McAfee Security for Microsoft Exchange 8.6.0

Scanning inbound emails

This topic describes, step by step, what happens to an email that reaches your organization and how MSME scans it to determine whether the email is clean or infected.

The process described below assumes that you have installed MSME on all of these roles in your organization.

Microsoft Exchange Server 2010:
Edge Transport
Hub Transport
Mailbox
Microsoft Exchange Server 2013 and 2016:
Edge Transport
MBX

If you don't have an Exchange server on the Edge or Hub Transport role, MSME ignores the steps related to that role.

Task
1 The SMTP stack hosted by EdgeTransport.exe on the Edge role receives the email.
2 MSME IP Agent (McTxIPAgent) checks the reputation of the source IP address. The IP Agent check is executed before TxAgent operations.
3 MSME Transport Agent (McAfeeTxAgent) scans the email for spam, phish or mail size.
4 If there is a detection, the email is dropped; otherwise, it is returned to the SMTP stack.
5 If the email is clean, McAfeeTxRoutingAgent processes it.
6 MSME receives the same stream and performs File filtering, Content scanning, Anti-virus (AV) scanning, and URL filtering.
7 If there is a detection, an action is taken as per product configuration.
8 MSME stamps the email with an AV stamp as per Microsoft specifications.
9 The email is now sent to the Exchange Hub server role.
10 The SMTP stack hosted by EdgeTransport.exe on the Hub server role receives the email.
11 MSME Transport Agent (McAfeeTxAgent) scans the email for spam, phish or mail size. Only in the case of EdgeSync (Edge and Hub server) is the session authenticated, in which case anti-spam scanning is skipped. In this case, the Originator check is used for session authentication.
12 If there is a detection, the email is dropped; otherwise, it is returned to the SMTP stack.
13 If the email is clean, McAfeeTxRoutingAgent processes it and checks for an AV stamp (if any).
14 If an AV stamp is present, McAfeeTxRoutingAgent compares it with the stamp MSME forms with the engine/DAT on the Hub server role.
15 If the stamp is different, MSME receives the same stream and performs File filtering, Content scanning, and Anti-virus scanning.
16 On Transport, MSME looks for the AV stamp, whereas on VSAPI, the Exchange Store does this work, and MSME does not receive a scan call if the AV stamp matches.
17 If there is a detection, an action is taken as per product configuration.
18 MSME stamps the email with an AV stamp as per Microsoft specifications.
19 The email is routed to Exchange Mailbox server role.
20 The Exchange store receives the email and, before saving it to its database, checks for the AV stamp.
21 If the AV stamp matches, it saves the item without scanning.
22 If the AV stamp does not match, the Exchange store calls VSAPI (Virus Scanning API) and scans the email.
The VSAPI check is applicable only for Microsoft Exchange 2010 servers.
23 If there is a detection, the email is replaced or deleted as per product configuration.
For Microsoft Exchange Server 2013 and 2016, the Hub Transport and Mailbox roles are not applicable.
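
The AV stamp decisions in steps 6 to 22, modeled for the Exchange Server 2010 three-role flow to show which role actually scans when engine/DAT versions differ between roles. This is an added example, not McAfee or Microsoft code. Assumptions: the stamp is represented as an (engine, DAT) pair, a threat is detected only from a given DAT version onward, and a detection ends processing; the names Role, Message, process and route are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the AV stamp: (engine version, DAT version).
# The real stamp format is defined by Microsoft and is not modeled here.
Stamp = Tuple[str, int]

@dataclass
class Role:
    name: str      # "Edge", "Hub" or "Mailbox"
    engine: str
    dat: int

    def stamp(self) -> Stamp:
        return (self.engine, self.dat)

@dataclass
class Message:
    # Assumption: a threat is detected only by DATs at or above this version.
    detectable_from_dat: Optional[int] = None   # None means a clean email
    av_stamp: Optional[Stamp] = None
    log: List[str] = field(default_factory=list)

def process(msg: Message, role: Role) -> bool:
    """Apply one role's stamp check and scan; False means the email was stopped."""
    if msg.av_stamp == role.stamp():
        msg.log.append(f"{role.name}: stamp matches, scan skipped")
        return True
    msg.log.append(f"{role.name}: scanned")
    if msg.detectable_from_dat is not None and role.dat >= msg.detectable_from_dat:
        # Simplification: any configured action is treated as stopping the email.
        msg.log.append(f"{role.name}: detection, action per configuration")
        return False
    if role.name != "Mailbox":   # the steps describe stamping on Edge and Hub only
        msg.av_stamp = role.stamp()
    return True

def route(msg: Message, roles: List[Role]) -> List[str]:
    """Pass the email through the roles in order and return the decision log."""
    for role in roles:
        if not process(msg, role):
            break
    return msg.log

if __name__ == "__main__":
    # Constructed versions: the Edge role lags one DAT behind Hub and Mailbox.
    roles = [Role("Edge", "6000", 9000), Role("Hub", "6000", 9001),
             Role("Mailbox", "6000", 9001)]
    print("\n".join(route(Message(detectable_from_dat=9001), roles)))
```

In the constructed run, the Edge role scans and stamps with its older DAT, so the stamp comparison on the Hub role fails and the Hub rescans the email with the newer DAT.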