My name is Ryan McGrath and I am a PSS Security Engineer for Microsoft. For the past year I’ve worked exclusively with the Forefront products in their Beta phase working directly with the TAP/ RDP customers and the Product Development group here on Long Island, NY. Working in the TAP program has given me the opportunity to interact with customers who are using the Forefront products for the first time as well as customers that are extremely knowledgeable of our Antigen products and the functionality they provide. That being said, it was easy to pick up on specific topics that would most likely become of high interest to the customer base as a whole. One such topic was the default functionality of Forefront for Exchange on an Exchange 2007 mailbox server.
Forefront behavior on a Mailbox server:
Forefront will have a relatively heavy impact on Exchange 2007 servers with the mailbox role when first installed. Since none of the emails in the store will have an AV stamp on them initially, all messages that are 1 day old or less (by default) in the Information Store will be scanned by Forefront when accessed. An access is either opening a message, viewing a message in the preview pane and some Exchange indexing functions. These actions will trigger an On-Access VSAPI scan, in which Exchange hands the message to Forefront. This phase may consume a large amount of resources and server performance may be significantly affected initially.
These messages handed to and scanned by the Realtime scan job will have the AV stamp (as a MAPI property) applied to them by Realtime and they will not be rescanned if accessed again. Messages that are more than 1 day old will not be handed to the Realtime scan job by VSAPI when accessed due to their age. This was done to help alleviate some of the drastic performance issues that were seen during this “burn in” or bootstrap period. The “On-Access Scan Messages Received Within the Last” General Option can be changed from the default of 1 day.
Once Forefront has been installed for a while the customers will begin to see Forefront resource utilization plateau. This is due to the fact that the number of On-Access scans will drop significantly thereby freeing up cycles to be used by other Exchange related functions. This is due to the fact that, hopefully, all messages will have been scanned at the customer’s Edge or Hub Transport server (with Forefront installed of course!) and had the Transport stamp applied. This transport stamp will be propagated to a MAPI property therefore suppressing the need for VSAPI to hand those same messages to the Realtime scan job when accessed on the mailbox server due to the presence of the stamp.
Regarding the AV stamp, the Manual Scan job does not apply an AV stamp on messages that it scans nor does it ignore messages that already contain the stamp. The Manual scan job will scan everything regardless of the presence of the AV stamp and regardless of the age of the message.
Note: When running a manual scan job, if a message does not contain an AV stamp and is less than 1 day old in age the message will be given to the Realtime scan job by VSAPI and if an infection is contained it will be the Realtime scan job that removes it. Any other rules of the Manual scan job will then be applied after the Realtime scan has had access to the message. Keep in mind that holds true only to messages that are in the Store without an AV stamp (anything with the stamp will be ignored by VSAPI/Realtime) and are less than one day old. This may confuse customers who run a Manual scan but see the Realtime scan job picking up some infections.
The Transport Scan job, Realtime Scan job and Background Scan job are the only scan jobs with the ability to write the AV stamp. The Manual scan job cannot write the AV stamp.
There is one big difference in mailbox scanning from previous versions of Antigen. On Exchange 2007, mail is allowed to leave the mailbox server without being scanned. The reason is that all mail will flow through a Hub server, and will be scanned there. This will result in different behavior that may confuse customers who have been long standing Antigen users. For example, if you set a subject line filter on the Realtime scan job (it is not available on the Transport scan job) and send the message it will not always be caught as it used to. If Administrators are using this as a test they will not see a detection and the message will arrive in the mailbox undetected. This can cause them to believe that the product is not working. The mail is allowed to leave the mailbox, and will be scanned at the Hub server. A Transport stamp will be placed on the message at the Hub, and therefore the message will not be rescanned on the mailbox server, and the subject filter will not be applied. The message will simply arrive with no action being taken by Forefront. You would either have to run a Manual scan for the subject line detection (there is no delete option), or configure Background scan to run. You could also enable a key on the hub server to keep Forefront from writing the stamp so it would be scanned on access but that is not recommended for obvious performance reasons, etc.
I guess the summary of this is that Forefront will behave differently on mailbox servers than Antigen used to. This may cause some alarm and confusion. The performance issues should resolve themselves over a little time however; some scanning behavior needs to be explained with relation to the AV stamp and how Forefront handles messages that have already been scanned on an Edge/Hub server by Forefront and the change in behavior regarding scanning on the mailbox server