Fine tuning Microsoft ForeFront Server Security for Exchange

ForeFront is Microsoft's security solution for Microsoft Exchange 2007. Installing ForeFront is less than half the battle, however. After you get ForeFront installed, you've got to fine tune its settings for Microsoft Exchange 2007. Brien Posey shows how to fine tune ForeFront Server Security for Exchange.

After the install

Now that you have installed ForeFront, it's time to finish configuring and fine tuning it. You can access the administrative console by selecting the ForeFront Server Security Administrator command from the Start | All Programs | Microsoft ForeFront Server Security | Exchange Server menu. Upon doing so, you will see a prompt asking you which server you want to connect to. The current server is selected by default, so just click OK.

Click OK to dismiss the message regarding ForeFront's evaluation period, and you will be taken into the administrative console, shown in Figure A.

Figure A

This is the default view of the ForeFront Server Security Administrator console.

Configuring Scanning Engine Bias

Lesson number one when it comes to configuring ForeFront is that having multiple scanning engines at your disposal isn't always what it seems. When I walked you through the initial setup, I showed you how you could configure ForeFront to use up to five different scanning engines. In a way this is deceptive though, because depending on how ForeFront's Bias settings are configured, ForeFront may not use all of those scanning engines simultaneously, which kind of defeats the whole purpose of using ForeFront.

To configure the Bias settings, click the Settings button in the column on the left, and then click the Antivirus button, found within the Settings section. When you do, you will see the screen shown in Figure B.

Figure B

The Antivirus screen allows you to configure ForeFront's Bias settings.

If you look at the bottom of this screen, the first thing that you will probably notice is the File Scanners section. As you can see in the figure, the File Scanners section lists the various scanning engines that are available. The scanning engines that you chose during the initial setup process are selected by default, but if you want to switch scanning engines for some reason, you can do that by deselecting the scanning engine that you want to remove, and selecting a new scanning engine.

Now, take a look at the Bias drop down list. You will notice that the Bias setting is configured to Favor Certainty. This means that by default, ForeFront will use its various scanning engines in a way that will be likely to catch most, if not all, of the viruses that come into your Exchange Server.

Although this probably sounds as though ForeFront is configured to use all of the scanning engines to catch viruses, that's not what's actually happening. Microsoft's documentation for ForeFront indicates that the Favor Certainty Bias setting causes ForeFront to fluctuate between using half of the scanning engines and using all of them.

Before I move on, I want to quickly address the notion of using half of the scanning engines. When I talk about the other available Bias settings, you will find that several of them use half of the scanning engines. By default, though, ForeFront is designed to use five different scanning engines. Since ForeFront can't use two and a half scanning engines, it rounds up and considers half of the scanning engines to be three. Of course, that assumes that you have configured ForeFront to use all five available scanning engines. If you have chosen fewer than five scanning engines, then half of them will be fewer than three. The table below lists what ForeFront considers to be half of the scanning engines in various situations:

Number of Scanning Engines | Half of the Scanning Engines

Now that you know what ForeFront means by 'half of the scanning engines', here are the various Bias settings that you can choose from, and what those settings mean:

Bias Setting | What it means

Maximum Performance: ForeFront will only use one scanning engine at a time.

Favor Performance: ForeFront will fluctuate between using one scanning engine and half of your scanning engines.

Neutral: ForeFront will scan each message with half of the scanning engines.

Favor Certainty: ForeFront will fluctuate between using half of the scanning engines and all of them.

Maximum Certainty: ForeFront will scan all messages using all of the scanning engines.

As you can see, there is a tradeoff between certainty and performance. Each scanning engine has some impact on system performance, and the more scanning engines you use at a time, the bigger that impact. ForeFront is designed to use its scanning engines as efficiently as possible. Messages are stamped once they have been scanned, so a message is not rescanned at every hop; this helps to improve performance by eliminating redundant scanning. Even so, you may want to experiment with different Bias settings in order to find the best balance between performance and accuracy.

One last thing that I want to show you before I move on is the Action section at the bottom of the screen. You can use the settings found in this section to control what happens when an infected message is detected. By default, the message is cleaned and quarantined, but you have the option of changing this behavior. As you can see in the figure, you have the option of enabling or disabling quarantines and notifications by selecting or deselecting the appropriate check boxes. The Actions drop down list gives you the option of skipping the infection (detecting it only), cleaning and repairing the infected file, or deleting the infected attachment. The choice is yours.

Controlling What Gets Scanned

The next thing that I want to show you is how you can control exactly what ForeFront scans. To do so, click the Settings button in the column on the left, and then click the Scan Job button. When you do, you will see the screen that is shown in Figure C.

Figure C

The Scan Job section allows you to control what is scanned for viruses.

If you look at the top portion of this screen, you will see a listing for Transport Scan Job. This scan job is created by default, and is responsible for scanning messages as they move through the transport pipeline. Keep in mind that in my lab I have installed ForeFront onto an edge transport server. According to my research though, ForeFront creates the same job on hub transport servers.

In pretty much every Microsoft management utility that I can think of, you can right click an item listed within the console, choose the Properties command from the resulting shortcut menu, and then edit the item's properties on the resulting properties sheet. The ForeFront Server Security Administrator is different, though. The jobs that are listed have no shortcut menu or properties sheet. If you want to control what is being scanned, you simply select the job and then select the appropriate check boxes within the Transport Messages section below.

As the names of the check boxes imply, selecting the Inbound check box causes SMTP messages from the Internet to be scanned as they enter your Exchange Server organization. Inbound messages are by far the most important messages to scan.

Outbound messages are messages that your users send to recipients outside of your Exchange Server organization. It is usually a good idea to scan outbound messages. You never know when a user in your organization might contract an e-mail virus, and you would not want that user to be able to spread that virus to your customers or suppliers.

The third scanning option is Internal. If you select this option, then messages sent between users within your Exchange Server organization will be automatically scanned for viruses. I have read case studies in which some companies disable internal scanning for performance reasons. The logic is that if inbound and outbound messages are being scanned, then there is no reason why any of the internal messages should ever be infected. Furthermore, workstation level antivirus software that's integrated into Outlook should be able to stop any infections from being spread internally.

In a way, I can see the logic in this point of view, and I do not disagree with the idea that disabling internal scanning can help to improve the server's performance. Personally though, I think that if ForeFront offers you the chance to scan messages flowing across the internal transport pipeline, then you should take advantage of that capability. Sure, you can rely on client level antivirus software to detect viruses as they are accessed through Outlook, but taking this approach does not allow you to use multiple scanning engines to scan internal messages.

Another reason why I think that you should enable internal scanning is that if you disable internal scanning, then there is the potential for infected messages to make it into users' inboxes. Yes, client level antivirus software can disinfect the messages as users open them through Outlook, but do you really want to have viruses present within your information store database? Besides, what happens if a user uses OWA to open an infected attachment instead of using Outlook?

The good news is that Inbound, Outbound, and Internal message scanning is enabled by default. If you do decide to make a change though, keep in mind that the change will not take effect until you click the Save button located in the lower, right hand corner of the console screen.

One last thing that is worth pointing out on this screen is the pair of buttons labeled Deletion Text and Tag Text. The Deletion Text button allows you to control the text that ForeFront puts in place of an infected attachment that it deletes, which is what the recipient sees when notifications are enabled and the attachment has been removed. By default, that text is a short message containing the name of the infected file and the name of the virus that was detected.

The Tag Text button allows you to add a tag line to a message's subject line if ForeFront suspects that the message might be spam. I don't really want to get into ForeFront's spam filtering capabilities since they initially mirror those that are built into Exchange 2007. If you want to use ForeFront to filter spam though, you can access those capabilities by clicking the Filtering button, as shown in Figure D.

Figure D

You can use ForeFront to control spam filtering.

Performing Exchange Server Maintenance

One last issue that I want to discuss is that of performing Exchange Server maintenance. Periodically, you will probably want to install service packs or hotfixes for Exchange. If you are using an automatic update mechanism, such as Windows Server Update Services (WSUS), then you won't usually have to worry about what I am about to show you. If you typically perform manual updates, though, then this is important.

To install an update for Exchange Server once ForeFront has been installed, you must begin by stopping all of the Exchange Server related services. After doing so, you must temporarily disable ForeFront. The easiest way of accomplishing this is to open a Command Prompt window and navigate to the folder in which ForeFront is installed. You must then run the FSCUtility command with the /disable switch to disable ForeFront. Assuming that ForeFront is installed in the default location, the actual commands that you would use are:


CD "\Program Files (x86)\Microsoft ForeFront Security\Exchange Server"

FSCUtility /disable

Once you have executed these commands, you can apply your Exchange Server update. When the update process is complete, you can re-enable ForeFront by entering the following commands:

FSCUtility /enable


Keep in mind that you may still have to restart the various Exchange Server services.
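The manual sequence above (stop the Exchange services, run FSCUtility /disable, apply the update, run FSCUtility /enable, restart the services) is easy to get half way through and then forget, leaving the server without scanning. The following PowerShell script is an added example, not code from the article or from Microsoft, that wraps the same steps so that ForeFront is re-enabled even when the installer fails, and that refuses to restart mail flow if re-enabling fails. It assumes PowerShell 2.0 or later run from an elevated prompt on the server hosting ForeFront, that the update is a single installer you point it at through the $InstallerPath and $InstallerArguments parameters (placeholders; the page does not specify an installer), and that FSCUtility.exe lives in one of the two default ForeFront install folders.

```powershell
# Added example (not from the article): wraps the manual ForeFront maintenance
# steps in one script. Run from an elevated PowerShell 2.0+ prompt on the
# Exchange server that hosts ForeFront.
#
# Assumptions not stated on the page:
#  - the update is one installer launched via $InstallerPath/$InstallerArguments
#    (placeholders; e.g. msiexec.exe with /update "C:\Updates\rollup.msp" /qn);
#  - FSCUtility.exe is in the default 64-bit or 32-bit ForeFront install folder.

param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,        # e.g. 'msiexec.exe'
    [Parameter(Mandatory = $true)]
    [string]$InstallerArguments    # e.g. '/update "C:\Updates\rollup.msp" /qn /norestart'
)

# Locate FSCUtility.exe: 64-bit ForeFront under Program Files, 32-bit ForeFront
# (as in the article's lab) under Program Files (x86). On 32-bit Windows the
# second variable is empty, so drop empty entries before joining paths.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$fscUtility = $programDirs |
    ForEach-Object { Join-Path $_ 'Microsoft Forefront Security\Exchange Server\FSCUtility.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $fscUtility) {
    throw 'FSCUtility.exe was not found in either default ForeFront install folder.'
}

# Step 1: stop the Exchange services, remembering which ones were running so
# that only those are started again afterwards.
$exchangeServices = @(Get-Service -Name 'MSExchange*' | Where-Object { $_.Status -eq 'Running' })
foreach ($svc in $exchangeServices) {
    Write-Host "Stopping $($svc.Name)"
    Stop-Service -Name $svc.Name -Force
}

# Step 2: disable ForeFront (the FSCUtility /disable command from the text).
& $fscUtility /disable
if ($LASTEXITCODE -ne 0) {
    throw "FSCUtility /disable failed with exit code $LASTEXITCODE; not applying the update."
}

$forefrontEnabled = $false
try {
    # Step 3: apply the update and wait for the installer to finish.
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArguments -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "Installer returned exit code $($proc.ExitCode); check its log before trusting this server."
    }
}
finally {
    # Step 4: always re-enable ForeFront, even if the installer threw, so the
    # server is never left with scanning switched off.
    & $fscUtility /enable
    if ($LASTEXITCODE -eq 0) {
        $forefrontEnabled = $true
    } else {
        Write-Warning "FSCUtility /enable failed with exit code $LASTEXITCODE."
    }

    # Step 5: restart only the services this script stopped, and only if
    # ForeFront is scanning again. Otherwise leave mail flow down for a human
    # to fix rather than accept unscanned mail.
    if ($forefrontEnabled) {
        foreach ($svc in $exchangeServices) {
            Write-Host "Starting $($svc.Name)"
            Start-Service -Name $svc.Name
        }
    } else {
        Write-Warning 'Exchange services were NOT restarted. Re-run FSCUtility /enable by hand, then start the MSExchange* services.'
    }
}
```

Stop-Service -Force takes dependent services down with the one named, and Start-Service brings required services back up, so the order in which MSExchange* services are enumerated does not matter. The deliberate design choice is in step 5: a failed FSCUtility /enable leaves the transport pipeline stopped, because restarting it would silently reproduce the unscanned-mail condition the article warns about.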

One thing that you might have noticed about the first set of commands that I showed you is that the default installation path for ForeFront is \Program Files (x86)\Microsoft ForeFront Security\Exchange Server. This installation path indicates that the server is running a 64-bit version of Windows, but a 32-bit version of ForeFront. The reason for this is that I installed ForeFront onto my lab server directly from the Exchange 2007 installation DVD. Microsoft does offer a 64-bit version of ForeFront, which you should be using for real world deployments.