Sunday, December 30, 2012

Exchange 2013 Anti-Malware Protection

Since there will be no Forefront protection for Exchange Server 2013 to handle spam and other bad things coming in with mail from Internet, Exchange admins must use something else to block those bad things, but what to use?

For those organizations that use Exchange Edge and Forefront protection for Exchange on it can continue to use that together with Exchange server 2013.
There is no Exchange 2013 Edge server yet, but hopefully it will be in the future.

Another option that many organizations already use is to leverage something outside of Exchange for hygiene. This software is deployed on regular servers or as an appliance and some is used as a service on Internet, and most of the time these solutions costs money.

Microsoft did not leave organizations completely out in the dark by removing forefront for Exchange. They moved some if it’s functionality into Exchange.
First we have to regular transport anti-spam agents that have its legacy from Exchange 2003 and IMF (Intelligent Message Filter). They of course have evolved and some organizations use them today with their Exchange 2007 and Exchange 2010.
Installation is done with help of a powershell script “install-AntispamAgents.ps1” located in the scripts subfolder in the Exchange installation. Difference with Exchange 2013 compared to earlier versions is that in Exchange 2013 there is no GUI to configure those agents and you must leverage powershell.
Those agents are as stated anti-spam agents, http://technet.microsoft.com/en-us/library/jj218660.aspx . They have been around for years and are configured in the same way as before so one thing you definitely should do is to use safelist aggregation, http://anewmessagehasarrived.blogspot.se/2008/04/outlook-safelist-aggregation.html but configuration of the anti-spam agents is a story for it self.

Secondly the malware filtering piece of Forefront for Exchange moved into Exchange itself, http://technet.microsoft.com/en-us/library/jj150547.aspx. If you have an Exchange 2010 with forefront for Exchange installed and an Exchange 2013 you will see the same folder structure “C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server” and “C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS
This is something that you have to enable and configure after installation of Exchange and are all done with powershell commands.
To enable the malware agent who is disabled by default, use the powershell script “Enable-AntimalwareScanning.ps1”. This script will not only enable the malware agent but also configure regular updates, restart the transport service etc. to get everything running. Default automatic update check for definitions will every 60 minutes. You can verify when and what version of the engine and definitions is in use with “Get-EngineUpdateInformation” or if you want to manually check for updates, use the powershell script “Update-MalwareFilteringServer.ps1” that basically is a wrapper around the “Start-EngineUpdate” powershell command.

When this is done, you should have a look at the default malware policy and possibly alter the configuration, http://technet.microsoft.com/en-us/library/jj150576.aspx.
Think about the available options for a while before changing them, especially where to send notifications and to whom otherwise you can create a mail storm of notifications.

If the built-in anti-spam agents and malware protection is good enough for your organization is something you have to decide. There is little information about how the malware piece is performing in real life since very few organizations don’t yet run Exchange 2013