
2009

Spectrum Engineering Consortium Ltd.

[INSTALLING FOREFRONT EXCHANGE SECURITY IN MAILBOX SERVER]
This document is for IT staff, to help them install Forefront Security for Exchange (FSE) smoothly on a mailbox server and test its functionality.
In this scenario we are targeting placement of Forefront on the Mailbox Server Role. Forefront Security for Exchange includes both Realtime and Transport Layer Scanning capabilities along with a Manual Scan capability. There is also a rich, highly customizable Content Scanning capability for Files by File Extension (example: quarantine all files with a .scr File Extension) and by File Name (example: quarantine all files named zippo_virus.txt), restrictions by Allowed Sender, and Filtering by Keyword (example: delete all files with the word 'tucan' in the Subject or Message Body). The Manual Scan capability provides for business-specific combinations of the many variations available above. We will explore the initial installation and then, in separate Blog entries, provide examples of using Filtering by 1) Content, 2) Keyword, 3) File, 4) Allowed Sender or 5) Filter Lists.

Finally, it is always worth mentioning that one of the primary reasons Businesses are selecting Forefront Security for Exchange is that it is a Product designed from the ground up to incorporate scanning through multiple Anti-Virus Engines, with a maximum of 5 Engines (of 10 available) selected for any one Scan Type. The current Anti-Virus Vendors included in Forefront Security for Exchange are:

• Norman Virus Control
• Microsoft Antimalware Engine
• Sophos Virus Detection Engine
• CA Inoculate IT
• CA Vet
• Authentium Command Antivirus Engine
• AhnLab Antivirus Scan Engine
• Worm List
• VirusBuster Antivirus Scan Technology
• Kaspersky Antivirus Technology

Let's get this Product installed then explore its capabilities further!

By- Md. Ashifuzzaman [MCSE, MCTS,MCITP] Page 2


I begin by logging onto the Exchange 2007 Mailbox Server Role and identifying the Forefront Security for Exchange
Setup File.



I initiate the Setup process using the Wizard Based dialogue windows.



The complexity of the Setup configuration is low. In this example I am completing a 'Local Installation'.



Forefront Security for Exchange provides the ability to complete a 'Full Installation' or a separate 'Console Only Installation'.



Once messages are in 'Quarantine' there are several approaches to consider when 'handling' these Quarantined Messages. 'Secure Mode' is recommended, as rescanning Messages is a better idea (in my opinion) than not applying any of the unique Content or File Filtering capabilities a second time when viewing.



I select default, randomly chosen Anti-Virus Engines (5 of a possible 10 Engines) understanding that once Forefront
Security for Exchange is in place we receive Anti-Virus Engine and Virus Definition Files from all 10 Vendors.
Additionally, we can then 'selectively choose 5 Vendors' on a Per Server (and even Per Scan Type) basis.



Here is a clear statement that all 10 Anti-Virus Engines and Anti-Virus Definition Files require downloadable updates
upon completion of the installation process. Typically this 'Engine' and 'AV Definition' update process takes under 30
Minutes total.



Final confirmation of the installation steps that the Microsoft Installer for Forefront Security for Exchange will carry out, shown before they are executed.



Since Forefront Security for Exchange incorporates 'Transport Level Anti-Virus Scanning' the Exchange 2007
Transport Service must be Stopped, Forefront Security for Exchange installed, then the Exchange 2007 Transport
Service Started again.



Confirmation that the Exchange 2007 Transport Service restarted successfully.



Success! A quick scan of the 'Readme' File and we are ready to roll. Note: the 'Readme' file includes detail on how to generate a Test Virus File as prescribed by EICAR. It is not really a Virus, just a file with Content that all Anti-Virus Vendors recognize as 'test values'. http://www.eicar.org



The Forefront Security for Exchange Administrator icon and Application are now in place and functional.



I have found the most logical 'first step' in configuring Forefront Security for Exchange is validating that the 'Proxy Server' settings are correct. This allows the Application to go to the defined Microsoft Internet URL and download both Anti-Virus Engine Updates and Anti-Virus Definitions.



Anti-Virus Engine and Anti-Virus Definition Updates begin downloading right away. The Download Schedule is
completely customizable.



Now I move to a Windows XP SP2 Workstation with Outlook 2007 installed. The intent of this Login is to use the
'Test EICAR Virus File', send it in an e-mail to fellow employees and determine if Forefront Security for Exchange
'catches' the Virus.



I log in as Ralph McGee - one of my fictitious e-mail users on Exchange 2007.



I have placed the 'EICAR Virus Test File' on the Desktop of 'All Users' on this Workstation. I briefly rename this file from 'eicar.com' to 'eicar.pow' and send it to other Mailbox holders. Go Virus Test File Go!



Right away Forefront Security for Exchange picks up the 'EICAR Virus Test File' as witnessed in the Quarantine
Object in the Forefront Security for Exchange Application. We can see who sent the Virus, the Virus Type, the
Recipients, anyone marked as a Carbon Copy (CC) and the action taken by Forefront Security for Exchange. Most of
these parameters are configurable based on the requirements of your Business.



Another valuable capability of Forefront Security for Exchange is that when an 'Event' occurs the Application Log on
the Local Server includes an Event by Event ID. There is complete integration with Microsoft Operations Manager
2005 and System Center Operations Manager 2007 for compiling Performance Metrics along with detailed Alerting.



I now move back to the Mailbox of Ralph McGee. Forefront Security for Exchange has sent the e-mail and replaced
the Virus Payload with a Text File named 'eicar.txt'.
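
The EICAR test walked through above (send the renamed test file, then inspect the delivered copy) can be scripted. This is an added example, not part of the original document; the SMTP host, the addresses and the three verdict labels are assumptions made for the illustration.

```python
# Added example: scripted EICAR mail test (not from the original document).
from email import message_from_bytes, policy
from email.message import EmailMessage

# Standard 68-byte EICAR test string, split in two so that an on-access
# scanner does not quarantine this script itself.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + rb"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_message(sender, recipient, filename="eicar.pow"):
    """Mail carrying the EICAR file under a renamed extension, as in the walkthrough."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "AV scan test (EICAR)"
    msg.set_content("Scanner test; the attachment is the harmless EICAR test file.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def verdict(raw_message):
    """Classify a delivered copy (labels are this example's own):
    'delivered-unscanned' - EICAR bytes still present in an attachment
    'replaced'            - attachments present, none contains EICAR
    'stripped'            - no attachment left at all
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    attachments = list(msg.iter_attachments())
    if not attachments:
        return "stripped"
    for part in attachments:
        if EICAR in (part.get_payload(decode=True) or b""):
            return "delivered-unscanned"
    return "replaced"


def sample_replaced_copy():
    """Constructed stand-in for what the recipient sees after scanning."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "ralph@lab.example", "user@lab.example"
    msg.set_content("Scanner test.")
    msg.add_attachment("Attachment removed by the scanner.", filename="eicar.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    import smtplib, sys
    host, sender, rcpt = sys.argv[1:4]   # lab SMTP host and addresses (assumed)
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(build_test_message(sender, rcpt))
```

Run `verdict()` on the raw message exported from the recipient's mailbox; a result of 'delivered-unscanned' means the renamed file passed through without being caught.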



We can customize the 'Notification Message' as I have done in this example by indicating the line starting with '....If
you have
