E-mail notifications are useful for keeping Exchange users informed about changes that have occurred to their attachments due to malware cleaning and filtering, as well as informing users of infections that exist when malware is detected and not cleaned. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.

Configuring notifications

FPE uses two types of notifications:

  • Incident notification—A notification that FPE sends about a malware or filter incident. You can customize these notifications and configure them to be sent to the message's sender and recipients. For more information about each type of incident notification, see About incident notifications.

  • Event notification—A notification that FPE sends to an administrator about its status. You can disable or customize these notifications. For more information about each type of event notification, see About event notifications.

To configure notifications
  1. In the Forefront Protection 2010 for Exchange Server Administrator Console's Monitoring view, in the tree, expand Configuration, and then click Notifications.

    The Configuration - Notifications pane contains the available notifications, listed under their notification type, and the notification roles for which they are enabled. Each notification is configured individually.

  2. Right-click the notification (or notifications) you want to configure, and then click Edit Notification. For more information about the purpose of each notification, see About notifications.

  3. In the Edit Notification dialog box, select the notification role (for which you are configuring the notification) by clicking one of the following options:

    • Administrator—Configures notifications to be sent to administrators when an incident or event occurs. You can configure all notification types for administrators. This is the default notification role.

    • Internal Sender—Configures incident notifications to be sent to the sender of an e-mail message that generated an incident, if that sender is internal to your organization.

    • External Sender—Configures incident notifications to be sent to the sender of an e-mail message that generated an incident, if that sender is external to your organization.

    • Internal Recipient—Configures incident notifications to be sent to the internal recipients of an e-mail message that generated an incident, if the recipients are internal to your organization.

    • External Recipient—Configures incident notifications to be sent to the external recipients of an e-mail message that generated an incident, if the recipients are external to your organization.

      Note:
      For more information about internal and external addresses, see Identifying external and internal addresses.
  4. Configure the following settings for the selected notification role:

    • Enable—Selecting this check box enables the notification. By default, all incident notifications are disabled, and all event notifications are enabled except for Engine updated and Engine update not available. For more information about suppressing individual enabled notifications for antimalware scans and filters, see the “Related Topics” section at the end of this topic.

    • To—A semicolon-separated list of people and groups who will receive the notification. This list can only be changed for the Administrator notification role. It can include Exchange names, aliases, and groups. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.

    • Cc—A semicolon-separated list of people and groups who will receive a "carbon copy" of the notification. This list can include Exchange names, aliases, and groups. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.

    • Bcc—A semicolon-separated list of people and groups who will receive a "blind carbon copy" of the notification. This list can include Exchange names, aliases, and groups. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.

    • Subject—The message that is sent on the subject line of the notification. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros.

    • Message body—The message that is sent as the body of the notification. If you right-click and select Insert Field, you can select a keyword substitution macro; for more information, see Keyword substitution macros. (Administrators can include the MIME headers in this field by inserting the MIME macro.)

      Note:
      When enabling Virus found, File filter matched, Worm found, or Keyword filter matched notifications on an Edge server, you must use a full SMTP address (for example: Administrator@contoso.com) for the notification to work properly.

    You can optionally configure additional notification roles for this notification.

  5. Click Apply and Close to return to the Configuration - Notifications pane, and then click Save.

About notifications

The following sections describe the various notifications for each notification type.

About incident notifications

Incident notifications report the who, what, where, and when details of an infection, including the disposition of the malware or the attachment. You can also use incident notifications to keep track of filtering. The following types of incident notifications are available:

  • File error—Sent when a configured file setting is encountered during scanning (for example, if a file is found to be ExceedinglyNested or a CorruptedCompressedFile). For more information about the types of incidents that may trigger this notification, see Incidents reported.

  • File filter matched—Sent when a file filter is matched.

  • Keyword filter matched—Sent when a keyword filter is matched.

  • Sender-domain filter matched—Sent when a sender-domain filter is matched.

  • Subject line filter matched—Sent when a subject line filter is matched.

  • Spyware found—Sent when spyware is detected.

  • Virus found—Sent when a virus is detected.

  • Worm found—Sent when a worm is detected.

  • Scan error—Sent when an error occurs during scanning. For more information about the types of incidents that may trigger this notification, see Incidents reported.

About event notifications

Event notifications report on FPE functionality and issues. They include events like scan startup, licensing warnings, engine updates, and engine selections. The following are the available event notifications:

  • Scan startup—Sent whenever a scan is started.

  • License warning—Sent when the product license nears expiration.

  • License expired—Sent when the product license has expired.

  • Database size warning—Sent when the incidents database nears its maximum configured size. For more information, see "Configuring the incidents database size warning" in Managing incidents.

  • Engine updated—Sent when any engine has been successfully updated.

  • Engine update failed—Sent when any engine encountered an error while updating.

  • Engine update not available—Sent when an engine update attempt found no new definitions.

  • Critical error—Sent when FPE encounters a critical error.

  • Health change to green—Sent when a health monitoring point changes to green.

  • Health change to red—Sent when a health monitoring point changes to red.

  • Health change to yellow—Sent when a health monitoring point changes to yellow.

Changing the From address for notifications

FPE utilizes SMTP messaging for notification purposes, placing the message in the SMTP service Pickup folder and resolving the Exchange name with the Active Directory directory service. By default, the server profile used for identifying notifications is: ForefrontServerProtection@servername.server. However, you can change this server profile by modifying the FromAddress registry value.

To modify the FromAddress registry value
  1. Open the Registry Editor and navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\

  2. Modify the default value of FromAddress to the sender name you would like. Alphanumeric characters are acceptable. You may also use the at sign (@) or a period (.), but these characters cannot be the first or last character. Any illegal characters will be replaced with an underscore (_).

  3. You must restart the Microsoft Exchange and Microsoft Forefront Server Protection services in order for this change to take effect.

Note:
To ensure that notifications are always delivered to the inbox and are not mistakenly detected as spam by Microsoft Outlook, the FromAddress of the notifications must be added to the safe senders list of all mailboxes that expect to receive these notifications. (To access the safe senders list in Outlook 2007, click Tools and then Options, click the Junk E-mail button, and then click the Safe Senders tab.)
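The following PowerShell sketch is an added example, not code from the product documentation. It checks a proposed FromAddress against the character rules in step 2 before writing it, so the value stored in the registry is exactly the one you add to the safe senders list rather than one with characters replaced by underscores. The function names and the sample address are hypothetical, and the script assumes an elevated session on the FPE server.

```powershell
# Added example. Function names and the sample address are constructed.
$FpeKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications'

function Test-FpeFromAddress {
    param([Parameter(Mandatory = $true)][string]$Value)
    $problems = @()
    # Anything other than alphanumerics, "@" and "." would be replaced with "_".
    $illegal = [regex]::Matches($Value, '[^A-Za-z0-9@.]') |
        ForEach-Object { "[$($_.Value)]" } | Sort-Object -Unique
    if ($illegal) { $problems += 'illegal characters: ' + ($illegal -join ' ') }
    # "@" and "." may not be the first or last character.
    if ($Value -match '^[@.]') { $problems += 'starts with "@" or "."' }
    if ($Value -match '[@.]$') { $problems += 'ends with "@" or "."' }
    return $problems
}

function Set-FpeFromAddress {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Value)

    # Refuse values that would be rewritten, instead of letting them drift
    # away from the address users have placed on their safe senders list.
    $problems = @(Test-FpeFromAddress -Value $Value)
    if ($problems) { throw "Refusing to write '$Value': $($problems -join '; ')" }
    if (-not (Test-Path $FpeKey)) { throw "Registry key not found: $FpeKey" }

    $before = (Get-ItemProperty -Path $FpeKey -Name FromAddress `
        -ErrorAction SilentlyContinue).FromAddress
    if ($PSCmdlet.ShouldProcess($FpeKey, "Set FromAddress to '$Value'")) {
        Set-ItemProperty -Path $FpeKey -Name FromAddress -Value $Value
    }
    # Read the value back so the change record shows what is actually stored.
    $after = (Get-ItemProperty -Path $FpeKey -Name FromAddress `
        -ErrorAction SilentlyContinue).FromAddress
    New-Object PSObject -Property @{ Previous = $before; Current = $after; Requested = $Value }
}

# Constructed inputs: the first passes, the second is rejected on both rules.
Test-FpeFromAddress -Value 'FPE.Notifications@contoso.com'
Test-FpeFromAddress -Value '.fpe alerts@contoso.com'

# Dry run, then apply. The change takes effect only after the service
# restart described in step 3.
# Set-FpeFromAddress -Value 'FPE.Notifications@contoso.com' -WhatIf
# Set-FpeFromAddress -Value 'FPE.Notifications@contoso.com'
```

Recording the `Previous` and `Current` values from the output gives you an audit trail for the change and the exact string to distribute for safe senders lists.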

Related Topics