While Microsoft includes native anti-malware protection in Exchange 2013, it raises an important question for potential...
adopters: Is it enough to replace the anti-malware software they already have in place?
Malware has long been a security problem for messaging systems like Exchange Server. Administrators with on-premises deployments prior to Exchange 2013 were forced to invest in anti-malware software to protect mailboxes against viruses. In Exchange Server 2013, however, Microsoft has integrated anti-malware capabilities into the product, providing admins with a "free" option for protecting Exchange.
Microsoft’s decision to include anti-malware protection in Exchange Server 2013 is similar to its decision to include self-signed certificates in Exchange 2010. When Microsoft built Exchange Server 2010, it included self-signed certificates as a way for customers to perform encryption without investing in a certificate from a commercial certificate authority. Self-signed certificates aren't ideal because messaging clients such as Outlook do not trust self-signed certificates; nor should they. That said, a self-signed certificate is better than no certificate at all.
This basic philosophy also applies to Microsoft's built-in anti-malware protection for Exchange Server 2013. The integrated anti-malware features provide basic protection against email viruses, but the software does not deliver the comprehensive protection that commercial anti-malware products do.
FOPE and EOP
Before I explain how native protection does and does not protect Exchange Server 2013, it's important to understand that the built-in Exchange 2013 anti-malware protection is different from Forefront Online Protection for Exchange (FOPE) and Exchange Online Protection (EOP). EOP is an add-on solution for Exchange anti-malware protection, while FOPE is Microsoft's cloud-based antivirus solution.
Both products are fee-based and use multiple scanning engines. Both EOP and FOPE also offer full reporting capabilities as well as a message-trace feature. As you can see, the capabilities are similar to what you'd find in some of the more well-known commercial antivirus products.
Exchange 2013 anti-malware protection capabilities
Exchange Server 2013's built-in anti-malware protection is much more modest in scope. The first distinction between the built-in software and Microsoft's commercial products is that the Exchange 2013 anti-malware protection only uses a single scanning engine, not multiple scanning engines.
This fact might not be an automatic deal breaker -- especially when you consider that Exchange checks for virus definition updates on an hourly basis -- but it's definitely worth calling out.
A major limitation has to do with how the scanning is performed. Exchange 2013 anti-malware protection performs transport-level scanning. In other words, messages are scanned for malicious content as they pass through the transport pipeline.
Now, there's no denying that transport-level scanning is important, but Exchange 2013 anti-malware protection doesn't scan the mailbox store. In theory, this shouldn't be a problem because anything that makes it into the mailbox database has already been scanned at the transport level, right? Well, imagine that a new type of malware is received before the built-in scanning engine has acquired a definition for it. In this situation, the infected message would pass into the mailbox store.
Let's suppose that immediately after the infected message is delivered, Exchange 2013 is updated with a signature for the virus. The built-in Exchange 2013 protection would actually prevent users from forwarding the infected message to others, because the act of doing so would require the message to re-enter the transport pipeline, where it would be rescanned.
Unfortunately there is nothing stopping a user from opening the infected attachment, because opening a message that has already been delivered to the user's mailbox doesn't require the message to pass through the transport pipeline.
Exchange 2013's built-in malware scanning capabilities provide basic protection but are anything but full proof. Commercial anti-malware products provide much more comprehensive protection.
If you do opt to purchase a commercial product, it's possible to disable the built-in anti-malware protection. However, Microsoft recommends leaving it enabled if you plan on using EOP or FOPE. Doing so provides a stronger and more in-depth defense because multiple scanning mechanisms are being used.
About the author:
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.