[Figure: Exchange transport pipeline and Forefront agent placement. Labels: EdgeTransportSvc.exe; SMTP Receive (connector selection, IP throttling, connection tarpitting, inbound TLS, event dispatch); SMTP Receive Agents; AddressRewritingInbound Agent; Sender ID Agent; Content Filtering Agent; Attachment Filtering Agent; Stranded Mail; Scanner (priority, create, fork/create on restart); Inbound/Outbound message flow between the Internet, FSE-protected Edge, FSE-protected Hub and Mailbox roles]
A scan process analyzes messages and applies appropriate file navigation, filters, and malware
scans for each part of a message.
There are multiple scanning processes per scan job type (default number is 4), configurable by
the administrator, which enable concurrent processing of multiple messages and reduce the
direct impact of the scanning process on the core Exchange process (preventing, for example,
the possibility of crashing due to the deep content inspection of potentially malicious code).
Currently, the FPE scan process encompasses the following scanning technologies:
Figure 4 describes the Forefront scan process basic diagram in Exchange Edge and Hub roles.
[Figure 4: Forefront scan process on the Edge and Hub Transport roles. Exchange Transport hosts the Forefront Antispam Agents, the Antimalware Agent and Other Agents; these hand messages to a pool of Scan Processes built from the Antimalware Engine, File Navigators, Adapters, Keyword and Filtering Engines, and Quarantine and Actions]
Figure 5 Forefront Security for Exchange Server Scan Process on Mailbox Role
Figure 5 describes the Forefront scan process basic diagram on the Exchange Mailbox role.
[Figure 5: the Forefront VSAPI hook agent on the Mailbox role hands messages to the pool of Scan Processes built from the Antimalware Engine, File Navigators, Adapters, Keyword and Filtering Engines, and Quarantine and Actions]
Clean
A message part (which could be a message body or an attachment) is cleaned. This option only
applies to virus scans. If cleaning is successful, the original part will be replaced by the cleaned
part and reassembled into the original format of the message. For example, an e-mail contains
the attachment a.zip. This zip file contains two files: b1.doc and b2.exe. If b1.doc is infected but
cleaned by FPE and b2.exe is clean, a modified a.zip that contains the cleaned b1.doc and the
original b2.exe will arrive in the user’s inbox.
Delete
A message part is deleted and replaced with custom-defined deletion text. For example, an e-mail contains the attachment a.zip. This zip file contains two files, b1.doc and b2.exe. If b1.doc is infected, it will be deleted, and a modified a.zip that contains the deletion text b1.txt and the original b2.exe will arrive in the user’s inbox.
Deletion Text b1.txt contains the following text by default:
“Forefront Security for Exchange Server detected b1.doc to be infected.”
The FPE administrator can customize the Deletion Text. For more information on customizing Deletion Text, refer to the FPE Operations Guide.
Purge
The entire message is deleted and will not be delivered to the recipient(s). This option always applies to worms (a special virus type). This option is supported in real-time (Exchange Mailbox) scanning as well. In VSAPI 2.6, the VIRSCAN_DELETE_MESSAGE error code indicates that the top-level message is deleted, effectively purging the message.
See Table 1 and Table 2 for what this action applies to.
Identify
A user-defined word or phrase will be pre-pended to the e-mail subject line. No other action is taken on the message. This is supported in filtering. It is available for keyword filtering, file filtering, subject line filtering, and sender-domain filtering.
For example, if a keyword is matched within an e-mail message body, text defined by the FPE
administrator will be pre-pended to the e-mail subject line, indicating that a matching keyword
was found. The default pre-pended text is “SUSPECT:”.
FPE administrators can also use this option to add a MIME message header so that it can be
identified later for processing into folders at a user’s inbox or for other purposes identified by
the FPE administrator. By default, X-Junk-Mail is written to the header.
ACTION TABLE
The following table shows the action options within FPE filters and default actions among various scan job types.

Scan Job Type: Hub Transport or Edge Transport
  Filter Type            Actions
  File Filter          : Skip (detect only), Purge, Delete, Identify
  Keyword Filter       : Skip (detect only), Purge, Identify
  Allowed Sender (1)   : N/A
  Subject Line Filter  : Skip (detect only), Purge, Identify
  Sender-Domain Filter : Skip (detect only), Purge, Identify
Table 1
Note:
1. The Allowed Sender List is used to identify sender addresses/domains that are allowed to bypass the configured filters (File Filter, Keyword Filter, Subject Line Filter, Sender-Domain Filter).
The following table shows the action choices in FPE among various scan job types for malware
scans.
Malware Type
Virus Spyware
Table 2
Table 3
Scan Sequence
When a message is scanned by an FPE scan process, it is processed by antimalware engines and filtering engines in one pass. This is done by navigating each part of the encoded message or compressed file recursively. This maximizes performance but also increases the complexity of the process. The following diagrams depict the logic flow of the scan and action sequence for the scan process.
[Figure: message header scanning flow]
1. Does the message match a sender/domain filter?
   No: go to step 2.
   Yes, and the action is purge: message removed from pipeline.
   Yes, and the action is identify [Transport]: tag(s) added to header(s); go to step 2.
2. Does the message header match a subject filter?
   No: header scanning is done.
   Yes, and the action is purge: message removed from pipeline.
   Yes, and the action is identify [Transport]: tag(s) added to header(s).
The following diagrams depict the logic flow of the scan and action sequence for the message
body and attachments.
Note:
The scan sequence is a recursive operation based on file navigation flow.
“End of execution” means to go back to the last level of execution of the recursive action. For
example, a message contains a.zip as an attachment, and a.zip contains b.exe and c.doc. If b.exe
is spyware but not a virus, and the spyware scan action is “Delete”, file b.exe will be replaced
with Deletion Text “b.txt”, and the execution will end for b.exe and the flow will go back to the
scan of the next container subpart, c.doc.
[Figure: Antimalware/Filtering Agent scan flow for the message body and attachments]
1. Check if the file is a container. Yes: navigate into each subpart and apply this flow to it.
2. [Transport] Is this file a message body? Yes: Keyword Filtering.
   Does the sender match an allowed sender list for keyword filtering? Yes: keyword filtering is bypassed.
   Does the message body match a keyword filter?
     Yes, and the action is purge: message removed from pipeline.
     Yes, and the action is identify [Transport]: tag(s) added to header(s).
3. Does the file contain a worm? Yes: message removed from pipeline.
4. File Filtering. Does the sender match an allowed sender list for file filtering? Yes: file filtering is bypassed.
   Does the file name or type match a file filter?
     Yes, and the action is purge: message removed from pipeline.
     Yes, and the action is identify [Transport]: tag(s) added to header(s).
     Yes, and the action is delete: deletion text inserted.
5. Was the file part of a container? Yes: can the container be rebuilt?
     Yes: new container replaces old.
     No: treated as a corrupted compressed file; action is skip.
6. Was the file a subpart of a container? Yes: end of execution (return to the enclosing level).
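The Clean, Delete and Purge actions described earlier and the recursive "end of execution" rule from the note above are worked through in the following added Python example; it is not part of this document or of FPE. It assumes zip as the only container format, replaces the antimalware engines' verdicts with constructed byte markers, and uses the default Deletion Text quoted above.

```python
import io
import zipfile

# Default Deletion Text quoted on the page; {name} is the deleted part's name.
DELETION_TEXT = "Forefront Security for Exchange Server detected {name} to be infected."
INFECTED = b"<<constructed-infected-marker>>"  # constructed engine-verdict stand-ins,
WORM = b"<<constructed-worm-marker>>"          # not real FPE signatures

class Purged(Exception):
    """A worm was found: the entire message is removed from the pipeline."""

def scan_part(name, data, action, log):
    """Navigate one part recursively; return the (name, bytes) that replaces it."""
    if zipfile.is_zipfile(io.BytesIO(data)):  # container: scan each subpart, then rebuild
        out = io.BytesIO()
        with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
            for info in zin.infolist():
                zout.writestr(*scan_part(info.filename, zin.read(info), action, log))
        return name, out.getvalue()  # new container replaces old ("end of execution")
    if WORM in data:  # purge always applies to worms, whatever the configured action
        log.append(f"purge: worm in {name}")
        raise Purged(name)
    if INFECTED in data:
        if action == "delete":  # replace the part with Deletion Text named <stem>.txt
            stem = name.rsplit(".", 1)[0]
            log.append(f"delete: {name} -> {stem}.txt")
            return stem + ".txt", DELETION_TEXT.format(name=name).encode()
        if action == "clean":  # simulated disinfection: strip the marker, keep the part
            log.append(f"clean: {name}")
            return name, data.replace(INFECTED, b"")
    return name, data  # clean part, or an infected part under skip (detect only)

def scan_message(parts, action):
    """Scan every top-level part (body or attachment); (None, log) means purged."""
    log = []
    try:
        return dict(scan_part(n, d, action, log) for n, d in parts.items()), log
    except Purged:
        return None, log

def make_zip(files):  # {name: bytes} -> zip bytes, used to construct sample input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in files.items():
            z.writestr(n, d)
    return buf.getvalue()

def zip_contents(data):  # zip bytes -> {name: bytes}, to inspect a rebuilt container
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {i.filename: z.read(i) for i in z.infolist()}
```

Scanning the page's a.zip (infected b1.doc, clean b2.exe) with action delete yields a rebuilt a.zip holding b1.txt with the Deletion Text and the untouched b2.exe; a worm anywhere in the message makes scan_message return None, i.e. the message is purged.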
We summarized some of the core functionalities in Forefront Protection for Exchange Server
and provided detailed views of malware scanning and filtering. This should give you an in-depth
understanding of the product to leverage the superior protection provided by FPE.
The vision behind this product line is to maximize protection by building a solution that is componentized and is adaptive to current and future scanning technologies. We are working hard towards that goal.
Your feedback is critical for improving the existing product and building more successful ones in
the future.