Antivirus Protection for Exchange Server 2010

Written by Paul Cunningham on July 9, 2010

With all of the attention paid to spam prevention sometimes we forget that viruses and malware remain a strong threat to our business networks.

Although in many cases spam and viruses go hand in hand, there are still some viruses that have no spam-like characteristics and therefore must be defended against by genuine antivirus measures.  I recently worked with a customer who was surprised that their server-level antivirus was finding viruses in emails that had already passed through an external hosted filtering service.

Aside from email-borne viruses there are also non-email vectors by which viruses and malware can reach an Exchange server.  Once the malware is on a server or computer on the network it can be used to attack other devices, or even to send out spam itself.

So, with all of that in mind, here are some strategies for protecting your Exchange environment from virus infection.

Hosted or Gateway Filtering

The best place to stop an email-borne virus is before it reaches your Exchange servers.  Doing this requires either an externally hosted service that all of your email is routed through, or a server that sits in front of the Exchange servers (for example in the DMZ, or as an edge/gateway device) to check all mail as it arrives.

A benefit of filtering email before it arrives on the Exchange server is that the resource-intensive virus scanning can occur on a dedicated device without impacting the performance of Exchange.

There is also a much larger range of products and services available for this type of protection, compared to the number of products that can be installed on an Exchange server in an integrated manner.

Transport Layer Filtering

When an email enters the Exchange Organization it is first received by either an Edge Transport or Hub Transport server.  The Edge Transport role is a dedicated role, while the Hub Transport role can co-exist with Mailbox Servers.  But the modular nature of Exchange server roles means that for the sake of this part of the discussion you can just consider them separate.

An email has to traverse at least one Transport server before it reaches a mailbox.  In larger organizations it will traverse several.  Transport servers typically have lower general workloads than other server roles, which makes the Transport layer another ideal place to perform antivirus scanning of email.

Database Layer Filtering

Once an email has arrived in a mailbox it is subject to database level filtering.  This level of filtering tends to be the most costly in terms of server resources, because the Mailbox server typically has a higher workload on it than other server roles.

However, an advantage of scanning for viruses at the database level is that scheduled scans can be run over the database to check for any viruses that may have passed through the other protection layers before the antivirus signatures were updated to detect them.

Server Filtering

Although some administrators will disagree, I tend to prefer installing antivirus agents on the Exchange server to protect from virus threats.

Because the security of the Exchange server depends in part on the security of the other devices on the network, there is always the risk that another infected machine could try to exploit an operating system vulnerability on the Exchange server and spread the infection.

Whenever you are installing antivirus software on Exchange servers you need to be aware of the file and folder exclusions recommended by Microsoft, so that the on-access scanner does not interfere with Exchange's own database, log and queue files and cause performance or stability issues with Exchange itself.
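As an added example that is not part of the original post (and is not Microsoft's exclusion list), the following Exchange Management Shell script gathers the database, transaction log and transport queue/log folders that Exchange 2010 itself reports for the local server, so they can be compared against what the antivirus product has actually been configured to exclude. The cmdlets and properties used (Get-MailboxDatabase with EdbFilePath and LogFolderPath, Get-TransportServer with its queue and log path properties) exist in Exchange 2010; the $exinstall variable is assumed to be the installation directory as set by the Exchange Management Shell.

```powershell
# Added example, not from the original post or from Microsoft.
# Collects the folders Exchange 2010 reports for databases, logs and transport
# queues on this server, so they can be checked against the antivirus exclusions.
# Run from the Exchange Management Shell on the server being reviewed.

$server  = $env:COMPUTERNAME
$folders = New-Object System.Collections.Generic.List[string]

# Mailbox role: the folder holding each .edb file and its transaction log folder.
# Pipeline form is used so that a server with no databases simply adds nothing.
Get-MailboxDatabase -Server $server -ErrorAction SilentlyContinue | ForEach-Object {
    $folders.Add((Split-Path -Path ([string]$_.EdbFilePath) -Parent))
    $folders.Add([string]$_.LogFolderPath)
}

# Hub Transport role: mail queue database and its logs, plus tracking and protocol logs.
$ts = Get-TransportServer -Identity $server -ErrorAction SilentlyContinue
if ($ts) {
    foreach ($p in @($ts.QueueDatabasePath, $ts.QueueDatabaseLoggingPath,
                     $ts.MessageTrackingLogPath, $ts.ReceiveProtocolLogPath,
                     $ts.SendProtocolLogPath, $ts.ConnectivityLogPath)) {
        if ($p) { $folders.Add([string]$p) }
    }
}

# $exinstall is assumed to be set by the Exchange Management Shell to the install
# directory; the TransportRoles\Data folder beneath it holds queue and pickup data.
if ($exinstall) { $folders.Add((Join-Path -Path $exinstall -ChildPath 'TransportRoles\Data')) }

# Report the unique folders, flagging any that do not exist on disk so that a
# mistyped or relocated path in the exclusion configuration stands out.
$folders | Sort-Object -Unique | ForEach-Object {
    $state = if (Test-Path -LiteralPath $_) { 'present' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $_
}
```

The output is a review list only: each folder printed should be found in the antivirus product's exclusion settings, and anything marked MISSING points at a path Exchange believes it uses but that cannot be found, which is worth investigating before trusting either the exclusions or the Exchange configuration.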

Client Filtering

The last piece of the overall solution is client-level filtering.  Similar to server filtering, this involves the installation of antivirus agents on the client computers in the network.  However, it can also include additional add-ons and plugins that integrate with the email client to prevent viruses from infecting the computer or being spread via the email application.

About Paul Cunningham

Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.