
Microsoft Forefront Security for Exchange Server Quick Start Guide

Microsoft Forefront Security for Exchange Server Version 10


Microsoft Corporation Published: February 2009

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Review the Microsoft Forefront Server Security Privacy Statement at the Microsoft Forefront Server Security Web site.

Contents
Microsoft Forefront Security for Exchange Server Quick Start Guide
Contents
Introduction to Forefront Security for Exchange Server
Third-party file-level antivirus programs
Installing Forefront Security for Exchange Server 2007
Forefront Security for Exchange Server system requirements
Minimum server requirements
Minimum workstation requirements
Installing Forefront Security on a local server
Procedures
Other installations
Services
FSCController
Securing the service from unauthorized use
Procedures
Using the Forefront Server Security Administrator
Starting the Forefront Server Security Administrator
Connecting to a local server
Forefront Server Security Administration user interface
Shuttle Navigator
Forefront Security for Exchange Server General Options
Forefront Security file scanner updating
Configuring the Transport Scan Job
Procedures
Configuring antivirus settings for the Transport Scan Job
Procedures
Controlling the Transport Scan Job
Configuring the Realtime Scan Job - QS
Procedures
Configuring the antivirus settings for the Realtime Scan Job
Controlling the Realtime Scan Job
Configuring and running the Manual Scan Job
Configuring the Manual Scan Job
Configuring antivirus settings for the Manual Scan Job
Running the Manual Scan Job
Scheduled background and on-access scanning
Scheduled background scanning
Procedures
On-access scanning
Heightened security on-access scanning
Procedures
Background scanning on engine update
Filtering files
Mechanics of file filtering
Filtering by file type
Filtering by extension
Filtering by name
Filtering by file size
Configuring the file filter
Procedures
File filtering action
Filtering content
Sender-domains filtering
Procedures
Subject line filtering
Procedures
Content filtering action
Filtering keywords
Creating new keyword lists
Procedures
Enabling keyword filtering
Procedures
Keyword filtering action
Allowed senders lists
Procedures
Filter lists
Sending e-mail notifications
Configuring e-mail notifications
Procedures
Reporting and statistics features
Incidents database
Quarantine
Other database tasks

Introduction to Forefront Security for Exchange Server


In Microsoft® Exchange, viruses can enter the environment in file attachments to e-mail messages, e-mail message bodies, and public folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange transport stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real time with minimal impact on server performance or delivery times of messages.

Microsoft Forefront™ Security for Exchange Server (FSE) is the solution for protecting Exchange environments. Forefront Security for Exchange Server is uniquely suited for Exchange Server 2007 environments. It uses the Exchange Virus Scanning API (VSAPI) to tightly integrate with the Exchange servers to provide seamless protection.

Forefront Security for Exchange Server provides powerful features that include:

- Antivirus scanning using multiple antivirus scan engines.
- Distributed protection on all storage and transport Exchange server roles, including Edge Transport, Hub Transport, and Mailbox or Public Folder servers.
- File filtering by file name, extension, or size.
- Comprehensive notifications for the administrator and the message sender and recipient.

Forefront Security for Exchange Server provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2007 environments. This Quick Start Guide will help you install and start using Microsoft Forefront Security for Exchange Server in a basic environment. For more detailed information about the included topics and for additional topics not covered in this guide, see the "Microsoft Forefront Security for Exchange Server User Guide."

Third-party file-level antivirus programs


If you use a third-party file-level antivirus program on a server containing Forefront Security for Exchange Server, you must ensure that the following program folders are not scanned in order to prevent corruption of FSE:

- <Drive:>\Program Files (x86)\Microsoft Forefront Security (or whatever folder in which you installed FSE)
- <Drive:>\Program Files\Microsoft\Exchange Server

The file-level antivirus scan can also cause a conflict when FSE tries to scan e-mail messages.

Installing Forefront Security for Exchange Server 2007


This release of Microsoft® Forefront™ Security for Exchange Server supports local and remote installations on Microsoft Exchange Server 2007 and local installations on Exchange cluster configurations (for more information about installation on clusters, see the “Microsoft Forefront Security for Exchange Server Cluster Installation Guide”). The Forefront Security for Exchange Server setup wizards can be used to install the product to a local Exchange server, to a remote Exchange server, or as an Administrator-only installation to a local workstation. You must have administrative rights to the computer on which you are installing Forefront Security for Exchange Server. To begin the installation procedure, run Setup.exe from the directory containing the installation files.

Forefront Security for Exchange Server system requirements


The following are the minimum server and workstation requirements for Forefront Security for Exchange Server.

Note: All minimum system memory and disk space requirements for Microsoft Exchange Server 2007 must be met before installing Forefront Security for Exchange Server. Too little available memory or disk space may impact the ability of Forefront to scan large files.

Minimum server requirements


The following are the minimum server requirements.

Note: If both the Exchange and SharePoint products are installed on the same server, only Forefront for Exchange can be installed, to protect Exchange.

- x64 architecture-based computer with one of the following processors:
  - Intel Xeon or Intel Pentium Family processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
  - AMD Opteron or AMD Athlon 64 processor that supports AMD64 platform
- Server software:
  - Microsoft Windows Server® 2003, Windows Small Business Server 2003, or Microsoft Windows Server "Longhorn"
  - Microsoft Exchange Server 2007 (Standard or Enterprise)
- 1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended).
  Note: With each additional licensed scan engine, more memory is needed per scanning process.
- 2 GB of available disk space. This is in addition to the disk space required for Microsoft Exchange Server 2007.
- 1 gigahertz (GHz) Intel processor.

Minimum workstation requirements


The following are the minimum workstation requirements:

- Windows Server 2003, Windows® 2000 Professional, Windows XP, or Windows Vista
- 256 MB of available memory
- 10 MB of available disk space
- Intel processor or equivalent

Installing Forefront Security on a local server


To install on a local Exchange server, you must log on to the local computer using an account that has administrator rights. Click Next to continue after filling out a screen, unless otherwise directed.

Note: As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain FSE features to work correctly.

Procedures
To install Forefront Security for Exchange Server on a local server

1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.
2. The initial setup screen is Welcome. Click Next to continue.
3. Read the license at the License Agreement screen and click Yes to accept it.
4. On the Customer Information screen, enter User Name and Company Name, if needed.
5. On the Installation Location screen, select Local Installation.
6. On the Installation Type screen, select Full Installation.
7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks if Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.
8. On the Quarantine Security Settings screen, select the desired setting.
   - Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.
   - Compatibility Mode permits messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.
9. On the Engine Updates Required screen, read the warning about engine updates.
10. If you use a proxy server for scanner updates, select Use Proxy Settings and enter its name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.
    Note: If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately, otherwise engine updates will fail.
11. If the server you are installing to is an Edge or Transport server, you may be asked if you want FSE to enable Anti-Spam Updates. If you have never made any change to the Anti-Spam Updates setting on the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have made a change to that setting, you do not see this option. If you do not enable Anti-Spam Updates during FSE installation, you can turn on updates by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.
    Note: If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, updates will be disabled.
12. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.
    Default: Program Files(x86)\Microsoft Forefront Security\Exchange Server
13. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.
    Default: Microsoft Forefront Server Security\Exchange Server
14. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
15. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled. If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started or restarted, FSE cannot scan mail being sent or received.
16. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started, before clicking Next to continue.
17. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.
18. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started, before clicking Next to continue.
19. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

Other installations
If you are installing on a remote server or performing an Administrator-only installation, follow the instructions in the "Microsoft Forefront Security for Exchange Server User Guide." If you are installing Forefront Security for Exchange Server in a clustered Exchange environment, see the "Microsoft Forefront Security for Exchange Server Cluster Installation Guide".

Services
The Microsoft® Forefront™ Security for Exchange Server services are the components that run on the Exchange server and control all back-end functionality of FSE. They service requests from the Microsoft Forefront Server Security Administrator, control the scanning processes, generate e-mail notifications, and store virus incident data to disk (which can be viewed using the Forefront Server Security Administrator). An Administrator-only installation does not install the Forefront Security for Exchange Server services.

FSCController
FSCController acts as the server component that Forefront Server Security Administrator connects to for configuration and monitoring. FSCController coordinates all Realtime, Manual, and Transport scanning activities. The FSCController startup type defaults to manual.

Note: Changing the startup type to anything other than "manual" may cause FSE to not scan properly.

Note: When you install Forefront Security for Exchange Server, it is configured to permit everyone access to FSCController. To change the security settings to restrict access to FSCController, you must use DCOMCNFG to modify the security settings.

Securing the service from unauthorized use


The Forefront Security for Exchange Service utilizes Distributed COM (DCOM) to launch and authenticate Forefront Server Security Administrator connections. You can build an access list of authorized users who can connect to the FSCController utilizing the Forefront Server Security Administrator.

Procedures
To build an access list of authorized users

1. Open a command prompt window.
2. Type DCOMCNFG and press ENTER. The Component Services dialog box appears.
3. In the Console Root section, expand Component Services.
4. Expand Computers.
5. Expand My Computer.
6. Expand DCOM Config.
7. In the Applications list, right-click FSCController, and then select Properties. The FSCController property dialog appears.
8. Click the Identity tab and configure your user accounts.
9. Click the Security tab and use the permissions lists to control which user accounts have rights to launch and activate the FSCController, access the FSCController, or change the DCOM configuration.
10. Click OK to close the Properties dialog.

To learn more about services, including information about FSCMonitor, FSEIMC, FSCRealtimeScanner, FSCTransportScanner, and FSCStatisticsService, see the Forefront Security for Exchange Server Services chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
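
An audit check for the two FSCController settings described above, added here as an example and not taken from the Microsoft guide: it reports the service start mode and decodes the DCOM launch and access permissions, flagging allow entries granted to broad groups such as Everyone. It assumes the service name and the DCOM application caption are both `FSCController`, as the guide names them; the AppID is looked up at run time.

```powershell
# Added example (not from the Microsoft guide). Run in an elevated Windows PowerShell.
# Assumption: the service name and the DCOM application caption are both
# "FSCController", the name the guide uses for the service and in DCOMCNFG.
$AppName = 'FSCController'

# Well-known SIDs whose allow ACEs leave the component open to anyone.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

# COM access-mask bits (COM_RIGHTS_* values from the Windows SDK).
$ComRights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'
                8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

function ConvertTo-ComRightNames([int]$Mask) {
    $names = @()
    foreach ($bit in ($ComRights.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $names += $ComRights[$bit] }
    }
    $names -join ','
}

function Get-DcomAcl([string]$AppId, [string]$ValueName) {
    # The AppID key may live in the native or the 32-bit registry view.
    $roots = 'HKLM:\SOFTWARE\Classes\AppID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\AppID'
    $bytes = $null
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path "$root\$AppId" -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $bytes = [byte[]]$item.$ValueName; break }
    }
    if ($null -eq $bytes) {
        # No per-application value: the machine-wide DCOM default is in effect.
        Write-Warning "${ValueName}: not set for this application; review the machine-wide DCOM default"
        return
    }
    # The registry value is a self-relative binary security descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    if ($null -eq $sd.DiscretionaryAcl) {
        Write-Warning "${ValueName}: security descriptor has no DACL (unrestricted)"
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid     = $ace.SecurityIdentifier.Value
        $isAllow = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        $finding = 'ok'
        if ($isAllow -and $BroadSids.ContainsKey($sid)) {
            $finding = 'BROAD: ' + $BroadSids[$sid]
        }
        New-Object PSObject -Property @{
            Permission = $ValueName
            Type       = $ace.AceType
            Sid        = $sid
            Rights     = (ConvertTo-ComRightNames $ace.AccessMask)
            Finding    = $finding
        }
    }
}

# 1. Startup type: the guide says anything other than Manual may break scanning.
$svc = Get-WmiObject Win32_Service -Filter "Name='$AppName'"
if ($svc) {
    "Service {0}: StartMode={1}, State={2}" -f $svc.Name, $svc.StartMode, $svc.State
    if ($svc.StartMode -ne 'Manual') { Write-Warning 'Startup type is not Manual' }
} else {
    Write-Warning "Service '$AppName' not found (Administrator-only installation?)"
}

# 2. DCOM identity and permissions, as shown on the Identity and Security tabs.
$app = Get-WmiObject Win32_DCOMApplicationSetting |
       Where-Object { $_.Caption -eq $AppName -or $_.Description -eq $AppName } |
       Select-Object -First 1
if ($app) {
    "DCOM AppID {0}, RunAsUser='{1}'" -f $app.AppID, $app.RunAsUser
    $report  = @(Get-DcomAcl $app.AppID 'LaunchPermission')
    $report += @(Get-DcomAcl $app.AppID 'AccessPermission')
    $report | Format-Table Permission, Type, Sid, Rights, Finding -AutoSize
} else {
    Write-Warning "No DCOM application named '$AppName' is registered on this computer"
}
```

Any row marked BROAD corresponds to an entry to remove or narrow on the Security tab in step 9.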

Using the Forefront Server Security Administrator


The Microsoft® Forefront™ Server Security Administrator is used to configure and run Forefront Security for Exchange Server locally or remotely. For the Forefront Server Security Administrator to launch successfully, the FSCController and Exchange server must be running on the computer to which the Forefront Server Security Administrator connects. If you launch the Administrator and the Microsoft® Exchange Server is not running, you will receive an error message.

Because the Forefront Server Security Administrator is the front end of the Forefront Security for Exchange Server software, it can be launched and closed without affecting the back-end processes being performed by the Forefront Security for Exchange Server services. The Forefront Server Security Administrator may also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface.

Starting the Forefront Server Security Administrator


To run the Forefront Server Security Administrator, click Start, point to All Programs, point to the Microsoft Forefront Server Security folder, point to the Exchange Server folder, and then click Forefront Server Security Administrator.

Connecting to a local server


The first time the Forefront Server Security Administrator is launched, it prompts you to connect to the Exchange server running on the local computer. You can use the server name or local alias to connect to the local Exchange server.

Note: For information about connecting to a remote server, see the "Microsoft Forefront Security for Exchange Server User Guide."

Forefront Server Security Administration user interface


The Forefront Server Security Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right.

Shuttle Navigator
The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

- SETTINGS: The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, and general options.
- FILTERING: The FILTERING area enables you to configure content filtering, keyword filtering, file filtering, allowed senders lists, and filter lists.
- OPERATE: The OPERATE area enables you to control virus scanning and filter options, schedule and run scan jobs, and perform quick scans.
- REPORT: The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files.

For detailed information about the areas of the Shuttle Navigator and their various configuration settings, see the "Microsoft Forefront Security for Exchange Server User Guide."

Forefront Security for Exchange Server General Options


General Options, accessed from the SETTINGS section of the Shuttle Navigator, provides access to a variety of system-level settings for Forefront Security for Exchange Server. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings.

Although there are many options that can be controlled through the General Options pane, each of them has a default (enabled, disabled, or a value) that is probably the correct one for your enterprise. However, there are several options that you may want to modify while configuring Forefront Security for Exchange Server for the first time. These options are:

- Critical Notification List: Indicates the e-mail addresses of administrators and others who should be notified in the event that the Exchange store starts and Forefront Security for Exchange Server is not hooked in or if the Forefront Security store shuts down. Multiple e-mail addresses are separated by semicolons. For example: admin@microsoft.com;admin2@microsoft.com.
- Redistribution Server: Indicates that this server is acting as the central hub to distribute scanner updates to other servers.
- Use Proxy Settings: Indicates that proxy settings are to be used when retrieving antivirus scanner updates. (For more information, see the "Updating the File Scanner Through a Proxy" section in "File Scanner Updating" in the User Guide.)
- Use UNC Credentials: Indicates that Universal Naming Convention (UNC) credentials are needed when retrieving scanner updates from a file share. (For more information, see "File Scanner Updating" in the User Guide.) Credentials are not supported if you are using the Microsoft Forefront Server Security Management Console (FSSMC) for redistribution. Therefore, be sure to clear this setting if you are using FSSMC to manage antivirus engine updates.
- Proxy Server Name/IP Address: The name or IP address of the proxy server. Required, if using proxy settings.
- Proxy Port: Indicates the port number of the proxy server. Required, if using proxy settings. The default is port 80.
- Proxy Username: The name of a user with access rights to the proxy server, if necessary. Optional field.
- Proxy Password: The appropriate password for the proxy user name, if necessary. Optional field.
- UNC Username: The name of a user with access rights to the UNC path, if necessary. Optional field.
- UNC Password: The appropriate password for the UNC user name, if necessary. Optional field.

Forefront Security file scanner updating


The standard Microsoft® Forefront™ Security for Exchange Server license includes a standard set of antivirus engines, of which four are enabled, in addition to the Microsoft Antimalware Engine. These engines begin scanning your system as soon as the FSE service starts. Unless you disable updating a specific engine, all are always automatically updated.

Note: It is recommended that you schedule updates and do a manual update before scanning with an engine that you have not used before.

For more information about updating scanners, see the File Scanner Updating chapter of the "Microsoft Forefront Security for Exchange Server User Guide."

Configuring the Transport Scan Job


The Forefront Security for Exchange Server Transport Scan Job runs on an Exchange 2007 server with either a Hub Transport or an Edge Transport role installed. It can scan, in real time, all MIME and UUENCODE-based e-mail messages that are inbound or outbound from the transport stack of an Exchange site or organization as well as all internal e-mail. The transport scanner scans for viruses in attachments and for embedded and HTML viruses in the message body.

Configure the Transport Scan Job to specify what combination of inbound, outbound, and internal mail should be scanned. You can optionally specify Deletion Text and Tag Text.

*rocedures
To configure the Trans!ort Scan 8o0 5% In the SETTI'GS section of the 1huttle =a)igator, select Scan 8o0% 7he Scan

5/

8o0 Settings $or, pane appears% 2% In the #ob list in the upper pane, select the Trans!ort Scan 8o0% 6% In the 7ransport Messages section of the $or, pane, indicate the combination of In0ound, 2ut0ound, and Interna" messages to be scanned: 1electing the In0ound chec, bo& $ithin the Scan 8o0 Settings $or, pane configures Forefront 1ecurity for -&change 1er)er to scan all e(mail messages entering the -dge 7ransport ser)er or @ub 7ransport ser)er% Messages are designated as inbound if the message originated from or $as relayed through an e&ternal ser)er% If the e&ternal ser)er is not running F1-, this is an effecti)e $ay to protect your installation from infected e(mail messages coming from the Internet% 1electing the 2ut0ound chec, bo& $ithin the Scan 8o0 Settings $or, pane configures F1- to scan all outgoing e(mail messages that lea)e your -&change site or -&change organi'ation )ia the -dge 7ransport ser)er or @ub 7ransport ser)er% Messages are designated as outbound if at least one recipient has an e&ternal address% 1electing the Interna" chec, bo& $ithin the Scan 8o0 Settings $or, pane configures F1- to scan all mail that is being routed from one location inside your domain to another location inside your domain% Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain% ;% :ptionally, you can specify 3e"etion Text, $hich is used to replace the contents of an infected file during a delete operation% 7he default deletion te&t informs you that an infected file $as remo)ed, along $ith the name of the file and the name of the )irus found% 7o create your o$n custom message, clic, Feletion 7e&t% <% :ptionally, you can specify Tag Text% 7his te&t is used by Forefront 1ecurity for -&change 1er)er to KtagL the sub#ect line or MIM- header of messages that meet filter criteria so that they can be identified later for routing into specific user inbo&es or for other purposes identified by the Forefront 
1er)er 1ecurity 0dministrator% 7he action for a filter must set to Identify( Tag Message in order for the tag to be used% 7o modify the te&t, clic, the Tag Text button on the Scan 8o0 Settings $or, pane% 7he 7ag 7e&t dialog bo& appears% 7here are t$o fields, each of $hich has a default that can be changed% 7he sub#ect line tag te&t defaults to K1U1P-C7:L and the message header tag te&t *$hich cannot ha)e any spaces+ defaults to K>un,(MailL% Clic, 26% ?% Clic, the Save button to sa)e your 7ransport 1can >ob settings% 'ote( "hen editing the 7ransport 1can >ob, if no changes are made to the 7ransport 1can >ob configuration, the Save and Cance" buttons are inacti)e%

58

Ma,ing any change to the configuration acti)ates these buttons% If you ma,e a change to the 7ransport 1can >ob and try mo)ing to another scan #ob or shuttle icon, you are prompted to sa)e or discard your changes%

Configuring antivirus settings for the Transport Scan Job

After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

Procedures

To configure antivirus settings

1. In the SETTINGS section of the Shuttle Navigator, click Antivirus. The Antivirus Settings work pane appears.
2. From the list in the upper pane, select the Transport Scan Job.
3. From the list of available third-party scanners in the File Scanners section, choose the file scanning engines. The five engines you chose at installation are initially selected by default. (Although you may only use a maximum of five engines, you may use any five. You are not limited to the ones you selected during the installation.) To disable virus scanning while retaining the ability to run File Filtering and Keyword Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Transport Scan Job.
   Note: If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.
4. In the Bias field, select a bias setting for the scan job. Bias controls how many engines to use to provide you with an acceptable probability that your system is protected. The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.
   Note: Because the Transport Scan Job is your first line of defense against unwanted and malicious messages and attachments, consider setting the Bias to Max Certainty or Favor Certainty. Favor Certainty is the default setting. For more information about Bias settings, see the Multiple Scan Engines chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
5. In the Action field, select the action that you want Forefront Security for Exchange Server to perform when a virus is detected:
   Skip: detect only
      Make no attempt to clean or delete the infection. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
   Clean: repair attachment
      Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text. This is the default setting.
   Delete: remove infection
      Delete the attachment or message body without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place. By default, the text file contains the following string when viewed: Microsoft Forefront Security for Exchange Server removed %File% since it was found to be infected with %Virus% virus.
6. Enable e-mail notifications by using the Send Notifications field. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Sending e-mail notifications). Notifications are disabled by default.
7. Enable or disable saving infected attachments detected by the file scanning engines by using the Quarantine Files field. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
8. Click the Save button to save your antivirus settings.

Controlling the Transport Scan Job

To control the Transport Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.

Select the Transport Scan Job in the list at the top of the Run Job work pane. The bottom portion of the Run Job work pane shows the status and results of the currently selected scan job. With the Transport Scan Job selected, the Enable and Bypass buttons control the operation of the job.

The Transport Scan Job can scan for viruses, perform file filtering or keyword filtering, or a combination of the three tasks. Use the Virus Scanning, File Filtering, and Keyword Filtering check boxes to make the appropriate selections. Any change to these settings is immediate, even if the job is currently running.

The lower portion of the Run Job work pane shows the detection results of the currently selected scan job.

Configuring the Realtime Scan Job - QS

The Forefront Security for Exchange Server Realtime Scan Job runs on the Exchange server to provide immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders resident on the server. This method of scanning e-mail messages in real time is the most effective method for stopping the spread of infectious file attachments.

The Realtime Scan Job can be configured to scan message bodies as well as attachments. This feature is disabled by default upon installation, but can be enabled by selecting Body Scanning - Realtime in the General Options work pane. Message body scanning increases the time required to scan messages.

The Realtime Scan Job can be configured with scan job settings, antivirus settings, and run-time settings.

Note: The Realtime Scan Job settings are also used by Background Scanning.

Procedures

To configure the Realtime Scan Job

1. In the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.
2. In the top portion of the work pane, select the Realtime Scan Job.
3. In the Scan portion of the work pane, select the mailboxes and public folders to be protected. There are three options for making mailbox or public folders selections:
   All
      Scan all existing and newly created mailboxes or public folders.
   None
      Do not scan any mailboxes or public folders.
   Selected
      Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to change to the listing of mailboxes or public folders on the server. You can choose each mailbox or public folder to be scanned by clicking its name. You can use the accompanying buttons to select all or none of the mailboxes or public folders. The 97 button inverts the current selection.
      Note: Choosing all mailboxes or public folders in the selection window is not the same as choosing the All option in the previous window. An inclusion list is built from the selections made in this window. New mailboxes or public folders added after making this selection are not automatically included.
      To return to the main scan selection window, click the arrow in the upper-right corner of the mailbox or public folder selection window.
4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.
5. Click the Save button to save your scan job settings.

Configuring the antivirus settings for the Realtime Scan Job

There are various settings that you can adjust for the Realtime Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.

To configure antivirus settings

1. In the SETTINGS section of the Shuttle Navigator, select Antivirus. The Antivirus Settings work pane appears.
2. In the job list in the upper pane, select the Realtime Scan Job.
3. In the lower pane, select the engines to use for the scan job, from the list of available File Scanners. All the engines are listed, and the five you chose at installation are initially selected by default. (Although you may only use a maximum of five engines, you may use any five. You are not limited to the ones you selected during the installation.) To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Realtime Scan Job.
   Note: If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.
4. In the Bias field, select a bias setting for the scan job. Bias controls how many engines to use to provide you with an acceptable probability that your system is protected. The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.
   Note: Consider setting the Bias to Favor Certainty. For more information about Bias settings, see the Multiple Scan Engines chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
5. In the Action field, select the action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:
   Skip: detect only
      Make no attempt to clean or delete the infection. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted.
   Clean: repair attachment
      Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text. This is the default setting.
   Delete: remove infection
      Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
6. Enable e-mail notifications by using the Send Notifications field. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see Sending e-mail notifications). Notifications are disabled by default.
7. Enable or disable the saving of attachments detected by the file scanning engines by using the Quarantine Files field. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
8. Click Save.

Controlling the Realtime Scan Job

To control the Realtime Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.

The upper portion of the Run Job work pane contains a list of scan jobs and displays their current state. Select the Realtime Scan Job. It can be enabled or disabled using the Enable and Bypass buttons. The pane also displays check boxes that permit you to enable or disable virus scanning, file filtering, and content filtering.

The lower portion of the Run Job work pane shows the detection results of the currently selected scan job.

Configuring and running the Manual Scan Job

Forefront Security for Exchange Server enables you to customize the Manual Scan Job to scan mailboxes that are not covered by the Realtime Scan Job or that contain messages that predate the installation of Forefront Security for Exchange Server. The Manual Scan Job is also useful for scanning with a third-party engine that is different from those being used by the Realtime Scan Job. It is recommended that you run a full manual scan after installing Forefront Security for Exchange Server for the first time.

Note: The Manual Scan Job can be configured to scan message bodies as well as attachments. This feature is disabled by default upon installation, but can be enabled by selecting Body Scanning - Manual in the General Options work pane. Message body scanning increases the time required to perform a manual scan of a server.

Configuring the Manual Scan Job

To modify the Manual Scan Job, click SETTINGS in the Shuttle Navigator, and then click the Scan Job icon. The Scan Job Settings work pane opens to the right.

The upper portion of the Scan Job Settings work pane contains the list of configurable scan jobs. Select the Manual Scan Job.

The lower portion of the work pane permits you to select the mailboxes and public folders to be protected and edit the deletion text that is used when the contents of an infected file are deleted.

To configure Manual Scan Job settings for scanning mailboxes and public folders, and to specify deletion text, you can follow the procedures in the Configuring the Realtime Scan Job - QS chapter.

Configuring antivirus settings for the Manual Scan Job

There are various settings that you can adjust for the Manual Scan Job. These include file scanner selection, bias, action, notifications, and quarantining. For details, see the procedures in the Configuring Antivirus Settings For the Transport Scan Job chapter.

Running the Manual Scan Job

To run the Manual Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.

The upper portion of the Run Job work pane contains a list of scan jobs and displays their current state. Select the Manual Scan Job. It can be started, paused, or stopped using the appropriate buttons. The pane also displays check boxes that permit you to enable or disable virus scanning, file filtering, and content filtering.

The lower portion of the Run Job work pane shows the detection results of the currently selected scan job.

Scheduled background and on-access scanning

The Microsoft® Exchange Virus Scanning API (VSAPI) provides the ability to perform background scanning of all files in the information store and on-access scanning of files as they are accessed. These features enhance the functionality of Forefront Security for Exchange Server by ensuring that files are scanned using the latest engine updates and scanning configuration.

Scheduled background scanning

Scheduled background scanning is recommended as a way to periodically scan a selected set of messages with the latest engine updates and scanning configurations. The scope of the Background Scan Job is determined by the options selected in General Options under the Background Scanning section. By default, background scanning is set to scan all messages received within the last two days.

To activate background scanning, a Background Scan Job must be scheduled. To schedule the Background Scan Job, click OPERATE in the Shuttle Navigator, and then click the Schedule Job icon. The Schedule Job work pane appears.

The upper portion of the Schedule Job work pane shows the Background Scan Job and indicates if it is enabled or disabled. The lower portion of the Schedule Job work pane shows the scheduling information and configuration for the Background Scan Job.

Procedures

To schedule background scanning

1. Select the date, time, and frequency of your scheduled background scan.
2. If the job is disabled, click Enable to enable it.
3. Click Save. The Schedule Job work pane displays the status of the background scan.

To stop or disable background scanning

1. Click REPORT in the Shuttle Navigator, and then click Schedule Job.
2. At the top of the Schedule Job work pane, select the Background Scan Job.
3. Click the Stop button on the Schedule Job work pane.

Note: After a Background Scan Job has been stopped, it restarts after the next signature update if the General Options settings Scan on Scanner Update and Enable Background Scan if "Scan on Scanner Update" Enabled are selected (both are disabled by default). If you do not want the Background Scan Job to start after the next signature update, you can disable the scheduled scan in two ways:
   - Clear the General Options settings Scan on Scanner Update and Enable Background Scan if "Scan on Scanner Update" Enabled.
   - Click the Disable button on the Schedule Job work pane.

On-access scanning

By default, Exchange 2007 on-access scanning ensures that all files being accessed have been scanned at least once by Forefront Security for Exchange Server.

Heightened security on-access scanning

Heightened security on-access scanning may be activated to ensure that all files being accessed are scanned if the antivirus engines have been updated after the file was originally stored.

Note: It is recommended that these high security settings be used only in the event of a serious threat that requires constant rescanning of mail to protect users from a known threat requiring this level of protection.

Procedures

To enable heightened security on-access scanning

Heightened security on-access scanning is controlled by the General Options setting: Scan on Scanner Update. Following a scanner update, previously scanned files are re-scanned when accessed if this option is enabled.

Background scanning on engine update

Background scanning on engine update is intended to ensure that all files are scanned using the latest updates and configurations. Background scanning initiates a scan of the entire information store after scan engine updates. Background scanning on engine update is disabled by default upon installation because background scanning of large information stores can place a heavy load on the server. For information about enabling background scanning on engine update, see the Background Scanning and On-Access Scanning chapter of the "Microsoft Forefront Security for Exchange Server User Guide."

Filtering files

The Forefront Security for Exchange Server file filter feature gives administrators the ability to search for attachments with a specific name, type, extension, and size within an e-mail message. If it finds a match, the file filter can be configured to perform actions on the attachment such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within e-mail messages and other Outlook items, including Tasks and Schedules (such as meetings and appointments).

Mechanics of file filtering

File filtering can be configured to assess several aspects of an attached file: the file name and extension, the actual file type, and the file size. By using these criteria, administrators can filter files in a variety of ways.

Filtering by file type

If you want to filter certain file types, you can create the filter *.* and set the File Types selection to the exact file type you want to filter.

For example: Create the filter *.* and set the File Types to MP3. This ensures that all MP3 files are filtered no matter what their file name or extension.

One advantage of setting a generic filter (for example, *.*) and associating it with a certain file type (for example, EXE) is that it prevents the potential of users bypassing the filter by simply changing the extension of a file.

Filtering by extension

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and set the File Types selection to All Types. This ensures that all files with an .exe extension are filtered.


Filtering by name

If you want to filter all files with a certain name, you can create a filter using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc is filtered no matter what the file type.

Filtering by file size

The Forefront Security for Exchange Server file filter can also be configured to filter files based on their size. To detect files by size, specify a comparison operator (=, >, <, >=, <=) and a file size in kilobytes (KB), megabytes (MB), or gigabytes (GB). These are placed immediately after the file name. For example, the filter *.bmp>=1.2MB filters all .bmp files larger than or equal to 1.2 megabytes.

The General Options setting Max Container File Size specifies the maximum container file size (in bytes) that FSE will attempt to clean or repair in the event that it discovers an infected file.
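The four matching criteria above (name, extension, actual file type, size), modeled in Python as an added example; this is not Forefront code. The signature table, the 1024-byte kilobyte, the FileFilter class and the use of fnmatch wildcard semantics are assumptions made for the illustration, and the sample attachments are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Constructed signature table: leading bytes used to recognise a few file types.
# A real scanner recognises far more types and looks deeper than a prefix.
SIGNATURES = {
    "EXE": (b"MZ",),
    "MP3": (b"ID3", b"\xff\xfb"),
    "BMP": (b"BM",),
}

# Assumption: binary multiples; the guide does not say whether 1 KB is 1000 or 1024 bytes.
UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

COMPARE = {
    "=": lambda size, limit: size == limit,
    ">": lambda size, limit: size > limit,
    "<": lambda size, limit: size < limit,
    ">=": lambda size, limit: size >= limit,
    "<=": lambda size, limit: size <= limit,
}

# A name pattern, optionally followed immediately by <operator><number><unit>.
FILTER_SYNTAX = re.compile(
    r"^(?P<name>.+?)"
    r"(?:(?P<op>>=|<=|=|>|<)(?P<num>\d+(?:\.\d+)?)(?P<unit>KB|MB|GB))?$",
    re.IGNORECASE,
)


def detect_type(data: bytes) -> Optional[str]:
    """Return the file type implied by the content, ignoring the file name."""
    for file_type, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return file_type
    return None


@dataclass(frozen=True)
class FileFilter:
    name_pattern: str
    file_type: str = "ALL"            # "ALL" stands for the All Types selection
    op: Optional[str] = None
    limit_bytes: Optional[float] = None

    @classmethod
    def parse(cls, expression: str, file_type: str = "ALL") -> "FileFilter":
        m = FILTER_SYNTAX.match(expression.strip())
        if m is None:
            raise ValueError(f"unparseable filter: {expression!r}")
        limit = None
        if m["op"]:
            limit = float(m["num"]) * UNIT_BYTES[m["unit"].upper()]
        return cls(m["name"].lower(), file_type.upper(), m["op"], limit)

    def matches(self, filename: str, data: bytes) -> bool:
        # Name matching is not case-sensitive, as the guide states.
        if not fnmatch.fnmatchcase(filename.lower(), self.name_pattern):
            return False
        # Type is judged from content, so renaming the file does not change it.
        if self.file_type != "ALL" and detect_type(data) != self.file_type:
            return False
        if self.op and not COMPARE[self.op](len(data), self.limit_bytes):
            return False
        return True


# Constructed samples: an MP3 renamed to .txt, an executable, and two bitmaps.
RENAMED_MP3 = ("meeting-notes.txt", b"ID3\x03\x00" + b"\x00" * 64)
SETUP_EXE = ("SETUP.EXE", b"MZ\x90\x00" + b"\x00" * 64)
BIG_BMP = ("chart.bmp", b"BM" + b"\x00" * 1_300_000)
SMALL_BMP = ("icon.bmp", b"BM" + b"\x00" * 2_000)


def matching_filters(filters, filename, data):
    """Return the labels of every filter in `filters` that matches the attachment."""
    return [label for label, f in filters.items() if f.matches(filename, data)]


if __name__ == "__main__":
    filters = {
        "*.* + MP3": FileFilter.parse("*.*", "MP3"),
        "*.mp3 + All Types": FileFilter.parse("*.mp3"),
        "*.exe* + All Types": FileFilter.parse("*.exe*"),
        "*.bmp>=1.2MB": FileFilter.parse("*.bmp>=1.2MB"),
    }
    for name, data in (RENAMED_MP3, SETUP_EXE, BIG_BMP, SMALL_BMP):
        print(f"{name:20} -> {matching_filters(filters, name, data)}")
```

The renamed MP3 is caught only by the type-based filter, which is the bypass resistance the "Filtering by file type" section describes.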

Configuring the file filter

You can configure the file filter by file names, file types, or file sizes.

Procedures

To configure the file filter

1. In the Shuttle Navigator, click FILTERING.
2. Click the File icon. The File Filtering pane appears.
3. Select the scan job for which you want to add a file filter.
4. Create the file filter by clicking the Add button and entering the proper syntax. There are a number of ways you can enter a file filter. File filters work by a combination of file name and file type. You must select both elements to complete the filter.
5. Use the File Filter field to set the filter to Enabled.
6. In the Action field, indicate the action that should be taken when a file filter is matched. The options are described in File filtering action.
7. Select if you would like to send notifications when a file is detected. In addition, you must also configure the notifications (see Sending e-mail notifications).
8. Select if you would like detected files quarantined. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
9. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.
10. Click the Save button to save the new file filter.

Note: You can also put your filters in Filter lists.

File filtering action

Select the action that you want Forefront Security for Exchange Server to perform when a file filter is matched. By default, it is set to Delete: remove contents.

Note: You must set the action for each file filter you configure. The Action setting is not global.

Select one of the following:

   Skip: detect only
      Records the number of messages that meet the filter criteria, but permits messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted.
   Delete: remove contents
      Deletes the file attachment. The detected file attachment is removed from the message, and the Deletion Text is inserted in its place. You can configure the text using the Deletion Text button.
   Purge: eliminate message
      Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.
      Note: If the Quarantine Files check box is selected, however, purged messages are quarantined and can be recovered from the Quarantine database.
   Identify: tag message
      The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. This tag is used for all filters associated with the particular scan job.

For more information about setting file filters, including using wildcard characters and creating filters only for inbound or outbound messages, see the File Filtering chapter of the "Microsoft Forefront Security for Exchange Server User Guide."

Filtering content

Content filtering permits administrators to filter messages using a variety of filtering tools, including sender-domains filtering and subject line filtering. Content filtering provides another tool to help manage the flow of messages entering and exiting your enterprise mail stream.

Note: Content filtering is only available for Realtime and Manual Scan Jobs. You can only select the Skip: detect only action for Manual Scan Jobs.

Sender-domains filtering

Sender-domains filtering enables administrators to filter messages from particular senders or domains. Wildcard characters can be used to enable such filters as *@domain.com to filter all mail from a certain domain.

Note: Sender-domains filtering only applies to the From field in a message. It cannot be used for the To field.

Procedures

To configure sender-domains filtering

1. In the Shuttle Navigator, click FILTERING.
2. Select the Content icon. The Content Filtering pane appears.
3. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job.
4. In the Content Fields pane in the lower-left corner, select Sender-Domains, and then click the Add button in the Content Filters pane.
5. A text box appears. Type the sender or domain to filter. If you want to use a generic domain name filter, you must use an asterisk (*) wildcard character before the domain name. For example: *@domain.com
6. Press ENTER when you have typed the sender or domain. You may add as many entries as you like.
7. Enable the filter with the Filter field.
8. In the Action field, indicate the action that should be taken when the filter is matched. The options are described in Content filtering action.
9. Indicate if you would like to send notifications when a file is detected. In addition, you must also configure the notifications (see Sending e-mail notifications).
10. Indicate if you would like detected files quarantined. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Click the Save button to save the new file filter.

The scan job looks at both the display name and the e-mail address of the sender to match against sender-domains filters. If either matches, the filter action will be taken.

Note: You can also have Allowed senders lists.

Subject line filtering

Subject line filtering enables administrators to filter messages based on the content of the subject line of the message. Wildcard characters can be used.

Procedures

To configure subject line filtering

1. In the Shuttle Navigator, click FILTERING.
2. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job.
3. Select the Content icon. The Content Filtering pane appears.
4. In the Content Fields pane in the lower-left corner select Subject Lines, and then click the Add button in the Content Filters pane.
5. A text box appears. Type the content you would like to filter.
6. Press ENTER after you have typed the content. You may add as many entries as you like. If you are entering a partial subject line as a filter, it is recommended that you use asterisk (*) wildcard characters at the beginning and the end of the phrase to ensure proper detection.
7. Enable the filter with the Filter field.
8. In the Action field, indicate the action that should be taken when the filter is matched. The options are described in Content filtering action.
9. Indicate if you would like to send notifications when a file is detected. In addition, you must also configure the notifications (see Sending e-mail notifications).
10. Indicate if you would like detected files quarantined. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Click the Save button to save the new file filter.

Content filtering action

If you are defining a filter for the Realtime Scan Job, select the action for Forefront Security for Exchange Server to take upon detecting a match to your filter criteria (the Manual Scan Job has a fixed value of Skip: detect only).

Note: You must set the action for each file filter you configure. The Action setting is not global.

For a Realtime Scan Job sender-domains or subject line filter, select the Skip or Purge action:

   Skip: detect only
      This setting records the number of messages that meet the filter criteria, but still permits messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
   Purge: eliminate message
      This setting deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

Fi"tering key)ords
Bey$ord filtering is intended to identify un$anted e(mail messages by analy'ing the contents of the message body as messages are transported by the 7ransport 1can >ob% Ay creating ,ey$ord lists, you can filter messages based on a )ariety of $ords, phrases, and sentences% 0dditionally, ,ey$ord filter lists help you to organi'e your ,ey$ord filters%

Creating new keyword lists


For maximum flexibility, you can create your own lists of keywords to scan for. You can thus maintain individual lists of filters for use by different scan jobs.

Procedures
To create a new keyword list
1. In the Shuttle Navigator, click FILTERING, and then click the Filter Lists icon.
2. Select Keywords in the List Type pane.
3. In the List Names section, click the Add button.
4. Type a name for the new list, and then press Enter. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add content to your filter list.
6. In the Include In Filter section, click the Add button.
7. Type a word or phrase to be included in the filter list. Press Enter when you are finished typing. You may have as many words or phrases as you want, but each must be entered separately. The Exclude from Import field is used to enter keywords or phrases that should never be included in the keyword list. This prevents these words and phrases from accidentally being added when importing a list from a text file. For information about importing new items into a filter list and for detailed information about keyword filter syntax, see the "Keyword Lists" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
8. When you are finished adding items, click OK.
9. Click Save.

Enabling keyword filtering


After you have created a keyword list, you must enable it.

Procedures
To enable keyword filtering
1. In the Shuttle Navigator, click FILTERING.
2. Click the Keyword icon. The Keyword Filtering work pane appears.
3. Select the Transport Scan Job. (Keyword filtering only works with the Transport Scan Job.)
4. In the Keyword Fields section, select Message Body.
5. Select one of the filter lists you have created.
6. Using the Filter field, set the filter to Enabled.
7. Set the Keyword filtering action.
8. Indicate whether you would like to send notifications (for the procedures to configure notifications, see Sending e-mail notifications), quarantine identified files, and scan inbound, outbound, or internal mail.
9. Indicate if you would like to Quarantine identified files. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
10. Indicate what combination of Inbound, Outbound, and Internal mail should be scanned.
11. Indicate the Minimum Unique Keyword Hits. This setting enables you to specify how many unique keywords must be matched for the action to be taken. The default is one (1). For example, you have set the minimum unique keyword hits value to 3. The word "wonderful", which is in the list, appears three times in the message. However, no other word in the list appears at all. The keyword filter has not been matched, because only one term in the list was matched.
12. Save your changes.

Keyword filtering action


You must indicate the action that Forefront Security for Exchange Server should take upon detecting a match to your filter criteria.

Note: You must set the action for each content filter you configure. The Action setting is not global.

The action choices are:

Skip: detect only
Records the number of messages that meet the filter criteria, but permits messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Purge: eliminate message
Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

Identify: tag message
The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. This tag is used for all filters associated with the particular scan job.

Note: Forefront Security for Exchange Server keyword filtering scans both plain text and HTML message body content. If Forefront Security for Exchange Server finds a match in both the HTML and the plain text, it reports two detections in the Virus Incidents log and the Quarantine database.
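The following is an added example, not code from the product or the guide, that models the Minimum Unique Keyword Hits setting and the separate plain text and HTML detections so a keyword list can be tried against sample messages before it is enabled. It assumes case-insensitive whole-word matching and that the threshold is applied to each body part on its own; the real keyword filter syntax is described in the User Guide, and all names and sample data here are constructed.

```python
import re
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Collects the text nodes of an HTML body and drops the tags."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def html_to_text(html):
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    # Collapse whitespace so a phrase split by inline tags still reads as one.
    return " ".join(" ".join(parser.parts).split())


def unique_hits(text, keywords):
    """Return the list entries that occur in text at least once."""
    found = set()
    for kw in keywords:
        # Assumption: case-insensitive whole-word or whole-phrase match.
        pattern = r"(?<!\w)" + re.escape(kw) + r"(?!\w)"
        if re.search(pattern, text, re.IGNORECASE):
            found.add(kw.lower())  # repeats of one keyword count once
    return found


def evaluate(plain, html, keywords, min_unique_hits=1):
    """Return the body parts ('plain', 'html') in which the filter matched."""
    detections = []
    for name, text in (("plain", plain), ("html", html_to_text(html))):
        if text and len(unique_hits(text, keywords)) >= min_unique_hits:
            detections.append(name)
    return detections


# Constructed sample data.
KEYWORDS = ["wonderful", "free offer", "act now"]
PLAIN = "A wonderful day, a wonderful deal, simply wonderful."
HTML = "<p>A <b>wonderful</b> free offer. Act now!</p>"
```

With a threshold of 3, `PLAIN` does not match because only one list entry occurs in it, however often; with a threshold of 1, a message carrying both bodies yields two detections.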

Allowed senders lists


Forefront Security for Exchange Server provides allowed senders list functionality to permit administrators to maintain lists of safe e-mail addresses that are not subjected to filtering by the Transport Scan Job. (The allowed sender lists have no effect on scanning for viruses.) Forefront Security for Exchange Server checks the sender address against the allowed senders list. The sender address is defined by the General Options setting Transport Sender Information (either Use MIME From: Header (the default) or Use Transport protocol MAIL FROM). If the e-mail address or e-mail domain appears on the allowed senders list, Forefront Security for Exchange Server will bypass all filtering that has been enabled for the list.

Procedures
To create an allowed senders list
1. In the FILTERING section of the Shuttle Navigator, select Filter Lists.
2. In the List Type section, select Allowed Senders.
3. In the List Names section, click the Add button, type a name for the new list in the text box provided, and then press ENTER to save the list.
4. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to enter e-mail addresses or e-mail domains to include in the allowed sender list.
5. In the Include In Filter section, click the Add button. Type the e-mail address or domain in the text box, and press Enter. User addresses should be entered in the format: user@domain. E-mail domain names should be entered in the format: *domain.
6. Enter each address or domain individually.
7. When you are finished adding items, click OK.
8. Click Save to save the list.
9. To enable the list, click Allowed Senders in the FILTERING section of the Shuttle Navigator, select the Transport Scan Job, select the list name in the Sender Lists work pane, and set the List State to Enabled.
10. In the Skip Scanning for section, indicate if the allowed senders list should apply to Keyword Filtering, File Filtering, or both. You can click All Types to have all the choices selected. If you make no choice, the filter is effectively disabled.
11. Click Save.
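The following is an added example, not code from the product or the guide, that models how the Transport Sender Information choice, the list entries, and the Skip Scanning for selection combine to decide which filters still run for a message. The setting labels `mime_from` and `mail_from`, the function names, the glob interpretation of `*domain`, and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase


def sender_address(raw_message, envelope_mail_from, setting):
    """Pick the address that is checked against the allowed senders list."""
    if setting == "mime_from":   # "Use MIME From: Header" (the default)
        header = message_from_string(raw_message)["From"] or ""
        return parseaddr(header)[1].lower()
    if setting == "mail_from":   # "Use Transport protocol MAIL FROM"
        return envelope_mail_from.lower()
    raise ValueError("unknown Transport Sender Information setting")


def on_allowed_list(address, entries):
    # Assumption: entries are user@domain or *domain, matched as
    # case-insensitive glob patterns against the whole address.
    return any(fnmatchcase(address, entry.lower()) for entry in entries)


def filters_to_run(address, entries, list_enabled, skip_scanning_for):
    """Return the scans that still apply to a message from this sender."""
    active = {"virus", "keyword", "file"}
    if list_enabled and on_allowed_list(address, entries):
        # Virus scanning is never skipped; an empty selection skips nothing.
        active -= set(skip_scanning_for) & {"keyword", "file"}
    return active


# Constructed sample: a mailing-list message whose header author and
# envelope sender legitimately differ.
RAW = (
    "From: Alice <alice@partner.example>\r\n"
    "To: list@lists.example.net\r\n"
    "Subject: Quarterly figures\r\n"
    "\r\n"
    "Body text.\r\n"
)
ENVELOPE = "bounces@lists.example.net"
ALLOWED = ["bob@partner.example", "*partner.example"]
```

For this message the list bypasses keyword and file filtering only under the MIME From: header setting, so the choice of sender source determines which mail an allowed senders list actually exempts.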

Filter lists
The Filter list functionality in Forefront Security for Exchange Server also permits you to create filter lists for use with content and file filtering. By using filter lists for File Filters, Subject Lines Filters, or Sender-Domains Filters, you can maintain individual lists of filters for use by different scan jobs or simply organize your filters.

To create a new file or content filter list, select Files, Keywords, Subject Lines, Sender Domains, or Allowed Senders in the List Types pane of the Filter Lists view (of the FILTERING section of the Shuttle Navigator) and click the Add button. Type a name for the filter list and then press Enter. The new filter list now appears in the List Names section.

After you create a new list, click the Edit button. The window described in Allowed senders lists appears to permit you to add items to the list (or to edit it). Click the Add button to add file names and types, words and phrases, or domain names. The type of items you add depends on the type of filter list you selected: Files (add file names), Keywords (add words that might appear in the message), Subject Lines (add text that might appear in the subject line of a message), Sender Domains (add specific senders or generalized domains), or Allowed Senders (add safe addresses or domains).

The Exclude from Import field is used to enter file names, words and phrases, or domain names that should never be included on the relevant list. This prevents these entries from accidentally being added when importing a list from a text file. For information about importing new items into a filter list, see the "Keyword Filtering" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."

Note: You can change the name of a list by selecting the list in the List Names box and pressing F2.

Sending e-mail notifications


E-mail notifications are critical in keeping Exchange users informed about changes that occur to their attachments due to virus cleaning and file filtering, or informing users of infections that exist when a virus is detected and not cleaned. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.

Configuring e-mail notifications


There are various types of notification messages, including Virus, File, Worm, Content, and Keyword, and each can be individually configured.

Procedures
To configure notifications
1. In the REPORT section of the Shuttle Navigator, select Notification. The Notification Setup work pane appears. The top pane of the Notification Setup work pane lists the default notification roles. Each role can be customized, as well as enabled or disabled. For details about each of the default notification roles, see the "E-Mail Notifications" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
2. Enable the notifications that are to be in effect. The Enable and Disable buttons in the Notification Setup work pane permit you to selectively enable or disable any selected notification. The current status of each notification is displayed in the list in the top pane, under the State column. A change made to the status of a notification takes effect as soon as you click Save.
Note: Scan job configurations control whether a scan job sends any enabled notifications.
3. Make the desired changes to the notifications that are enabled.
4. Click Save to save your work.

Reporting and statistics features


Forefront Security for Exchange Server provides a variety of reports designed to help administrators analyze the state and performance of the Forefront Security for Exchange Server services through the Forefront Server Security Administrator.


Incidents database
The Incidents database (Incidents.mdb) stores all virus detections or filter operations for a Microsoft® Exchange Server, regardless of the scan job that caught the infection or performed the filtering. The results are stored to disk in the Incidents database by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open.

To view the Incidents database, select Incidents in the REPORT section of the Shuttle Navigator. The Incidents work pane appears. For details about the information that Forefront Security for Exchange Server reports for each incident, see the "Reporting and Statistics" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."

Quarantine
Forefront Security for Exchange Server, by default, creates a copy of every detected file before a clean, delete, or skip action occurs. These files are stored in an encoded format in the Quarantine folder under the Forefront Security for Exchange Server DatabasePath folder (which defaults to the Installation folder).

Forefront Security for Exchange Server performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled. An administrator can access the Quarantine pane to delete or extract stored detected file attachments.

To view the Quarantine log, click REPORT in the Shuttle Navigator, and then click the Quarantine icon. The Quarantine pane appears. The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as virus or filter match), the name of the infecting virus or the filter name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.

Other database tasks


There are other tasks you can perform with the Incidents or Quarantine databases. For example, you can clear or move the databases, export or purge database items, or filter database views. For more information, see the "Reporting and Statistics" chapter of the "Microsoft Forefront Security for Exchange Server User Guide."
