Banner

Exchange 2013 anti-malware protection: Will you need anything else?

By Steve Goodman, SearchExchange.TechTarget.com

 

While Microsoft includes native anti-malware protection in Exchange 2013, it raises an important question for potential adopters: Is it enough to replace the anti-malware software they already have in place?

Malware has long been a security problem for messaging systems like Exchange Server. Administrators with on-premises deployments prior to Exchange 2013 were forced to invest in anti-malware software to protect mailboxes against viruses. In Exchange Server 2013, however, Microsoft has integrated anti-malware capabilities into the product, providing admins with a "free" option for protecting Exchange.

Microsoft’s decision to include anti-malware protection in Exchange Server 2013 is similar to its decision to include self-signed certificates in Exchange 2010. When Microsoft built Exchange Server 2010, it included self-signed certificates as a way for customers to perform encryption without investing in a certificate from a commercial certificate authority. Self-signed certificates aren't ideal because messaging clients such as Outlook do not trust self-signed certificates; nor should they. That said, a self-signed certificate is better than no certificate at all.

This basic philosophy also applies to Microsoft's built-in anti-malware protection for Exchange Server 2013. The integrated anti-malware features provide basic protection against email viruses, but the software does not deliver the comprehensive protection that commercial anti-malware products do.

FOPE and EOP

Before I explain how native protection does and does not protect Exchange Server 2013, it's important to understand that the built-in Exchange 2013 anti-malware protection is different from Forefront Online Protection for Exchange (FOPE) and Exchange Online Protection (EOP). EOP is an add-on solution for Exchange anti-malware protection, while FOPE is Microsoft's cloud-based antivirus solution.

Both products are fee-based and use multiple scanning engines. Both EOP and FOPE also offer full reporting capabilities as well as a message-trace feature. As you can see, the capabilities are similar to what you'd find in some of the more well-known commercial antivirus products.

Exchange 2013 anti-malware protection capabilities

Exchange Server 2013's built-in anti-malware protection is much more modest in scope. The first distinction between the built-in software and Microsoft's commercial products is that the Exchange 2013 anti-malware protection only uses a single scanning engine, not multiple scanning engines.

This fact might not be an automatic deal breaker -- especially when you consider that Exchange checks for virus definition updates on an hourly basis -- but it's definitely worth calling out.

A major limitation has to do with how the scanning is performed. Exchange 2013 anti-malware protection performs transport-level scanning. In other words, messages are scanned for malicious content as they pass through the transport pipeline.

Now, there's no denying that transport-level scanning is important, but Exchange 2013 anti-malware protection doesn't scan the mailbox store. In theory, this shouldn't be a problem because anything that makes it into the mailbox database has already been scanned at the transport level, right? Well, imagine that a new type of malware is received before the built-in scanning engine has acquired a definition for it. In this situation, the infected message would pass into the mailbox store.

Let's suppose that immediately after the infected message is delivered, Exchange 2013 is updated with a signature for the virus. The built-in Exchange 2013 protection would actually prevent users from forwarding the infected message to others, because the act of doing so would require the message to re-enter the transport pipeline, where it would be rescanned.

Unfortunately there is nothing stopping a user from opening the infected attachment, because opening a message that has already been delivered to the user's mailbox doesn't require the message to pass through the transport pipeline.

 

To read the full article, go to: SearchExchange

Use Ctrl+Shift+R to “Reply all” to the selected message.
 

Poll

Will tablet and Smart phone use be a big part of your OWA 2013 deployment?