Securing Exchange mailboxes with MS Forefront

by Ashutosh Desai    Apr 21, 2010

Email has become a vital mode of communication for organizations today, small and large. Messaging service providers must therefore deliver high availability coupled with security that is as reliable as the mail service itself. In a conversation with CXOtoday, Javeed Khan, Manager, Managed Services, and Swaminathan BG, Manager, Managed Services, Tata Communications, shared their experiences of using Microsoft's anti-virus and anti-spam solution on their Exchange servers.

What version of Forefront for Exchange have you currently implemented at Tata Communications for your customers?
Right now we are using Antigen for Exchange 2003. It has since been renamed Forefront and is an anti-virus and anti-spam (AVAS) application. Antigen is for Exchange 2003, while Forefront is for Exchange 2007 and later. There is no change in functionality or in how it works, only in the name of the application.

Can you share the product's threat management capabilities with us? When used with the mail server, how does it protect mailboxes?
It can be deployed at various perimeter levels. Depending on your requirement, you can install it at the gateway level, on a box where you run only the SMTP service and deploy this product. In this scenario, it scans at the SMTP protocol level. If you enable outbound scanning, then in addition to whatever emails you get from outside the organization, it will also rescan the outbound messages through the anti-virus engine. This is one level.

At another level, if you install the application on the Exchange server itself, it does automatic mailbox-level scanning. As and when an email is received, it is scanned and then delivered to the mailbox. There is also an option to run a manual scan or a database scan.

How does Forefront keep its engine updated with the latest security patches?
The good thing about this product is that it has multiple anti-virus engines integrated into a single product. Normally, any anti-virus available in the market has only a single engine. With regard to discovering new threats, if any one of the anti-virus engines goes offline, another engine can detect the threat and obtain a signature for it. This is the advantage of having multiple anti-virus engines.

The problem with single-engine anti-virus solutions is the possibility of not obtaining an update on time. This could leave the mail server exposed to security vulnerabilities. Forefront, on the other hand, has eight to nine different anti-virus engines integrated into it, such as Kaspersky, Microsoft, Sophos, etc. If one engine goes offline, another can take over the scanning of messages.

Obviously, running eight to nine anti-virus engines on one server will reduce server performance. Additionally, it adds to the computing load if Exchange is installed on the same server; both are heavy, processor- and memory-intensive applications. As a workaround, we also have the option of selectively enabling engines to optimize server performance.

One also needs to consider the time required to download and install the updates. This differs from vendor to vendor. With the help of Forefront's multiple anti-virus engines, we are able to minimize the time delay.

But will there still be some time lag in installing updates on time?
In Antigen, we normally schedule a time to check for updates from the vendor website. It depends on how frequently you check for updates. In a large environment, one must consider the mail flow reaching the mail server. Being an ISP, we receive lakhs (hundreds of thousands) of emails per day. Even five minutes is critical for us. If we do not get an update for one hour, we will receive thousands of emails in that same period. We have scheduled different update intervals across the multiple engines. We minimize the chance of getting infected by running multiple engines at the same time.

Is there a way to restore emails that are wrongly classified as junk?
Yes, there is. When you configure a policy to block particular content, or define a content compliance policy, you can recall mails or attachments that were quarantined because they may contain data that the policy is configured to filter out. There is a chance that legitimate mails also get quarantined because of what an attachment contains. These emails can be retrieved from the database and sent to the recipients.

Could you elaborate on the ease of management in Antigen and the new versions?
The admin has a single console to take care of the anti-virus, scan updates, look into the anti-spam part and handle content filtering; notifications can also be configured there. In our case, we have deployed across geographical locations. We can get into the Antigen instance deployed at a London site through a single console.

Spam tends to contain common words that pass through the content filters. Is Antigen/Forefront intelligent enough to filter these emails as well?
Yes, it is intelligent enough to monitor inbound and outbound flow. It improves its logic against spam. Let's say for outbound emails, it understands the pattern and improves its logic to detect the actual spam. For example, if you are a recruitment company and you send many CVs, based on the frequently used keywords it improves its logic and detects or evolves according to the mail flow.

What about policy-setting options in Antigen/Forefront?
Yes, we can have customized content filtering, or you can have the policies capture files using the 'true value'. This means that if a .doc file is renamed to .exe, it will still detect the true value as well as the extension of the file.
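The 'true value' check described above, as an added example that is not part of the interview or of the Forefront/Antigen product code: the filter identifies an attachment by its leading bytes rather than by its extension, so a renamed file cannot slip past a policy that blocks executables or expects Office documents. The signature bytes are the published magic numbers of each format; the attachment samples are constructed inline, and the block/quarantine/deliver actions are a hypothetical policy chosen for the demonstration.

```python
# Added example (not Forefront code). Demonstrates true-type detection of
# attachments: the leading bytes decide the format, the extension only
# states a claim, and the two are compared before a delivery decision.
from typing import Dict, List, Tuple

# (leading bytes, detected type). No signature here is a prefix of another.
MAGIC_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"MZ", "exe"),                                  # DOS/PE executable (.exe, .dll, .scr)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # OLE2 compound file (legacy .doc/.xls/.ppt)
    (b"PK\x03\x04", "zip"),                          # ZIP container, also .docx/.xlsx/.pptx
    (b"%PDF-", "pdf"),
]

# The detected type each claimed extension is expected to resolve to.
EXTENSION_TO_TYPE: Dict[str, str] = {
    "exe": "exe", "dll": "exe", "scr": "exe",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
    "pdf": "pdf",
}

# Hypothetical policy: these true types are never delivered, whatever the name.
BLOCKED_TYPES = {"exe"}


def detect_true_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return kind
    return "unknown"


def claimed_extension(filename: str) -> str:
    """Lower-cased extension after the last dot, or '' if there is none."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def evaluate_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Decide what to do with one attachment: (action, reason).

    The true type always wins over the extension: an executable is blocked
    even when renamed, and any disagreement between extension and content
    is quarantined so an administrator can release it (the recall the
    interview mentions). Extensions the policy does not govern are delivered.
    """
    true_type = detect_true_type(data)
    ext = claimed_extension(filename)
    expected = EXTENSION_TO_TYPE.get(ext)

    if true_type in BLOCKED_TYPES:
        return "block", f"true type {true_type} is not allowed (extension .{ext or '?'})"
    if expected is not None and true_type != expected:
        return "quarantine", f"extension .{ext} claims {expected} but content is {true_type}"
    return "deliver", f"extension .{ext or '?'} consistent with content ({true_type})"


def filter_attachments(attachments: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Apply evaluate_attachment to every attachment of a message."""
    return {name: evaluate_attachment(name, data) for name, data in attachments.items()}


# Constructed sample attachments: real headers, padded bodies.
SAMPLE_MESSAGE_ATTACHMENTS: Dict[str, bytes] = {
    "report.doc":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,  # genuine legacy Word file
    "invoice.doc": b"MZ\x90\x00" + b"\x00" * 32,                        # executable renamed to .doc
    "memo.exe":    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,  # .doc renamed to .exe
    "notes.txt":   b"plain text, no signature",                          # extension not governed
}

if __name__ == "__main__":
    for name, (action, reason) in filter_attachments(SAMPLE_MESSAGE_ATTACHMENTS).items():
        print(f"{name:12} {action:10} {reason}")
```

Running the block shows the two outcomes the interview cares about: `invoice.doc` is blocked because its content is an executable regardless of the harmless-looking name, and `memo.exe` (the renamed document from the answer above) is quarantined rather than delivered because its extension and its true type disagree. A production filter would add more signatures (and inspect ZIP contents to tell .docx from a plain archive), but the decision logic is the same.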

What were the reasons for choosing Antigen/Forefront for Exchange Server?
The most important thing we found in migrating to Forefront is that it works well with Exchange. Earlier, we used a third-party anti-virus product. Initially, it worked all right with Exchange, but later on we started experiencing memory management issues. The Exchange server started going down frequently. Exchange is a resource-intensive application in terms of memory and processor. Any anti-virus that works with Exchange must be well designed and integrated with the messaging server.

The third-party anti-virus vendor blamed Microsoft Exchange Server. We approached Microsoft, and they identified the third-party anti-virus product as the problem. We found that the anti-virus was set to use more kernel memory. Exchange also used more memory, and the service eventually failed as a result.

We decided to move to Microsoft's solution for Exchange Server because we had to ensure the service was up and running for our customers. Coordinating with two different vendors is very painful. Since both products are from Microsoft, they seemed designed to work well together. Add to this the flexible deployment scenarios that Forefront offers.

Licensing was another advantage. Vendors usually license by the number of installations. Irrespective of the number of mailboxes you host, you have to purchase a minimum number of mailboxes. For Antigen, licensing is not dependent on the number of installations. You can deploy any number of servers with Antigen, but you pay based on the number of mailboxes. It is a pay-as-you-go model, where we send a monthly report to Microsoft and pay according to that.

One more advantage is that Antigen is integrated with Microsoft Operations Manager (MOM), enabling us to proactively monitor the application's performance.