When Auto-Protect scanning is enabled, Mail Security applies a stamp to messages it scans at the Edge Transport or Hub Transport servers. The stamp indicates the version of definitions that were used for the scan. Each time Mail Security scans the message, it also scans for file filtering rule violations.
Mail Security searches for this stamp each time the message is routed through the mail flow to another server. Mail Security determines if the message has been scanned and if the message was scanned with the most current definitions. When the server in which the mail is routed contains more current definitions than those indicated in the stamp, the message is rescanned with the newer definitions
Messages that have been stamped are not rescanned for file filtering and content filtering rules.
The message is disposed of based on the settings that you configure when Mail Security detects a violation. No stamp is applied to the message, even if the message is repaired. If the message is routed to another server role, Mail Security detects that there is no stamp and rescans the message.
Figure: How incoming email messages are scanned shows how an incoming email message is scanned as it enters your Exchange Server 2007/2010 environment.
Figure: How outgoing email messages are scanned shows how an outgoing email message is scanned as it leaves your Exchange Server 2007/2010 environment.
Figure: How internal email messages are scanned shows how an internally routed email message is scanned.