You can monitor your Forefront Protection 2010 for Exchange Server (FPE) environment by viewing statistics and health monitoring reports. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Monitoring and under Server Security Views, click Dashboard.

In the Server Security Views - Dashboard pane, you can view the following information:

Monitoring the health of your system

You can monitor the health of FPE by viewing the health monitors at the top of the Dashboard. There are four types of health monitors:

  • Scan Jobs—Monitors the current state of your scan jobs.

  • Services—Monitors the current state of FPE services.

  • Engines—Monitors the current state of your scan engines.

  • Licensing—Monitors the current state of your FPE license.

Viewing health item details

Each of the monitors has an associated Show details link. To see the underlying details, click Show details. This displays summary icons and underlying details.

The summary icons are as follows:

  • Healthy—A green circle with a check mark. This indicates good health and that no action is required.

  • Warning—A yellow triangle with an exclamation mark. This indicates a less than ideal situation that likely bears close monitoring.

  • Error—A red circle with an "X". This indicates an error that may require fixing.

  • Unknown—A gray shield. This indicates that FPE has not yet reached the scheduled health check interval, is not able to determine the current health, or that the item is not defined for your system. An event is generated as soon as FPE determines the health status.

The underlying details are as follows:

  • Health Point—Tells you what is being monitored, for example Realtime scan processes.

  • Last Refresh—Tells you the last time the health point was checked.

  • Message—Tells you the current status of the health point being monitored, including information about any problems that the monitor encountered.

Note:
If FPE either has not yet reached the scheduled health check interval or was not able to determine the current health of the health point, there is no message. A message is generated as soon as FPE determines the health status.

About the health points

Note:
To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

These are the scan job health points that FPE monitors:

| Health Point | Description |
| --- | --- |
| Transport scan enabled | Monitors whether the transport scan has been enabled. |
| Edge transport hooked | Monitors whether the Microsoft Exchange Transport service is running and the Forefront agent is registered. |
| Transport scan processes | Monitors whether the transport scan processes are running normally. |
| Selected transport engine initialization | Monitors whether all engines selected for the transport scan have been initialized. |
| Realtime scan enabled | Monitors whether the realtime scan has been enabled. |
| Information store hooked | Monitors whether the Microsoft Exchange Information Store service is running and the Forefront VSAPI library is registered. |
| Realtime scan processes | Monitors whether the realtime scan processes are running normally. |
| Selected realtime engine initialization | Monitors whether all engines selected for the realtime scan have been initialized. |
| Selected scheduled engine initialization | Monitors whether all engines selected for the scheduled scan have been initialized. |

These are the services health points that FPE monitors:

| Health Point | Description |
| --- | --- |
| Eventing service | Monitors whether the eventing service is functioning. |
| Monitor service | Monitors whether the monitoring service is functioning. |
| E-mail pickup service | Monitors whether the e-mail pickup service is functioning. |
| Available disk space | Monitors the amount of disk space remaining. |

These are the engines health points that FPE monitors:

| Health Point | Description |
| --- | --- |
| Spam definition update | Monitors whether the spam engine definitions were updated, and how recently. For information about spam engine updates, as opposed to spam engine definition updates, see Viewing engine summary information. |
| Selected engines updated | Monitors whether the engines that were selected for scan jobs were also selected for updates. |
| All engine updates enabled | Monitors whether the engines that were selected for updating were successfully updated. |
| Selected engines update period | Monitors whether the engines that were selected for updating were updated recently. |

This is the licensing health point that FPE monitors:

| Health Point | Description |
| --- | --- |
| License status | Monitors whether your license is still valid, is nearing expiration, or has expired. |

Viewing engine summary information

You can monitor engine summary information for FPE by viewing the Engines health monitor, and then selecting Engine Summary.

In the Engine Summary dialog box, you can view the following information about engine and definition updates:

  • Engine—The scan engine, for example Microsoft Antimalware Engine.

  • In Use—Indicates whether the engine is in use with a scan job.

  • Updates Enabled—Indicates whether updating is enabled (Yes) or disabled (No) for the engine.

  • Engine Version—The version of the engine.

  • Definition Version—The version of the malware definition files currently in use by the engine. (This data may not be available for every engine.)

  • Last Update—The date and time of the last successful or failed update of the engine or definition files. Failed updates appear in red text.

  • Last Check—The date and time of the last check made for a new engine or definition update.

    Note:
    For the Cloudmark Antispam Engine, the Last Update and Last Check fields only show the date and time of the last successful or failed engine update. Updates of the spam definition files are shown via the Spam definition update health point.

Note:
You can sort any of the columns alphabetically by clicking the column's heading. For information about changing how the engine and definition files are updated, see Configuring engine and definition updates.

Customizing the Dashboard view

You can customize which items appear on the Server Security Views – Dashboard pane.

To customize the Dashboard view
  1. In the Actions section, click Control Gallery.

  2. In the Control Gallery dialog box, select which items you want to appear on the Server Security Views – Dashboard pane. A check mark next to the item indicates that it is displayed; no check mark indicates that it is hidden (you can also click the red X box, associated with each item, to remove it from the view).

