F-Secure Anti-Virus for
Microsoft Exchange
Administrator’s Guide
"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure
Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate,
F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure
Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.
Copyright © 1993-2010 F-Secure Corporation. All rights reserved.
Portions Copyright © 2003 Commtouch ® Software Ltd.
Copyright © 1997-2009 BitDefender.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/). Copyright © 2000-2007 The Apache Software Foundation. All rights reserved.
This product includes PHP, freely available from http://www.php.net/. Copyright © 1999-2007 The PHP
Group. All rights reserved.
This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution are Copyright © 2000-2002 Justin Mason and others, unless specified otherwise in that particular file.
All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the
“Artistic License”.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233
GB2374260
Contents
About This Guide
Chapter 1 Using F-Secure Anti-Virus for Microsoft Exchange
Administering F-Secure Anti-Virus for Microsoft Exchange
1.2.2 Modifying Settings and Viewing Statistics with Web Console
1.3.1 Modifying Settings and Viewing Statistics in Centrally Administered Mode
Chapter 2 Centrally Managed Administration
Chapter 3 Administration with Web Console
Chapter 4 Quarantine Management
4.5.1 Viewing Details of the Quarantined Message
4.6.4 Deleting Old Quarantined Content Automatically
Chapter 5 Updating Virus and Spam Definition Databases
Automatic Updates with F-Secure Automatic Update Agent
Appendix A Variables in Warning Messages
Appendix B Sending E-mail Alerts And Reports
B.2.2 Grant the Relay Permission on the New Scoped Connector
B.2.3 Specify SMTP Server for Alerts and Reports
Appendix C Troubleshooting
Checking F-Secure Anti-Virus for Microsoft Exchange
Checking F-Secure Anti-Virus for Microsoft Exchange Web Console
Technical Support
ABOUT THIS GUIDE
How This Guide Is Organized
Conventions Used in F-Secure Guides
How This Guide Is Organized
F-Secure Anti-Virus for Microsoft Exchange Administrator's Guide is divided into the following chapters:
Chapter 1. Using F-Secure Anti-Virus for Microsoft Exchange. Instructions on how to use and administer F-Secure Anti-Virus for Microsoft Exchange.
Chapter 2. Centrally Managed Administration. Instructions on how to remotely administer F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server when they have been installed in centralized administration mode.
Chapter 3. Administration with Web Console. Instructions on how to administer F-Secure Anti-Virus for Microsoft Exchange with the Web Console.
Chapter 4. Quarantine Management. Instructions on how you can manage and search quarantined mails with the F-Secure Anti-Virus for Microsoft Exchange Web Console.
Chapter 5. Updating Virus and Spam Definition Databases. Instructions on how to update your virus definition database.
Appendix A. Variables in Warning Messages. Lists variables that can be included in virus warning messages.
Appendix B. Sending E-mail Alerts And Reports. Instructions on how to configure the product to send alerts to the administrator by e-mail.
Appendix C. Troubleshooting. Solutions to some common problems.
Technical Support. Contains the contact information for assistance.
Describes the company background and products.
See the F-Secure Policy Manager Administrator's Guide for detailed information about installing and using the F-Secure Policy Manager components:
F-Secure Policy Manager Console, the tool for remote administration of F-Secure Anti-Virus for Microsoft Exchange.
F-Secure Policy Manager Server, which enables communication between F-Secure Policy Manager Console and the managed systems.
Conventions Used in F-Secure Guides
This section describes the symbols, fonts, and terminology used in this manual.
Symbols
WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.
IMPORTANT: An exclamation mark provides important information that you need to consider.
REFERENCE - A book refers you to related information on the topic available in another document.
NOTE - A note provides additional information that you should consider.
TIP - A tip provides information that can help you perform a task more quickly or easily.
An arrow indicates a one-step procedure.
Fonts
Arial bold (blue) is used to refer to menu names and commands, to buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book titles, and titles of other manuals.
Arial Italics (black) is used for file and folder names, for figure and table captions, and for directory tree names.
Courier New is used for messages on your computer screen.
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your keyboard.
Arial underlined (blue) is used for user interface links.
Arial italics is used for window and dialog box names.
PDF Document
This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe®
Acrobat® Reader. When printing the manual, please print the entire manual, including the copyright and disclaimer statements.
For More Information
Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and support contacts.
In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at [email protected].
CHAPTER 1
Using F-Secure Anti-Virus for Microsoft Exchange
Administering F-Secure Anti-Virus for Microsoft Exchange
Using Web Console
Using F-Secure Policy Manager Console
1.1 Administering F-Secure Anti-Virus for Microsoft Exchange
F-Secure Anti-Virus for Microsoft Exchange can be used either in the stand-alone mode or in the centrally administered mode, based on your selections during the installation and the initial setup.
Centralized Administration Mode
In the centralized administration mode, you can administer F-Secure Anti-Virus for Microsoft Exchange with F-Secure Policy Manager.
You can use F-Secure Anti-Virus for Microsoft Exchange Web Console to monitor the status, start and stop the product, manage the quarantined content, and to configure settings that are not marked as Final in the F-Secure Policy Manager Console (settings marked as Final are greyed out in Web Console).
Stand-alone Mode
You can use F-Secure Anti-Virus for Microsoft Exchange Web Console to administer the product; monitor the status, modify settings, manage the quarantine and to start and stop the product if necessary.
1.2 Using Web Console
You can open F-Secure Anti-Virus for Microsoft Exchange Web Console in any of the following ways:
Go to Windows Start menu > Programs > F-Secure Anti-Virus for Microsoft Exchange > F-Secure Anti-Virus for Microsoft Exchange Web Console
Enter the address of F-Secure Anti-Virus for Microsoft Exchange and the port number in your web browser. Note that the protocol used is https. For example: https://127.0.0.1:25023
When the Web Console login page opens, enter your user name and the password and click Log In. Note that you must have administrator rights to the host where F-Secure Anti-Virus for Microsoft Exchange Web Console is installed.
1.2.1 Logging in for the First Time
Before you log in to the F-Secure Anti-Virus for Microsoft Exchange Web Console for the first time, check that JavaScript and cookies are enabled in the browser you use.
Microsoft Internet Explorer users: The address of the F-Secure Anti-Virus for Microsoft Exchange Web Console, https://127.0.0.1:25023/, should be added to the Trusted sites in Internet Explorer Security Options to ensure that F-Secure Anti-Virus for Microsoft Exchange Web Console works properly in all environments.
When you log in for the first time, your browser displays a Security Alert dialog window about the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console. You can create a security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console before logging in, and then install the certificate during the login process.
If your company has an established process for creating and storing certificates, follow that process to create and store the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console.
Step 1. Create the security certificate
1. Browse to the F-Secure Anti-Virus for Microsoft Exchange Web Console installation directory, for example:
C:\Program Files (x86)\F-Secure\Web User Interface\bin\
2. Locate the certificate creation utility, makecert.bat, and double click it to run the utility.
3. The utility creates a certificate that will be issued to all local IP addresses, and restarts the F-Secure Anti-Virus for Microsoft Exchange Web Console service to take the certificate into use.
4. Wait until the utility completes, and the window closes. Now you can proceed to logging in.
Step 2. Log in and install the security certificate
1. Open F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. The Security Alert about the F-Secure Anti-Virus for Microsoft Exchange Web Console certificate is displayed. If you install the certificate now, you will not see the Security Alert window again.
If you are using Internet Explorer 7, click Continue and then Certificate Error.
3. Click View Certificate to view the certificate information.
4. The Certificate window opens. Click Install Certificate to install the certificate with the Certificate Import Wizard.
5. The Certificate window opens. Click Install Certificate to proceed to the Certificate Import Wizard.
6. Follow the instructions in the Certificate Import Wizard.
If you are using Internet Explorer 7, in the Place all certificates in the following store selection, select the Trusted Root Certification Authorities store.
If you are using Internet Explorer 6, you are prompted to add the new certificate in the Certificate Root Store when the wizard has completed. Click Yes to do so.
7. If the Security Alert window is still displayed, click Yes to proceed or log back in to the F-Secure Anti-Virus for Microsoft Exchange Web Console.
8. When the login page opens, log in to Web Console with your user name and the password.
9. The Web Console displays the Getting Started page when you log in for the first time. You can check and configure the following information in the Getting Started page to complete the installation:
Internal domains and senders
E-mail alerts and reports
Database updates
Product updates
1.2.2 Modifying Settings and Viewing Statistics with Web Console
To change F-Secure Anti-Virus for Microsoft Exchange settings in stand-alone mode, open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select the variables you want to change from the left pane. For detailed explanations of all variables, see “Administration with Web Console”.
1.2.3 Checking the Product Status
You can check the overall product status on the Home page of F-Secure Anti-Virus for Microsoft Exchange Web Console. The Summary and Services tabs on the Home page display an overview of each component's status and the most important statistics of the installed F-Secure Anti-Virus for Microsoft Exchange components. From the Home page you can also open the product logs and proceed to configure the product components.
1.3 Using F-Secure Policy Manager Console
In the centralized administration mode, you can administer F-Secure Anti-Virus for Microsoft Exchange with F-Secure Policy Manager. To open F-Secure Policy Manager Console, select Windows Start menu > Programs > F-Secure Policy Manager Console.
When the Policy Manager Console opens, go to the Advanced Mode user interface by selecting View > Advanced Mode.
F-Secure Policy Manager Console is used to create policies for F-Secure Anti-Virus for Microsoft Exchange installations that are running on selected hosts or groups of hosts.
For detailed information on installing and using F-Secure Policy Manager console, see the F-Secure Policy Manager Administrator’s Guide.
1.3.1 Modifying Settings and Viewing Statistics in Centrally Administered Mode
To change F-Secure Anti-Virus for Microsoft Exchange settings in the centrally administered mode, follow these instructions:
1. Select F-Secure Anti-Virus for Microsoft Exchange from the Properties pane.
2. Make sure the Policy tab is selected and assign values to variables under the Settings branch.
3. Modify settings by assigning new values to the basic leaf node variables (marked by the leaf icons) shown in the Policy tab of the Properties pane. For detailed explanations of all variables, see “F-Secure Anti-Virus for Microsoft Exchange Settings”.
Initially, every variable has a default value, which is displayed in gray.
Select the variable from the Properties pane and enter the new value in the Editor pane to change it. You can either type the new value or select it from a list box.
Click Clear to revert to the default value or Undo to cancel the most recent change that has not been distributed.
Settings that are configured during the installation and the initial setup require that you select the Final check box from the Product View pane. For more information, see “Changing Settings That Have Been Modified During Installation or Upgrade”.
4. After you have modified settings and created a new policy, it must be distributed to hosts. Choose Distribute from the File menu.
5. After distributing the policy, you have to wait for F-Secure Anti-Virus for Microsoft Exchange to poll the new policy file. Alternatively, click Poll the server now in the Server Properties page in F-Secure Anti-Virus for Microsoft Exchange Web Console.
For testing purposes you may also want to change the polling intervals. To do that, select the domain in F-Secure Policy Manager console and set the Incoming Packages Polling Interval and Outgoing Packages Update Interval variables to 30-45 seconds. The variables are located under each of the two trees in the F-Secure Management Agent / Settings / Communications branch. Note that since the default polling interval is 10 minutes, it might take up to 10 minutes for the new setting to take effect.
To view statistics, select the Status tab of the Properties pane. Statistics are updated periodically and can be reset by choosing Reset Statistics on the Policy tab of the Properties pane. For more information, see “F-Secure Anti-Virus for Microsoft Exchange Statistics”.
To manage the quarantined content, use F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information, see “Quarantine Management”.
Changing Settings That Have Been Modified During Installation or Upgrade
If you want to change a setting that has been modified locally during installation or upgrade, you need to mark the setting as Final in the restriction editor. The settings descriptions in this manual indicate the settings for which you need to use the Final restriction. You can also check in F-Secure Policy Manager Console whether you need to use the Final restriction for a setting. Do the following:
1. Select the Policy tab and then select the setting you want to check.
2. Select the Status tab to see if the setting has been modified locally.
If the setting is shown in grayed font in the Status view, then the product uses the setting from the base policy and therefore the Final restriction is not needed.
If the setting is shown in normal black font, then the setting has been modified locally. You must mark the setting as Final when you change it.
CHAPTER 2
Centrally Managed Administration
Overview
F-Secure Anti-Virus for Microsoft Exchange Settings
F-Secure Anti-Virus for Microsoft Exchange Statistics
F-Secure Content Scanner Server Settings
F-Secure Content Scanner Server Statistics
F-Secure Management Agent Settings
F-Secure Automatic Update Agent Settings
2.1 Overview
If F-Secure Anti-Virus for Microsoft Exchange is installed in the centrally administered mode, F-Secure Anti-Virus for Microsoft Exchange is managed centrally with F-Secure Policy Manager.
You can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to manage the quarantined content and to configure settings that are not marked as Final in the F-Secure Policy Manager Console (settings marked as Final are greyed out in Web Console).
2.2 F-Secure Anti-Virus for Microsoft Exchange Settings
In the centralized administration mode, you can change settings and start operations using F-Secure Policy Manager Console. For more information, see “Using F-Secure Policy Manager Console”.
2.2.1 General Settings
Notifications
Specify Notification Sender Address that is used by F-Secure Anti-Virus for Microsoft Exchange for sending warning and informational messages to the end-users (for example, recipients, senders and mailbox owners).
Make sure that the notification sender address is a valid SMTP address. A public folder cannot be used as the notification sender address.
Network Configuration
The mail direction is based on the Internal Domains and Internal SMTP senders settings and it is determined as follows:
1. E-mail messages are considered internal if they come from internal SMTP sender hosts and mail recipients belong to one of the specified internal domains (internal recipients).
2. E-mail messages are considered outbound if they come from internal SMTP sender hosts and mail recipients do not belong to the specified internal domains (external recipients).
3. E-mail messages that come from hosts that are not defined as internal SMTP sender hosts are considered inbound.
4. E-mail messages submitted via MAPI or Pickup Folder are treated as if they are sent from the internal SMTP sender host.
If e-mail messages come from internal SMTP sender hosts and contain both internal and external recipients, messages are split and processed as internal and outbound respectively.
On Microsoft Exchange Server 2003, internal messages which are submitted via MAPI or Pickup Folder are not delivered via transport level. Therefore, those messages do not pass Transport Protection and they are checked on the storage level only.
To scan or filter messages from internal hosts on Microsoft Exchange Server 2003, use corresponding real-time scanning settings in the storage protection section.
Internal Domains
Specify internal domains. Messages coming to internal domains are considered to be inbound mail unless they come from internal SMTP sender hosts.
Separate each domain name with a space. You can use an asterisk (*) as a wildcard. For example, *example.com internal.example.net
Internal SMTP Senders
Specify the IP addresses of hosts that belong to your organization. Specify all hosts within the organization that send messages to Exchange Edge or Hub servers via SMTP as Internal SMTP Senders.
Separate each IP address with a space. An IP address range can be defined as:
a network/netmask pair (for example, 10.1.0.0/255.255.0.0), or
a network/nnn CIDR specification (for example, 10.1.0.0/16).
You can use an asterisk (*) to match any number or dash (-) to define a range of numbers. For example, 172.16.4.4 172.16.*.1 172.16.4.0-16 172.16.250-255.*
If end-users in the organization use an e-mail client other than Microsoft Outlook to send and receive e-mail, it is recommended to specify all end-user workstations as Internal SMTP Senders.
If the organization has Exchange Edge and Hub servers, the server with the Hub role installed should be added to the Internal SMTP Sender on the server where the Edge role is installed.
IMPORTANT: Do not specify the server where the Edge role is installed as Internal SMTP Sender.
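The direction rules and the Internal Domains / Internal SMTP Senders syntax described above, worked through as an added example (this is not F-Secure's code). The function names, the MAPI and PICKUP source labels, and the use of shell-style glob matching for the domain wildcard are assumptions made for illustration; the recipient addresses are constructed.

```python
"""Mail-direction rules from the Network Configuration section (illustrative)."""
import fnmatch
import ipaddress

# Settings strings in the manual's space-separated syntax (values from its examples).
INTERNAL_DOMAINS = "*example.com internal.example.net"
INTERNAL_SENDERS = ("10.1.0.0/255.255.0.0 172.16.4.4 172.16.*.1 "
                    "172.16.4.0-16 172.16.250-255.*")

# Assumed labels for messages submitted locally rather than over SMTP.
LOCAL_SUBMISSION = {"MAPI", "PICKUP"}


def octet_matches(pattern, value):
    """Match one dotted-quad field: '*', a single number, or a 'lo-hi' range."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = pattern.split("-", 1)
        return int(low) <= value <= int(high)
    return int(pattern) == value


def sender_matches(entry, ip):
    """True if IPv4 address `ip` is covered by one Internal SMTP Senders entry."""
    addr = ipaddress.IPv4Address(ip)
    if "/" in entry:
        # Handles both network/netmask and network/nnn (CIDR) notation.
        return addr in ipaddress.IPv4Network(entry, strict=False)
    fields = entry.split(".")
    if len(fields) != 4:
        raise ValueError("not a dotted-quad pattern: %r" % entry)
    # addr.packed yields the four octets as integers.
    return all(octet_matches(p, o) for p, o in zip(fields, addr.packed))


def is_internal_sender(source, senders=INTERNAL_SENDERS):
    """Rule 4: MAPI / Pickup Folder submissions count as an internal sender host."""
    if source in LOCAL_SUBMISSION:
        return True
    return any(sender_matches(entry, source) for entry in senders.split())


def is_internal_domain(domain, domains=INTERNAL_DOMAINS):
    """Assumption: '*' behaves like a shell glob and matching ignores case."""
    domain = domain.lower()
    return any(fnmatch.fnmatchcase(domain, pat.lower()) for pat in domains.split())


def classify(source, recipients, domains=INTERNAL_DOMAINS, senders=INTERNAL_SENDERS):
    """Return {direction: [recipients]}; mixed recipient lists are split."""
    if not is_internal_sender(source, senders):
        return {"inbound": list(recipients)}            # rule 3
    split = {}
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1]
        direction = "internal" if is_internal_domain(domain, domains) else "outbound"
        split.setdefault(direction, []).append(rcpt)    # rules 1 and 2
    return split


if __name__ == "__main__":
    # Constructed sample messages: (connecting host or submission path, recipients).
    samples = [
        ("172.16.4.4", ["alice@example.com", "bob@partner.test"]),
        ("203.0.113.9", ["alice@example.com"]),
        ("MAPI", ["carol@internal.example.net"]),
    ]
    for source, rcpts in samples:
        print(source, classify(source, rcpts))
```

Under the glob matching assumed here, the manual's sample pattern *example.com also matches a different domain such as otherexample.com, so every host name the pattern can match is treated as an internal recipient. Listing example.com and *.example.com as separate entries keeps the match to one domain and its subdomains.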
Lists and Templates
Match Lists
Specify file and match lists that can be used by other settings.
List name
Specify the name for the match list.
Type
Specify whether the list contains keywords, file patterns or e-mail addresses.
Filter
Specify file names, extensions, keywords or email addresses that the match list contains. You can use wildcards.
To add multiple patterns to the filter, add each list item to a new line.
Description
Specify a short description for the list.
Message Templates
Specify message templates for notifications.
Template name
Specify the name for the message template.
Subject line
Specify the subject line of the notification message.
Message body
Specify the notification message text.
For more information about the variables you can use in notification messages, see “Variables in Warning Messages”.
Quarantine
When the product places content to the Quarantine, it saves the content as separate files into the Quarantine Storage and inserts an entry to the Quarantine Database with information about the quarantined content.
Quarantine Storage
Specify the path to the Quarantine storage where all quarantined mails and attachments are placed.
If you change the Quarantine Storage setting, select the Final checkbox in the Restriction Editor to override initial settings.
During the installation, F-Secure Anti-Virus for Microsoft Exchange adjusts the access rights to the Quarantine Storage so that only the product, operating system and the local administrator can access it. If you change the Quarantine Storage setting, make sure that the new location has secure access permissions. For more information, see “Moving the Quarantine
Retain Items in Quarantine
Specify how long quarantined e-mails are stored in the Quarantine before they are deleted automatically.
The setting defines the default retention period for all Quarantine categories. To change the retention period for different categories, configure Quarantine Cleanup Exceptions settings.
Delete Old Items Every
Specify how often old items are deleted from the Quarantine.
The setting defines the default cleanup interval for all Quarantine categories. To change the cleanup interval for different categories, configure Quarantine Cleanup Exceptions settings.
Quarantine Cleanup Exceptions
Specify separate Quarantine retention periods and cleanup intervals for infected files, suspicious files, disallowed attachments, disallowed content, spam messages, scan failures and unsafe files.
Quarantine Size Threshold
Specify the critical size (in megabytes) of the Quarantine. If the Quarantine size reaches the specified value, the product sends an alert to the administrator.
If the threshold is specified as zero (0), the size of the Quarantine is not checked.
Quarantined Items Threshold
Specify the critical number of items in the Quarantine. When the Quarantine holds the critical number of items, the product sends an alert to the administrator.
If the threshold is specified as zero (0), the amount of items is not checked.
Notify When Quarantine Threshold is Reached
Specify the level of the alert that is sent to administrator when threshold levels are reached.
Released Quarantine Message Template
Specify the template for the message that is sent to the intended recipients when e-mail content is released from the quarantine. For more information, see “Lists and Templates”.
The product generates the message only when the item is removed from the Microsoft Exchange Server store and sends it automatically when you release the item to intended recipients.
Automatically Process Unsafe Messages
Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine. Set the value to Disabled to process unsafe messages manually.
Max Attempts to Process Unsafe Messages
Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine.
Use the Final Action on Unsafe Messages setting to specify the action that takes place if the message is retained in the Quarantine after the maximum attempts.
Final Action on Unsafe Messages
Specify the action on unsafe messages after the maximum number of reprocesses have been attempted.
Leave in Quarantine - Leave messages in the Quarantine and process them manually.
Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.
Quarantine Log Directory
Specify the path to the directory where Quarantine logfiles are placed.
Rotate Quarantine Logs Every
Specify how often the product rotates Quarantine logfiles. At the end of each rotation time a new log is created.
Keep Rotated Quarantine Logs
Specify how many rotated log files are kept.
Sample Submission
You can use the product to send samples of unsafe e-mails and new, yet undefined malware to F-Secure for analysis.
Max Submission Attempts
Specify how many times the product attempts to send the sample if the submission fails.
Resend Interval
Specify the time interval (in minutes) how long F-Secure Anti-Virus for Microsoft Exchange should wait before trying to send the sample again if the previous submission failed.
Connection Timeout
Specify the time (in seconds) how long the product tries to contact the F-Secure Hospital server.
Send Timeout
Specify the time (in seconds) how long the product waits for the sample submission to complete.
Content Scanner Server
Edit the Content Scanner Server settings to change the general content scanning options.
Max Size of Data Processed in Memory
Specify the maximum size (in kilobytes) of data to be transferred to the server via shared memory in the local interaction mode. When the amount of data exceeds the specified limit, a local temporary file will be used for data transfer.
If the option is set to zero (0), all data transfers via shared memory are disabled.
The setting is ignored if the local interaction mode is disabled.
Connection Timeout
Specify the time interval (in seconds) how long F-Secure Anti-Virus for Microsoft Exchange should wait for a response from F-Secure Content Scanner Server before it stops attempting to send or receive data.
Working directory
Specify the name and location of the working directory, where temporary files are placed.
IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.
During the installation, F-Secure Anti-Virus for Microsoft Exchange automatically adjusts the access rights so that only the operating system and the local administrator can access files in the Working directory. If you change this setting after the installation, make sure that the new folder has secure access permissions.
If F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center and the proxy server requires authentication, the proxy authentication settings can be configured with F-Secure Anti-Virus for Microsoft Exchange Web Console only. For more information, see “Proxy Server”.
2.2.2 Transport Protection
You can configure inbound, outbound and internal message protection separately. For more information about the mail direction and configuration options, see “Network Configuration”.
Attachment Filtering
Specify attachments to remove from inbound, outbound and internal messages based on the file name or the file extension.
Strip Attachments
Enable or disable the attachment stripping.
List of Attachments to Strip
Specify which attachments are stripped from messages. For more information, see “Lists and Templates”.
Use Exclusions
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Action on Stripped Attachments
Specify how disallowed attachments are handled.
Drop Attachment - Remove the attachment from the message and deliver the message to the recipient without the disallowed attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine Stripped Attachments
Specify whether stripped attachments are quarantined.
The default option is Enabled.
Do Not Quarantine These Attachments
Specify which files are not quarantined even when they are stripped. For more information, see “Lists and Templates”.
Send Notification Message to Recipient
Specify the template for the notification message that is sent to the intended recipient when a disallowed or suspicious attachment is found.
Note that the notification message is not sent if the whole message is dropped.
Send Notification Message to Sender
Specify the template for the notification message that is sent to the original sender of the message when a disallowed or suspicious attachment is found. For more information, see “Lists and Templates”.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
Do Not Notify on These Attachments
Specify attachments that do not generate notifications. When the product finds a specified file or file extension, no notification is sent.
Notify Administrator
Specify whether the administrator is notified when the product strips an attachment and the alert level of the notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Virus Scanning
Specify inbound, outbound and internal messages and attachments that should be scanned for malicious code.
Disabling virus scanning disables archive processing and grayware scanning as well.
Scan Messages for Viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
List of Attachments to Scan
Specify attachments that are scanned for viruses. For more information, see “Lists and
Use Exclusions
Specify attachments that are not scanned.
Leave the list empty if you do not want to exclude any attachments from the scan.
Heuristic Scanning
Enable or disable the heuristic scan. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
By default, the heuristic scan is enabled for inbound mails and disabled for outbound and internal mails.
The heuristic scan may affect the product performance and increase the risk of false malware alarms.
Attempt to Disinfect Infected Attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Action on Infected Messages
Specify whether to drop the infected attachment or the whole message when an infected message is found.
Drop Attachment - Remove the infected attachment from the message and deliver the message to the recipient without the attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine Infected Messages
Specify whether infected or suspicious messages are quarantined.
Do Not Quarantine These Infections
Specify infections that are never placed in the quarantine. If a message is infected with a virus or worm which has a name that matches a keyword specified in this list, the message is not quarantined. For more information, see “Lists and Templates”, 24.
Send Virus Notification Message to Recipient
Specify the template for the notification message that is sent to the intended recipient when a virus or other malicious code is found.
Note that the notification message is not sent if the whole message is dropped.
Send Virus Notification Message to Sender
Specify the template for the notification message that is sent to the original sender of the message when a virus or other malicious code is found.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
For more information, see “Lists and Templates”,
Do Not Notify on These Infections
Specify infections that do not generate notifications. When the product finds the specified infection, no notification is sent. For more information, see “Lists and Templates”, 24.
Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a virus in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in:
F-Secure Management Agent/Settings/Alerting.
Archive Processing
Specify how the product processes inbound, outbound and internal archive files.
Note that scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.
Archive processing is disabled when virus scanning is disabled.
Scan Archives
Specify whether files inside compressed archive files are scanned for viruses and other malicious code.
List of Files to Scan Inside Archives
Specify files inside archives that are scanned for viruses. For more information, see “Lists and
Use Exclusions
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scan.
Max Levels in Nested Archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Action on Max Nested Archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Action on Password Protected Archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Detect Disallowed Files Inside Archives
Specify whether files inside compressed archive files are processed for disallowed content.
Disallowed content is not processed when the archive scanning is disabled.
List of Disallowed Files to Detect Inside Archives
Specify files which are not allowed inside archives. For more information, see “Lists and
Action on Archives with Disallowed Files
Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Quarantine Dropped Archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine
Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange blocks a malformed, password protected, or overnested archive file.
If the archive is blocked because it contains malware, grayware or disallowed files, the administrator receives a notification about that instead of this notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in:
F-Secure Management Agent/Settings/Alerting.
Zero-Day Protection
Select whether Proactive Virus Threat Detection is enabled or disabled.
Proactive virus threat detection can identify new and unknown e-mail malware, including viruses and worms.
When proactive virus threat detection is enabled, the product analyzes e-mail messages for possible security threats. All possibly harmful messages are quarantined as unsafe.
Unsafe messages can be reprocessed periodically, as antivirus updates may confirm the unsafe message as safe or infected.
When proactive virus threat detection is disabled, mails are only scanned by antivirus engines.
Grayware Scanning
Specify how the product processes grayware items in inbound, outbound and internal messages.
Note that grayware scanning increases the scanning overhead. By default, grayware scanning is enabled for inbound messages only.
Grayware scanning is disabled when virus scanning is disabled.
Scan Messages for Grayware
Enable or disable the grayware scan.
The default value is Enabled for inbound messages and Disabled for outbound and internal messages.
Action on Grayware
Specify the action to take on items which contain grayware.
Pass Through - Leave grayware items in the message.
Drop Attachment - Remove grayware items from the message.
Drop the Whole Message - Do not deliver the message to the recipient.
Grayware Exclusion List
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.
Quarantine Dropped Grayware
Specify whether grayware attachments are quarantined.
Do Not Quarantine This Grayware
Specify grayware that is never placed in the quarantine. For more information, see “Lists and
Send Warning Message to Recipient
Specify the template for the notification message that is sent to the intended recipient when a grayware item is found in a message.
Note that the notification message is not sent if the whole message is dropped.
Send Warning Message to Sender
Specify the template for the notification message that is sent to the original sender of the message when a grayware item is found in a message.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
For more information, see “Lists and Templates”,
Do Not Notify on This Grayware
Specify the list of keywords for grayware types that are not notified about.
If the product finds a grayware item with a name that matches the keyword, the recipient and the sender are not notified about the grayware item found.
Leave the list empty if you do not want to exclude any grayware types from notifications.
Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a grayware item in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Content Filtering
Specify how F-Secure Anti-Virus filters disallowed content in inbound, outbound and internal messages.
Filter Disallowed Content
Specify whether e-mail messages are scanned for disallowed content.
Disallowed Keywords in Message Subject
Specify the list of disallowed keywords to check in e-mail message subjects. For more information, see “Using Keywords in Content
Disallowed Keywords in Message Text
Specify the list of disallowed keywords to check in e-mail message text. For more information, see “Using Keywords in Content Filtering”, 42.
Action on Disallowed Content
Specify the action to take on messages which contain disallowed keywords.
Report only - Deliver the message to the recipient and notify the administrator that the scanned message contained disallowed content.
Drop the whole message - Do not deliver the message to the recipient.
Quarantine - Quarantine the message with disallowed content.
Send Notification Message to Recipient
Specify whether recipients are notified when disallowed content is found.
Send Notification Message to Sender
Specify whether the original sender is notified when disallowed content is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “Lists and Templates”,
Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a message with disallowed content.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Using Keywords in Content Filtering
When the content filtering is enabled, all messages are checked against every keyword sequence that is specified in the selected list of keywords.
A keyword may contain any characters, including punctuation symbols, spaces, and other word separators. Keywords are case insensitive.
You can use the ‘?’ character in a keyword to match any character in that position in the keyword and ‘*’ to match any number of characters.
Keyword examples:
example
Matches any message text or subject that contains the word ‘example’.
another example
Matches any message text or subject that contains the ‘another example’ text. Words ‘another’ and ‘example’ have to be separated with exactly one space character.
co?p?rate
Matches any message text or subject that contains, for example, the words ‘corporate’ or ‘cooperate’.
another*example
Matches any message text or subject that contains words ‘another’ and ‘example’ separated with any number of characters. For example, ‘another example’ or ‘another keyword example’.
To represent the ‘?’ or ‘*’ characters themselves in keywords, use the ‘\?’ and ‘\*’ sequences respectively. To represent the ‘\’ character, use ‘\\’.
For example, to match the '*** SPAM ***' string, enter '\*\*\* spam \*\*\*'.
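The keyword rules above can be modelled offline to check a keyword list against sample subjects before the policy is distributed. This is an added example, not the product's matching code; it assumes "contains" means a substring match, and the sample subjects are constructed.

```python
import re


def keyword_to_regex(keyword):
    r"""Compile a content-filtering keyword into a regular expression.

    Rules taken from the text above:
      ?          matches any single character
      *          matches any number of characters
      \?  \*  \\ stand for the literal characters ? * \
    Everything else, spaces and punctuation included, is literal.
    """
    parts = []
    i = 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\":
            # Escape sequence: take the next character literally.
            # Assumption: a lone trailing backslash is a literal backslash.
            nxt = keyword[i + 1] if i + 1 < len(keyword) else "\\"
            parts.append(re.escape(nxt))
            i += 2
            continue
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            # Collapse runs of '*' so '***' does not create nested wildcards.
            if not parts or parts[-1] != ".*":
                parts.append(".*")
        else:
            parts.append(re.escape(ch))
        i += 1
    # Keywords are case insensitive; DOTALL lets wildcards span line breaks.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def keyword_matches(keyword, text):
    """True if the text contains a match for the keyword."""
    return keyword_to_regex(keyword).search(text) is not None


def audit_keyword_list(keywords, samples):
    """Map each keyword to the samples it matches, to spot over-broad entries."""
    return {kw: [s for s in samples if keyword_matches(kw, s)] for kw in keywords}


# Keywords from the manual, plus the unescaped form of the '*** SPAM ***' tag.
KEYWORDS = [
    "example",
    "another example",
    "co?p?rate",
    "another*example",
    r"\*\*\* spam \*\*\*",
    "*** spam ***",  # unescaped: every '*' is a wildcard
]

# Constructed sample subjects.
SAMPLE_SUBJECTS = [
    "Our corporate travel policy",
    "Please cooperate with the audit",
    "another example",
    "another  example",  # two spaces
    "Another keyword EXAMPLE attached",
    "*** SPAM *** cheap watches",
    "Weekly spam report",
]

if __name__ == "__main__":
    for kw, hits in audit_keyword_list(KEYWORDS, SAMPLE_SUBJECTS).items():
        print(f"{kw!r}: {hits}")
```

The last keyword shows why the escapes matter: without them the entry matches any subject containing ' spam ', not only subjects carrying the tag.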
Spam Control
Change the settings in F-Secure Anti-Virus for Microsoft Exchange / Settings / Transport Protection / Inbound Mail / Spam Control to configure how F-Secure Anti-Virus for Microsoft Exchange scans incoming mail for spam.
You can configure Spam Control settings for inbound messages only, and only if F-Secure Spam Control is installed.
The threat detection engine of F-Secure Anti-Virus for Microsoft Exchange can identify spam and virus patterns from the message envelope, headers and body during the first minutes of the new spam or virus outbreak.
These settings are used only if F-Secure Spam Control is installed with the product. Otherwise they will be ignored.
Spam Filtering
Specify whether inbound mails are scanned for spam.
Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering. For information on configuring Realtime Blackhole Lists, consult the F-Secure Anti-Virus for Microsoft Exchange Deployment Guide.
Heuristic Spam Analysis
Specify whether heuristic spam analysis is used to filter inbound mails for spam.
If you enable the heuristic spam analysis, all messages that the threat detection engine does not classify as spam are further analyzed for spam. When the heuristic spam analysis is disabled, only the threat detection engine filters messages for spam.
Heuristic spam analysis slows down the performance but improves the spam detection rate.
Spam Filtering Level
Specify the spam filtering level. All messages with the spam filtering level lower than the specified value can pass through.
Decreasing the level allows less spam to pass, but more regular mails may be falsely identified as spam. Increasing the level allows more spam to pass, but a smaller number of regular e-mail messages are falsely identified as spam.
For example, if the spam filtering level is set to 3, more spam is filtered, but also more regular mails may be falsely identified as spam. If the spam filtering level is set to 7, more spam may pass undetected, but a smaller number of regular mails will be falsely identified as spam.
Action on Spam Messages
Specify actions to take with messages considered as spam, based on the spam filtering level.
Quarantine - Place the message into the quarantine folder.
Forward - Forward the message to the e-mail address specified in the Forward Spam Messages To E-mail Address setting.
Delete - Delete the message.
Add X-Header with Spam Flag
Specify if a spam flag is added to the mail as the X-Spam-Flag header in the following format:
X-Spam-Flag:<flag>
where <flag> is YES or NO.
Add X-Header with Summary
Specify if the summary of triggered hits is added to the mail as X-Spam-Status header in the following format:
X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
where
<flag> is Yes or No,
<scr> is the spam confidence rating returned by the spam scanner,
<sfl> is the current spam filtering level,
<tests> is the comma-separated list of tests run against the mail.
Modify Spam Message Subject
Specify if the product modifies the subject of mail messages considered as spam.
The default value is Enabled.
Add This Text to Spam Message Subject
Specify the text that is added in the beginning of the subject of messages considered as spam.
The default value is *** SPAM ***.
Forward Spam Messages To E-mail Address
Specify the e-mail address where messages considered as spam are forwarded when the Action on Spam Messages setting is set to Forward.
Safe Senders
Specify safe senders. Messages originating from the specified addresses are never treated as spam.
Blocked Senders
Specify blocked senders. Messages originating from the specified addresses are always treated as spam.
Safe Recipients
Specify safe recipients. Messages sent to the specified addresses are never treated as spam.
Blocked Recipients
Specify blocked recipients. Messages sent to the specified addresses are always treated as spam.
The product checks the sender address from the SMTP message envelope, not from the message headers.
Max Message Size
Specify the maximum size (in kilobytes) of messages to be scanned for spam. If the size of the message exceeds the maximum size, the message is not filtered for spam.
Since all spam messages are relatively small in size, it is recommended to use the default value.
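A downstream consumer of the X-Spam-Flag and X-Spam-Status headers described under Spam Control (a mailbox rule, a log pipeline) can parse them strictly and report anything that does not fit the documented format. This is an added example, not F-Secure code; it assumes the rating and level are plain decimal numbers and that a message counts as spam when the rating is not lower than the level, and the test names and messages are constructed.

```python
import re
from email import message_from_string

# Documented format: "<flag>, hits=<scr> required=<sfl> tests=<tests>"
# Assumption: <scr> and <sfl> are plain decimal numbers.
_NUM = r"-?\d+(?:\.\d+)?"
STATUS_RE = re.compile(
    rf"^(?P<flag>Yes|No), ?hits=(?P<hits>{_NUM}) "
    rf"required=(?P<req>{_NUM}) tests=(?P<tests>.*)$",
    re.IGNORECASE,
)


def _unfold(value):
    """Join a folded header value into one line with single spaces."""
    return " ".join(str(value).split())


def parse_spam_headers(raw_message):
    """Return the spam verdict carried by a message plus any format problems."""
    msg = message_from_string(raw_message)
    out = {"flag": None, "hits": None, "required": None, "tests": [], "problems": []}
    flags = [_unfold(v).upper() for v in msg.get_all("X-Spam-Flag", [])]
    statuses = [_unfold(v) for v in msg.get_all("X-Spam-Status", [])]

    # With two copies there is no way to tell which one the scanner added,
    # so this example refuses to report a verdict at all.
    if len(flags) > 1 or len(statuses) > 1:
        out["problems"].append("duplicate spam header")
        return out

    status_flag = None
    if statuses:
        m = STATUS_RE.match(statuses[0])
        if m is None:
            out["problems"].append("malformed X-Spam-Status")
        else:
            status_flag = m.group("flag").upper()
            out["hits"] = float(m.group("hits"))
            out["required"] = float(m.group("req"))
            out["tests"] = [t.strip() for t in m.group("tests").split(",") if t.strip()]
            # Assumed reading of the manual: a rating lower than the level passes.
            if (out["hits"] >= out["required"]) != (status_flag == "YES"):
                out["problems"].append("flag disagrees with score")

    if flags:
        if flags[0] not in ("YES", "NO"):
            out["problems"].append("malformed X-Spam-Flag")
        else:
            out["flag"] = flags[0]
            if status_flag and status_flag != flags[0]:
                out["problems"].append("X-Spam-Flag and X-Spam-Status disagree")
    elif status_flag:
        out["flag"] = status_flag
    return out


# Constructed sample messages; TEST_A and TEST_B are placeholder test names.
SAMPLE_CLEAN = "\n".join([
    "From: alice@example.com", "Subject: minutes",
    "X-Spam-Flag: NO",
    "X-Spam-Status: No, hits=1 required=5 tests=TEST_A",
    "", "body"])
SAMPLE_SPAM = "\n".join([
    "From: bob@example.com", "Subject: *** SPAM *** offer",
    "X-Spam-Flag:YES",
    "X-Spam-Status: Yes, hits=8 required=5",
    " tests=TEST_A,TEST_B",  # folded continuation line
    "", "body"])
SAMPLE_DUPLICATE = "\n".join([
    "From: carol@example.com",
    "X-Spam-Flag: NO", "X-Spam-Flag: YES",
    "", "body"])
SAMPLE_INCONSISTENT = "\n".join([
    "From: dave@example.com",
    "X-Spam-Flag: NO",
    "X-Spam-Status: No, hits=9 required=5 tests=TEST_A",
    "", "body"])

if __name__ == "__main__":
    for name in ("SAMPLE_CLEAN", "SAMPLE_SPAM", "SAMPLE_DUPLICATE", "SAMPLE_INCONSISTENT"):
        print(name, parse_spam_headers(globals()[name]))
```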
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Mail Disclaimer
When the disclaimer is enabled, a disclaimer text is added to all outbound messages.
You can configure Mail Disclaimer settings for outbound messages only.
IMPORTANT: Some malware add disclaimers to infected messages, so disclaimers should not be used for stating that the message is clean of malware.
Add Disclaimer
Specify whether you want to add a disclaimer to all outbound messages.
Disclaimer
Specify the text of the disclaimer that is added at the end of outbound messages.
Security Options
Configure security options to limit actions on malformed and suspicious messages.
Action on Malformed Mails
Specify the action for non-RFC compliant e-mails. If the message has an incorrect structure, the product cannot parse the message reliably.
Drop the Whole Message - Do not deliver the message to the recipient.
Pass Through - The product allows the message to pass through.
Pass Through and Report - The product allows the message to pass through, but sends a report to the administrator.
Max Levels of Nested Messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Action on Mails with Exceeding Nesting Levels
Specify the action to take on messages with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.
Drop the Whole Message - Messages with exceeding nesting levels are not delivered to the recipient.
Pass Through - Nested messages are scanned up to level specified in the Max Levels of Nested Messages setting. Exceeding nesting levels are not scanned, but the message is delivered to the recipient.
Quarantine Problematic Messages
Specify if mails that contain malformed or broken attachments are quarantined for later analysis or recovery.
Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange detects a malformed or a suspicious e-mail message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Trusted Senders and Recipients
You can use trusted senders and recipients lists to exclude some messages from the mail scanning and processing completely.
Trusted Senders
Specify senders who are excluded from the mail scanning and processing.
Trusted Recipients
Specify recipients who are excluded from the mail scanning and processing.
2.2.3 Storage Protection
Edit general Storage Protection settings to configure how mailboxes and public folders are scanned in the Exchange Store with real-time, manual and scheduled scanning.
Real-Time Scanning
The real-time scanning can automatically scan messages that have been created or received.
General
Specify which messages you want to scan during the real-time scanning.
Scan Only Messages Created Within
Specify which messages are scanned with the real-time scanning, for example: Last hour, Last day, Last week. Messages that have been created before the specified time are not scanned.
This setting works only with Microsoft Exchange Server 2007 or 2010.
Scan Timeout
Specify how long to wait for the real-time scan result. After the specified time, the client that tries to access the scanned message gets the "virus scanning in progress" notification.
Attachment Filtering
Attachment filtering can remove attachments from messages in the Microsoft Exchange Storage based on the file name or the file extension of the attachment.
Process Mailboxes
Specify mailboxes that are filtered for attachments.
Disabled - Do not filter any mailboxes for attachments.
Process All Mailboxes - Filter attachments in all mailboxes.
Process Only Included Mailboxes - Filter attachments in the Included Mailboxes list.
Process All Except Excluded Mailboxes - Do not filter attachments in the Excluded Mailboxes list but process all other mailboxes.
Included Mailboxes
Specify mailboxes that are filtered for attachments when the Process Mailboxes setting is set to Process Only Included Mailboxes.
Excluded Mailboxes
Specify mailboxes that are not filtered for attachments when the Process Mailboxes setting is set to Process All Except Excluded Mailboxes.
Process Public Folders
Specify public folders that are filtered for attachments.
Disabled - Do not filter any public folders for attachments.
Process All Folders - Filter attachments in all public folders.
Process Only Included Folders - Filter attachments in the Included Folders list.
Process All Except Excluded Folders - Do not filter attachments in the Excluded Folders list but process all other public folders.
Included Folders
Specify public folders that are filtered for attachments when the Process Public Folders setting is set to Process Only Included Folders.
Excluded Folders
Specify public folders that are not filtered for attachments when the Process Public Folders setting is set to Process All Except Excluded Folders.
List of Attachments to Strip
Specify the list of attachments that are stripped from messages. For more information, see “Lists and Templates”, 24.
Use Exclusions
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from filtering.
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify attachments which are not quarantined even when they are stripped.
For more information, see “Match Lists”, 24.
Replacement text template
Specify the template for the text that replaces the suspicious or disallowed attachment when the attachment is removed from the message.
For more information, see “Message
Virus Scanning
Specify messages and attachments in the Microsoft Exchange Storage that should be scanned for malicious code.
Disabling virus scanning disables archive processing and grayware scanning as well.
Scan Mailboxes
Specify mailboxes that are scanned for viruses.
Disabled - Do not scan any mailboxes.
Scan All Mailboxes - Scan all mailboxes.
Scan Only Included Mailboxes - Scan mailboxes specified in the Included Mailboxes list.
Scan All Except Excluded Mailboxes - Scan all mailboxes except those specified in the Excluded Mailboxes list.
Included Mailboxes
Specify mailboxes that are scanned for viruses when the Scan Mailboxes setting is set to Scan Only Included Mailboxes.
Excluded Mailboxes
Specify mailboxes that are not scanned when the Scan Mailboxes setting is set to Scan All Except Excluded Mailboxes.
Scan Public Folders
Specify public folders that are scanned for viruses.
Disabled - Do not scan any public folders.
Scan All Folders - Scan all public folders.
Scan Only Included Folders - Scan public folders specified in the Included Folders list.
Scan All Except Excluded Folders - Scan all public folders except those specified in the Excluded Folders list.
IMPORTANT: You need to specify the primary SMTP address for the account which is used to scan items in public folders on Microsoft Exchange 2010. The user account must have permissions to access and modify items in the public folders. For more information, see
Included Folders
Specify public folders that are scanned for viruses when the Scan Public Folders setting is set to Scan Only Included Folders.
Excluded Folders
Specify public folders that are not scanned when the Scan Public Folders setting is set to Scan All Except Excluded Folders.
List of Attachments to Scan
Specify attachments that are scanned for viruses. For more information, see “Lists and
Use Exclusions
Specify attachments that are not scanned.
Leave the list empty if you do not want to exclude any attachments from the scan.
Attempt to Disinfect Infected Attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine Infected Attachments
Specify whether infected and suspicious attachments are quarantined.
Do Not Quarantine This Infections
Specify infections that are never placed in the quarantine. For more information, see “Lists and
Replacement Text Template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 24.
Archive Processing
Specify how the product processes archive files in Microsoft Exchange Storage.
Archive processing is disabled when virus scanning is disabled.
Scan Archives
Specify if files inside archives are scanned for viruses and other malicious code.
List of Files to Scan Inside Archives
Specify files that are scanned for viruses inside archives.
Use Exclusions
Specify files inside archives that are not scanned. Leave the list empty if you do not want to exclude any files from the scan.
Max Levels in Nested Archives
Specify how many levels deep to scan in nested archives, if Scan Viruses Inside Archives is enabled.
A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited.
Specify the number of levels the product goes through before the action selected in Action on Max Nested Archives takes place. The default setting is 3.
Action on Max Nested Archives
Specify the action to take on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop Archive - Archives with exceeding nesting levels are removed.
Action on Password Protected Archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.
Quarantine Dropped Archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine
Grayware Scanning
Specify how the product processes grayware items in Microsoft Exchange Storage.
Grayware scanning is disabled when virus scanning is disabled.
Scan Messages for Grayware
Enable or disable the grayware scan.
Action on Grayware
Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware Exclusion List
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.
Quarantine Dropped Grayware
Specify whether grayware attachments are quarantined.
Do Not Quarantine These Grayware
Specify grayware that are never placed in the quarantine. For more information, see “Lists and
Replacement Text Template
Specify the template for the text that replaces the grayware attachment when the grayware attachment is removed from the message. For more information, see “Lists and Templates”, 24.
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Manual Scanning
You can scan mailboxes and public folders for viruses and strip attachments manually at any time. To manually scan mailboxes and public folders you have specified in the settings, follow these instructions:
1. Browse to the F-Secure Anti-Virus for Microsoft Exchange / Operations / Manual Scanning branch in F-Secure Policy Manager Console.
2. Click Start.
3. Distribute the policy.
If you want to stop the manual scan in the middle of the scanning process, click Stop and distribute the policy.
General
Specify which messages you want to scan during the manual scan.
Scan Mailboxes
Specify mailboxes that are scanned for viruses.
Disabled - Do not scan any mailboxes.
Scan All Mailboxes - Scan all mailboxes.
Scan Only Included Mailboxes - Scan mailboxes specified in the Included Mailboxes list.
Scan All Except Excluded Mailboxes - Scan all mailboxes except those specified in the Excluded Mailboxes list.
Included Mailboxes
Specify mailboxes that are scanned for viruses when the Scan Mailboxes setting is set to Scan Only Included Mailboxes.
Excluded Mailboxes
Specify mailboxes that are not scanned when the Scan Mailboxes setting is set to Scan All Except Excluded Mailboxes.
Scan Public Folders
Specify public folders that are scanned for viruses.
Disabled - Do not scan any public folders.
Scan All Folders - Scan all public folders.
Scan Only Included Folders - Scan public folders specified in the Included Folders list.
Scan All Except Excluded Folders - Scan all public folders except those specified in the Excluded Folders list.
IMPORTANT: You need to specify the primary SMTP address for the account which is used to scan items in public folders on Microsoft Exchange 2010. The user account must have permissions to access and modify items in the public folders. For more information, see
Included Folders
Specify public folders that are scanned for viruses when the Scan Public Folders setting is set to Scan Only Included Folders.
Excluded Folders
Specify public folders that are not scanned when the Scan Public Folders setting is set to Scan All Except Excluded Folders.
Incremental Scanning
Specify which messages are scanned for viruses during the manual scan.
All Messages - Scan all messages.
Only Recent Messages - Scan only messages that have not been scanned during the previous manual or scheduled scan.
Attachment Filtering
Specify attachments that are removed from messages during the manual scan.
Strip Attachments Enable or disable the attachment stripping.
List of Attachments to Strip
Specify which attachments are stripped from messages. For more information, see “Lists and
Use Exclusions
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Quarantine Stripped Attachments
Specify whether stripped attachments are quarantined.
Do Not Quarantine These Attachments
Specify which files are not quarantined even when they are stripped. For more information, see “Lists and Templates”, 24.
Replacement Text Template
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “Lists and Templates”, 24.
Virus Scanning
Specify messages and attachments that should be scanned for malicious code during the manual scan.
Scan Messages for Viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
List of Attachments to Scan
Specify attachments that are scanned for viruses. For more information, see “Lists and
Use Exclusions
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scan.
Heuristic Scanning
Enable or disable the heuristic scan. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
Heuristic scanning may affect the product performance and increase the risk of false malware alarms.
Attempt to Disinfect Infected Attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine Infected Attachments
Specify whether infected or suspicious attachments are quarantined.
Do Not Quarantine These Infections
Specify infections that are never placed in the quarantine. If a message is infected with a virus or worm which has a name that matches a keyword specified in this list, the message is not quarantined. For more information, see “Lists and Templates”, 24.
Replacement Text Template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 24.
Archive Processing
Specify how the product processes archive files during the manual scan.
Scan Archives
Specify if files inside archives are scanned for viruses and other malicious code.
List of Files to Scan Inside Archives
Specify files that are scanned for viruses inside archives.
Use Exclusions
Specify files inside archives that are not scanned. Leave the list empty if you do not want to exclude any files from the scan.
Max Levels in Nested Archives
Specify how many levels deep to scan in nested archives, if Scan Viruses Inside Archives is enabled.
A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited.
Specify the number of levels the product goes through before the action selected in Action on Max Nested Archives takes place. The default setting is 3.
Action on Max Nested Archives
Specify the action to take on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to the level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop Archive - Archives with exceeding nesting levels are removed.
Action on Password Protected Archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.
Detect Disallowed Files Inside Archives
Specify whether files inside compressed archive files are processed for disallowed content.
List of Disallowed Files to Detect inside Archives
Specify files which are not allowed inside archives. For more information, see “Lists and
Action on Archives with Disallowed Files
Specify the action to take on archives which contain disallowed files.
Pass through - Leave the archive in the message.
Drop archive - Remove the archive from the message.
Quarantine Dropped Archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine
Grayware Scanning
Specify how the product processes grayware items during the manual scan.
Scan Messages for Grayware
Enable or disable the grayware scan.
Action on Grayware Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware Exclusion List
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.
Quarantine Dropped Grayware
Specify whether grayware attachments are quarantined.
Do Not Quarantine This Grayware
Specify grayware that is never placed in the quarantine. For more information, see “Lists and
Replacement Text Template
Specify the template for the text that replaces the grayware attachment when the grayware attachment is removed from the message. For more information, see “Lists and Templates”, 24.
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Advanced
Configure how to handle nested messages and specify the administrator account to scan public folders.
Max Levels of Nested Messages
Specify how many levels deep to scan in nested e-mail messages.
A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Admin User Credentials
Specify the primary SMTP address for the account which is used to scan items in public folders. The user account must have permissions to access and modify items in the public folders.
The setting is used on Microsoft Exchange 2010 platform only and affects manual, realtime, and scheduled storage scanning. If you do not specify any address, public folders in Exchange Store cannot be accessed or even listed.
Scheduled Scanning
You can schedule scan tasks to scan mailboxes and public folders periodically. The scheduled scanning table displays all scheduled tasks and the date and time when the next scheduled task occurs.
To deactivate scheduled tasks in the list, clear the Active checkbox in front of the task. Check the checkbox to make it active again.
Click Add to add a new scheduled task to the list.
To duplicate a task, select it from the list and click Copy.
To edit a previously created task, click Edit.
To remove the selected task from the list, click Clear Row.
Click Clear Table to remove all tasks from the list.
Force Row enforces the current scheduled task to be active in all subdomains and hosts. Force Table enforces all current scheduled tasks to be active in all subdomains and hosts.
Creating Scheduled Task
Start the Scheduled Task Wizard by clicking Add.
Step 1. General Properties
Enter the name for the new task and select how frequently you want the operation to be performed.
Task name Specify the name of the scheduled operation.
Do not use any special characters in the task name.
Perform this task Specify how frequently you want the operation to be performed.
Once - Only once at the specified time.
Daily - Every day at the specified time, starting from the specified date.
Weekly - Every week at the specified time on the same day when the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date when the first operation is scheduled to start.
Start time
Enter the start time of the task in hh:mm format.
Start date
Enter the start date of the task in mm/dd/yyyy format.
Step 2. Mailboxes
Choose which mailboxes are processed during the scheduled operation.
Mailboxes Specify mailboxes that are processed during the scheduled scan.
Do not scan mailboxes - Disable the mailbox scanning.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Add or Remove to edit mailboxes that are scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all others. Click Add or Remove to edit mailboxes that are not scanned.
The format to enter the included or excluded mailbox is the username, for example: user1
Step 3. Public Folders
Choose which public folders are processed during the scheduled operation.
Public folders Specify public folders that are processed during the scheduled scan.
Do not scan public folders - Disable the public folder scanning.
Scan all public folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Add or Remove to edit public folders that are scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all others. Click Add or Remove to edit public folders that are not scanned.
The format to enter the included or excluded public folder is the name of the public folder.
IMPORTANT: You need to specify the primary SMTP address for the account which is used to scan items in public folders on Microsoft Exchange 2010. The user account must have permissions to access and modify items in the public folders. For more information, see
Step 4. Attachment Filtering
Choose settings for stripping attachments during the scheduled operation.
Strip attachments from e-mail messages
Enable or disable the attachment stripping.
Targets
Strip these attachments
Specify which attachments are stripped from messages. For more information, see “Lists and
Exclude these attachments from stripping
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Actions
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify file names and file extensions which are not quarantined even when they are stripped. For more information, see “Lists and Templates”,
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “Lists and Templates”, 24.
Step 5. Virus Scanning
Choose settings for virus scanning during the scheduled operation.
Scan messages for viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
General Options
Heuristic Scanning Enable or disable the heuristic scanning. The heuristic scanning analyzes files for suspicious code behavior so that the product can detect unknown malware.
Heuristic scanning may affect the product performance and increase the risk of false malware alarms.
Targets
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “Lists and
Exclude these attachments from scanning
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect infected attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected attachments
Specify whether infected or suspicious messages are quarantined.
Do not quarantine these infections
Specify infections that are never placed in the quarantine. For more information, see “Lists and
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 24.
Step 6. Grayware Scanning
Choose settings for grayware scanning during the scheduled operation.
Scan messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “Lists and
Quarantine grayware Specify whether grayware attachments are quarantined.
Do not quarantine this grayware
Specify grayware that is never placed in the quarantine. For more information, see “
Notifications
Replacement text template
Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “Lists and
Step 7. Archive Processing
Choose settings for stripping attachments during the scheduled operation.
Scan archives Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives
Specify files inside archives that are scanned for viruses. For more information, see “Lists and
Exclude these files
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Max levels in nesting archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives
Specify whether files inside compressed archive files are processed for disallowed content.
Disallowed content is not processed when the archive scanning is disabled.
Actions
Action on archives with disallowed files
Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without the archive.
Action on max nested archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine
Step 8. Processing Options
Choose advanced processing options for all the messages processed during the scheduled operation.
Processing options
Incremental scanning Specify whether you want to process all messages or only those messages that have not been processed previously during the manual or scheduled processing.
Max levels of nested messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
File type recognition
Use intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
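Why recognizing the real file type matters for an attachment strip list, as an added Python example (not the product's recognition engine). The space-separated list with * and ? wildcards follows the syntax this guide gives for extension lists; the magic-number table, the function names, the strip list and the sample attachments are assumptions constructed for illustration.

```python
import re

# Leading bytes -> canonical extension (small illustrative subset, assumed).
MAGIC = [
    (b"MZ", "EXE"),                                  # Windows PE/DOS executable
    (b"\x7fELF", "ELF"),                             # Unix executable
    (b"PK\x03\x04", "ZIP"),                          # ZIP container
    (b"%PDF-", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "DOC"),    # OLE2 compound file
]

# Constructed sample data, not taken from the guide.
STRIP_LIST = "EXE COM SCR"
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),   # executable renamed to .pdf
    ("report.pdf", b"%PDF-1.4\n"),
]


def compile_list(spec):
    """Turn a space-separated list such as "DO? *ML" into regexes.

    Only * (any run of characters) and ? (exactly one character) are
    special; matching is case-insensitive and covers the whole extension.
    """
    patterns = []
    for item in spec.split():
        body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                       for c in item)
        patterns.append(re.compile(body, re.IGNORECASE))
    return patterns


def extension_on_list(spec, ext):
    """True if the extension matches any entry of the list."""
    return any(p.fullmatch(ext) for p in compile_list(spec))


def declared_extension(filename):
    """Extension taken from the name only, as a name-based filter sees it."""
    _, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def recognized_extension(content):
    """Extension implied by the leading bytes, or None if unknown."""
    for magic, ext in MAGIC:
        if content.startswith(magic):
            return ext
    return None


def should_strip(filename, content, strip_spec, recognize=True):
    """Return (decision, reason) for one attachment."""
    ext = declared_extension(filename)
    if extension_on_list(strip_spec, ext):
        return True, f"declared extension {ext!r} is on the strip list"
    if recognize:
        real = recognized_extension(content)
        if real and extension_on_list(strip_spec, real):
            return True, f"content is {real} despite the name {filename!r}"
    return False, "not on the strip list"


if __name__ == "__main__":
    for name, data in SAMPLES:
        for recognize in (False, True):
            print(name, "recognition", recognize,
                  should_strip(name, data, STRIP_LIST, recognize))
```

With recognition off, the renamed executable passes the name-based list; with it on, the same list catches it at the cost of inspecting every attachment's content.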
Step 9. Summary
The Scheduled Task Wizard displays the summary of the created operation.
Click Finish to accept the new scheduled operation and to exit the wizard.
2.3 F-Secure Anti-Virus for Microsoft Exchange Statistics
To view statistics, open the Status tab from the Properties pane and open the Statistics subtree. It displays statistics for the host for each F-Secure Anti-Virus for Microsoft Exchange installation. If a policy domain is selected, the Status view displays the number of hosts in the domain and which hosts are disconnected from F-Secure Policy Manager.
Resetting Statistics
You can reset statistics by using controls under the F-Secure Anti-Virus for Microsoft Exchange / Operations branch.
To reset transport scanning statistics, follow these instructions:
1. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Transport Statistics / Statistics to Reset branch.
2. Set statistics you want to reset to Yes.
3. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Transport Statistics / Reset branch.
4. Click Start in the Editor pane.
To reset storage scanning statistics, follow these instructions:
1. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Storage Statistics / Statistics to Reset branch.
2. Set Real-Time Scanning to Yes.
3. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Storage Statistics / Reset branch.
4. Click Start in the Editor pane.
The Status above the button displays "Operation still in progress" until the program reports that statistics have been reset.
2.3.1 Common
Version
Displays the F-Secure Anti-Virus for Microsoft Exchange version number.
Previous Reset of Statistics
Displays the last date and time when the statistics were reset.
MIB Version
Displays the MIB version number.
Installation Directory
Displays the complete path where F-Secure Anti-Virus for Microsoft Exchange is installed.
Build
Displays the F-Secure Anti-Virus for Microsoft Exchange build number.
Common
Displays the product name and lists all installed hotfixes.
Status
Displays whether F-Secure Anti-Virus for Microsoft Exchange is running (started), stopped, or whether the current status of the agent is unknown.
2.3.2 Transport Protection
You can view the inbound, outbound and internal message statistics separately.
Previous Reset of Statistics
Displays the date and time of the last reset of statistics.
Number of Processed Messages
Displays the total number of processed messages since the last reset of statistics.
Number of Infected Messages
Displays the number of messages with attachments that are infected and cannot be automatically disinfected.
Number of High & Medium Virus Risk Messages
Displays the number of messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a virus outbreak.
Number of Grayware Messages
Displays the number of messages that have been found to contain grayware.
Number of Suspicious Messages
Displays the number of suspicious content found, for example password-protected archives, nested archives and malformed messages.
Number of Stripped Attachments
Displays the number of filtered attachments.
Number of Filtered Messages
Displays the number of messages that have been found to contain disallowed keywords in the message subject or text.
Number of Spam Messages
Displays the number of messages that are classified as spam.
Last Infection Found Displays the name of the last infection found.
Last Time Infection Found
Displays the time when the last infection was found.
2.3.3 Storage Protection
Common
Number of Mailboxes Displays the number of currently protected user mailboxes.
Number of Public Folders
Displays the number of currently protected public folders.
Real-time and Background Scanning
Previous Reset of Statistics
Displays the date and time of the last reset of statistics.
Number of Processed Items
Displays the total number of processed items since the last reset of statistics.
Number of Infected Items
Displays the number of items that are infected and cannot be automatically disinfected.
Number of Grayware Items
Displays the number of items that have been found to contain grayware.
Number of Suspicious Items
Displays the number of suspicious content found, for example password-protected archives and nested archives.
Number of Stripped Attachments
Displays the number of attachments stripped during the real-time scan.
Last Infection Found Displays the name of the last infection found.
Last Time Infection Found
Displays the time when the last infection was found.
Manual Scanning
Total Number of Mailboxes
Displays the total number of mailboxes in Exchange Store that the product processes during the manual scan.
Number of Processed Mailboxes
Displays the number of mailboxes that have been processed.
Total Number of Public Folders
Displays the total number of Public folders in the Exchange Store that the product processes during the manual scan.
Number of Processed Public Folders
Displays the number of public folders that have been processed.
Estimated Time Left Displays the estimated time left to finish the current manual scan.
Elapsed Time Displays the time that has elapsed since the manual scan was started.
Number of Processed Items
Displays the total number of processed items during the previous manual scan.
Number of Infected Items
Displays the number of items that were infected and could not be automatically disinfected during the previous manual scan.
Number of Grayware Items
Displays the number of items that have been found to contain grayware.
Number of Suspicious Items
Displays the number of suspicious content found during the previous manual scan, for example password-protected archives and nested archives.
Number of Stripped Attachments
Displays the number of filtered attachments during the previous manual scan.
Last Infection Found Displays the name of the last infection found.
Last Time Infection Found
Displays the time when the last infection was found.
Previous Scanning
Displays the date and time of the previous manual scan.
2.3.4 Quarantine
The quarantine statistics display the total number of quarantined items, the current size of the quarantine storage (in megabytes), and the detailed statistics of quarantined items by category. For more information, see “Quarantine Management”, 219.
2.4 F-Secure Content Scanner Server Settings
Use the variables under the F-Secure Content Scanner Server / Settings branch to define the settings for content providers and to change the general content scanning options.
2.4.1 Interface
Specify how the server will interact with clients.
IP Address
Specifies the service listen address in case of multiple network interface cards or multiple IP addresses. If you do not assign an IP address (0.0.0.0), the server responds to all IP addresses assigned to the host.
TCP Port
Specifies the TCP port that the server listens on for incoming requests. The default port number is 18971. If you change this port number, you must modify the connection settings of the client accordingly, so that the client sends requests to the same port.
Accept Connections Specifies a comma-separated list of IP addresses the server accepts incoming requests from. If the list is empty, the server accepts connections from any host.
Max Connections Specifies the maximum number of simultaneous connections the server can accept. Value zero (0) means no limit.
Max Connections Per Host
Specifies the maximum number of simultaneous connections the server can accept from a particular host. Value zero (0) means no limit.
Send Content Timeout
Specifies how long the server should wait before it times out when sending data to the client.
Receive Content Timeout
Specifies how long the server should wait before it times out when receiving data from the client.
Keep Alive Timeout Specifies the length of time before the server closes an inactive/idle connection. This ensures that all connections are closed if the protocol fails to close a connection.
2.4.2 Virus Scanning
Specify scanning engines to be used when F-Secure Content Scanner Server scans files for viruses, and the files that should be scanned.
Scan Engines
Scan engines can be enabled or disabled. If you want to disable the scan just for certain files, enter the appropriate file extensions to the Excluded extensions field and separate each extension with a space. The Excluded extensions field supports * and ? wildcards.
Action if Engine Malfunctions
Specify how the product reacts if it cannot scan a file.
Return Scan Error - Drop the file being scanned and send a scan error.
Scan with Other Engines - Scan the file with other available scan engines.
Scan Inside Archives
Specify whether files inside compressed archive files should be scanned for viruses, if they are not excluded from scanning.
Scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.
Max Levels in Nested Archives
If Scan Inside Archives is enabled, F-Secure Content Scanner Server can scan files inside archives that may exist inside of other archives. Furthermore, these nested archives can contain other archives.
Specify the number of levels F-Secure Content Scanner Server goes through before the action selected in Suspect Max Nested Archives takes place. The default setting is 3.
Increasing the value increases the load on the system and thus decreases the overall system performance. This means that the system becomes more vulnerable to DoS (Denial-of-Service) attacks.
Suspect Max Nested Archives
If the amount of nested archives exceeds the value specified in the Max Levels in Nested Archives, the file is stopped if Treat as Unsafe is selected. If Treat as Safe is selected, the archive file is sent to the user.
Suspect Password Protected Archives
Compressed archive files can be protected with passwords. These archives can be opened only with a valid password, so F-Secure Content Scanner Server cannot scan their content. Password protected archives can be stopped by selecting Treat as Unsafe. If Treat as Safe is selected, password protected archives are delivered to the recipient.
Acceptable Unpacked Size Threshold
Specify the acceptable unpacked size (in kilobytes) for archive files. If the unpacked size of an archive file exceeds this threshold, the server will consider the archive suspicious and corresponding action will be taken.
Scan Extensions Inside Archives
Enter all the extensions you want to scan inside archives.
Extensions Allowed in Password Protected Archives
Define a space-separated list of the file extensions allowed in password protected archives. Wildcards (*, ?) can be used.
Example: "DO? *ML".
Max Scan Timeout
Specify the maximum time that one scanning task can last. The Max Scan Timeout is 10 minutes by default.
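How the nesting limit, the max-nested and password-protected actions and the unpacked size threshold interact (here and in the manual and scheduled Archive Processing settings) is shown by the following ZIP walker, an added Python example that is not F-Secure code. The function names, the verdict strings, the counting of levels from the outermost archive and the constructed nested ZIPs are assumptions.

```python
import io
import zipfile
from dataclasses import dataclass, field

PASS_THROUGH = "pass_through"  # leave the archive in the message
DROP_ARCHIVE = "drop_archive"  # remove the archive from the message


@dataclass
class ScanResult:
    verdict: str = "deliver"        # deliver | drop | suspicious
    reasons: list = field(default_factory=list)
    files_scanned: int = 0          # leaf files handed to the scan engine
    unpacked_bytes: int = 0         # bytes actually decompressed so far
    unscanned_items: int = 0        # passed through without being scanned


def build_nested_zip(levels, payload=b"constructed sample payload"):
    """Constructed input: payload.txt wrapped in `levels` ZIP layers."""
    data, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


def scan_archive(data, max_levels=3, on_max=DROP_ARCHIVE,
                 on_password=DROP_ARCHIVE, max_unpacked_kb=1024,
                 result=None, level=1):
    """Walk a ZIP depth-first under a nesting limit and an unpack budget.

    max_levels=0 means unlimited, as the setting describes. Scanning
    stops at the first verdict other than "deliver".
    """
    result = result if result is not None else ScanResult()
    limit = max_unpacked_kb * 1024
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                if on_password == DROP_ARCHIVE:
                    result.verdict = "drop"
                    result.reasons.append(f"{info.filename}: password protected")
                    return result
                result.unscanned_items += 1
                continue
            # Do not trust the declared size: read at most the remaining
            # budget plus one byte, so a bomb cannot expand past the limit.
            with zf.open(info) as member:
                chunk = member.read(limit - result.unpacked_bytes + 1)
            result.unpacked_bytes += len(chunk)
            if result.unpacked_bytes > limit:
                result.verdict = "suspicious"
                result.reasons.append("unpacked size threshold exceeded")
                return result
            if not zipfile.is_zipfile(io.BytesIO(chunk)):
                result.files_scanned += 1  # a real scanner calls its engine here
                continue
            if max_levels and level >= max_levels:
                if on_max == DROP_ARCHIVE:
                    result.verdict = "drop"
                    result.reasons.append(f"nesting deeper than {max_levels} levels")
                    return result
                result.unscanned_items += 1  # delivered, deeper levels unscanned
                continue
            scan_archive(chunk, max_levels, on_max, on_password,
                         max_unpacked_kb, result, level + 1)
            if result.verdict != "deliver":
                return result
    return result


if __name__ == "__main__":
    for depth in (3, 5):
        for action in (DROP_ARCHIVE, PASS_THROUGH):
            print(depth, action, scan_archive(build_nested_zip(depth), on_max=action))
```

With pass-through, the five-level archive is delivered although its payload was never scanned, and with the limit set to 0 only the size budget bounds the work one message can cause.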
2.4.3 Virus Statistics
Select the number of most active viruses and the number of days to be displayed on the Top 10 virus list.
Time Period
Specify the time period for the most active viruses list. The product shows statistics about most active viruses detected during the specified time period. The possible value range is from 1 hour to 90 days.
Viruses to Show
Specify the number of most active viruses to be displayed for the time period specified in the 'Time Period' setting. The possible values are Top 5, Top 10 and Top 30.
Send Statistics to F-Secure World Map
The product can collect and send statistics about viruses and other malware to the F-Secure World Map service.
When the F-Secure World Map support is enabled, the product sends encrypted e-mail reports periodically to the service. These reports list only the name and the amount of found malware and they do not contain any sensitive information such as IP or e-mail addresses or user names.
You can also forward unencrypted reports to a configurable e-mail address and use the same statistics for your own internal purposes.
Mail Server Address
Specify the IP address of the mail server that is used to send e-mail.
Mail Server Port
Specify the port number of the mail server that is used to send e-mail.
E-mail Addresses for Unencrypted Reports
Specify e-mail addresses where you want to send unencrypted virus statistics reports.
Separate each address with a comma or space.
2.4.4 Database Updates
Specify how you want to keep the virus definition databases up-to-date.
Verify Integrity of Downloaded Databases
Specify whether the product should verify that the downloaded virus definition databases are the original databases published by F-Secure Corporation and that they have not been altered or corrupted in any way before taking them into use.
Notify When Databases Become Old
Specify whether F-Secure Content Scanner Server should notify the administrator if virus definition databases have not been updated recently.
Notify When Databases Older Than
Specify the time (in days) how old virus definition databases can be before F-Secure Content Scanner Server sends the notification to the administrator.
2.4.5 Spam Filtering
Specify the number of Spam Scanner instances to be created and used for spam analysis.
Number of spam scanner instances
Specify the number of Spam Scanner instances to be created and used for spam analysis. As one instance of the spam scanner is capable of processing one mail message at a time, this setting defines how many messages will undergo spam analysis simultaneously.
You might need to modify this setting if you enable Realtime Blackhole Lists (DNSBL/RBL) for spam filtering. For more information, consult F-Secure Anti-Virus for Microsoft Exchange Deployment Guide.
You have to restart the Content Scanner Server after you change this setting and distribute the policy to take the new setting into use.
IMPORTANT: Spam analysis is a processor-intensive operation and each spam scanner instance takes approximately 25MB of memory (process fsavsd.exe). Do not increase the number of instances unless the product is running on a powerful computer.
2.4.6
Threat Detection Engine
Configure the virus outbreak and spam threat detection.
VOD Cache Size
Specify the maximum number of patterns to cache for the virus outbreak detection service. By default, the cache size is 10000 cached patterns.
Class Cache Size
Specify the maximum number of patterns to cache for spam detection service. By default, the cache size is 10000 cached patterns.
Increasing cache sizes may increase the threat detection performance but it requires more disk space and may degrade the threat detection rate. Cache sizes can be disabled (set the size to 0) for troubleshooting purposes.
Spam Detection
Specify whether the threat detection engine is used while scanning inbound messages for spam.
Action on Connection Failure
Specify the action for messages when the threat detection center cannot be contacted and the threat detection engine cannot classify the message.
Pass through - The message is passed through without scanning it for spam.
Heuristic Scanning - F-Secure Content Scanner Server checks the message using spam heuristics.
Trusted Networks
Specify networks and hosts in the mail relay network which can be trusted not to be operated by spammers and do not have open relays or open proxies.
Define the network as a network/netmask pair (10.1.0.0/255.255.0.0), with the network/nnn CIDR specification (10.1.0.0/16), or use ‘*’ wildcard to match any number and ‘-’ to define a range of numbers (172.16.*.1, 172.16.4.10-110).
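The following added example (not F-Secure's code) parses the three Trusted Networks notations described above and reports entries that are malformed or cover a very large address space before they are entered in the policy. The function names, the sample entries and the 65536-address review threshold are assumptions made for this example, as is rejecting CIDR entries that have host bits set.

```python
import ipaddress
from math import prod


def _octet_bounds(token):
    """Turn one dotted field ('4', '*', '10-110') into inclusive (low, high)."""
    if token == "*":
        return 0, 255
    low, sep, high = token.partition("-")
    if not sep:
        high = low
    for value in (low, high):
        if not (value.isascii() and value.isdigit()):
            raise ValueError(f"bad octet field {token!r}")
    low, high = int(low), int(high)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet field out of range {token!r}")
    return low, high


def parse_entry(entry):
    """Return (matcher, address_count) for one Trusted Networks entry."""
    entry = entry.strip()
    if "/" in entry:
        # ipaddress understands both /16 and /255.255.0.0. strict=True rejects
        # entries with host bits set (a choice made for this example).
        net = ipaddress.IPv4Network(entry, strict=True)
        return (lambda ip: ip in net), net.num_addresses
    fields = entry.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted fields in {entry!r}")
    bounds = [_octet_bounds(field) for field in fields]

    def matcher(ip):
        # ip.packed yields the four octets as integers.
        return all(lo <= octet <= hi for octet, (lo, hi) in zip(ip.packed, bounds))

    return matcher, prod(hi - lo + 1 for lo, hi in bounds)


def audit(entries, max_addresses=65536):
    """Return (matchers, findings); findings lists (entry, reason) pairs to review."""
    matchers, findings = [], []
    for entry in entries:
        try:
            matcher, size = parse_entry(entry)
        except ValueError as exc:
            findings.append((entry, f"rejected: {exc}"))
            continue
        if size > max_addresses:
            # Hosts in a trusted network are assumed not to be spam sources,
            # so a very wide entry deserves a second look.
            findings.append((entry, f"covers {size} addresses"))
        matchers.append(matcher)
    return matchers, findings


def is_trusted(address, matchers):
    """True if the IPv4 address string matches any parsed entry."""
    ip = ipaddress.IPv4Address(address)
    return any(matcher(ip) for matcher in matchers)


# Constructed sample entries; the first four use the notations from the text.
SAMPLE_ENTRIES = [
    "10.1.0.0/255.255.0.0",
    "10.1.0.0/16",
    "172.16.*.1",
    "172.16.4.10-110",
    "192.168.*.*",
    "10.*.*.*",
    "10.1.2.3/16",
]

if __name__ == "__main__":
    trusted, review = audit(SAMPLE_ENTRIES)
    for entry, reason in review:
        print(f"review {entry}: {reason}")
    print(is_trusted("172.16.4.42", trusted))
```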
2.4.7
Proxy Configuration
Specify proxy server parameters that Content Scanner Server uses when it connects to the threat detection center.
Use Proxy Server
Specify whether F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center.
Proxy Server Address
Specify the address of the proxy server.
Proxy Server Port
Specify the port number of the proxy server.
2.4.8
Advanced
Specify the location and the minimum size of the Working directory.
Working Directory
Specify where temporary files are stored.
The Working directory should be on a local hard disk for the best performance. Make sure that there is enough free disk space for temporary files.
During the setup, access rights are adjusted so that only the operating system and the local administrator can access files in the Working directory. If you make changes to Working Directory settings, make sure that the new directory has the same rights.
Working Directory Clean Interval
Specify the time after which the inactive temporary files in the Working directory are deleted. The default clean interval is 30 minutes.
IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.
Free Space Threshold
Specify when F-Secure Content Scanner Server should send a low disk space alert to the administrator. The default setting is 100 megabytes.
Max Number of Concurrent Transactions
Specifies the maximum number of transactions the server processes simultaneously.
2.5
F-Secure Content Scanner Server Statistics
The Statistics branch in the F-Secure Content Scanner Server tree displays the version of F-Secure Content Scanner Server that is currently installed on the selected host and the location of F-Secure Content Scanner Server installation directory.
2.5.1
Server
The Server branch contains the following information:
Version
The version of the F-Secure Content Scanner Server.
Status
The status of F-Secure Content Scanner Server, whether it has been started and it is running or it is stopped.
Start Time
The date and time when the server was started.
Previous Reset of Statistics
The date and time of the last reset of statistics.
Number of Scanned Files
The number of files that have been scanned.
Last Database Update
The last date and time when virus definition database was updated.
Database Update Version
The currently used version of the database update. The version is shown in YYYY-MM-DD_NN format, where YYYY-MM-DD is the release date of the update and NN is the number of the update for that day.
Last Infection Found
The name of the last infection that was encountered.
Last Time Infection Found
The date and time when the last infection was found.
2.5.2
Scan Engines
The Scan Engines table displays the scan engine statistics and information.
Name
Displays the name of the scan engine.
Version
Displays the version number of the scan engine.
Status
Displays the status of the scan engine. The scan engine can be loaded and enabled or disabled by the administrator, or not loaded at all.
Last Database Update
Displays the last date and time when virus definition database was taken into use by the scan engine.
Database Date
Displays the date the virus signature database for the scan engine was created.
Last Infection Found
Displays the last infection found by the scan engine.
Last Time Infection Found
Displays the date and time of the last infection found by the scan engine.
Processed Files
Displays the number of files processed by the scan engine.
Infected Files
Displays the number of infected files found by the scan engine.
Disinfected Files
Displays the number of files successfully disinfected by the scan engine.
Database Version
Displays the current version of database updates used by the scan engine.
2.5.3
Common
The Common statistics branch displays the list of installed product hotfixes.
2.5.4
Spam Control
The Spam Control branch displays the following information:
Spam Scanner Version
Displays the version and build number of the Spam Scanner.
Status
Displays the status of the Spam Scanner.
Previous Reset of Statistics
Displays when the Spam Scanner statistics were reset last time.
Database Version
Displays the version of the database currently used by the Spam Scanner.
Last Database Update
Displays the date and time when the Spam Scanner database was last updated.
Number of Processed Messages
Displays the total number of e-mail messages that have been analyzed for spam.
Total Spam Statistics
These statistics show how many mail messages have been identified with each spam confidence level rating.
2.5.5
Virus Statistics
The Virus Statistics branch displays the following information:
Last Updated
Displays the date and time when the virus statistics were updated last time.
Most Active Viruses
Displays the list of most active viruses.
2.6
F-Secure Management Agent Settings
If the F-Secure Anti-Virus for Microsoft Exchange is working in centrally administered mode, you have to make sure F-Secure Anti-Virus for Microsoft Exchange sends and receives data from F-Secure Policy Manager Server. To do this, change communications settings from F-Secure Management Agent.
For detailed information on F-Secure Management Agent, see the F-Secure Policy Manager Administrator's Guide.
Communications
Host Configuration Mode
Shows whether the host is stand-alone or centrally administered.
Active Protocol
Sets the active protocol.
Protocols
A subdirectory containing the settings for the File Sharing and the HTTP protocol. These settings should be carefully checked before distribution. Errors can result in problems with communicating with the hosts.
Spool Time Limit
The maximum time the host will store the information it is unable to transmit.
Slow Connection Definition
This setting can be used to disallow F-Secure Management Agent from downloading large remote installation packages over slow network connections. F-Secure Management Agent measures the speed of the network link to F-Secure Policy Manager Server and stops the download if the minimum speed specified by this setting is not met.
HTTP
Management Server Address
URL of the F-Secure Policy Manager Server. The URL should not have a slash at the end. For example: “http://fsms.example.com”.
Incoming Packages Polling Interval
Defines how often the host tries to fetch incoming packages (such as Base Policy files or new virus signature databases) from the F-Secure Policy Manager Server.
Outgoing Packages Update Interval
Defines how often the host tries to transmit to the administrator information that is periodically updated (such as statistics).
2.7
F-Secure Automatic Update Agent Settings
Using F-Secure Automatic Update Agent is the most convenient way to keep the databases updated. It connects to F-Secure Policy Manager Server or the F-Secure Update Server automatically.
In order to update the spam definition databases, F-Secure Automatic Update Agent must be installed on the same computer as F-Secure Spam Control.
Communications
Automatic updates
Enable or disable automatic virus and spam definition updates. By default, automatic updates are enabled.
Internet connection checking
Specify whether the product should check the connection to the Internet before trying to retrieve updates.
Assume always connected - The computer is connected to the Internet all the time.
Detect connection - The product detects when the computer is connected to the Internet.
Detect traffic - The product assumes that the computer is connected to the Internet only when other applications use the network.
Detect connection is the default setting.
HTTP settings
Select whether to use an HTTP proxy when retrieving automatic updates.
If F-Secure Automatic Update Agent connects to the Internet through a proxy server, specify the HTTP proxy address in the User-defined proxy settings > Address field.
Enter the HTTP proxy server address.
PM Proxies
Specify F-Secure Policy Manager Proxies that you want to use as sources for automatic updates.
If no F-Secure Policy Manager Proxies are configured, the product retrieves the latest virus definition updates from F-Secure Update Server automatically.
Intermediate server failover time
Specify (in hours) the failover time to connect to F-Secure Policy Manager Server or F-Secure Policy Manager Proxy.
If the product cannot connect to any user-specified update server during the failover time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.
Intermediate server polling interval
Specify (in minutes) how often the product checks one of the update sources for new updates.
Allow fetching updates from F-Secure Update Server
Specify whether the product should connect to F-Secure Update Server when it cannot connect to any user-specified update server. Specify PM Proxies to configure the update servers.
3
ADMINISTRATION WITH WEB CONSOLE
Overview
Home
Transport Protection
Storage Protection
Spam Control
Quarantine
Automatic Updates
Engines
General Server Properties
3.1
Overview
This section describes how to use Web Console to administer F-Secure Anti-Virus for Microsoft Exchange.
If F-Secure Anti-Virus for Microsoft Exchange is installed in the stand-alone mode, it can be administered with F-Secure Anti-Virus for Microsoft Exchange Web Console. The Web Console is installed with F-Secure Anti-Virus for Microsoft Exchange.
To open the Web Console, see “Using Web Console”, 14.
Registering F-Secure Transport Agent
F-Secure Transport Agent should be registered in the Microsoft Exchange Transport Service automatically during the installation. If Web Console notifies that it is not, follow these instructions:
1. Open Exchange Management Shell.
2. Call the Get-TransportAgent command from the command line in Shell.
3. If F-Secure Transport Agent is not listed as a transport agent, you need to install it manually:
a. Enter cmd in the Start menu > Run to open the command prompt.
b. Type cd "C:\Program Files (x86)\F-Secure\Anti-Virus for Microsoft Exchange" to go to the product installation directory.
c. Type PowerShell.exe -command ".\fstragnt.ps1 install" to install F-Secure Transport Agent.
3.2
Home
Summary
The Web Console displays the Getting Started page when you log in for the first time. You can check and configure the following information in the Getting Started page to complete the installation:
Internal domains and senders
E-mail alerts and reports
Database updates
Product updates
The Summary tab displays the current status of the product components.
Normal; the feature is enabled and everything is working as it should.
Informational; the feature is disabled.
Warning; the feature or an antivirus engine is disabled or virus and spam definition databases are not up-to-date.
Error; the license has expired, the feature is not installed, all antivirus engines are disabled or a component is not loaded, F-Secure Content Scanner Server is not up and running or virus and spam definition databases are really old.
Scan Tasks
Click Find quarantined e-mail or attachment to manually scan mailboxes and public folders for viruses and strip attachments in them.
For instructions, see “Manual Scanning”, 153.
Quarantine Tasks
Click Find quarantined content to search for the quarantined content.
For more information, see “Searching the Quarantined Content”, 222.
Log Files
Click View F-Secure Log to view the F-Secure log file (LogFile.log) in a new Internet browser window. Click Download to download and save the LogFile.log for later use.
Click View Automatic Update Log to view the update log file.
Services
Under the Services tab, you can start, stop and restart F-Secure Anti-Virus for Microsoft Exchange, F-Secure Content Scanner Server and F-Secure Automatic Update Agent.
Virus Statistics
The Virus Statistics tab displays information on the most active viruses found during the scan.
F-Secure World Map Support
The product can collect and send statistics about viruses and other malware to the F-Secure World Map service.
If you enable F-Secure World Map support, make sure that the server can relay messages properly. For more information, see “ Sending E-mail
3.3
Transport Protection
You can configure inbound, outbound and internal message protection separately. For more information about the mail direction and configuration options, see “Network Configuration”, 202.
After you apply new transport protection settings, it can take up to 20 seconds for the new settings to take effect.
Status
The Status page displays a summary of the processed inbound, outbound and internal mail messages:
Processed messages
Displays the total number of processed messages since the last reset of statistics.
Infected messages
Displays the number of messages with attachments that are infected and cannot be automatically disinfected.
High & Medium virus risk messages
Displays the number of messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a virus outbreak.
Grayware messages
Displays the number of messages that have grayware items, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Suspicious messages
Displays the number of suspicious content found, for example password-protected archives, nested archives and malformed messages.
Stripped attachments
Displays the number of filtered attachments.
Filtered messages
Displays the number of messages that have been found to contain disallowed keywords in the message subject or text.
Spam messages
Displays the number of messages that are classified as spam.
Last Infections
Displays the name of the last infection found in inbound, outbound, and internal messages.
3.3.1
Attachment Filtering
Specify attachments to remove from inbound, outbound and internal messages based on the file name or the file extension.
Strip Attachments from e-mail messages
Enable or disable the attachment stripping.
Targets
Strip these attachments
Specify which attachments are stripped from messages. For more information, see “ Match
Exclude these attachments
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Actions
Action on disallowed attachments
Specify how disallowed attachments are handled.
Drop Attachment - Remove the attachment from the message and deliver the message to the recipient without the disallowed attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify files which are not quarantined even when they are stripped. For more information,
Notifications
Send notification message to recipient(s)
Specify whether recipients are notified when a disallowed or suspicious attachment is found.
Note that the notification message is not sent if the whole message is dropped.
Send notification message to sender
Specify whether the original sender is notified when a disallowed or suspicious attachment is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “ Message
Do not notify on these attachments
Specify attachments that do not generate notifications. When the product finds the specified file or file extension, no notification is sent.
Send alert to administrator
Specify whether the administrator is notified when the product strips an attachment. If you enable the notification, specify the alert level of the notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 198.
3.3.2
Virus Scanning
Specify inbound, outbound and internal messages and attachments that should be scanned for malicious code.
Disabling virus scanning disables grayware scanning and archive processing as well.
Scan e-mail messages for viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
Heuristic Scanning
Enable or disable the heuristic scan. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
By default, the heuristic scan is enabled for inbound mails and disabled for outbound and internal mails.
The heuristic scan may affect the product performance and increase the risk of false malware alarms.
Proactive virus threat detection
Select whether Proactive Virus Threat Detection is enabled or disabled.
Proactive virus threat detection can identify new and unknown e-mail malware, including viruses and worms.
When proactive virus threat detection is enabled, the product analyzes e-mail messages for possible security threats. All possibly harmful messages are quarantined as unsafe.
Unsafe messages can be reprocessed periodically, as antivirus updates may confirm the unsafe message as safe or infected.
When proactive virus threat detection is disabled, mails are only scanned by antivirus engines.
Targets
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “Match Lists”,
Exclude these attachments
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Action on infected messages
Specify whether infected messages are disinfected or dropped.
Drop Attachment - Remove the infected attachment from the message and deliver the message to the recipient without the attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine infected messages
Specify whether infected or suspicious messages are quarantined.
Do not quarantine these infections
Specify infections that are never placed in the quarantine. For more information, see “ Match
Notifications
Send notification message to recipient(s)
Specify whether recipients are notified when a virus or other malicious code is found.
Note that the notification message is not sent if the whole message is dropped.
Send notification message to sender
Specify whether the original sender is notified when a virus or other malicious code is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “ Message
Do not notify on these infections
Specify infections that do not generate notifications. When the product finds the specified infection, no notification is sent.
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a virus in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 198.
3.3.3
Grayware Scanning
Specify how the product processes grayware items in inbound, outbound and internal messages.
Note that grayware scanning increases the scanning overhead. By default, grayware scanning is enabled for inbound messages only.
Grayware scanning is disabled when virus scanning is disabled.
Scan e-mail messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware
Specify the action to take on items which contain grayware.
Pass through - Leave grayware items in the message.
Drop attachment - Remove grayware items from the message.
Drop the whole message - Do not deliver the message to the recipient.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Send warning message to recipient(s)
Specify the template for the notification message that is sent to the intended recipient when a grayware item is found in a message.
Note that the notification message is not sent if the whole message is dropped.
Send warning message to sender
Specify the template for the notification message that is sent to the original sender of the message when a grayware item is found in a message.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
For more information, see “ Message
Do not notify on this grayware
Specify a list of keywords for grayware types on which no notifications are sent.
If the product finds a grayware item with a name that matches the keyword, the recipient and the sender are not notified about the grayware item found.
Leave the list empty if you do not want to exclude any grayware types from notifications.
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a grayware item in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 198.
3.3.4
Archive Processing
Specify how F-Secure Anti-Virus processes inbound, outbound and internal archive files.
Note that scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.
Archive processing is disabled when the virus scanning is disabled.
Scan archives
Specify whether files inside compressed archive files are scanned for viruses.
Targets
List of files to scan inside archives
Specify files inside archives that are scanned for viruses. For more information, see “Match Lists”,
Exclude these files
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives
Specify files which are not allowed inside archives. For more information, see “ Match
Actions
Action on archives with disallowed files
Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Action on max nested archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
The default value is Drop archive for inbound and outbound mail, and Pass through for internal mail.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “ Quarantine
Notifications
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange blocks a suspicious overnested or password protected archive file.
If the archive is blocked because it contains malware, grayware or disallowed files, the administrator receives a notification about that instead of this notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 198.
3.3.5
Content Filtering
Specify how F-Secure Anti-Virus filters disallowed content in inbound, outbound and internal messages.
Filter out e-mail messages with disallowed/undesirable content
Specify whether e-mail messages are scanned for disallowed content.
Targets
Disallowed keywords in message subject
Specify the list of disallowed keywords to check in e-mail message subjects. For more information, see “ Using Keywords in Content
Disallowed keywords in message text
Specify the list of disallowed keywords to check in e-mail message text. For more information, see “Using Keywords in Content Filtering”, 129.
Actions
Action on disallowed content
Specify the action to take on messages which contain disallowed keywords.
Report only - Deliver the message to the recipient and notify the administrator that the scanned message contained disallowed content.
Drop the whole message - Do not deliver the message to the recipient.
Quarantine - Quarantine the message with disallowed content.
Notifications
Send notification message to recipient(s)
Specify whether recipients are notified when disallowed content is found.
Send notification message to sender
Specify whether the original sender is notified when disallowed content is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “ Message
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a message with disallowed content.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 198.
Using Keywords in Content Filtering
When the content filtering is enabled, all messages are checked against every keyword sequence that is specified in the selected list of keywords.
A keyword may contain any characters, including punctuation symbols, spaces, and other word separators. Keywords are case insensitive.
You can use ‘?’ character in a keyword to match any character in that position in the keyword and ‘*’ to match any number of characters.
Keyword examples:
example
Matches any message text or subject that contains the word ‘example’.
another example
Matches any message text or subject that contains the ‘another example’ text. Words ‘another’ and ‘example’ have to be separated with exactly one space character.
co?p?rate
Matches any message text or subject that contains - for example - words ‘corporate’ or ‘cooperate’.
another*example
Matches any message text or subject that contains words ‘another’ and ‘example’ separated with any number of characters. For example, ‘another example’ or ‘another keyword example’.
To represent ‘?’ or ‘*’ characters themselves in keywords, use ‘\?’ and ‘\*’ sequences correspondingly. To represent ‘\’ character, use ‘\\’.
For example, to match the '*** SPAM ***' string, enter '\*\*\* spam \*\*\*'.
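The keyword rules above can be tried out before a list is deployed. The following added example (not the product's matcher) translates a keyword into a regular expression, checks a subject and text against keyword lists, and flags keywords that consist only of wildcards and would therefore match almost every message. Function names and sample messages are constructed for this example; letting ‘*’ and ‘?’ match line breaks and treating a trailing lone backslash as a literal are assumptions.

```python
import re


def compile_keyword(keyword):
    """Translate one keyword into (compiled regex, number of literal characters)."""
    pattern, literals = [], 0
    chars = iter(keyword)
    for ch in chars:
        if ch == "?":
            pattern.append(".")       # any one character in this position
        elif ch == "*":
            pattern.append(".*")      # any number of characters
        else:
            if ch == "\\":
                # '\?', '\*' and '\\' stand for the character itself. A trailing
                # lone backslash is kept as a literal (assumption of this example).
                ch = next(chars, "\\")
            pattern.append(re.escape(ch))
            literals += 1
    # Keywords are case insensitive. DOTALL lets wildcards span line breaks,
    # which is an assumption about how message text is matched.
    return re.compile("".join(pattern), re.IGNORECASE | re.DOTALL), literals


def lint_keywords(keywords):
    """Return keywords with no literal characters; they match almost any message."""
    return [kw for kw in keywords if compile_keyword(kw)[1] == 0]


def find_disallowed(subject, text, subject_keywords, text_keywords):
    """Return (field, keyword) pairs for every keyword contained in its field."""
    hits = []
    checks = (("subject", subject, subject_keywords), ("text", text, text_keywords))
    for field, value, keywords in checks:
        for kw in keywords:
            if compile_keyword(kw)[0].search(value):
                hits.append((field, kw))
    return hits


# The keyword examples from the text above.
KEYWORDS = [
    "example",
    "another example",
    "co?p?rate",
    "another*example",
    r"\*\*\* spam \*\*\*",
]

if __name__ == "__main__":
    # Constructed sample message.
    subject = "*** SPAM *** offer"
    text = "We cooperate with another keyword example"
    for field, kw in find_disallowed(subject, text, KEYWORDS, KEYWORDS):
        print(f"{field}: matched keyword {kw!r}")
    print("over-broad:", lint_keywords(["*", "??", "a*"]))
```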
3.3.6
Other Options
Configure other options to limit actions on malformed and problematic messages.
File Type Recognition
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Trusted senders and recipients
List of trusted senders
Specify senders who are excluded from the mail scanning and processing.
List of trusted recipients
Specify recipients who are excluded from the mail scanning and processing.
For more information, see “Match Lists”, 217.
Mail disclaimer
Specify whether you want to add a disclaimer to all outbound messages.
Click Edit disclaimer to edit the disclaimer text.
Mail disclaimer is available only for outbound messages.
Some malware adds disclaimers to infected messages, so disclaimers should not be used for stating that the message is clean of malware.
Options
Limit max levels of nested messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Actions
Action on mails with exceeding nesting levels
Specify the action to take on messages with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.
Drop the Whole Message - Messages with exceeding nesting levels are not delivered to the recipient.
Pass Through - Nested messages are scanned up to the level specified in the Max Levels of Nested Messages setting. Exceeding nesting levels are not scanned, but the message is delivered to the recipient.
Action on malformed mails
Specify the action for non-RFC compliant e-mails. If the message has an incorrect structure, the product cannot parse the message reliably.
Drop the Whole Message - Do not deliver the message to the recipient.
Pass Through - The product allows the message to pass through.
Pass Through and Report - The product allows the message to pass through, but sends a report to the administrator.
Quarantine problematic messages
Specify if mails that contain malformed or broken attachments are quarantined for later analysis or recovery.
Notifications
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange detects a malformed or a suspicious e-mail message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 198.
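To see what the Limit max levels of nested messages setting and the two actions on exceeding nesting levels mean for a concrete message, the following Python sketch (an added example, not F-Secure code) walks the MIME tree of a constructed message with five levels of attached messages. The function names are hypothetical, and counting the first attached message as level 1 is an assumption; the manual does not define how levels are counted.

```python
import email
from email import policy
from email.message import EmailMessage


def build_nested(depth):
    """Constructed sample: a message carrying `depth` levels of attached messages."""
    msg = EmailMessage()
    msg["Subject"] = f"level {depth}"
    msg.set_content("innermost body")
    for level in range(depth - 1, -1, -1):
        outer = EmailMessage()
        outer["Subject"] = f"level {level}"
        outer.set_content("see the attached message")
        outer.add_attachment(msg)  # attached as a message/rfc822 part
        msg = outer
    return msg.as_bytes()


def scan_nesting(raw, max_levels):
    """Walk the MIME tree; return (deepest_level_scanned, parts_scanned, exceeded).

    max_levels == 0 means unlimited, as in the setting described above.
    Python's parser has already built the whole tree at this point; the limit
    bounds the per-part scanning work that this sketch stands in for.
    """
    root = email.message_from_bytes(raw, policy=policy.default)
    stack = [(root, 0)]
    deepest = 0
    parts = 0
    exceeded = False
    while stack:
        part, level = stack.pop()
        if part.get_content_type() == "message/rfc822":
            level += 1  # entering one more attached message
            if max_levels and level > max_levels:
                exceeded = True
                continue  # do not descend; sibling parts are still scanned
            deepest = max(deepest, level)
        parts += 1  # a real scanner would inspect the part here
        if part.is_multipart():
            stack.extend((child, level) for child in part.get_payload())
    return deepest, parts, exceeded


def action_on_message(raw, max_levels, action):
    """Apply 'Drop the Whole Message' or 'Pass Through' to one message."""
    _, _, exceeded = scan_nesting(raw, max_levels)
    if exceeded and action == "Drop the Whole Message":
        return "drop"
    # Pass Through: delivered, with the deeper levels left unscanned.
    return "deliver"


if __name__ == "__main__":
    raw = build_nested(5)
    print(scan_nesting(raw, 0))  # unlimited: every level is visited
    print(scan_nesting(raw, 3))  # limited: the walk stops below level 3
    print(action_on_message(raw, 3, "Drop the Whole Message"))
```

With Pass Through, the parts below the limit are delivered without having been scanned, which is the trade-off to weigh against Drop the Whole Message.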
3.4 Spam Control
The threat detection engine of F-Secure Anti-Virus for Microsoft Exchange can identify spam and virus patterns from the message envelope, headers and body during the first minutes of a new spam or virus outbreak.
You can configure Spam Control settings only for inbound messages, and only if you have F-Secure Spam Control installed.
3.4.1 Status
The Status page displays the statistics of the spam scanner:
Spam scanner version
Displays the version number of the installed spam scanner.
Number of processed messages
Displays the total number of processed messages since the last reset of statistics.
Last updated
Displays the date and time when the latest spam definition update was retrieved.
Database version
Displays the version of the installed spam definition database.
Spam confidence level / number of messages
Displays the number of messages found with specified spam confidence levels.
3.4.2 Settings
Specify how F-Secure Anti-Virus for Microsoft Exchange processes inbound spam messages.
These settings are used only if F-Secure Spam Control is installed with the product, otherwise these settings are not available.
Check inbound e-mail messages for spam
Specify whether inbound mails are scanned for spam.
Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering. For information on configuring Realtime Blackhole Lists, consult the F-Secure Anti-Virus for Microsoft Exchange Deployment Guide.
Options
Heuristic spam analysis
Specify whether heuristic spam analysis is used to filter inbound mails for spam.
If you enable the heuristic spam analysis, all messages that the threat detection engine does not classify as spam are further analyzed for spam. When the heuristic spam analysis is disabled, only the threat detection engine filters messages for spam.
Heuristic spam analysis slows down the performance but improves the spam detection rate.
Spam filtering level
Specify the spam filtering level. Decreasing the level allows less spam to pass, but more regular mails may be falsely identified as spam.
Increasing the level allows more spam to pass, but a smaller number of regular e-mail messages are falsely identified as spam.
For example, if the spam filtering level is set to 3, more spam is filtered, but also more regular mails may be falsely identified as spam. If the spam filtering level is set to 7, more spam may pass undetected, but a smaller number of regular mails will be falsely identified as spam.
The allowed values are from 0 to 9.
Click More options to configure advanced spam filtering options:
Max message size - Specify the maximum size (in kilobytes) of messages to be scanned for spam. If the size of the message exceeds the maximum size, the message is not filtered for spam.
Forward spam messages to e-mail address - Specify the e-mail address where messages considered as spam are forwarded when the Action on Spam Messages setting is set to Forward.
Spam confidence level
Click Add new action to add a new action for messages with the spam level above the specified Spam Filtering Level.
Specify the spam level and select action to take:
Quarantine - Place the message into the quarantine folder.
Forward - Forward the message to the specified e-mail address.
Delete - Delete the message.
Actions on passed through messages
Add X-header with spam flag
Specify if a spam flag is added to the mail as the X-Spam-Flag header in the following format:
X-Spam-Flag:<flag>
where <flag> is YES or NO.
Add X-header with summary
Specify if the summary of triggered hits is added to the mail as X-Spam-Status header in the following format:
X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
where
<flag> is Yes or No,
<scr> is the spam confidence rating returned by the spam scanner,
<sfl> is the current spam filtering level,
<tests> is the comma-separated list of tests run against the mail.
Modify spam message subject
Specify if the product modifies the subject of mail messages considered as spam.
Add this text to spam message subject
Specify the text that is added in the beginning of the subject of messages considered as spam.
By default, the text is: *** SPAM ***.
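A downstream filter or log pipeline that relies on the X-Spam-Flag and X-Spam-Status headers has to parse the formats given above and notice when the two headers disagree. The following Python sketch is an added example, not F-Secure code: the function names, the sample message and the test names in it are constructed, and accepting a decimal value for hits and required is an assumption, since the manual does not state the number format.

```python
import email
import re
from email import policy

# X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
STATUS_RE = re.compile(
    r"(?P<flag>Yes|No),\s*hits=(?P<hits>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>.*)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample message; the test names are placeholders.
SAMPLE_SPAM = (
    b"From: sender@example.com\n"
    b"Subject: *** SPAM *** offer\n"
    b"X-Spam-Flag:YES\n"
    b"X-Spam-Status: Yes, hits=8 required=5 tests=TEST_ONE,TEST_TWO\n"
    b"\n"
    b"body\n"
)


def parse_spam_status(value):
    """Parse one X-Spam-Status value; return a dict, or None if malformed."""
    m = STATUS_RE.fullmatch(value.strip())
    if m is None:
        return None
    return {
        "flag": m.group("flag").lower() == "yes",
        "hits": float(m.group("hits")),
        "required": float(m.group("required")),
        "tests": [t.strip() for t in m.group("tests").split(",") if t.strip()],
    }


def read_spam_headers(raw):
    """Read both spam headers from a raw message and list inconsistencies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = [str(v).strip() for v in msg.get_all("X-Spam-Flag", [])]
    statuses = [str(v).strip() for v in msg.get_all("X-Spam-Status", [])]
    flag = None
    status = None
    problems = []
    if len(flags) > 1 or len(statuses) > 1:
        # With more than one copy the reader cannot tell which one to trust.
        problems.append("duplicate header")
    else:
        if flags:
            if flags[0].upper() in ("YES", "NO"):
                flag = flags[0].upper() == "YES"
            else:
                problems.append("bad X-Spam-Flag")
        if statuses:
            status = parse_spam_status(statuses[0])
            if status is None:
                problems.append("bad X-Spam-Status")
        if flag is not None and status is not None and flag != status["flag"]:
            problems.append("flag mismatch")
    return {"flag": flag, "status": status, "problems": problems}


if __name__ == "__main__":
    print(read_spam_headers(SAMPLE_SPAM))
```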
Safe/Blocked senders and recipients
List of safe senders
Specify safe senders. Messages originating from the specified addresses are never treated as spam.
List of safe recipients
Specify safe recipients. Messages sent to the specified addresses are never treated as spam.
List of blocked senders
Specify blocked senders. Messages originating from the specified addresses are always treated as spam.
List of blocked recipients
Specify blocked recipients. Messages sent to the specified addresses are always treated as spam.
The product checks the sender address from the SMTP message envelope, not from the message headers.
3.5 Storage Protection
Configure Storage Protection settings to specify how e-mail messages and attachments in selected mailboxes and public folders should be scanned.
Status
The Status page displays a summary of the protected mailboxes and public folders and infections found.
Number of mailboxes
Displays the number of currently protected user mailboxes.
Number of public folders
Displays the number of currently protected public folders.
Processed items
Displays the total number of processed items since the last reset of statistics.
Stripped Attachments
Displays the number of attachments filtered based on their file name or the file extension.
Infected items
Displays the number of items that are infected and cannot be automatically disinfected.
Grayware items
Displays the number of grayware items, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Suspicious items
Displays the number of suspicious content found, for example password-protected archives and nested archives.
Last infection found
Displays the name of the last infection found.
Last time infection found
Displays the time when the last infection was found.
3.5.1 Real-Time Scanning
The real-time scanning can automatically scan messages that have been created or received.
General
Real-time scanning scans messages in mailboxes and public folders for viruses.
Scanning
Scan only messages created within
Specify which messages are scanned with the real-time scanning, for example: Last hour, Last day, Last week. Messages that have been created before the specified time are not scanned.
This setting works only with Microsoft Exchange Server 2007 and 2010.
Scan timeout
Specify how long to wait for the real-time scan result. After the specified time, the client that tries to access the scanned message gets the "virus scanning in progress" notification.
File Type Recognition
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Attachment Filtering
Attachment filtering can remove attachments from messages in the Microsoft Exchange Storage based on the file name or the file extension of the attachment.
Targets
Process Mailboxes
Specify mailboxes that are filtered for attachments.
Do not process mailboxes - Do not filter any mailboxes for attachments.
Process all mailboxes - Filter attachments in all mailboxes.
Process only included mailboxes - Filter attachments in specified mailboxes only. Click Edit to add or remove mailboxes that are processed.
Process all except excluded mailboxes - Do not filter attachments in specified mailboxes but process all other mailboxes. Click Edit to add or remove mailboxes that should not be processed.
Process Public Folders
Specify public folders that are filtered for attachments.
Do not process public folders - Do not filter any public folders for attachments.
Process all public folders - Filter attachments in all public folders.
Process only included public folders - Filter attachments in specified public folders only. Click Edit to add or remove public folders that are processed.
Process all except excluded public folders - Do not filter attachments in specified public folders but process all other public folders. Click Edit to add or remove public folders that should not be processed.
Strip these attachments
Specify which attachments are removed from messages.
For more information, see “Match Lists”, 217.
Exclude these attachments
Specify attachments that are not removed from messages even if they match the match list rule. Leave the list empty if you do not want to exclude any attachments from filtering.
Actions
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify attachments which are not quarantined even when they are stripped.
For more information, see “Match Lists”, 217.
Notifications
Replacement text template
Specify the template for the text that replaces the suspicious or disallowed attachment when the attachment is removed from the message.
For more information, see “ Message
Virus Scanning
Specify messages and attachments in the Microsoft Exchange Storage that should be scanned for malicious code.
Targets
Scan mailboxes
Specify mailboxes that are scanned for viruses.
Do not scan mailboxes - Disable the mailbox scanning.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Edit to add or remove mailboxes that should be scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all other. Click Edit to add or remove mailboxes that should not be scanned.
Scan public folders
Specify public folders that are scanned for viruses.
Do not scan public folders - Disable the public folder scanning.
Scan all folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Edit to add or remove public folders that should be scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all other. Click Edit to add or remove public folders that should not be scanned.
IMPORTANT: You need to specify Administrator's mailbox setting to list and scan public folders on Microsoft Exchange 2010 platform. For more information, see “ General ”,
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “ Match Lists ”,
Exclude these attachments
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected attachments
Specify whether infected attachments are quarantined.
Do not quarantine these infections
Specify virus and malware infections that are never placed in the quarantine. For more information, see “Match Lists”, 217.
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “ Message Templates ”,
Grayware Scanning
Specify how the product processes grayware items during real-time scanning.
Scan messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware
Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “ Message
Archive Processing
Specify how F-Secure Anti-Virus processes archive files in Microsoft Exchange Storage.
Scan archives
Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives
Specify files that are scanned for viruses inside archives.
Exclude these files
Specify files inside archives that are not scanned. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels deep to scan in nested archives, if Scan Viruses Inside Archives is enabled.
A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited.
Specify the number of levels the product goes through before the action selected in Limit max Levels of Nested Archives takes place. The default setting is 3.
Actions
Action on max nested archives
Specify the action to take on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to the level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop archive - Archives with exceeding nesting levels are removed.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “ Quarantine
3.5.2 Manual Scanning
You can scan mailboxes and public folders for viruses and strip attachments manually at any time.
Statistics
The Statistics page displays a summary of the messages processed during the latest manual scan:
Status
Displays whether the manual scan is running or stopped.
Number of processed mailboxes
Displays the number of mailboxes that have been scanned and the total number that will be scanned when the manual scan is complete.
Number of processed public folders
Displays the number of public folders that have been scanned and the total number that will be scanned when the manual scan is complete.
Estimated time left
Displays the time left when the manual scan is running.
Elapsed time
Displays how long it has been since the manual scan started.
Processed items
Displays the number of items processed during the scan.
Infected items
Displays the number of infected items found.
Grayware items
Displays the number of grayware items found, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Suspicious items
Displays the number of suspicious content found, for example password-protected archives and nested archives.
Stripped attachments
Displays the number of filtered attachments.
Last infection found
Displays the name of the last infection found.
Last time infection found
Displays the date when the last infection was found.
Tasks
If the manual scan scans an item that has not been previously scanned for viruses and the real-time scan is on, the scan result may appear on the real-time scan statistics.
Click Start Scanning to start the manual scan.
Click Stop Scanning to stop the manual scan.
Click View Scanning Report to view the latest manual scan report.
General
Specify which messages you want to scan during the manual scan.
Targets
Scan mailboxes
Specify mailboxes that are scanned for viruses.
Do not scan mailboxes - Do not scan any mailboxes during the manual scan.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Edit to add or remove mailboxes that should be scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all other. Click Edit to add or remove mailboxes that should not be scanned.
Scan public folders
Specify public folders that are scanned for viruses.
Do not scan public folders - Do not scan any public folders during the manual scan.
Scan all folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Edit to add or remove public folders that should be scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all other. Click Edit to add or remove public folders that should not be scanned.
IMPORTANT: You need to specify Administrator's mailbox setting to list and scan public folders on Microsoft Exchange 2010 platform. For more information, see “ General ”,
Incremental Scanning
Specify which messages are scanned for viruses during the manual scan.
All messages - Scan all messages.
Only Recent Messages - Scan only messages that have not been scanned during the previous manual or scheduled scan.
File Type Recognition
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Options
Limit max levels of nested messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
Advanced
Administrator's mailbox
Specify the primary SMTP address for the account which is used to scan items in public folders. The user account must have permissions to access and modify items in the public folders.
The setting is used on Microsoft Exchange 2010 platform only and affects manual, realtime, and scheduled storage scanning. If you do not specify any address, public folders in Exchange Store cannot be accessed or even listed.
Attachment Filtering
Specify attachments that are removed from messages during the manual scan.
Strip attachments
Enable or disable the attachment stripping.
Targets
Strip these attachments
Specify which attachments are stripped from messages. For more information, see “ Match
Exclude these attachments
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Actions
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify files which are not quarantined even when they are stripped. For more information,
Notifications
Replacement Text Template
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “ Message Templates ”,
Virus Scanning
Specify messages and attachments that should be scanned for malicious code during the manual scan.
Scan messages for viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
Disabling virus scanning disables grayware scanning and archive processing as well.
Heuristic Scanning
Enable or disable the heuristic scanning. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
The heuristic scan may affect the product performance and increase the risk of false malware alarms.
Targets
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “ Match Lists ”,
Exclude these attachments
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected attachments
Specify whether infected or suspicious attachments are quarantined.
Do not quarantine these infections
Specify virus and malware infections that are never placed in the quarantine. For more information, see “Match Lists”, 217.
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “ Message Templates ”,
Grayware Scanning
Specify how the product processes grayware items during the manual scan.
Scan messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware
Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “ Message
Archive Processing
Specify how the product processes archive files during the manual scan.
Scan archives
Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives
Specify files inside archives that are scanned for viruses. For more information, see “ Match Lists ”,
Exclude these files
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives
Specify whether files inside compressed archive files are processed for disallowed content.
If you want to detect disallowed content, specify files that are not allowed. For more information,
Actions
Action on archives with disallowed files
Specify the action to take on archives that contain disallowed content.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient at all.
Action on max nested archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the password protected archive from the message.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Match Lists”, 217.
3.5.3 Scheduled Scanning
The Scheduled Tasks list displays all scheduled tasks and the date and time when they next occur.
Click Add new task to create a new scheduled operation.
Click the scheduled task name to edit it or Remove to completely remove it.
Creating Scheduled Task
Click Add new task in the Scheduled Scanning page to start the Scheduled Operation Wizard.
Step 1. Specify Scanning Task Name and Schedule
Enter the name for the new task and select how frequently you want the operation to be performed.
Active
Specify whether you want the scheduled scanning task to be active immediately after you have created it.
General
Task name
Specify the name of the scheduled operation.
Do not use any special characters in the task name.
Frequency of the operation
Specify how frequently you want the operation to be performed.
Once - Only once at the specified time.
Daily - Every day at the specified time, starting from the specified date.
Weekly - Every week at the specified time on the same day when the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date when the first operation is scheduled to start.
Start time
Enter the start time of the task in hh:mm format.
Start date
Enter the start date of the task in mm/dd/yyyy format.
Targets
Scan mailboxes
Specify mailboxes that are scanned for viruses.
Do not scan mailboxes - Disable the mailbox scanning.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Edit to add or remove mailboxes that should be scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all other. Click Edit to add or remove mailboxes that should not be scanned.
Scan public folders
Specify public folders that are scanned for viruses.
Do not scan public folders - Disable the public folder scanning.
Scan all folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Edit to add or remove public folders that should be scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all other. Click Edit to add or remove public folders that should not be scanned.
IMPORTANT: You need to specify Administrator's mailbox setting to list and scan public folders on Microsoft Exchange 2010 platform. For more information, see “ General ”,
Incremental scanning
Specify whether you want to process all messages or only those messages that have not been processed previously during the manual or scheduled processing.
Options
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Limit max levels of nested messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Step 2. Specify Attachment Filtering Options
Choose settings for stripping attachments during the scheduled operation.
Strip attachments from e-mail messages
Enable or disable the attachment stripping.
Targets
Strip these attachments
Specify which attachments are stripped from messages. For more information, see “ Match
Exclude these attachments
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Action
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify files which are not quarantined even when they are stripped. For more information,
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “ Message Templates ”,
Step 3. Specify Virus Scanning Options
Choose how mailboxes and public folders are scanned for viruses during the scheduled operation.
Scan messages for viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
If you disable the virus scan, grayware scanning and archive processing are disabled as well.
Heuristic Scanning Enable or disable the heuristic scanning. The heuristic scanning analyzes files for suspicious code behavior so that the product can detect unknown malware.
Heuristic scanning may affect the product performance and increase the risk of false malware alarms.
Targets
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “Match Lists”.
Exclude these attachments
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected messages
Specify whether infected or suspicious messages are quarantined.
Do not quarantine these infections
Specify infections that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Message Templates”.
Step 4. Specify Grayware Scanning Options
Choose settings for grayware scanning during the scheduled operation.
Scan messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware
Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “ Message
Step 5. Specify Archive Processing Options
Choose settings for archive processing during the scheduled operation.
Scan archives Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives
Specify files inside archives that are scanned for viruses. For more information, see “Match Lists”.
Exclude these files
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives
Specify files which are not allowed inside archives. For more information, see “ Match
Actions
Action on archives with disallowed files
Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Action on max nested archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “ Quarantine
Step 6. Finish
The Scheduled Operation Wizard displays the summary of created operation. Click Finish to accept the new scheduled operation and to exit the wizard.
3.6 Quarantine
Quarantine in F-Secure Anti-Virus for Microsoft Exchange is handled through a SQL database. The product is able to quarantine e-mails and attachments which contain malicious or otherwise unwanted content, such as spam messages.
The Quarantine management is divided into two different parts:
Quarantine-related configuration, and the management of the quarantined content, for example searching for and deleting quarantined content. For more information about searching and deleting quarantined content, see “Quarantine Management”.
Status
The Quarantine Status page displays a summary of the quarantined messages and attachments:
Infected
Displays the number of messages and attachments that are infected.
Disallowed attachments
Displays the number of messages that contained attachments with disallowed files.
Grayware
Displays the number of messages that have grayware items, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Disallowed content
Displays the number of messages that have been found to contain disallowed keywords in the message subject or text.
Suspicious
Displays the number of suspicious content found, for example password-protected archives, nested archives and malformed messages.
Spam
Displays the number of messages that are classified as spam.
Unsafe
Displays the number of messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a spam or virus outbreak.
Scan failure
Displays the number of files that could not be scanned, for example severely corrupted files.
3.6.1 Query
You can use the Quarantine Query page to search for the quarantined content. For more information, see “Searching the Quarantined Content”.
3.6.2 Options
You can configure the quarantine storage location and threshold, how quarantined files are processed and quarantine logging options.
General Quarantine Options
When F-Secure Anti-Virus places content to the Quarantine, it saves the content as separate files into the Quarantine Storage and inserts an entry to the Quarantine Database with information about the quarantined content.
Quarantine storage
Quarantine storage
Specify the location of the quarantine storage directory. Before you change the Quarantine storage directory, see “Moving the Quarantine Storage”.
Make sure that F-Secure Anti-Virus for Microsoft Exchange service has write access to this directory. Adjust the access rights to the directory so that only the F-Secure Anti-Virus for Microsoft Exchange service and the local administrator can access files in the Quarantine.
Quarantine thresholds
Quarantine size threshold Specify the critical size (in megabytes) of the quarantine folder. If the specified value is reached, the product sends an alert. The default value is 200. If zero (0) is specified, the size of the Quarantine is not checked.
The allowed value range is from 0 to 10240.
Quarantined items threshold
Specify the critical number of items in the Quarantine storage. If the specified value is reached or exceeded, the product sends an alert. If zero (0) is specified, the number of items in the Quarantine storage is not checked. The default value is 100000 items.
Notify when quarantine threshold is reached
Specify how the administrator should be notified when the Quarantine Size Threshold and/or Quarantined Items Threshold are reached. No alert is sent if both thresholds are set to zero (0).
Message template
Released quarantine message template
Specify the template for the message that is sent to the intended recipients when e-mail content is released from the quarantine. For more information, see “Message Templates”.
Quarantine Maintenance
When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients. For more information, see “Reprocessing the Quarantined Content”.
When removing quarantined messages from the quarantine, the product uses the currently configured quarantine retention and cleanup settings.
Reprocess unsafe messages
Automatically reprocess unsafe messages
Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine.
Set the value to Disabled to process unsafe messages manually.
Max attempts to process unsafe messages
Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine.
Final action on unsafe messages
Specify the action on unsafe messages after the maximum number of reprocesses have been attempted.
Leave in Quarantine - Leave messages in the Quarantine and process them manually.
Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.
Quarantine retention and cleanup
Retain items in quarantine
Specify how long quarantined items should be retained in the Quarantine before they are deleted.
Use the Quarantine Cleanup Exceptions table to change the retention period for a particular Quarantine category.
Delete old quarantined items
Specify how often the storage should be cleaned of old quarantined items.
Use the Quarantine Cleanup Exceptions table to change the cleanup interval for a particular Quarantine category.
Exceptions
Specify separate quarantine retention period and cleanup interval for any Quarantine category. If retention period and cleanup interval for a category are not defined in this table, then the default ones (specified above) are used.
Active - Enable or disable the selected entry in the table.
Quarantine category - Select a category the retention period or cleanup interval of which you want to modify. The categories are:
Infected
Suspicious
Disallowed attachment
Disallowed content
Spam
Scan failure
Unsafe
Grayware
Retention period - Specify an exception to the default retention period for the selected Quarantine category.
Cleanup interval - Specify an exception to the default cleanup interval for the selected Quarantine category.
Quarantine Database
You can specify the database where information about quarantined e-mails is stored and from which it is retrieved.
Quarantine database
SQL server name The name of the SQL server where the database is located.
Database name
The name of the quarantine database. The default name is FSMSE_Quarantine.
User name
The user name the product uses when accessing the database.
Password The password the product uses when accessing the database.
Click Test database connection to make sure that you can access the quarantine database with the configured user name and password.
Quarantine Logging
Specify where F-Secure Anti-Virus stores Quarantine log files.
Logging directory
Quarantine log directory
Specify the path for Quarantine log files.
Logging options
Rotate quarantine logs
Specify how often the product rotates Quarantine log files. At the end of each rotation time a new log file is created.
Keep rotated quarantine logs
Specify how many rotated log files should be stored in the Quarantine.
3.7 Automatic Updates
With F-Secure Automatic Update Agent, virus and spam definition database updates are retrieved automatically when they are published to F-Secure Update Server.
Tasks
Click Check for updates now to check that the product is using the latest database updates. If the virus and spam databases are not up-to-date, updates are downloaded automatically.
Click Change communication settings to configure how the product connects to F-Secure Update Server. For more information, see “Automatic Updates General Settings”.
Status
The Status page displays information on the latest update.
Channel name
Displays the channel from where the updates are downloaded.
Channel address
Displays the address of the Automatic Updates Server.
Latest installed update
Displays the version and name of the latest installed update.
Last check time
Displays the date and time when the last update check was done.
Last check result
Displays the result of the last update check.
Next check time
Displays the date and time for the next update check.
Last successful check time
Displays the date and time when the last successful update check was done.
Downloads
The Downloads page displays information about downloaded and installed update packages.
3.7.1 Communications
Specify how the product connects to F-Secure Update Server.
Automatic Updates General Settings
Edit General settings to select whether you want to use automatic updates and how often the product checks for new updates.
Turn on automatic updating
Enable and disable the automatic virus and spam database updates. By default, automatic updates are enabled.
Internet connection checking
Specify whether the product should check the connection to the Internet before trying to retrieve updates.
Use HTTP Proxy
Select whether HTTP proxy should be used.
No - HTTP proxy is not used.
From browser settings - Use the same HTTP proxy settings as the default web browser.
User defined - Define the HTTP proxy. Enter the proxy address in the User defined proxy field.
Update Server
Allow fetching updates from F-Secure Update Server
Specify whether the product should connect to F-Secure Update Server when it cannot connect to any user-specified update server. To edit the list of update sources, see “ Policy Manager
Server failover time
Define (in hours) the failover time to connect to F-Secure Policy Manager Server or F-Secure Policy Manager Proxy.
If the product cannot connect to any user-specified update server during the failover time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.
Server polling interval
Define (in minutes) how often the product checks F-Secure Policy Manager Proxies for new updates.
Policy Manager Proxies
Edit the list of virus definition database update sources and F-Secure Policy Manager proxies. If no update servers are configured, the product retrieves the latest virus definition updates from F-Secure Update Server automatically.
To add a new update source address to the list, follow these instructions:
1. Click Add new proxy to add the new entry to the list.
2. Enter the URL of the update source.
3. Edit the priority of the update source.
The priority numbers are used to define the order in which the host tries to connect to servers. Virus definition updates are downloaded from the primary sources first; secondary update sources can be used as a backup.
The product connects to the source with the smallest priority number first (1). If the connection to that source fails, it tries to connect to the source with the next smallest number (2) until the connection succeeds.
4. Click OK to add the new update source to the list.
3.8 General Server Properties
The Host information displays the following details of the host:
WINS name
DNS names
IP addresses
Unique ID
In the centralized management mode, the page displays the following details of the F-Secure Policy Manager:
Management server
Last connection
Policy file counter
Policy file timestamp
Tasks
Click Poll the server now to poll F-Secure Policy Manager Server for the latest policy file immediately.
Click Export settings to open a list of all F-Secure Anti-Virus for Microsoft Exchange settings in a new Internet browser window.
Click Export statistics to open a list of all F-Secure Anti-Virus for Microsoft Exchange statistics in a new Internet browser window.
To print current settings or statistics, click Download to download and save settings and statistics as a file.
Click F-Secure support tool to run the F-Secure Support Tool utility to gather a report for F-Secure Technical Support. For more information, see “F-Secure Support Tool”.
3.8.1 Administration
Configure Administration settings to change the management mode, specify where and how alerts are sent, configure the F-Secure Anti-Virus for Microsoft Exchange Web Console, define the network configuration and SMTP address for e-mail notifications, and specify how the samples of unsafe e-mails should be sent to F-Secure.
Management Mode
Communication method
If you use F-Secure Policy Manager Server, specify the URL of F-Secure Policy Manager Server. Do not add a slash at the end of the URL. For example: “http://fsms.example.com”.
Select Stand-alone if you use F-Secure Anti-Virus for Exchange Web Console to administer the product.
Logging
Specify the maximum file size of the F-Secure log file.
Alerting
You can specify where an alert is sent according to its severity level. You can send the alert to any of the following:
F-Secure Policy Manager
Windows Event Log
If you choose to forward alerts to e-mail, specify the SMTP server address, alert message subject line and the return address of the alert e-mail.
To forward alerts to an e-mail, follow these instructions:
1. Click Add new recipient to add a new entry in the E-mail Address table.
2. Type the e-mail address of the alert recipient.
3. Select the types of alerts that are to be sent to this address.
4. Click Apply.
Informational and warning-level alerts are not sent to F-Secure Policy Manager Console by default. If you want to use centralized administration mode, it is recommended to have all alerts sent to F-Secure Policy Manager Console.
Web Console
Change Web Console settings to configure how you connect to F-Secure Anti-Virus for Microsoft Exchange Web Console.
General
Limit session timeout
Specify the length of time a client can be connected to the server. When the session expires, the F-Secure Anti-Virus for Microsoft Exchange Web Console terminates the session and displays a warning. The default value is 60 minutes.
Connections
Listen on address
Specify the IP address of the F-Secure Anti-Virus for Microsoft Exchange Web Console Server.
Port
Specify the port where the server listens for connections. The default port is 25023.
Allowed hosts
Specify a list of hosts which are allowed to connect to F-Secure Anti-Virus for Microsoft Exchange Web Console.
To add a new host in the list, click Add new hosts and enter the IP address of the host.
To edit the host entry, click the IP address.
To delete the entry, click remove at the end of the host entry row.
Language
Specify the language that you want to use in F-Secure Anti-Virus for Microsoft Exchange Web Console. Currently supported languages are: English, French, German, Italian, Japanese, and Spanish.
Reload F-Secure Anti-Virus for Microsoft Exchange Web Console after you change the language to take the new language into use.
3.8.2 Network Configuration
The mail direction is based on the Internal domains and Internal SMTP senders settings and it is determined as follows:
1. E-mail messages are considered internal if they come from internal SMTP sender hosts and mail recipients belong to one of the specified internal domains (internal recipients).
2. E-mail messages are considered outbound if they come from internal SMTP sender hosts and mail recipients do not belong to the specified internal domains (external recipients).
3. E-mail messages that come from hosts that are not defined as internal SMTP sender hosts are considered inbound.
4. E-mail messages submitted via MAPI or Pickup Folder are treated as if they are sent from the internal SMTP sender host.
If e-mail messages come from internal SMTP sender hosts and contain both internal and external recipients, messages are split and processed as internal and outbound respectively.
On Microsoft Exchange Server 2003, internal messages which are submitted via MAPI or Pickup Folder are not delivered via transport level. Therefore, those messages do not pass Transport Protection and they are checked on the storage level only.
To scan or filter messages from internal hosts on Microsoft Exchange Server 2003, use corresponding real-time scanning settings in the storage protection section.
Internal Domains
Specify internal domains.
Separate each domain name with a space. You can use an asterisk (*) as a wildcard. For example, *example.com internal.example.net
Internal SMTP senders
Specify the IP addresses of hosts that belong to your organization. Specify all hosts within the organization that send messages to Exchange Edge or Hub servers via SMTP as Internal SMTP Senders.
Separate each IP address with a space. An IP address range can be defined as:
a network/netmask pair (for example, 10.1.0.0/255.255.0.0), or
a network/nnn CIDR specification (for example, 10.1.0.0/16).
You can use an asterisk (*) to match any number or dash (-) to define a range of numbers. For example, 172.16.4.4 172.16.*.1 172.16.4.0-16 172.16.250-255.*
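The direction rules and address patterns above, worked through as an added Python example (not the product's implementation). It assumes `*` in a domain is a plain glob and that `*` and `lo-hi` apply per octet of an IP pattern; the function names are hypothetical and the sample settings are the manual's own example values.

```python
import ipaddress
from fnmatch import fnmatchcase

# The manual's example values for the two settings (space separated).
INTERNAL_DOMAINS = "*example.com internal.example.net".split()
INTERNAL_SENDERS = ("10.1.0.0/255.255.0.0 172.16.4.4 172.16.*.1 "
                    "172.16.4.0-16 172.16.250-255.*").split()


def ip_matches(ip, pattern):
    """Match an IPv4 address against one Internal SMTP senders entry."""
    addr = ipaddress.IPv4Address(ip)
    if "/" in pattern:
        # ip_network accepts both 10.1.0.0/16 and 10.1.0.0/255.255.0.0.
        return addr in ipaddress.ip_network(pattern, strict=False)
    specs = pattern.split(".")
    if len(specs) != 4:
        raise ValueError(f"bad IP pattern: {pattern!r}")
    # Assumption: each octet is a number, '*' or an inclusive 'lo-hi' range.
    for octet, spec in zip(addr.packed, specs):
        if spec == "*":
            continue
        low, _, high = spec.partition("-")
        if not int(low) <= octet <= int(high or low):
            return False
    return True


def is_internal_recipient(address, domains=INTERNAL_DOMAINS):
    """True if the recipient's domain matches an Internal Domains entry."""
    domain = address.rsplit("@", 1)[-1].lower()
    # Assumption: '*' is a plain glob, so '*example.com' matches any
    # domain that merely ends in 'example.com'.
    return any(fnmatchcase(domain, p.lower()) for p in domains)


def classify(sender_ip, recipients, via_smtp=True,
             domains=INTERNAL_DOMAINS, senders=INTERNAL_SENDERS):
    """Return {direction: [recipients]} following rules 1-4 above."""
    # Rule 4: MAPI / Pickup Folder submissions count as an internal sender.
    internal_sender = (not via_smtp) or any(
        ip_matches(sender_ip, p) for p in senders)
    if not internal_sender:
        return {"inbound": list(recipients)}           # rule 3
    split = {}
    for rcpt in recipients:
        kind = ("internal" if is_internal_recipient(rcpt, domains)
                else "outbound")                       # rules 1 and 2
        split.setdefault(kind, []).append(rcpt)
    return split                                       # mixed mail is split


if __name__ == "__main__":
    # Constructed sample traffic.
    print(classify("10.1.3.4", ["a@example.com", "b@partner.test"]))
    print(classify("203.0.113.5", ["a@example.com"]))
    print(classify(None, ["c@mail.example.com"], via_smtp=False))
```

Under the glob assumption `*example.com` also matches a look-alike such as `notexample.com`, and any host covered by an Internal SMTP senders pattern has its mail treated as internal or outbound rather than inbound, so both lists are worth keeping as narrow as the deployment allows.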
If end-users in the organization use other than Microsoft Outlook e-mail client to send and receive e-mail, it is recommended to specify all end-user workstations as Internal SMTP Senders.
If the organization has Exchange Edge and Hub servers, the server with the Hub role installed should be added to the Internal SMTP Sender on the server where the Edge role is installed.
IMPORTANT: Do not specify the server where the Edge role is installed as Internal SMTP Sender.
3.8.3 Notifications
Specify Notification Sender Address that is used by F-Secure Anti-Virus for Microsoft Exchange for sending warning and informational messages to the end-users (for example, recipients, senders and mailbox owners).
Make sure that the notification sender address is a valid SMTP address. A public folder cannot be used as the notification sender address.
3.8.4 Sample Submission
You can use the product to send samples of unsafe e-mails and new, yet undefined malware to F-Secure for analysis.
Max submission attempts
Specify how many times the product attempts to send the sample if the submission fails.
Resend interval
Specify the time interval (in minutes) how long F-Secure Anti-Virus for Microsoft Exchange should wait before trying to send the sample again if the previous submission failed.
Connection timeout
Specify the time (in seconds) how long the product tries to contact the F-Secure Hospital server.
Send timeout
Specify the time (in seconds) how long the product waits for the sample submission to complete.
3.8.5 Engines
The Engines Status page displays server statistics and the current status of scanning engines.
Server Statistics
Number of scanned files
The number of files that have been scanned.
Last virus database update
The last date and time when the virus definition database was updated.
Virus database update version
The version number of the virus definition database.
Last time infection found
The date and time when the last infection was found.
Last infection found
The name of the last infection that was found.
Scan Engines
The Scan Engines list displays scan engines and the database update statistics.
If you want to disable the scan for certain files with a specified scan engine, click Properties and enter the file extensions you want to exclude from the scan.
Database Updates
Configure Database Update options to set notification alerts when virus and spam definition databases are outdated.
Database age checking
Notify when databases are older than
Specify when virus definition databases are outdated. If databases are older than the specified amount of days, F-Secure Content Scanner Server sends an alert to the administrator.
Notify when databases become old
Specify the alert F-Secure Content Scanner Server should send to the administrator when virus definition databases are not up-to-date.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”.
Database verification
Verify integrity of downloaded databases
Specify whether the product verifies that the downloaded virus definition databases are the original databases published by F-Secure Corporation and that they have not been altered or corrupted in any way before taking them to use.
Proxy Server
F-Secure Content Scanner Server can use a proxy server to connect to the threat detection center.
Use proxy server
Specify whether F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center.
Proxy configuration
Proxy server address
Specify the address of the proxy server.
Proxy server port
Specify the port number of the proxy server.
Authentication method
Specify the authentication method to use to authenticate to the proxy server.
NoAuth - The proxy server does not require authentication.
Basic - The proxy uses the basic authentication scheme.
NTLM - The proxy uses NTLM authentication scheme.
User name
Specify the user name for the proxy server authentication.
Password
Specify the password for the proxy server authentication.
Domain
Specify the domain name for the proxy server authentication.
The proxy authentication settings can be configured with F-Secure Anti-Virus for Microsoft Exchange Web Console only.
Threat Detection
F-Secure Anti-Virus can identify spam and virus outbreak patterns from messages.
Cache
VOD cache size
Specify the maximum number of patterns to cache for the virus outbreak detection service. By default, the cache size is 10000 cached patterns.
Class cache size
Specify the maximum number of patterns to cache for spam detection service. By default, the cache size is 10000 cached patterns.
Increasing cache sizes may increase the threat detection performance but it requires more disk space and may degrade the threat detection rate. Cache sizes can be disabled (set the size to 0) for troubleshooting purposes.
Click Clear cache to clear the detection service cache.
Spam Scanning
Spam detection
Enable or disable the threat detection service while scanning inbound messages for spam.
Action on connection failure
Specify the action for messages when the threat detection center cannot be contacted and the threat detection engine cannot classify the message.
Pass through - The message is passed through without scanning it for spam.
Heuristic Scanning - F-Secure Content Scanner Server checks the message using spam heuristics.
Trusted networks
Specify networks and hosts in the mail relay network which can be trusted not to be operated by spammers and do not have open relays or open proxies.
Define the network as a network/netmask pair (10.1.0.0/255.255.0.0), with the network/nnn CIDR specification (10.1.0.0/16), or use ‘*’ wildcard to match any number and ‘-’ to define a range of numbers (172.16.*.1, 172.16.4.10-110).
Advanced
Configure Advanced options to set the working directory and optimize the product performance.
Working directory
Working directory
Specify the working directory. Enter the complete path to the field or click Browse to browse to the path you want to set as the new working directory.
Working directory clean interval
Specify how often the working directory is cleaned of all files that may be left there. By default, files are cleaned every 30 minutes.
Free space threshold
Set the free space threshold of the working directory. F-Secure Content Scanner Server sends an alert to the administrator when the drive has less than the specified amount of space left.
Performance
Maximum size of data processed in memory
Specify the maximum size (in kilobytes) of data to be transferred to the server via shared memory in the local interaction mode. When the amount of data exceeds the specified limit, a local temporary file will be used for data transfer.
If the option is set to zero (0), all data transfers via shared memory are disabled.
The setting is ignored if the local interaction mode is disabled.
Maximum number of concurrent transactions
Specify how many files F-Secure Content Scanner Server should process simultaneously.
Maximum scan timeout
Specify how long a scan task can be carried out before it is automatically cancelled.
Number of spam scanner instances
Specify the number of Spam Scanner instances to be created and used for spam analysis. As one instance of the spam scanner is capable of processing one mail message at a time, this setting defines how many messages undergo the spam analysis simultaneously.
You have to restart the Content Scanner Server after you change this setting to take the new setting into use.
IMPORTANT: Spam analysis is a processor-intensive operation and each spam scanner instance takes approximately 25MB of memory (process fsavsd.exe). Do not increase the number of instances unless the product is running on a powerful computer.
3.8.6 Lists and Templates
Match Lists are lists of file name patterns, keywords, or e-mail addresses that can be used with certain product settings.
Message Templates can be used for notification messages.
Match Lists
Click the name of an existing match list to edit the list or Add new list to create a new match list.
List name
Select the match list you want to edit. If you are creating a new match list, specify the name for the new match list.
Type
Specify whether the list contains keywords, file patterns or email addresses.
Filter
Specify file names, extensions, keywords or email addresses that the match list contains. You can use wildcards.
To add multiple patterns to the filter, add each list item to a new line.
Message Templates
Click the name of an existing template to edit it or Add new item to create a new template.
Name
Select the template you want to edit. If you are creating a new template, specify the name for the new template.
Subject/Filename
Specify the subject line of the notification message.
Message body
Specify the notification message text.
For more information about the variables you can use in notification messages, see “Variables in Warning Messages”.
Description
Specify a short description for the template.
4 QUARANTINE MANAGEMENT
Introduction
Configuring Quarantine Options
Quarantine Status
Searching the Quarantined Content
Query Results Page
Quarantine Operations
Moving the Quarantine Storage
4.1 Introduction
You can manage and search quarantined mails with the F-Secure
Anti-Virus for Microsoft Exchange Web Console. You can search for quarantined content by using different search criteria, including the quarantine ID, recipient and sender address, the time period during which the message was quarantined, and so on. You can reprocess and delete messages, and specify storage and automatic deletion times based on the reason for quarantining the message.
If you have multiple F-Secure Anti-Virus for Microsoft Exchange installations, you can manage the quarantined content on all of them from one single F-Secure Anti-Virus for Microsoft Exchange Web Console.
The quarantine consists of:
Quarantine Database
The quarantine database contains information about the quarantined messages and attachments. If there are several F-Secure Anti-Virus for
Microsoft Exchange installations in the network, they can either have their own quarantine databases, or they can use a common quarantine database. An SQL database server is required for the quarantine database.
For more information on the SQL database servers that can be used for deploying the quarantine database, consult the F-Secure
Anti-Virus for Microsoft Exchange Deployment Guide.
The following versions of Microsoft SQL are recommended:
Microsoft SQL Server 2000 (Enterprise, Standard or Workgroup Edition) with SP 4
Microsoft SQL Server 2000 Desktop Engine (MSDE) with SP 4
Microsoft SQL Server 2005 (Enterprise, Standard, Workgroup or Express Edition) with the latest service pack
Microsoft SQL Server 2008 (Enterprise, Standard, Workgroup or Express Edition)
Microsoft SQL Server 2005 Express Edition is distributed with the product and can be installed during F-Secure Anti-Virus for Microsoft Exchange setup.
We do not recommend using MSDE or Microsoft SQL Server 2005/
2008 Express Edition if you plan to use centralized quarantine management or if your organization sends and receives a large amount of e-mails. For more information about the limitations of
Microsoft SQL Server 2005/2008 Express Edition and MSDE, see the product deployment guide.
Quarantine Storage
The quarantine storage where the quarantined messages and attachments are stored is located on the server where F-Secure
Anti-Virus for Microsoft Exchange is installed. If there are several
F-Secure Anti-Virus for Microsoft Exchange installations in the network, they all have their own storages. The storages are accessible from a single F-Secure Anti-Virus for Microsoft Exchange Web Console.
4.1.1
Quarantine Reasons
The quarantine storage can store:
Messages and attachments that are infected and cannot be automatically disinfected. (Infected)
Suspicious content, for example password-protected archives, nested archives and malformed messages. (Suspicious)
Messages and attachments that have been blocked by their filename or filename extension. (Disallowed attachment)
Messages that contain disallowed words in the subject line or message body. (Disallowed content)
Messages that are considered as spam. (Spam)
Messages that contain grayware. (Grayware)
Files that could not be scanned, for example severely corrupted files. (Scan failure)
Messages that contain patterns that can be assumed to be a part of a spam or virus outbreak. (Unsafe)
4.2
Configuring Quarantine Options
In stand-alone installations, all the quarantine settings can be configured on the Quarantine page in F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information on the settings, see “ Quarantine ”,
In centrally managed installations, the quarantine settings are configured with F-Secure Policy Manager in the F-Secure Anti-Virus for Microsoft Exchange / Settings / Quarantine branch. For more information, see
The actual quarantine management is done through F-Secure Anti-Virus for Microsoft Exchange Web Console.
4.3
Quarantine Status
The Quarantine status page displays the number of quarantined items in each quarantine category, and the total size of the quarantine.
4.3.1
Quarantine Logging
To view the Quarantine Log, open the Quarantine page. Then click the View Quarantine Log link.
4.4
Searching the Quarantined Content
You can search the quarantined content on the Quarantine Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
You can use any of the following search criteria. Leave all fields empty to see all quarantined content.
Quarantine ID: Enter the quarantine ID of the quarantined message. The quarantine ID is displayed in the notification sent to the user about the quarantined message and in the alert message.
Object type: Select the type of the quarantined content.
  Mails and attachments - Search for both quarantined mails and attachments.
  Attachment - Search for quarantined attachments.
  Mail - Search for quarantined mails.
Reason: Select the quarantining reason from the drop-down menu. For more information, see
Reason details: Specify details about the scanning or processing results that caused the message to be quarantined. For example:
  The message is infected - specify the name of the infection that was found in an infected message.
Sender: Enter the e-mail address of the message sender. You can only search for one address at a time, but you can widen the search by using the wildcards.
Recipients: Enter the e-mail address of the message recipient.
Subject: Enter the message subject to be used as search criteria.
Message ID: Enter the Message ID of the quarantined mail.
Sender Host: Enter the address of the sender mail server or client.
You can specify Message ID and Sender Host only when you search for quarantined mails.
Name: Enter the file name of the quarantined attachment.
Location: Enter the location of the mailbox or public folder where the quarantined attachment was found.
You can specify Name and Location only when you search for quarantined attachments.
Show only: You can use this option to view the current status of messages that you have set to be reprocessed, released or deleted. Because processing a large number of e-mails may take time, you can use this option to monitor how the operation is progressing.
The options available are:
  Unprocessed e-mails - Displays only e-mails that the administrator has not set to be released, reprocessed or deleted.
  E-mails to be released - Displays only e-mails that are currently set to be released, but have not been released yet.
  E-mails to be reprocessed - Displays only e-mails that are currently set to be reprocessed, but have not been reprocessed yet.
  E-mails to be released or reprocessed - Displays e-mails that are currently set to be reprocessed or released, but have not been reprocessed or released yet.
Search period: Select the time period when the data has been quarantined. Select Exact start and end dates to specify the date and time (year, month, day, hour, minute) when the data has been quarantined.
Sort Results: Specify how the search results are sorted by selecting one of the options in the Sort Results drop-down listbox: based on Date, Sender, Recipients, Subject or Reason.
Display: Select how many items you want to view per page.
Click Query to start the search. The Quarantine Query Results page is displayed once the query is completed.
If you want to clear all the fields on the Query page, click Reset.
Using Wildcards
You can use the following SQL wildcards in the quarantine queries:
Wildcard - Explanation
% - Any string of zero or more characters.
_ (underscore) - Any single character.
[ ] - Any single character within the specified range ([a-f]) or set ([abcdef]).
[^] - Any single character not within the specified range ([^a-f]) or set ([^abcdef]).
If you want to search for '%', '_' and '[' as regular symbols in one of the fields, you must enclose them in square brackets: '[%]', '[_]', '[[]'.
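The escaping rule above can be applied mechanically before a value is typed into a query field, which matters for addresses that contain an underscore. The following PowerShell is an added example, not part of the product or of this guide: the three function names are hypothetical, the sender addresses are constructed, and the matcher only approximates the four wildcards in the table (case-insensitive matching is an assumption).

```powershell
# Added example; function names and sample addresses are made up for illustration.

function ConvertTo-QuarantineLiteral {
    # Encloses %, _ and [ in square brackets so a query field treats them as regular symbols.
    param([string]$Text)
    return ($Text -replace '([%_\[])', '[$1]')
}

function ConvertTo-PatternRegex {
    # Translates the four wildcards from the table into an anchored .NET regular expression.
    param([string]$Pattern)
    $out = New-Object System.Text.StringBuilder
    [void]$out.Append('^')
    for ($i = 0; $i -lt $Pattern.Length; $i++) {
        $c = [string]$Pattern[$i]
        if ($c -eq '%') {
            [void]$out.Append('.*')                      # any string of zero or more characters
        }
        elseif ($c -eq '_') {
            [void]$out.Append('.')                       # any single character
        }
        elseif ($c -eq '[') {
            $close = $Pattern.IndexOf(']', $i + 1)
            $body  = if ($close -gt $i + 1) { $Pattern.Substring($i + 1, $close - $i - 1) } else { '' }
            if ($body -ne '' -and $body -ne '^') {
                # [set], [a-f] or [^a-f]: copy as a regex character class,
                # escaping the characters that are special inside a .NET class
                $set = $body -replace '([\\\[])', '\$1'
                [void]$out.Append("[$set]")
                $i = $close                              # continue after the closing bracket
            }
            else {
                [void]$out.Append('\[')                  # no usable set: literal '['
            }
        }
        else {
            [void]$out.Append([regex]::Escape($c))       # everything else is literal
        }
    }
    [void]$out.Append('$')
    return $out.ToString()
}

function Test-QuarantinePattern {
    # Local approximation of how a field value with wildcards matches a stored value.
    param([string]$Value, [string]$Pattern)
    # Assumption: the quarantine database compares case-insensitively.
    $options = [System.Text.RegularExpressions.RegexOptions]'IgnoreCase, Singleline'
    return [regex]::IsMatch($Value, (ConvertTo-PatternRegex $Pattern), $options)
}

# Constructed sample data: the administrator wants mail from john_doe@ only.
$senders = 'john_doe@example.com', 'johnxdoe@example.com', 'sales@example.com'
$naive   = 'john_doe@%'                                   # '_' acts as a wildcard here
$escaped = (ConvertTo-QuarantineLiteral 'john_doe@') + '%' # 'john[_]doe@%'

$rows = foreach ($s in $senders) {
    New-Object PSObject -Property @{
        Sender  = $s
        Naive   = (Test-QuarantinePattern $s $naive)
        Escaped = (Test-QuarantinePattern $s $escaped)
    }
}
$rows | Format-Table Sender, Naive, Escaped -AutoSize
```

The unescaped pattern also selects johnxdoe@example.com, because the underscore stands for any single character; this matters before using Release All or Delete All on the result set.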
4.5
Query Results Page
The Quarantine Query Results page displays a list of mails and attachments that were found in the query. To view detailed information about quarantined content, click the Quarantine ID (QID) number link in the QID column. For more information, see “ Viewing Details of the
The Query Results page displays status icons of the content that was found in the search:
Icon E-mail status
Quarantined e-mail. The administrator has not specified any actions to be taken on this e-mail.
Quarantined e-mail with attachments. The administrator has not specified any actions to be taken on this e-mail.
Quarantined e-mail that the administrator has set to be released. The release operation has not been completed yet.
Quarantined e-mail that the administrator has set to be reprocessed. The reprocessing operation has not been completed yet.
Quarantined e-mail that the administrator has set to be deleted. The deletion operation has not been completed yet.
Quarantined e-mail that the administrator has submitted to F-Secure for analysis.
Quarantined e-mail set to be released, which failed.
Quarantined e-mail set to be reprocessed, which failed.
Quarantined e-mail set to be submitted to F-Secure, which failed.
For information how to process quarantined content, see “ Quarantine
4.5.1
Viewing Details of the Quarantined Message
To view the details of a quarantined message, do the following:
1. On the Query Search Results page, click the Quarantine ID (QID) number link in the QID column.
2. The Quarantined Content Details page opens.
The Quarantined Content Details page displays the following information about the quarantined mails and attachments:
QID: Quarantine ID.
Submit time: The date and time when the item was placed in the quarantine.
Processing server: The F-Secure Anti-Virus for Microsoft Exchange server that processed the message. Quarantined messages only.
Sender: The address of the message sender.
Recipients: The addresses of all the message recipients.
Sender host: The address of the sender mail server or client. Quarantined messages only.
Location: The location of the mailbox or public folder where the quarantined attachment was found. Quarantined attachments only.
Subject: The message subject.
Message size: The size of the quarantined message. Quarantined messages only.
Attachment name: The name of the attachment. Quarantined attachments only.
Attachment size: The size of the attachment file. Quarantined attachments only.
Quarantine reason: The reason why the content was quarantined.
Click the Show link to access the content of the quarantined message.
Click Download to download the quarantined message or attachment to your computer to check it.
WARNING: In many countries, it is illegal to read other people’s messages.
For information how to process quarantined content, see “ Quarantine
4.6
Quarantine Operations
Quarantined mails and attachments can be reprocessed, released and removed from the quarantine storage after you have searched for the quarantined content you want to process.
Quarantined Mail Operations
You can select an operation to perform on the messages that were found in the query:
Click Reprocess to scan the currently selected e-mail again, or click Reprocess All to scan all e-mail messages that were found. For more information, see “ Reprocessing the Quarantined
Click Release to deliver the currently selected e-mail without further processing, or click Release All to deliver all e-mail messages that were found. For more information, see “Releasing the Quarantined Content”, 232.
WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.
Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see “ Removing the
Click Send to F-Secure to submit a sample of quarantined content to F-Secure for analysis.
Quarantined Attachment Operations
You can select an operation to perform on the attachments that were found in the query:
Click Send to deliver the currently selected attachment, or click Send All to deliver all attachments that were found.
Attachments sent from the quarantine go through the transport and storage protection and are scanned again. For more information, see “Releasing the Quarantined Content”, 232.
Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see “ Removing the
4.6.1
Reprocessing the Quarantined Content
When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients.
If you reprocess a quarantined spam e-mail, the reprocessed content may receive a lower spam score than it did originally and it may reach the recipient.
For example, if some content was placed in the quarantine because of an error situation, you can use the time period when the error occurred as search criteria, and then reprocess the content. This is done as follows:
1. Open the Quarantine > Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. Select the start and end dates and times of the quarantining period from the Start time and End Time drop-down menus.
3. If you want to specify how the search results are sorted, select the sorting criteria and order from the Sort results and order drop-down menus.
4. Select the number of items to be displayed on a results page from the Display drop-down menu.
5. Click the Query button.
6. When the query is finished, the query results page is displayed. Click the Reprocess All button to reprocess the displayed quarantined content.
7. The progress of the reprocessing operation is displayed in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
The e-mails that have been reprocessed and found clean are delivered to the intended recipients. They are also automatically deleted from the quarantine.
E-mails that have been reprocessed and found infected, suspicious or broken return to the quarantine.
4.6.2
Releasing the Quarantined Content
When you release quarantined content, the product sends the content to the intended recipients without any further processing on the protection level that blocked the content previously. For example, if you have a password-protected archive in the quarantine that you want to deliver to the recipient, you can release it.
WARNING: Releasing quarantined content is a security risk, as the content is delivered to the recipient without being scanned.
If you release a message that was quarantined on the transport protection level, the released message is not checked on the transport level again, but the real-time scanning on the storage protection level processes the message before it is delivered to the mailbox of the recipient. If the storage level check catches the message, it is not released and remains in the Quarantine.
If you need to release a quarantined message, follow these instructions:
1. Open the Quarantine > Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. Enter the Quarantine ID of the message in the Quarantine ID field. The Quarantine ID is included in the notification message delivered to the user.
3. Click Query to find the quarantined content.
4. Quarantine may contain either the original e-mail message or just the attachment that was quarantined.
a. When the quarantined content is an e-mail message, click Release to release the displayed quarantined content. The Release Quarantined Content dialog opens.
b. When the quarantine contains an attachment, click Send. The quarantined attachment is attached to the template specified in General Quarantine Options that is sent to the recipient.
5. Specify whether you want to release the content to the original recipient or specify an address where the content is to be forwarded.
It may not be legal to forward the e-mail to anybody else than the original recipient.
6. Specify what happens to the quarantined content after it has been released by selecting one of the Action after release options:
Leave in the quarantine
Delete from the quarantine
7. Click Release or Send. The content is now delivered to the recipient.
4.6.3
Removing the Quarantined Content
Quarantined messages are removed from the quarantine based on the currently configured quarantine retention and cleanup settings. For an
example on how to configure those settings, see “ Deleting Old
Quarantined Content Automatically ”, 234.
If you want to remove a large amount of quarantined messages at once, for example all the messages that have been categorized as spam, do the following:
1. Open the Quarantine > Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. Select the quarantining reason, Spam, from the Reason drop-down listbox.
3. Click Query.
4. When the query is finished, the query results page displays all quarantined messages that have been classified as spam. Click the Delete All button to delete all the displayed quarantined content.
5. You are prompted to confirm the deletion. Click OK. The content is now removed from the quarantine.
4.6.4
Deleting Old Quarantined Content Automatically
Quarantined content is deleted automatically based on the Quarantine
Retention and Cleanup settings in the Maintenance tab on the Quarantine
> Options page. By default all types of quarantined content are stored in quarantine for one month, and quarantine clean-up task is executed once an hour.
You can specify exceptions to the default retention and clean-up times in the Exceptions table. These exceptions are based on the quarantine category. If you want, for example, to have infected messages deleted sooner, you can specify an exception rule for them as follows:
1. Go to the Quarantine > Options page.
2. Open the Maintenance tab.
3. Click Add new exception at the Exceptions table. A New Quarantine Cleanup Exception dialog opens.
4. Select the Quarantine category for which you want to specify the exception. Specify a Retention period and a Cleanup interval for the selected category.
5. To turn on the exception, make sure that the Active check box is selected. Click Ok.
6. Click Apply to apply the new changes.
4.7
Moving the Quarantine Storage
When you want to change the Quarantine storage location either using the F-Secure Policy Manager Console or F-Secure Anti-Virus for
Microsoft Exchange Web Console, note that the product does not create the new directory automatically. Before you change the Quarantine storage directory, make sure that the directory exists and it has proper security permissions.
You can use the xcopy command to create and change the Quarantine storage directory by copying the existing directory with the current ownership and ACL information. In the following example, the Quarantine storage is moved from C:\Program Files\F-Secure\Quarantine Manager\quarantine to D:\Quarantine:
1. Stop F-Secure Quarantine Manager service to prevent any quarantine operations while you move the location of the Quarantine storage. Run the following command from the command prompt:
    net stop "F-Secure Quarantine Manager"
2. Run the following command from the command prompt to copy the current content to the new location:
    xcopy "C:\Program Files\F-Secure\Quarantine Manager\quarantine" D:\Quarantine\ /O /X /E
Note the use of backslashes in the source and destination directory paths.
3. Change the path for FSMSEQS$ shared folder. If the product is installed in the local quarantine management mode, you can skip this step.
To change the FSMSEQS$ path, follow these steps:
a. Open Windows Control Panel > Administrative Tools > Computer Management.
b. Open System Tools > Shared Folders > Shares and find FSMSEQS$ there.
c. Right-click FSMSEQS$ and select Stop Sharing. Confirm that you want to stop sharing FSMSEQS$.
d. Right-click FSMSEQS$ again and select New Share.
e. Follow Share a Folder Wizard instructions to create FSMSEQS$ shared folder.
i. Specify the new directory (in this example, D:\Quarantine) as the folder path, FSMSEQS$ as the share name and F-Secure Quarantine Storage as the description.
ii. On the Permissions page, select Administrators have full access; other users have read-only access. Note that the Quarantine storage has file/directory security permissions set only for the SYSTEM and Administrators group.
f. Click Finish.
4. Change the location of the Quarantine storage from the F-Secure Policy Manager Console (F-Secure Anti-Virus for Exchange/Settings/Quarantine/Quarantine Storage) or F-Secure Anti-Virus for Microsoft Exchange Web Console (Anti-Virus for Microsoft Exchange > Quarantine > Options > Quarantine Storage).
5. Make sure that the product has received new settings.
6. Restart F-Secure Quarantine Manager service. Run the following command from the command prompt:
    net start "F-Secure Quarantine Manager"
For more information about the xcopy command and options, refer to MS Windows Help and Support.
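A check that can be run after the copy in step 2 and before the service is restarted in step 6, to confirm that the new directory carries the permissions described above (SYSTEM and Administrators only) and that the share points at it. This is an added example, not a script from F-Secure: the function name is hypothetical, the paths are the ones used in the example above, and it assumes Windows PowerShell started as an administrator.

```powershell
# Added example, not part of the product. Paths are taken from the example above.
$oldPath   = 'C:\Program Files\F-Secure\Quarantine Manager\quarantine'
$newPath   = 'D:\Quarantine'
$shareName = 'FSMSEQS$'
$sidType   = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs, used so the check also works on localized Windows:
# S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-UnexpectedAllowAce {
    # Lists every Allow entry under $Root that is granted to a principal outside $AllowedSids.
    param([string]$Root, [string[]]$AllowedSids)
    $type  = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -Path $Root -Force) + @(Get-ChildItem -Path $Root -Recurse -Force)
    foreach ($item in $items) {
        # Explicit and inherited entries, with identities returned as SIDs
        $rules = $item.GetAccessControl().GetAccessRules($true, $true, $type)
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $AllowedSids -notcontains $sid) {
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Sid       = $sid
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# The product does not create the directory, so stop here if the copy did not.
if (-not (Test-Path -Path $newPath -PathType Container)) {
    throw "Quarantine directory $newPath does not exist."
}

# 1. The copy is complete: same number of files and directories on both sides.
$oldCount = @(Get-ChildItem -Path $oldPath -Recurse -Force).Count
$newCount = @(Get-ChildItem -Path $newPath -Recurse -Force).Count

# 2. xcopy /O was meant to carry the owner over with the ACL.
$oldOwner = (Get-Item -Path $oldPath -Force).GetAccessControl().GetOwner($sidType).Value
$newOwner = (Get-Item -Path $newPath -Force).GetAccessControl().GetOwner($sidType).Value

# 3. Nobody except SYSTEM and Administrators is allowed in, including through
#    entries inherited from the new parent directory.
$unexpected = @(Get-UnexpectedAllowAce -Root $newPath -AllowedSids $allowedSids)

# 4. The share, if it exists, points at the new directory. In local quarantine
#    management mode step 3 is skipped and the share may be absent.
$share = Get-WmiObject -Class Win32_Share -Filter "Name='$shareName'"
$shareState = 'share not present'
if ($share) {
    if ($share.Path.TrimEnd('\') -ieq $newPath.TrimEnd('\')) { $shareState = 'points at new directory' }
    else { $shareState = "still points at $($share.Path)" }
}

$summary = New-Object PSObject -Property @{
    ItemsInOld     = $oldCount
    ItemsInNew     = $newCount
    OwnerPreserved = ($oldOwner -eq $newOwner)
    UnexpectedAces = $unexpected.Count
    Share          = $shareState
}
$summary | Format-List ItemsInOld, ItemsInNew, OwnerPreserved, UnexpectedAces, Share | Out-Host
$unexpected | Format-Table Path, Sid, Rights, Inherited -AutoSize | Out-Host
```

Any row in the second table with Inherited set to True means the new parent directory is contributing access that the original storage did not have; remove that access before restarting the service.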
5
UPDATING VIRUS AND SPAM DEFINITION DATABASES
Overview
Automatic Updates with F-Secure Automatic Update Agent
Configuring Automatic Updates
Overview
It is of the utmost importance that virus definition databases are kept up-to-date. F-Secure Anti-Virus for Microsoft Exchange takes care of this task automatically.
Information about the latest virus database update can be found at: http://www.f-secure.com/download-purchase/updates.shtml
Automatic Updates with F-Secure Automatic Update Agent
Using F-Secure Automatic Update Agent is the most convenient way to keep the databases updated. It connects to F-Secure Policy Manager
Server or the F-Secure Update Server automatically. F-Secure Automatic
Update Agent uses incremental technology and network traffic detection to make sure that it works without disturbing other Internet traffic even over a slow line.
You may install and use F-Secure Automatic Update Agent in conjunction with licensed F-Secure's antivirus and security products. F-Secure
Automatic Update Agent shall be used only for receiving updates and related information on F-Secure's antivirus and security products.
F-Secure Automatic Update Agent may not be used for any other purpose or service.
Configuring Automatic Updates
F-Secure Automatic Update Agent user interface provides information about downloaded virus and spam definition updates. To access the
F-Secure Automatic Update Agent user interface, open the F-Secure
Anti-Virus for Microsoft Exchange Web Console, and go to the Automatic
Updates page. For more information, see “ Automatic Updates ”, 188.
In centrally managed installations, you can use the F-Secure Anti-Virus for Microsoft Exchange Web Console only for monitoring the F-Secure
Automatic Update Agent settings. To change these settings, you need to use F-Secure Policy Manager Console. For more information, see
“ F-Secure Automatic Update Agent Settings ”, 105.
If necessary, reconfigure the firewall and other devices that may block the database downloads.
In common deployment scenarios, make sure that the following ports are open:
DNS (53, UDP and TCP)
HTTP (80)
Port used to connect to F-Secure Policy Manager Server
A
APPENDIX:
Variables in Warning Messages
List of Variables
List of Variables
The following table lists the variables that can be included in the warning and informational messages sent by the product if an infection is found or content is blocked.
If both stripping and scanning are allowed and the Agent found both types of disallowed content (infected and to be stripped) in an e-mail message, a warning message will be sent to the end-user instead of an informational one, if it is required.
These variables will be dynamically replaced by their actual names. If an actual name is not present, the corresponding variable will be replaced with [Unknown].
Variable: Description
$ANTI-VIRUS-SERVER: The DNS/WINS name or IP address of F-Secure Anti-Virus for Microsoft Exchange.
$NAME-OF-SENDER: The e-mail address where the original content comes from.
$NAME-OF-RECIPIENT: The e-mail addresses where the original content is sent.
$SUBJECT: The original e-mail message subject.
$DIRECTION: The direction of e-mail message (inbound, outbound or internal).
$REPORT-BEGIN: Marks the beginning of the scan report. This variable does not appear in the warning message.
$REPORT-END: Marks the end of the scan report. This variable does not appear in the warning message.
$REPORT-BEGIN, $REPORT-END, $DIRECTION macros are not applicable in the replacement text used on real-time scanning in the Exchange storage.
The following table lists variables that can be included in the scan report, in other words the variables that can be used in the warning message between $REPORT-BEGIN and $REPORT-END.
Variable: Description
$AFFECTED-FILENAME: The name of the original file or attachment.
$AFFECTED-FILESIZE: The size of the original file or attachment.
$THREAT: The name of the threat that was found in the content. For example, it can contain the name of the found infection, etc.
$TAKEN-ACTION: The action that was taken to remove the threat. These include the following: dropped, disinfected, etc.
$QUARANTINE-ID: The identification number of the quarantined attachment or file.
B
APPENDIX:
Sending E-mail Alerts And Reports
Overview
Solution
B.1
Overview
You can configure the product to send alerts to the administrator by e-mail. F-Secure Management Agent that handles the alerting uses a simple SMTP protocol (without authentication and encryption) to send alerts to the specified e-mail address.
The product can send e-mail based reports to F-Secure World Map system. These reports are sent using the simple SMTP protocol with an empty address ("<>") as the source.
In Microsoft Exchange Server 2007 and 2010, the message relaying is tightly restricted, even on servers that are not connected to the Internet.
By default, only e-mail messages that come from authenticated or allowed sources can be relayed.
This means that the product cannot send SMTP alerts and reports unless some changes are done in the Microsoft Exchange Server 2007 and 2010 configurations. These changes can be done before or after the product has been deployed.
B.2
Solution
In order to make F-Secure alerts and reports relayed through Microsoft Exchange Server 2007 or 2010, you need to create a special receive connector and configure it to allow anonymous, non-authenticated submissions. This connector has to be created on Exchange Edge and/or Hub server(s) that are specified as the SMTP server where the product sends alerts and reports to.
B.2.1 Creating a Scoped Receive Connector
The connector can be created from the Exchange management shell.
Run the following command to create a scoped receive connector on the local server:
    New-ReceiveConnector -Name <connector_name> -Bindings <listen_ip_port> -RemoteIPRanges <accepted_hosts> -AuthMechanism Tls -PermissionGroups "AnonymousUsers" -RequireEHLODomain $false -RequireTLS $false
where:
<connector_name> is the name for the connector,
<listen_ip_port> is the IP address and port number (separated by a colon) on which the receive connector listens for inbound messages, and
<accepted_hosts> is the IP address or IP address range from which inbound connections are accepted.
The IP address or IP address range can be entered in one of the following formats:
IP address: 192.168.1.1
IP address range: 192.168.1.10-192.168.1.20
IP address with subnet: 192.168.1.0 (255.255.255.0)
IP address by using Classless Interdomain Routing (CIDR) notation: 192.168.1.0/24
For example, to create a new connector that listens on all configured local IP addresses and accepts connections from the local host only, run the following command in the Exchange management shell:
    New-ReceiveConnector -Name "F-Secure alerts and reports" -Bindings 0.0.0.0:25 -RemoteIPRanges 127.0.0.1 -AuthMechanism Tls -PermissionGroups "AnonymousUsers" -RequireEHLODomain $false -RequireTLS $false
To create a new connector that is bound to a single IP address and accepts connections from the specified remote servers, run the following command:
    New-ReceiveConnector -Name "F-Secure alerts and reports" -Bindings 192.168.58.128:25 -RemoteIPRanges 192.168.58.129, 192.168.58.131 -AuthMechanism Tls -PermissionGroups "AnonymousUsers" -RequireEHLODomain $false -RequireTLS $false
B.2.2 Grant the Relay Permission on the New Scoped Connector
The receive connector accepts anonymous SMTP submissions but messages are not relayed. To relay messages, grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account. To do this, run the following command:
    Get-ReceiveConnector <connector_name> | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
where:
<connector_name> is the name of the connector you created.
For example:
    Get-ReceiveConnector "F-Secure alerts and reports" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
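Because the connector created above relays mail for unauthenticated senders, it is worth confirming afterwards that the relay right exists only on that connector and that the connector accepts connections only from the hosts that send the alerts. The following Exchange Management Shell snippet is an added example, not part of the product: it uses the standard Get-ReceiveConnector and Get-ADPermission cmdlets, and the two "any address" range strings are the values assumed for a default connector.

```powershell
# Added example, not part of the product documentation. Run in the Exchange
# Management Shell on the Hub or Edge server that hosts the connector.
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'
# Assumption: string forms of the unrestricted IPv4 and IPv6 ranges.
$openRanges = @('0.0.0.0-255.255.255.255',
                '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')

$findings = foreach ($connector in @(Get-ReceiveConnector)) {
    # Allow entries that give the anonymous account the relay right on this connector
    $relayAces = @($connector | Get-ADPermission |
        Where-Object {
            (-not $_.Deny) -and
            ($_.User -like $anonymous) -and
            ($_.ExtendedRights -like $relayRight)
        })
    if ($relayAces.Count -eq 0) { continue }   # connector does not relay for anonymous senders

    # Compare the accepted ranges as strings against the unrestricted ones
    $ranges = @($connector.RemoteIPRanges | ForEach-Object { "$_" })
    $open   = @($ranges | Where-Object { $openRanges -contains $_ })

    New-Object PSObject -Property @{
        Connector      = $connector.Name
        Bindings       = (@($connector.Bindings | ForEach-Object { "$_" }) -join ', ')
        RemoteIPRanges = ($ranges -join ', ')
        AcceptsAnyHost = ($open.Count -gt 0)
    }
}

if (-not $findings) {
    'No receive connector grants the relay right to the anonymous account.'
}
else {
    $findings | Sort-Object AcceptsAnyHost -Descending |
        Format-Table Connector, Bindings, RemoteIPRanges, AcceptsAnyHost -AutoSize -Wrap
}
```

With the examples above applied, the only row should be "F-Secure alerts and reports" with the address or addresses passed to -RemoteIPRanges. A row with AcceptsAnyHost set to True is a connector that relays for any unauthenticated host that can reach it.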
B.2.3 Specify SMTP Server for Alerts and Reports
Check that the product is properly configured and the address and port of the SMTP server corresponds to the address and port on which the receive connector listens for inbound messages. Remember to specify the return address for e-mail alerts.
C
APPENDIX:
Troubleshooting
Overview
Starting and Stopping
Viewing the Log File
Common Problems and Solutions
Frequently Asked Questions
C.1
Overview
If you have a problem that is not covered in here, see “ Technical Support ”,
C.2
Starting and Stopping
If you ever need to start or stop F-Secure Anti-Virus for Microsoft
Exchange, you can do it in the following ways:
Open the Services applet from the Administrative tools folder in the Windows Control Panel and select F-Secure Anti-Virus for Microsoft Exchange. To stop F-Secure Anti-Virus for Microsoft Exchange, click Stop. To start the service, click Start.
Open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select Home > Services. Click Start to activate F-Secure Anti-Virus for Microsoft Exchange and Stop to stop it.
From the command line when the product is installed on Microsoft Exchange Server 2003: enter NET STOP FSHKMNGR to the command line to stop the service, and NET START FSHKMNGR to start the service.
From the command line when the product is installed on Microsoft Exchange Server 2007 or 2010: enter NET STOP FSAVMSED to the command line to stop the service, and NET START FSAVMSED to start the service.
When F-Secure Anti-Virus for Microsoft Exchange is stopped, all e-mail messages sent and notes posted to public folders pass through normally, but they are not scanned for viruses or spam.
C.3 Viewing the Log File
F-Secure Anti-Virus for Microsoft Exchange uses the log file Logfile.log that is maintained by F-Secure Management Agent and contains all alerts generated by F-Secure components installed on the host. Logfile.log can be found on all hosts running F-Secure Management Agent. You can view the Logfile.log with any text editor, for example Windows Notepad. Open the logfile.log from F-Secure Settings and Statistics / F-Secure Management Agent properties / Show log file, or from the Summary page of F-Secure Anti-Virus for Microsoft Exchange Web Console by clicking View F-Secure Log.
F-Secure Management Agent uses Logfile.log (in F-Secure / Common directory) for logging of all the alerts on the host. Logfile.log contains all the alerts generated by the host, regardless of the severity. Logfile.log file size can be configured in F-Secure Management Agent / Settings / Alerting / Alert Agents / Logfile / Maximum File Size.
Quarantine Logs
Quarantine logs are not stored in Logfile.log. By default, quarantine logs are stored in the quarantine log directory. You can view quarantine logs with any text editor.
To specify the path to the directory where Quarantine logfiles are placed, change the Quarantine > Quarantine Log Directory setting in F-Secure Policy Manager or Quarantine > Options > Logging > Quarantine log directory setting in F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information, see “ Quarantine
C.4 Common Problems and Solutions
If you think that you have some problem with F-Secure Anti-Virus for Microsoft Exchange, check that both F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server are up and running.
Checking F-Secure Anti-Virus for Microsoft Exchange
1. Make sure that F-Secure Anti-Virus for Microsoft Exchange service and all its processes have started.
Open Services in the Windows Control Panel and check that the F-Secure Anti-Virus for Microsoft Exchange service has started.
Open the Windows Task Manager and check that the following processes are running:
fshkmngr.exe (when the product is installed on Microsoft Exchange Server 2003)
fsavmsed.exe (when the product is installed on Microsoft Exchange Server 2007 or 2010)
fsmb32.exe
fameh32.exe
fch32.exe
fnrb32.exe
fsobmngr.exe
fsm32.exe
fsma32.exe
2. To make sure that F-Secure Content Scanner Server accepts connections, run the following command from the command line on the Microsoft Exchange Server:
telnet 127.0.0.1 18971
If you get the cursor blinking in the upper left corner, it means that the connection has been established and F-Secure Content Scanner Server can accept incoming connections.
If you get "Connection to the host lost" or other error message or if the cursor does not go to the upper left corner, it means that the connection attempt was unsuccessful. If the telnet connection attempt was unsuccessful, make sure that F-Secure Content Scanner Server is up and running and that there is no local firewall on the server blocking the access.
Checking F-Secure Content Scanner Server
Problem:
When the F-Secure Anti-Virus for Microsoft Exchange tries to send an attachment to F-Secure Content Scanner Server, the attachment is not scanned and the e-mail does not reach the recipient.
Solution:
The problem is that F-Secure Anti-Virus for Microsoft Exchange is unable to contact F-Secure Content Scanner Server.
A service or process may not be running on F-Secure Content Scanner Server. Make sure that all processes and services of F-Secure Content Scanner Server have started. Check the Services in Windows Control Panel. The following services should be started:
F-Secure Content Scanner Server
F-Secure Management Agent
F-Secure Network Request Broker
Check the Task Manager. The following processes should be running:
fsmb32.exe
fsavsd.exe
fsdbuh.exe
fnrb32.exe
fsma32.exe
fih32.exe
fch32.exe
fameh32.exe
If any of these processes are not started, uninstall and reinstall F-Secure Anti-Virus Content Scanner Server service.
Checking F-Secure Anti-Virus for Microsoft Exchange Web Console
Problem:
I cannot open or access F-Secure Anti-Virus for Microsoft Exchange Web Console.
Solution:
1. Make sure that F-Secure Web Console daemon has started and is running. Check the Services in Windows Control Panel. The following service should be started:
F-Secure Web Console Daemon
Check the Task Manager. The following process should be running:
fswebuid.exe
2. If you try to connect to the F-Secure Anti-Virus for Microsoft Exchange Web Console from a remote host, make sure that the connection is not blocked by a firewall or proxy server.
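The three checklists above (product, Content Scanner Server, Web Console) can be run in one pass. The PowerShell script below is an added example, not part of the F-Secure manual or product; it assumes that all components run on the local host, that the service display names match the names printed in this appendix, and that the Web Console listens on port 25023 as in the fsdiag URL given under Technical Support.

```powershell
# Added example (not F-Secure code). Assumes every component runs on this host
# and that service display names match the names printed in this appendix.
$services = @(
    'F-Secure Anti-Virus for Microsoft Exchange',
    'F-Secure Content Scanner Server',
    'F-Secure Management Agent',
    'F-Secure Network Request Broker',
    'F-Secure Web Console Daemon'
)

# Process names from the three checklists, without ".exe" as Get-Process expects.
# On Exchange Server 2003 replace fsavmsed with fshkmngr.
$processes = @('fsavmsed', 'fsmb32', 'fameh32', 'fch32', 'fnrb32', 'fsobmngr',
               'fsm32', 'fsma32', 'fsavsd', 'fsdbuh', 'fih32', 'fswebuid')

# 18971 is the port from the telnet check; 25023 is the Web Console port that
# appears in the fsdiag URL (assumed unchanged from that URL).
$ports = @{ 'Content Scanner Server' = 18971; 'Web Console' = 25023 }

function Test-LocalPort([int]$Port, [int]$TimeoutMs = 3000) {
    # Equivalent of "telnet 127.0.0.1 <port>": true if the TCP connect completes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect('127.0.0.1', $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # refused, reset or filtered by a local firewall
    } finally {
        $client.Close()
    }
}

$failed = 0
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { "OK    service  $name" }
    else { "FAIL  service  $name"; $failed++ }
}
foreach ($name in $processes) {
    if (Get-Process -Name $name -ErrorAction SilentlyContinue) { "OK    process  $name.exe" }
    else { "FAIL  process  $name.exe"; $failed++ }
}
foreach ($entry in $ports.GetEnumerator()) {
    if (Test-LocalPort $entry.Value) { "OK    port     $($entry.Value) ($($entry.Key))" }
    else { "FAIL  port     $($entry.Value) ($($entry.Key))"; $failed++ }
}
"$failed check(s) failed"
```

Because mail passes through unscanned while the product is stopped, a FAIL line for a service or for port 18971 is worth alerting on rather than only checking by hand.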
C.4.1 Installing Service Packs
If you wish to install a Microsoft Exchange Server Service Pack and F-Secure Anti-Virus for Microsoft Exchange is already installed, stop F-Secure Anti-Virus for Microsoft Exchange before installing the Service Pack and restart it after the Service Pack installation.
C.4.2 Securing the Quarantine
Problem:
I have installed F-Secure Anti-Virus for Microsoft Exchange and I'm worried about the security of the local Quarantine storage where stripped attachments are quarantined. What do you recommend?
Solution:
F-Secure Anti-Virus for Microsoft Exchange creates and adjusts access rights to the local Quarantine storage during the installation. Keep in mind the following when setting up the local Quarantine storage:
Do not place the Quarantine storage on a FAT drive. The FAT file system does not support access rights on directories and files for different users. If you place the Quarantine storage on a FAT drive, everyone who has access to that drive will be able to get access to the quarantined content.
Create and adjust access rights to the Quarantine storage manually if you use one on a network drive.
Create and adjust access rights to the Quarantine storage manually when you change its path from F-Secure Policy Manager Console or F-Secure Anti-Virus for Microsoft Exchange Web Console.
C.4.3 Administration Issues
Some settings are initially configured during the installation of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. They can be viewed on the Status tab of F-Secure Policy Manager Console.
When changing such settings in F-Secure Policy Manager Console for the first time, you must enforce the change by selecting the Final check box.
C.5 Frequently Asked Questions
All support issues, frequently asked questions and hotfixes can be found under the support pages at http://support.f-secure.com/. For more information, see “Technical Support”.
Technical Support
F-Secure Online Support Resources
Web Club
Virus Descriptions on the Web
F-Secure Online Support Resources
F-Secure Technical Support is available through F-Secure support web pages, e-mail and by phone. Support requests can be submitted through a form on F-Secure support web pages directly to F-Secure support.
F-Secure support web pages for any F-Secure product can be accessed at http://support.f-secure.com/ . All support issues, frequently asked questions and hotfixes can be found under the support pages.
If you have questions about F-Secure Anti-Virus for Microsoft Exchange not covered in this manual or on the F-Secure support web pages, you can contact your local F-Secure distributor or F-Secure Corporation directly.
For technical assistance, please contact your local F-Secure Business Partner. Send your e-mail to:
Anti-Virus-<country>@f-secure.com
Example: [email protected]
If there is no authorized F-Secure Anti-Virus Business Partner in your country, you can submit a support request directly to F-Secure. There is an online "Web submit form" accessible through F-Secure support web pages under the "Contact Support" page. Fill in all the fields and describe the problem as accurately as possible. Please include the FSDiag report taken from the problematic server with the support request.
F-Secure Support Tool
Before contacting support, please run the F-Secure Support Tool FSDiag.exe on each of the hosts running F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. This utility gathers basic information about hardware, operating system, network configuration and installed F-Secure and third-party software. You can run the F-Secure Support Tool from the F-Secure Anti-Virus for Microsoft Exchange Web Console as follows:
1. Log in to the Web Console.
2. Type https://127.0.0.1:25023/fsdiag/ in the browser’s address field or click F-Secure support tool on the General Server Properties page.
3. The F-Secure Support Tool starts and the dialog window displays the progress of the data collection. Note that in some web browsers, the window may appear behind the main browser window.
4. When the tool has finished collecting the data, click Report to download and save the collected data.
You can also find and run the FSDiag.exe utility under the F-Secure\Common folder, if you prefer not to do it through the F-Secure Anti-Virus for Microsoft Exchange Web Console. The tool generates a file called FSDiag.tar.gz.
Please include the following information with your support request:
Version number of F-Secure Management Agent, F-Secure Anti-Virus for Microsoft Exchange, F-Secure Policy Manager Server, and F-Secure Policy Manager Console. Include the build number if available.
Description of how F-Secure components are configured.
The name and the version number of the operating system on which F-Secure products and protected systems are running. For Windows, include the build number and Service Pack number.
The version number and the configuration of your Microsoft Exchange Server. If possible, describe your network configuration and topology.
A detailed description of the problem, including any error messages displayed by the program, and any other details that could help us replicate the problem.
Logfile.log from the machines running F-Secure products. This file can be found under Program Files\F-Secure\Common. If you are sending the FSDiag report you do not need to send the Logfile.log separately, because it is already included in the FSDiag report.
If the whole product or a component crashed, include the drwtsn32.log file from the Windows NT directory and the latest records from the Windows Application Log.
Web Club
The F-Secure Web Club provides assistance and updated versions of the F-Secure products. To connect to the Web Club on our Web site, open the F-Secure Anti-Virus for Microsoft Exchange Web Console, and click the Web Club link in the banner.
Alternatively, right-click on the F-Secure icon in the Windows taskbar, and choose the Web Club command.
To connect to the Web Club directly from within your Web browser, go to: http://www.f-secure.com/en_EMEA/downloads/product-updates/
Virus Descriptions on the Web
F-Secure Corporation maintains a comprehensive collection of virus-related information on its Web site. To view the Virus Information Database, connect to: http://www.f-secure.com/security_center/
About F-Secure Corporation
F-Secure Corporation protects consumers and businesses against computer viruses and other online threats from the Internet and mobile networks. We want to be the most reliable provider of internet security services in the market. One way to demonstrate this is the speed of our response.
F-Secure’s award-winning solutions for real-time virus protection are available as a service subscription through more than 170 Internet service providers and mobile operator partners around the world, making F-Secure the global leader in the market of internet and computer security. The solutions are also available as licensed products through thousands of resellers globally.
F-Secure aspires to be the most reliable mobile and computer security provider, helping make computer and smartphone users' networked lives safe and easy. This is substantiated by the company’s independently proven ability to respond faster to new threats than its main competitors. Founded in 1988 and headquartered in Finland, F-Secure has been listed on the OMX Nordic Exchange Helsinki since 1999. The company has consistently been one of the fastest growing publicly listed companies in the industry.
The latest news on real-time virus threat scenarios is available at http://www.f-secure.com/weblog/