Microsoft Forefront Protection 2010

Microsoft Forefront Protection 2010 for Exchange Server (FPE) provides protection against malware and spam by including multiple scanning engines in a single solution. FPE provides customers with an administration console that includes customizable configuration settings, filtering options, monitoring features and reports, anti-spam protection, and integration with the Forefront Online Protection for Exchange (FOPE) product.

This section provides information about configuring Microsoft Forefront Protection and its event mappings to ArcSight data fields.

Configuring Forefront Protection

To enable writing events to the Windows Event Log from Forefront Protection:

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.
  2. In the Global Settings - Advanced Options pane, under the Logging Options section, select the Enable event logging check box. When checked (the default), you can use the associated check boxes to individually enable or disable the following options (which are enabled by default):

    • Incidents: Enables or disables event logging for incidents.
    • Engines: Enables or disables event logging for engines.
    • Operational: Enables or disables logging for all other events, such as system information and health events.

    When the Enable event logging check box is cleared, event logging is suspended for all three categories: incidents, engines, and operational events.

  3. Click Save.

Note: The relevant Microsoft Exchange and Microsoft Forefront Server Protection services must be restarted for any changes to these settings to take effect. This typically includes the Microsoft Exchange Transport, Microsoft Exchange Information Store, and Microsoft Forefront Server Protection Controller services.
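The following PowerShell script is an added example, not part of the ArcSight or Microsoft documentation: it restarts the services named in the note and then checks that FPE events are actually arriving in the Windows Application log, which is what the connector will read. It assumes the service display names given above and that the FPE event provider name contains "Forefront" (an assumption; confirm with Get-WinEvent -ListProvider *Forefront*).

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session
# on the Exchange server after saving the Logging Options change.
# Assumption: display names match the note; provider name contains "Forefront".

$displayNames = @(
    'Microsoft Forefront Server Protection Controller',
    'Microsoft Exchange Information Store',
    'Microsoft Exchange Transport'
)

$restartStarted = Get-Date

foreach ($name in $displayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found on this host; skipping."
        continue
    }
    Write-Host "Restarting '$name' (current state: $($svc.Status))"
    Restart-Service -InputObject $svc -Force -ErrorAction Stop
    # Block until the service reports Running, or fail after two minutes.
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
    Write-Host "  -> $($svc.Status)"
}

# Verify that event logging is enabled: look for any event written by a Forefront
# provider since the restart began. An empty result usually means the
# "Enable event logging" check box is still cleared or the restart did not happen.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $restartStarted } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Forefront*' }

if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName |
        Format-Table -AutoSize
} else {
    Write-Warning 'No Forefront events in the Application log since the restart; re-check Logging Options.'
}
```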