Hygiene - Filtering Core Test

Messaging hygiene refers to the antivirus and antispam framework built into Microsoft Exchange Server.

Exchange 2013/2016 comes out of the box with basic built-in anti-malware protection designed to help organizations combat viruses and spyware in their e-mail messaging environment. This anti-malware feature scans emails in the transport pipeline for viruses, spyware, and malware in real-time, and deletes the messages and attachments found to be infected, so as to shield the mailbox from harm.

If this anti-malware filter takes too long to scan emails or experiences frequent crashes/failures, it will not only delay the flow of emails through the transport pipeline, but will also expose the Exchange environment to malicious virus attacks. To ensure that the Exchange environment stays healthy and protected against such unscrupulous attacks and unnecessary delays, administrators will have to keep a close watch on how the anti-malware filter functions. This is exactly what the Hygiene – Filter Core test does. This test tracks the requests to the anti-malware engine, monitors how quickly and efficiently the engine processes the scanning requests it receives, and in the process, proactively alerts administrators to potential delays and errors in filtering.

Target of the test : A Microsoft Exchange 2013/2016 server

Agent deploying the test : An internal/remote agent

Outputs of the test : One set of results for the Exchange server monitored

Configurable parameters for the test
  1. Test period - How often should the test be executed
  2. Host - The host for which the test is to be configured.
  3. port – The port at which the host listens.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Average scan time:

Indicates the time taken to scan requests.


A high value could indicate a bottleneck in scanning.

Average classification time per request:

Indicates the time taken to classify one scan request.


An unusually high value could indicate that request classification is taking longer than expected.

Crashed scan processes:

Indicates the number of scan processes that crashed in the last hour. 


Ideally, the value of this measure should be 0. A high value is a cause for concern as it indicates frequent scan crashes.

Running scan processes:

Indicates the number of scan processes currently running.


This is a good indicator of the current workload of the anti-malware filter.

Scan requests error:

Indicates what percentage of scan requests submitted in the last minute encountered errors that prevented the processing of those scan requests.


This includes scan requests rejected, fatal errors and errors while processing.

Ideally, this measure should report the value 0. A high value indicates that many scan requests have encountered errors and were hence not processes. This is a cause for concern and warrants an investigation.

Timed out scan requests:

Indicates the number of scan requests that timed out in the last minute.



Average wait time for scanned requests:

Indicates the average time for which a scan request waits in the internal queue.


A high value is indicative of a processing slowdown.

Scan requests processed rate:

Indicates the number of scan requests processed per second.


Ideally, the value of this measure should be high. A consistent drop in this value could indicate a processing slowdown.

Scan requests in request queue:

Indicates the number of scan requests that are currently in the internal queue.



Scan requests submitted rate:

Indicates the number of scan requests submitted per second, including requests accepted  and rejected by the scanning system.