Protecting Exchange Server 2007 from Viruses
Exchange 2007 includes many improvements to assist organizations with their
antivirus strategies. The product continues to support the Virus
Scanning Application Programming Interface (VSAPI). In addition,
Microsoft has made a significant investment in the creation of more
effective, efficient, and programmable virus scanning at the transport
level.
Exchange 2007 includes the following antivirus measures, among others:
Transport agents— Exchange 2007 introduces the concept of transport agents. Agents
are managed software components that perform a task in response to an
application event. These agents act on transport events, much like
event sinks in earlier versions of Exchange. Third-party developers can
write customized agents that use the Exchange Multipurpose Internet Mail
Extensions (MIME) parsing engine, which allows extremely robust antivirus
scanning. The Exchange 2007 MIME parsing
engine has evolved over many years of Exchange development and is
likely the most trusted and capable MIME engine in the industry.
Antivirus stamping— Exchange 2007 provides antivirus stamping, a method of stamping
messages that were scanned for viruses with the version of the
antivirus software that performed the scan and the result of the scan.
This feature helps reduce the volume of antivirus scanning across an
organization because, as the message travels through the messaging
system with the antivirus stamp attached, other systems can immediately
determine whether additional scanning must be performed on the message.
Attachment filtering— In Exchange 2007, Microsoft has implemented attachment filtering by a
transport agent. By enabling attachment filtering on your
organization’s Edge Transport server, you can reduce the spread of
malicious attachments before they enter the organization.
Note
Although Exchange Server 2007 provides features to help minimize an
organization’s exposure to viruses, it does not have true, built-in
antivirus protection, as Exchange does not actually scan messages or
attachments to look for infection.
However, continued support for the built-in Virus Scanning Application
Program Interface (VSAPI) allows specialized antivirus programs to
connect their applications to your Exchange environment to scan
messages as they are handled by Exchange.
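As an added example (not from the original text), the following Exchange Management Shell commands show one way to enable and configure the attachment filtering described above on an Edge Transport server. The blocked extensions, the MIME type, and the rejection text are illustrative assumptions.

```powershell
# Run in the Exchange Management Shell on the Edge Transport server.
# Extensions, MIME type and rejection text are illustrative choices.

$agentName = 'Attachment Filtering Agent'

# 1. Make sure the transport agent is enabled.
$agent = Get-TransportAgent -Identity $agentName
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity $agentName
    # Agent changes take effect after the transport service restarts.
    Restart-Service MSExchangeTransport
}

# 2. Entries to block: file-name patterns and MIME content types.
$wanted = @(
    @{ Type = 'FileName';    Name = '*.exe' },
    @{ Type = 'FileName';    Name = '*.scr' },
    @{ Type = 'FileName';    Name = '*.vbs' },
    @{ Type = 'ContentType'; Name = 'application/x-msdownload' }
)

# Add only entries that are not already present, so the script can be re-run.
$existing = Get-AttachmentFilterEntry | ForEach-Object { "$($_.Type):$($_.Name)" }
foreach ($entry in $wanted) {
    $key = "$($entry.Type):$($entry.Name)"
    if ($existing -notcontains $key) {
        Add-AttachmentFilterEntry -Name $entry.Name -Type $entry.Type
    }
}

# 3. Choose what happens to a matching message.
#    Reject returns an SMTP error to the sender; the other actions are
#    Strip (remove the attachment) and SilentDelete (drop without notice).
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse 'Message rejected: attachment type not accepted.'

# 4. Review the resulting configuration.
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse
Get-AttachmentFilterEntry | Sort-Object Type, Name |
    Format-Table Type, Name -AutoSize
```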
Forefront Security for Exchange Server
Designed by Microsoft specifically for Exchange Server 2007, Forefront Security
for Exchange Server is the next generation of Microsoft Antigen for
Exchange. Because these products were designed specifically to work
together, Forefront integrates with Exchange Server 2007 to provide
improved protection, performance, and centralized management.
Forefront Security for Exchange Server delivers the following:
Advanced protection against viruses, worms, phishing, and other threats by
utilizing up to five antivirus engines simultaneously at each layer of
the messaging infrastructure
Optimized performance through coordinated scanning across Edge, Hub, and Mail
servers and features such as in-memory scanning, multithreaded scanning
processes, and performance bias settings
Centralized management of remote installation, engine and signature updating,
reporting, and alerts through the Forefront Server Security Management
Console
Although the client antivirus protection that is provided by Forefront Security for
Exchange Server is language independent, the setup, administration of
the product, and end-user notifications are currently available in 11
server languages. When Forefront Security for Exchange Server detects a
message that appears to be infected with a virus, the system generates
a notification message and sends it to the recipient’s mailbox. This
message is written in the language of the server running Forefront
because the server is not able to detect the language of the
destination mailbox.
Third-Party Antivirus Products for Exchange
In addition, there are many third-party antivirus vendors in the
marketplace. At the time of this writing, there was little to no
documentation on their websites about future integration with Exchange
2007; however, there is no doubt that most of these companies will have
compatible products ready by the time the product is released.
Many mechanisms can be used to protect the messaging environment from
viruses and other malicious code. Most third-party virus-scanning
products scan for known virus signatures and provide some form of
heuristics to scan for unknown viruses. Other antivirus products block
suspicious or specific types of message attachments at the point of
entry before a possible virus reaches the Information Store.
Antivirus products keep viruses from reaching the end user in two fundamental ways:
Gateway scanning— Gateway scanning works by scanning all messages as they go through the
SMTP gateway (typically connected to the Internet). If the message contains
a virus or is suspected of carrying a virus, the antivirus product can
clean, quarantine, or delete it before it enters your Exchange
organization.
Mailbox scanning— Mailbox scanning is useful to remove viruses that have entered the
Information Store. For example, a new virus might make it into the
Exchange environment before a signature file that can detect it is in
place. These messages in the Information Store cannot be scanned by a
gateway application; however, with an antivirus product that is capable
of scanning the Information Store, these messages can be found and
deleted.
Antivirus Outsourcing
Although an organization can put in place many gateway antivirus products to
address antispam and antivirus issues, outsourcing these tasks has
gained popularity in recent years. Companies specializing in antivirus
and antispam are able to host your organization’s MX records, scanning
all messages bound for your company, and forwarding the clean messages
to your organization. Although this removes a level of control from
your administrators, many organizations are finding this outsourcing
cost-effective, as they no longer have to maintain staff devoted
strictly to these measures.