010 for Exchange Server is a separate message-hygiene software package that you can integrate with Exchange Server 2010 to provide antimalware and anti-spam protection for the Exchange environment.
3.1. Benefits of Forefront Protection
Forefront Protection 2010 for Exchange Server (FPE) was specifically developed for Exchange Server and thus provides rich antivirus and anti-spam functionality for medium to large enterprises. FPE supports Exchange 2007 SP1 and later versions.
Forefront Protection 2010 for Exchange Server extends Exchange Server 2010 with the following advanced protection features:
Simple configuration/maintenance-free setup
Auto-configured anti-spam agents with smart defaults
Unified management of FPE, Exchange, and Forefront Online Protection for Exchange
Premium multiple engine antimalware protection
Leading anti-spam content filter engine with spam catch rate above 99 percent
An overview of the ways FPE provides benefits when implementing it together with Exchange 2010 can be found in Table 1.
Table 1. Forefront Protection 2010 for Exchange Server Overview
| FEATURE | DESCRIPTION |
|---|---|
| Malware scan with multiple engines | You can automatically scan messages using multiple malware pattern engines, not just a single one. A single antimalware engine creates a single point of failure in the entire deployment; with Forefront you can use five engines scanning the messaging stream simultaneously and thus remove this deficiency. |
| New Microsoft antispyware engine | Scans messages for spyware. |
| Intelligent Engine Management | Automatically tracks the most efficient and best-performing engines and forces them to execute on the messaging stream first. Enables these engines as part of a dynamically chosen subset of engines. |
| Full support for VSAPI | Forefront Protection 2010 for Exchange Server fully supports the Exchange VSAPI. |
| Forefront DNSBL service | Provides aggregated sender reputation information, supplied by multiple external and internal vendors, about IP addresses that are known to send spam. This is an IP Block list offered exclusively to Exchange Server. |
| Premium spam protection | Includes the new Cloudmark-based Content Filter engine. |
| Automatic content filter updates | Automatic updates for the content filter directly from the vendor's update site. Microupdates are available every 30 to 45 seconds without any manual interaction. |
| Backscatter protection | Forefront Protection 2010 includes a new backscatter filter to prevent bogus NDRs from entering the Exchange organization. |
| Integration with Forefront Online Protection via Hybrid Model | Allows you to implement both on-premises and online protection from a single connection point (via the Forefront UI) and apply a single policy to both online and on-premises protection. This also lowers the TCO of messaging hygiene and malware protection. |
| Unified protection management | New administrative and monitoring model via Windows PowerShell support, with a new dashboard implementation. Consolidated support for all protection features and technologies, including the basic Exchange anti-spam filters. |
| Hyper-V support | Fully supported in a Hyper-V virtual environment. |
| True Type File Filtering | Enables real file type inspection (not just the extension) and actionable scanning of nested files within .zip attachments. |
| Global Exception Lists | Single access point to sender and recipient exception lists to enforce allow and block actions from a single place. |
| Streamlined SCL ratings | Less ambiguous SCL ratings to simplify spam categorization and decrease the false positive rate. The vast majority of mail is correctly classified as either spam or good, legitimate mail. |
| Sender/sender domain, File, Keywords, and Subject Line filters | Allow scanning of incoming, outgoing, and internal messaging streams. |
3.2. Forefront Protection 2010 Deployment Options
When you implement Forefront Protection 2010 for Exchange Server, you must consider the various deployment options.
First, you need to determine the servers on which you plan to install Forefront Protection 2010 by considering the following criteria:
As a baseline, you should at least deploy Forefront Protection 2010 for Exchange Server on all Edge and Hub Transport servers.
For full protection, you should deploy Forefront Protection 2010 for Exchange Server on all Edge Transport, Hub Transport, and Mailbox servers.
Note: You do not need to install Forefront Protection 2010 on the Client Access Server role, because Forefront is only needed on the Mailbox, Edge Transport, and Hub Transport server roles.
By default, FPE scans each e-mail only once and then stamps it with a special AV Stamp so that other servers do not scan that message again. However, if necessary, you can enable rescanning of messages already scanned by FPE. Best practices also call for enabling FPE on Mailbox servers, but you need to rationalize the number of engines to run. Scanning with a dynamically allocated subset of engines is a very attractive option, and it is recommended that you have at least one engine enabled for scanning Mailbox servers. Periodic rescanning of databases provides additional assurance that there are no missed or hidden threats in the accepted messages and allows for proactive protection against various threats. You should also consider enabling periodic on-demand scanning of mailboxes to remove offensive or malicious content delivered in the past.
As a best practice, you should enable at least three scan engines and select the Scan With A Dynamic-Chosen Subset of Engines option, which provides optimal protection without significantly sacrificing server performance or messaging throughput.
Forefront Protection 2010 for Exchange Server, compared to Forefront Security for Exchange 2007, improves messaging throughput from 25 to 40 messages per second with all five engines running.