  3. Click Exit to close the Control Gallery dialog box.

Monitoring performance by viewing statistics

You can monitor the performance of FPE by viewing the statistics in the Dashboard. If you need the statistics broken down further, you can view detailed malware statistics, detailed filtering statistics, and detailed spam statistics.

Viewing detailed malware statistics

To see statistics about messages with malware, click Monitoring and under Server Security Views, click Malware Details. In the Server Security Views - Malware Details pane, the details are broken out by scan job type: transport, realtime, scheduled, and on-demand. You can sort any of the columns by clicking its heading. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

  • Malware detected in messages—The total number of messages that contained malware. This data only applies to transport scans.

  • Malware detected in message parts—The total number of message parts (for example, attachments or files included within container files) that contained malware.

  • Purged messages—The total number of messages purged from your mail system due to malware detections.

  • Deleted message parts—The total number of message parts deleted and replaced with deletion text due to malware detections.

  • Cleaned message parts—The total number of message parts cleaned due to malware detections.

  • Skipped message parts—The total number of message parts detected and logged as containing malware, with no other action taken.

  • Quarantined messages—The total number of full messages quarantined due to malware detections. This data only applies to transport scans.

  • Quarantined message parts—The total number of message parts quarantined due to malware detections.

Viewing detailed filtering statistics

To see statistics about messages that matched filters, click Monitoring and under Server Security Views, click Filtering Details. In the Server Security Views - Filtering Details pane, the details for the various filter matches are broken out by scan job type: transport, realtime, scheduled, and on-demand. You can sort any of the columns by clicking its heading. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

  • Messages scanned—The total number of messages scanned. This data only applies to transport scans.

  • Message parts scanned—The total number of message parts (for example, attachments or files included within container files) scanned.

  • Messages containing filter matches—The total number of messages that matched filters. This data only applies to transport scans.

  • Message parts containing filter matches—The total number of message parts that matched filters.

  • Messages purged due to filter matches—The total number of messages purged from your mail system due to filter matches. This data only applies to transport scans.

  • Message parts deleted due to filter matches—The total number of message parts deleted and replaced with deletion text due to filter matches.

  • Message parts skipped after filter matches—The total number of message parts detected and logged due to filter matches, with no other action taken.

  • Filter matches quarantined as full messages—The total number of full messages quarantined due to filter matches. This data only applies to transport scans.

  • Filter matches quarantined as individual message parts—The total number of individual message parts quarantined due to filter matches.

Viewing detailed spam statistics

To see statistics about spam, click Monitoring and under Server Security Views, click Spam Details. In the Server Security Views - Spam Details pane, the details are broken out by the spam filtering type: Connection Filtering, SMTP Filtering, Content Filtering, and Backscatter Filtering. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

Connection Filtering

  • Messages processed by connection filtering—The total number of messages processed by the connection filter.

  • Messages allowed by IP allow list—The total number of messages allowed to enter the Exchange organization by the IP allow list without being scanned for spam.

  • Messages blocked by IP block list—The total number of messages blocked by the IP block list.

  • Messages blocked by DNS block list—The total number of messages blocked by the DNS block list.

SMTP Filtering

  • Messages processed by SMTP filtering—The total number of messages processed by SMTP filtering.

  • Messages blocked by sender filtering—The total number of messages blocked by sender filtering.

  • Messages blocked by sender ID filtering—The total number of messages blocked by sender ID filtering.

  • Messages blocked by recipient filtering—The total number of messages blocked by recipient filtering.

Content Filtering

  • Messages processed by content filtering—The total number of messages processed by content filtering.

  • Messages rejected by content filtering—The total number of messages rejected by content filtering.

  • Messages deleted by content filtering—The total number of messages deleted by content filtering.

  • Messages quarantined by content filtering—The total number of messages quarantined as spam by content filtering.

Backscatter Filtering

  • Messages processed by backscatter filtering—The total number of messages processed by backscatter filtering.

  • Messages blocked by domain rejection list—The total number of messages blocked by the domain rejection list.

  • Messages allowed by domain exclusion list—The total number of messages allowed by the domain exclusion list.

  • Messages blocked by backscatter agent—The total number of messages blocked by backscatter filtering.

Resetting statistics data

You can reset malware, filtering, and spam statistics in order to begin a fresh count.

  • In the Server Security Views - Malware Details pane or the Server Security Views - Filtering Details pane, in the Actions section, click the action to Clear Transport Statistics, Clear Realtime Statistics, Clear Scheduled Statistics, or Clear On-Demand Statistics. Regardless of which pane you are in, this clears the statistics for both malware and filtering for the selected scan job.

  • In the Server Security Views - Spam Details pane, in the Actions section, click the action to Clear Spam Statistics.

  • To reset all statistics (malware, filtering, and spam) for all scan jobs, in the Server Security Views - Dashboard pane, in the Actions section, click the action to Clear All Statistics.

Clicking these actions clears all malware and filtering data for the selected scan job, clears all spam data, or clears all data. Depending on which action option you selected, the statistics for the Dashboard and the associated details reports (Malware Details, Filtering Details, or Spam Details) are reset to zero.