F-Secure Anti-Virus for
Microsoft Exchange
Administrator’s Guide
"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure
Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate,
F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure
Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.
Copyright © 1993-2010 F-Secure Corporation. All rights reserved.
Portions Copyright © 2003 Commtouch ® Software Ltd.
Copyright © 1997-2009 BitDefender.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/). Copyright © 2000-2007 The Apache Software Foundation. All rights reserved.
This product includes PHP, freely available from http://www.php.net/. Copyright © 1999-2007 The PHP
Group. All rights reserved.
This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution are Copyright © 2000-2002 Justin Mason and others, unless specified otherwise in that particular file.
All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the
“Artistic License”.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233
GB2374260
Contents
About This Guide
Chapter 1 Using F-Secure Anti-Virus for Microsoft Exchange
Administering F-Secure Anti-Virus for Microsoft Exchange
Modifying Settings and Viewing Statistics with Web Console
Modifying Settings and Viewing Statistics in Centrally Administered Mode
Chapter 2 Centrally Managed Administration
Chapter 3 Administration with Web Console
Chapter 4 Quarantine Management
Viewing Details of the Quarantined Message
Reprocessing the Quarantined Content
Releasing the Quarantined Content
Removing the Quarantined Content
Deleting Old Quarantined Content Automatically
Chapter 5 Updating Virus and Spam Definition Databases
Automatic Updates with F-Secure Automatic Update Agent
Appendix A Variables in Warning Messages
Appendix B Sending E-mail Alerts And Reports
B.2.2 Grant the Relay Permission on the New Scoped Connector
B.2.3 Specify SMTP Server for Alerts and Reports
Appendix C Troubleshooting
Checking F-Secure Anti-Virus for Microsoft Exchange
Checking F-Secure Anti-Virus for Microsoft Exchange Web Console
Technical Support
About This Guide
How This Guide Is Organized
Conventions Used in F-Secure Guides
How This Guide Is Organized
F-Secure Anti-Virus for Microsoft Exchange Administrator's Guide is divided into the following chapters:
Chapter 1. Using F-Secure Anti-Virus for Microsoft Exchange. Instructions on how to use and administer F-Secure Anti-Virus for Microsoft Exchange.
Chapter 2. Centrally Managed Administration. Instructions on how to remotely administer F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server when they have been installed in centralized administration mode.
Chapter 3. Administration with Web Console. Instructions on how to administer F-Secure Anti-Virus for Microsoft Exchange with the Web Console.
Chapter 4. Quarantine Management. Instructions on how you can manage and search quarantined mails with the F-Secure Anti-Virus for Microsoft Exchange Web Console.
Chapter 5. Updating Virus and Spam Definition Databases. Instructions on how to update your virus definition database.
Appendix A. Variables in Warning Messages. Lists variables that can be included in virus warning messages.
Appendix B. Sending E-mail Alerts And Reports. Instructions on how to configure the product to send alerts to the administrator by e-mail.
Appendix C. Troubleshooting. Solutions to some common problems.
Technical Support. Contains the contact information for assistance.
Describes the company background and products.
See the F-Secure Policy Manager Administrator's Guide for detailed information about installing and using the F-Secure Policy Manager components:
F-Secure Policy Manager Console, the tool for remote administration of F-Secure Anti-Virus for Microsoft Exchange.
F-Secure Policy Manager Server, which enables communication between F-Secure Policy Manager Console and the managed systems.
Conventions Used in F-Secure Guides
This section describes the symbols, fonts, and terminology used in this manual.
Symbols
WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.
IMPORTANT: An exclamation mark provides important information that you need to consider.
REFERENCE - A book refers you to related information on the topic available in another document.
NOTE - A note provides additional information that you should consider.
TIP - A tip provides information that can help you perform a task more quickly or easily.
An arrow indicates a one-step procedure.
Fonts
Arial bold (blue) is used to refer to menu names and commands, to buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book titles, and titles of other manuals.
Arial Italics (black) is used for file and folder names, for figure and table captions, and for directory tree names.
Courier New is used for messages on your computer screen.
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your keyboard.
Arial underlined (blue) is used for user interface links.
Arial italics is used for window and dialog box names.
PDF Document
This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe®
Acrobat® Reader. When printing the manual, please print the entire manual, including the copyright and disclaimer statements.
For More Information
Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and support contacts.
In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at [email protected].
1
Using F-Secure Anti-Virus for Microsoft Exchange
Administering F-Secure Anti-Virus for Microsoft Exchange
Using Web Console
Using F-Secure Policy Manager Console
1.1
Administering F-Secure Anti-Virus for Microsoft
Exchange
F-Secure Anti-Virus for Microsoft Exchange can be used either in the stand-alone mode or in the centrally administered mode, based on your selections during the installation and the initial setup.
Centralized Administration Mode
In the centralized administration mode, you can administer F-Secure Anti-Virus for Microsoft Exchange with F-Secure Policy Manager.
You can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to start and stop F-Secure Anti-Virus for Microsoft Exchange, check its current status, and connect to F-Secure Web Club for support.
In centrally managed installations, F-Secure Anti-Virus for Microsoft Exchange Web Console cannot be used for configuring the system or scanning settings, but you can manage the quarantined content with it.
Stand-alone Mode
You can use F-Secure Anti-Virus for Microsoft Exchange Web Console to administer the product: monitor the status, modify settings, manage the quarantine, and start and stop the product if necessary.
1.2
Using Web Console
You can open F-Secure Anti-Virus for Microsoft Exchange Web Console in any of the following ways:
- Go to Windows Start menu > Programs > F-Secure Anti-Virus for Microsoft Exchange > F-Secure Anti-Virus for Microsoft Exchange Web Console.
- Enter the address of F-Secure Anti-Virus for Microsoft Exchange and the port number in your web browser. Note that the protocol used is https. For example: https://127.0.0.1:25023
When the Web Console login page opens, enter your user name and the password and click Log In. Note that you must have administrator rights to the host where F-Secure Anti-Virus for Microsoft Exchange Web Console is installed.
1.2.1
Logging in for the First Time
Before you log in to the F-Secure Anti-Virus for Microsoft Exchange Web Console for the first time, check that JavaScript and cookies are enabled in the browser you use.
Microsoft Internet Explorer users:
The address of the F-Secure Anti-Virus for Microsoft Exchange Web Console, https://127.0.0.1:25023/, should be added to the Trusted sites in Internet Explorer Security Options to ensure that F-Secure Anti-Virus for Microsoft Exchange Web Console works properly in all environments.
When you log in for the first time, your browser displays a Security Alert dialog window about the security certificate for F-Secure Anti-Virus for
Microsoft Exchange Web Console. You can create a security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console before logging in, and then install the certificate during the login process.
If your company has an established process for creating and storing certificates, follow that process to create and store the security certificate for F-Secure Anti-Virus for Microsoft Exchange
Web Console.
Step 1. Create the security certificate
1. Browse to the F-Secure Anti-Virus for Microsoft Exchange Web Console installation directory, for example:
C:\Program Files (x86)\F-Secure\Web User Interface\bin\
2. Locate the certificate creation utility, makecert.bat, and double click it to run the utility.
3. The utility creates a certificate that will be issued to all local IP addresses, and restarts the F-Secure Anti-Virus for Microsoft Exchange Web Console service to take the certificate into use.
4. Wait until the utility completes, and the window closes. Now you can proceed to logging in.
Step 2. Log in and install the security certificate
1. Open F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. The Security Alert about the F-Secure Anti-Virus for Microsoft Exchange Web Console certificate is displayed. If you install the certificate now, you will not see the Security Alert window again.
If you are using Internet Explorer 7, click Continue and then Certificate Error.
3. Click View Certificate to view the certificate information.
4. The Certificate window opens. Click Install Certificate to install the certificate with the Certificate Import Wizard.
5. The Certificate window opens. Click Install Certificate to proceed to the Certificate Import Wizard.
6. Follow the instructions in the Certificate Import Wizard.
If you are using Internet Explorer 7, in the Place all certificates in the following store selection, select the Trusted Root Certification Authorities store.
If you are using Internet Explorer 6, you are prompted to add the new certificate in the Certificate Root Store when the wizard has completed. Click Yes to do so.
7. If the Security Alert window is still displayed, click Yes to proceed or log back in to the F-Secure Anti-Virus for Microsoft Exchange Web Console.
8. When the login page opens, log in to Web Console with your user name and the password.
9. The Web Console displays the Getting Started page when you log in for the first time. You can check and configure the following information in the Getting Started page to complete the installation:
- Internal domains and senders
- E-mail alerts and reports
- Database updates
- Product updates
1.2.2
Modifying Settings and Viewing Statistics with Web
Console
To change F-Secure Anti-Virus for Microsoft Exchange settings in stand-alone mode, open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select the variables you want to change from the left pane. For detailed explanations of all variables, see “Administration with Web Console”.
1.2.3
Checking the Product Status
You can check the overall product status on the Home page of F-Secure Anti-Virus for Microsoft Exchange Web Console. The Summary and Services tabs in the Home page display an overview of each component status and the most important statistics of the installed F-Secure Anti-Virus for Microsoft Exchange components. From the Home page you can also open the product logs and proceed to configure the product components.
1.3
Using F-Secure Policy Manager Console
In the centralized administration mode, you can administer F-Secure Anti-Virus for Microsoft Exchange with F-Secure Policy Manager. To open F-Secure Policy Manager Console, select Windows Start menu > Programs > F-Secure Policy Manager Console.
When the Policy Manager Console opens, go to the Advanced Mode user interface by selecting View > Advanced Mode.
F-Secure Policy Manager Console is used to create policies for F-Secure Anti-Virus for Microsoft Exchange installations that are running on selected hosts or groups of hosts.
For detailed information on installing and using F-Secure Policy Manager Console, see the F-Secure Policy Manager Administrator’s Guide.
1.3.1
Modifying Settings and Viewing Statistics in Centrally
Administered Mode
To change F-Secure Anti-Virus for Microsoft Exchange settings in the centrally administered mode, follow these instructions:
1. Select F-Secure Anti-Virus for Microsoft Exchange from the Properties pane.
2. Make sure the Policy tab is selected and assign values to variables under the Settings branch.
3. Modify settings by assigning new values to the basic leaf node variables (marked by the leaf icons) shown in the Policy tab of the Properties pane. For detailed explanations of all variables, see “F-Secure Anti-Virus for Microsoft Exchange Settings”.
Initially, every variable has a default value, which is displayed in gray. Select the variable from the Properties pane and enter the new value in the Editor pane to change it. You can either type the new value or select it from a list box.
Click Clear to revert to the default value or Undo to cancel the most recent change that has not been distributed.
Settings that are configured during the installation and the initial setup require that you select the Final check box from the Product View pane. For more information, see “Changing Settings That Have Been Modified During Installation or Upgrade”.
4. After you have modified settings and created a new policy, it must be distributed to hosts. Choose Distribute from the File menu.
5. After distributing the policy, you have to wait for F-Secure Anti-Virus for Microsoft Exchange to poll the new policy file. Alternatively, click Poll the server now in the Server Properties page in F-Secure Anti-Virus for Microsoft Exchange Web Console.
For testing purposes you may also want to change the polling intervals. To do that, select the domain in F-Secure Policy Manager Console and set the Incoming Packages Polling Interval and Outgoing Packages Update Interval variables to 30-45 seconds. The variables are located under each of the two trees in the F-Secure Management Agent / Settings / Communications branch. Note that since the default polling interval is 10 minutes, it might take up to 10 minutes for the new setting to take effect.
To view statistics, select the Status tab of the Properties pane. Statistics are updated periodically and can be reset by choosing Reset Statistics on the Policy tab of the Properties pane. For more information, see “F-Secure Anti-Virus for Microsoft Exchange Statistics”.
To manage the quarantined content, use F-Secure Anti-Virus for Microsoft
Exchange Web Console. For more information, see “ Quarantine
Changing Settings That Have Been Modified During Installation or Upgrade
If you want to change a setting that has been modified locally during installation or upgrade, you need to mark the setting as Final in the restriction editor. The settings descriptions in this manual indicate the settings for which you need to use the Final restriction. You can also check in F-Secure Policy Manager Console whether you need to use the
Final restriction for a setting. Do the following:
1. Select the Policy tab and then select the setting you want to check.
2. Select the Status tab to see if the setting has been modified locally.
If the setting is not shown in grayed font in the Status view, then the product uses the setting from the base policy and therefore the Final restriction is not needed.
If the setting is shown in normal black font, then the setting has been modified locally. You must mark the setting as Final when you change it.
2
Centrally Managed Administration
Overview
F-Secure Anti-Virus for Microsoft Exchange Settings
F-Secure Anti-Virus for Microsoft Exchange Statistics
F-Secure Content Scanner Server Settings
F-Secure Content Scanner Server Statistics
F-Secure Management Agent Settings
F-Secure Automatic Update Agent Settings
2.1
Overview
If F-Secure Anti-Virus for Microsoft Exchange is installed in the centrally administered mode, F-Secure Anti-Virus for Microsoft Exchange is managed centrally with F-Secure Policy Manager. In the centralized administration mode, you can use the F-Secure Anti-Virus for Microsoft
Exchange Web Console for the quarantine management and to check the current status of F-Secure Anti-Virus for Microsoft Exchange, but you cannot change any settings with it.
2.2
F-Secure Anti-Virus for Microsoft Exchange
Settings
In the centralized administration mode, you can change settings and start operations using F-Secure Policy Manager Console. For more information, see “Using F-Secure Policy Manager Console”.
2.2.1
General Settings
Notifications
Specify Notification Sender Address that is used by F-Secure Anti-Virus for Microsoft Exchange for sending warning and informational messages to the end-users (for example, recipients, senders and mailbox owners).
Make sure that the notification sender address is a valid SMTP address. A public folder cannot be used as the notification sender address.
Network Configuration
The mail direction is based on the Internal Domains and Internal SMTP senders settings and it is determined as follows:
1. E-mail messages are considered internal if they come from internal SMTP sender hosts and mail recipients belong to one of the specified internal domains (internal recipients).
2. E-mail messages are considered outbound if they come from internal SMTP sender hosts and mail recipients do not belong to the specified internal domains (external recipients).
3. E-mail messages that come from hosts that are not defined as internal SMTP sender hosts are considered inbound.
4. E-mail messages submitted via MAPI or Pickup Folder are treated as if they are sent from the internal SMTP sender host.
If e-mail messages come from internal SMTP sender hosts and contain both internal and external recipients, messages are split and processed as internal and outbound respectively.
On Microsoft Exchange Server 2003, internal messages which are submitted via MAPI or Pickup Folder are not delivered via transport level. Therefore, those messages do not pass Transport Protection and they are checked on the storage level only.
Internal Domains
Specify internal domains. Messages coming to internal domains are considered to be inbound mail unless they come from internal SMTP sender hosts.
Separate each domain name with a space. You can use an asterisk (*) as a wildcard. For example, *example.com internal.example.net
Internal SMTP Senders
Specify the IP addresses of hosts that belong to your organization. Specify all hosts within the organization that send messages to Exchange Edge or Hub servers via SMTP as Internal SMTP Senders.
Separate each IP address with a space. An IP address range can be defined as:
- a network/netmask pair (for example, 10.1.0.0/255.255.0.0), or
- a network/nnn CIDR specification (for example, 10.1.0.0/16).
You can use an asterisk (*) to match any number or dash (-) to define a range of numbers. For example, 172.16.4.4 172.16.*.1 172.16.4.0-16 172.16.250-255.*
If end-users in the organization use an e-mail client other than Microsoft Outlook to send and receive e-mail, it is recommended to specify all end-user workstations as Internal SMTP Senders.
If the organization has Exchange Edge and Hub servers, the server with the Hub role installed should be added to the Internal SMTP Sender on the server where the Edge role is installed.
IMPORTANT: Do not specify the server where the Edge role is installed as Internal SMTP Sender.
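The direction rules and the Internal SMTP Senders address syntax described above, as an added Python example for dry-running a planned configuration (it is not F-Secure code and not part of the manual). The matching semantics are assumptions: an asterisk in a domain is treated as a shell-style glob, an asterisk in an address matches any octet, and N-M is an inclusive octet range; the setting values are the manual's own examples and the test messages are constructed.

```python
"""Added example: dry-run Internal Domains / Internal SMTP Senders values.

Not F-Secure code. Matching semantics are assumptions based on the manual's
description; the product's own matcher may differ.
"""
import fnmatch
import ipaddress

# The manual's example values for the two settings (space-separated lists).
INTERNAL_DOMAINS = "*example.com internal.example.net"
INTERNAL_SENDERS = ("172.16.4.4 172.16.*.1 172.16.4.0-16 172.16.250-255.* "
                    "10.1.0.0/255.255.0.0")


def _octet_matches(pattern, value):
    """Match one IPv4 octet against '*', 'N' or 'N-M' (assumed inclusive)."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = pattern.split("-", 1)
        return int(low) <= value <= int(high)
    return int(pattern) == value


def sender_is_internal(ip, senders):
    """True if ip matches any entry of an Internal SMTP Senders list."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    octets = [int(part) for part in str(addr).split(".")]
    for entry in senders.split():
        if "/" in entry:
            # Accepts both 10.1.0.0/16 and 10.1.0.0/255.255.0.0 notation.
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
            continue
        parts = entry.split(".")
        if len(parts) != 4:
            raise ValueError("not an IPv4 pattern: %r" % entry)
        if all(_octet_matches(p, o) for p, o in zip(parts, octets)):
            return True
    return False


def recipient_is_internal(address, domains):
    """True if the recipient's domain matches an Internal Domains entry."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(domain, pattern.lower())
               for pattern in domains.split())


def classify(sender_ip, recipients, domains, senders, mapi_or_pickup=False):
    """Split recipients by mail direction, following rules 1-4 above.

    Returns a dict such as {"internal": [...], "outbound": [...]}.
    """
    # Rule 4: MAPI / Pickup Folder submissions count as an internal sender.
    from_internal = mapi_or_pickup or sender_is_internal(sender_ip, senders)
    if not from_internal:
        return {"inbound": list(recipients)}          # rule 3
    result = {}
    for rcpt in recipients:
        # Rules 1 and 2; mixed recipient lists are split between the two.
        key = "internal" if recipient_is_internal(rcpt, domains) else "outbound"
        result.setdefault(key, []).append(rcpt)
    return result


if __name__ == "__main__":
    # Constructed test messages: (sender IP, recipients, via MAPI/Pickup).
    samples = [
        ("10.1.0.7", ["alice@example.com", "bob@partner.test"], False),
        ("203.0.113.9", ["alice@example.com"], False),
        (None, ["carol@internal.example.net"], True),
        # Under glob semantics "*example.com" also covers this other domain;
        # "*.example.com example.com" would be the tighter pair of entries.
        ("172.16.4.9", ["dave@notexample.com"], False),
    ]
    for ip, rcpts, flag in samples:
        print(ip, classify(ip, rcpts, INTERNAL_DOMAINS, INTERNAL_SENDERS, flag))
```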
Lists and Templates
Match Lists
Specify file and match lists that can be used by other settings.
List name
Specify the name for the match list.
Type
Specify whether the list contains keywords, file patterns or e-mail addresses.
Filter
Specify file names, extensions, keywords or email addresses that the match list contains.
Description
Specify a short description for the list.
Message Templates
Specify message templates for notifications.
Template name
Specify the name for the message template.
Subject line
Specify the subject line of the notification message.
Message body
Specify the notification message text.
For more information about the variables you can use in notification messages, see “Variables in Warning Messages”.
Quarantine
When the product places content to the Quarantine, it saves the content as separate files into the Quarantine Storage and inserts an entry to the
Quarantine Database with information about the quarantined content.
Quarantine Storage
Specify the path to the Quarantine storage where all quarantined mails and attachments are placed.
If you change the Quarantine Storage setting, select the Final checkbox in the Restriction Editor to override initial settings.
During the installation, F-Secure Anti-Virus for Microsoft Exchange adjusts the access rights to the Quarantine Storage so that only the product, operating system and the local administrator can access it. If you change the Quarantine Storage setting, make sure that the new location has secure access permissions. For more information, see “Moving the Quarantine
Retain Items in Quarantine
Specify how long quarantined e-mails are stored in the Quarantine before they are deleted automatically.
The setting defines the default retention period for all Quarantine categories. To change the retention period for different categories, configure Quarantine Cleanup Exceptions settings.
Delete Old Items Every
Specify how often old items are deleted from the Quarantine.
The setting defines the default cleanup interval for all Quarantine categories. To change the cleanup interval for different categories, configure Quarantine Cleanup Exceptions settings.
Quarantine Cleanup Exceptions
Specify separate Quarantine retention periods and cleanup intervals for infected files, suspicious files, disallowed attachments, disallowed content, spam messages, scan failures and unsafe files.
Quarantine Size Threshold
Specify the critical size (in megabytes) of the Quarantine. If the Quarantine size reaches the specified value, the product sends an alert to the administrator.
If the threshold is specified as zero (0), the size of the Quarantine is not checked.
Quarantined Items Threshold
Specify the critical number of items in the Quarantine. When the Quarantine holds the critical number of items, the product sends an alert to the administrator.
If the threshold is specified as zero (0), the amount of items is not checked.
Notify When Quarantine Threshold is Reached
Specify the level of the alert that is sent to the administrator when threshold levels are reached.
Released Quarantine Message Template
Specify the template for the message that is sent to the intended recipients when e-mail content is released from the quarantine. For more information, see “Lists and Templates”.
The product generates the message only when the item is removed from the Microsoft Exchange Server store and sends it automatically when you release the item to intended recipients.
Automatically Process Unsafe Messages
Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine. Set the value to Disabled to process unsafe messages manually.
Max Attempts to Process Unsafe Messages
Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine.
Use the Final Action on Unsafe Messages setting to specify the action that takes place if the message is retained in the Quarantine after the maximum attempts.
Final Action on Unsafe Messages
Specify the action on unsafe messages after the maximum number of reprocesses have been attempted.
Leave in Quarantine - Leave messages in the Quarantine and process them manually.
Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.
Quarantine Log Directory
Specify the path to the directory where Quarantine logfiles are placed.
Rotate Quarantine Logs Every
Specify how often the product rotates Quarantine logfiles. At the end of each rotation time a new log is created.
Keep Rotated Quarantine Logs
Specify how many rotated log files are kept.
Sample Submission
You can use the product to send samples of unsafe e-mails and new, yet undefined malware to F-Secure for analysis.
Max Submission Attempts
Specify how many times the product attempts to send the sample if the submission fails.
Resend Interval
Specify the time interval (in minutes) that F-Secure Anti-Virus for Microsoft Exchange should wait before trying to send the sample again if the previous submission failed.
Connection Timeout
Specify the time (in seconds) that the product tries to contact the F-Secure Hospital server.
Send Timeout
Specify the time (in seconds) that the product waits for the sample submission to complete.
Content Scanner Server
Edit the Content Scanner Server settings to change the general content scanning options.
Max Size of Data Processed in Memory
Specify the maximum size (in kilobytes) of data to be transferred to the server via shared memory in the local interaction mode. When the amount of data exceeds the specified limit, a local temporary file will be used for data transfer.
If the option is set to zero (0), all data transfers via shared memory are disabled.
The setting is ignored if the local interaction mode is disabled.
Connection Timeout
Specify the time interval (in seconds) that F-Secure Anti-Virus for Microsoft Exchange should wait for a response from F-Secure Content Scanner Server before it stops attempting to send or receive data.
Working directory
Specify the name and location of the working directory, where temporary files are placed.
IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.
During the installation, F-Secure Anti-Virus for Microsoft Exchange automatically adjusts the access rights so that only the operating system and the local administrator can access files in the Working directory. If you change this setting after the installation, make sure that the new folder has secure access permissions.
If F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center and the proxy server requires authentication, the proxy authentication settings can be configured with F-Secure Anti-Virus for Microsoft Exchange Web Console only. For more information, see “Proxy Server”.
2.2.2
Transport Protection
You can configure inbound, outbound and internal message protection separately. For more information about the mail direction and configuration options, see “Network Configuration”.
Attachment Filtering
Specify attachments to remove from inbound, outbound and internal messages based on the file name or the file extension.
Strip Attachments
Enable or disable the attachment stripping.
List of Attachments to Strip
Specify which attachments are stripped from messages. For more information, see “Lists and Templates”.
Use Exclusions
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Action on Stripped Attachments
Specify how disallowed attachments are handled.
Drop Attachment - Remove the attachment from the message and deliver the message to the recipient without the disallowed attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine Stripped Attachments
Specify whether stripped attachments are quarantined.
The default option is Enabled.
Do Not Quarantine These Attachments
Specify which files are not quarantined even when they are stripped. For more information, see “Lists and Templates”.
Send Notification Message to Recipient
Specify the template for the notification message that is sent to the intended recipient when a disallowed or suspicious attachment is found.
Note that the notification message is not sent if the whole message is dropped.
Send Notification Message to Sender
Specify the template for the notification message that is sent to the original sender of the message when a disallowed or suspicious attachment is found. For more information, see “Lists and Templates”.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
Do Not Notify on These Attachments
Specify attachments that do not generate notifications. When the product finds a specified file or file extension, no notification is sent.
Notify Administrator
Specify whether the administrator is notified when the product strips an attachment and the alert level of the notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Virus Scanning
Specify inbound, outbound and internal messages and attachments that should be scanned for malicious code.
Disabling virus scanning disables archive processing and grayware scanning as well.

Scan Messages for Viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.

List of Attachments to Scan
Specify attachments that are scanned for viruses. For more information, see “Lists and .

Use Exclusions
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scan.

Heuristic Scanning
Enable or disable the heuristic scan. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
By default, the heuristic scan is enabled for inbound mails and disabled for outbound and internal mails.
The heuristic scan may affect the product performance and increase the risk of false malware alarms.

Attempt to Disinfect Infected Attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.

Action on Infected Messages
Specify whether to drop the infected attachment or the whole message when an infected message is found.
Drop Attachment - Remove the infected attachment from the message and deliver the message to the recipient without the attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.

Quarantine Infected Messages
Specify whether infected or suspicious messages are quarantined.

Do Not Quarantine These Infections
Specify infections that are never placed in the quarantine. If a message is infected with a virus or worm which has a name that matches a keyword specified in this list, the message is not quarantined. For more information, see “Lists and Templates”, 23.

Send Virus Notification Message to Recipient
Specify the template for the notification message that is sent to the intended recipient when a virus or other malicious code is found.
Note that the notification message is not sent if the whole message is dropped.

Send Virus Notification Message to Sender
Specify the template for the notification message that is sent to the original sender of the message when a virus or other malicious code is found.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
For more information, see “Lists and Templates”.

Do Not Notify on These Infections
Specify infections that do not generate notifications. When the product finds the specified infection, no notification is sent. For more information, see “Lists and Templates”, 23.

Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a virus in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Archive Processing
Specify how the product processes inbound, outbound and internal archive files.
Note that scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.
Archive processing is disabled when virus scanning is disabled.

Scan Archives
Specify whether files inside compressed archive files are scanned for viruses and other malicious code.

List of Files to Scan Inside Archives
Specify files inside archives that are scanned for viruses. For more information, see “Lists and .

Use Exclusions
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scan.

Max Levels in Nested Archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.

Action on Max Nested Archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.

Action on Password Protected Archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.

Detect Disallowed Files Inside Archives
Specify whether files inside compressed archive files are processed for disallowed content.
Disallowed content is not processed when the archive scanning is disabled.

List of Disallowed Files to Detect Inside Archives
Specify files which are not allowed inside archives. For more information, see “Lists and .

Action on Archives with Disallowed Files
Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.

Quarantine Dropped Archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine .

Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange blocks a malformed, password protected, or overnested archive file.
If the archive is blocked because it contains malware, grayware or disallowed files, the administrator receives a notification about that instead of this notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Zero-Day Protection
Select whether Proactive Virus Threat Detection is enabled or disabled.
Proactive virus threat detection can identify new and unknown e-mail malware, including viruses and worms.
When proactive virus threat detection is enabled, the product analyzes e-mail messages for possible security threats. All possibly harmful messages are quarantined as unsafe.
Unsafe messages can be reprocessed periodically, as antivirus updates may confirm the unsafe message as safe or infected.
When proactive virus threat detection is disabled, mails are only scanned by antivirus engines.
Grayware Scanning
Specify how the product processes grayware items in inbound, outbound and internal messages.
Note that grayware scanning increases the scanning overhead. By default, grayware scanning is enabled for inbound messages only.
Grayware scanning is disabled when virus scanning is disabled.

Scan Messages for Grayware
Enable or disable the grayware scan.
The default value is Enabled for inbound messages and Disabled for outbound and internal messages.

Action on Grayware
Specify the action to take on items which contain grayware.
Pass Through - Leave grayware items in the message.
Drop Attachment - Remove grayware items from the message.
Drop the Whole Message - Do not deliver the message to the recipient.

Grayware Exclusion List
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.

Quarantine Dropped Grayware
Specify whether grayware attachments are quarantined.

Do Not Quarantine This Grayware
Specify grayware that is never placed in the quarantine. For more information, see “Lists and .

Send Warning Message to Recipient
Specify the template for the notification message that is sent to the intended recipient when a grayware item is found in a message.
Note that the notification message is not sent if the whole message is dropped.

Send Warning Message to Sender
Specify the template for the notification message that is sent to the original sender of the message when a grayware item is found in a message.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
For more information, see “Lists and Templates”.

Do Not Notify on This Grayware
Specify the list of keywords for grayware types that are not notified about.
If the product finds a grayware item with a name that matches the keyword, the recipient and the sender are not notified about the grayware item found.
Leave the list empty if you do not want to exclude any grayware types from notifications.

Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a grayware item in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Content Filtering
Specify how F-Secure Anti-Virus filters disallowed content in inbound, outbound and internal messages.

Filter Disallowed Content
Specify whether e-mail messages are scanned for disallowed content.

Disallowed Keywords in Message Subject
Specify the list of disallowed keywords to check in e-mail message subjects. For more information, see “Using Keywords in Content .

Disallowed Keywords in Message Text
Specify the list of disallowed keywords to check in e-mail message text. For more information, see “Using Keywords in Content Filtering”, 40.

Action on Disallowed Content
Specify the action to take on messages which contain disallowed keywords.
Report only - Deliver the message to the recipient and notify the administrator that the scanned message contained disallowed content.
Drop the whole message - Do not deliver the message to the recipient.
Quarantine - Quarantine the message with disallowed content.

Send Notification Message to Recipient
Specify whether recipients are notified when disallowed content is found.

Send Notification Message to Sender
Specify whether the original sender is notified when disallowed content is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “Lists and Templates”.

Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a message with disallowed content.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Using Keywords in Content Filtering
When the content filtering is enabled, all messages are checked against every keyword sequence that is specified in the selected list of keywords.
A keyword may contain any characters, including punctuation symbols, spaces, and other word separators. Keywords are case insensitive.
You can use the ‘?’ character in a keyword to match any character in that position in the keyword and ‘*’ to match any number of characters.
Keyword examples:
example - Matches any message text or subject that contains the word ‘example’.
another example - Matches any message text or subject that contains the ‘another example’ text. Words ‘another’ and ‘example’ have to be separated with exactly one space character.
co?p?rate - Matches any message text or subject that contains, for example, the words ‘corporate’ or ‘cooperate’.
another*example - Matches any message text or subject that contains words ‘another’ and ‘example’ separated with any number of characters. For example, ‘another example’ or ‘another keyword example’.
To represent the ‘?’ or ‘*’ characters themselves in keywords, use the ‘\?’ and ‘\*’ sequences respectively. To represent the ‘\’ character, use ‘\\’.
For example, to match the '*** SPAM ***' string, enter '\*\*\* spam \*\*\*'.
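
The keyword rules above can be checked offline before a list is deployed. The following is an added example, not F-Secure code: it translates the documented syntax into regular expressions. The function names and sample message are constructed; treating a keyword as a substring match and letting ‘*’ span line breaks are assumptions.

```python
import re


def keyword_to_regex(keyword):
    """Compile one content-filtering keyword into a case-insensitive regex."""
    out = []
    i = 0
    while i < len(keyword):
        ch = keyword[i]
        nxt = keyword[i + 1] if i + 1 < len(keyword) else ""
        if ch == "\\" and nxt in ("?", "*", "\\"):
            out.append(re.escape(nxt))   # \? \* \\ stand for the literal character
            i += 2
            continue
        if ch == "?":
            out.append(".")              # exactly one character in this position
        elif ch == "*":
            out.append(".*")             # any number of characters, including none
        else:
            out.append(re.escape(ch))    # spaces and punctuation are literal
        i += 1
    # Assumption: a lone backslash before any other character is kept literal.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def keyword_matches(keyword, text):
    """True if the keyword occurs anywhere in the text (substring semantics)."""
    return keyword_to_regex(keyword).search(text) is not None


def triggered_keywords(keywords, subject, body):
    """Return (field, keyword) pairs for every keyword found in subject or text."""
    hits = []
    for kw in keywords:
        if keyword_matches(kw, subject):
            hits.append(("subject", kw))
        if keyword_matches(kw, body):
            hits.append(("text", kw))
    return hits


# Constructed keyword list (the guide's own examples) and constructed message.
KEYWORDS = [
    "example",
    "another example",
    "co?p?rate",
    "another*example",
    r"\*\*\* spam \*\*\*",
]
SUBJECT = "*** SPAM *** Corporate newsletter"
BODY = "Here is another keyword example.\nNothing else."

if __name__ == "__main__":
    for field, kw in triggered_keywords(KEYWORDS, SUBJECT, BODY):
        print(f"{field}: {kw}")
```

Running candidate keywords against a sample of legitimate mail this way shows how broadly a ‘*’ keyword matches before it is used with the Drop the whole message action.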
Spam Control
Change the settings in F-Secure Anti-Virus for Microsoft Exchange / Settings / Transport Protection / Inbound Mail / Spam Control to configure how F-Secure Anti-Virus for Microsoft Exchange scans incoming mail for spam.
You can configure Spam Control settings only for inbound messages, and only if you have F-Secure Spam Control installed.
The threat detection engine of F-Secure Anti-Virus for Microsoft Exchange can identify spam and virus patterns from the message envelope, headers and body during the first minutes of a new spam or virus outbreak.
These settings are used only if F-Secure Spam Control is installed with the product. Otherwise they will be ignored.

Spam Filtering
Specify whether inbound mails are scanned for spam.
Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering. For information on configuring Realtime Blackhole Lists, consult the F-Secure Anti-Virus for Microsoft Exchange Deployment Guide.

Heuristic Spam Analysis
Specify whether heuristic spam analysis is used to filter inbound mails for spam.
If you enable the heuristic spam analysis, all messages that the threat detection engine does not classify as spam are further analyzed for spam.
When the heuristic spam analysis is disabled, only the threat detection engine filters messages for spam.
Heuristic spam analysis slows down the performance but improves the spam detection rate.

Spam Filtering Level
Specify the spam filtering level. All messages with the spam filtering level lower than the specified value can pass through.
Decreasing the level allows less spam to pass, but more regular mails may be falsely identified as spam. Increasing the level allows more spam to pass, but a smaller number of regular e-mail messages are falsely identified as spam.
For example, if the spam filtering level is set to 3, more spam is filtered, but also more regular mails may be falsely identified as spam. If the spam filtering level is set to 7, more spam may pass undetected, but a smaller number of regular mails will be falsely identified as spam.

Action on Spam Messages
Specify actions to take with messages considered as spam, based on the spam filtering level.
Quarantine - Place the message into the quarantine folder.
Forward - Forward the message to the e-mail address specified in the Forward Spam Messages To E-mail Address setting.
Delete - Delete the message.

Add X-Header with Spam Flag
Specify if a spam flag is added to the mail as the X-Spam-Flag header in the following format:
X-Spam-Flag:<flag>
where <flag> is YES or NO.

Add X-Header with Summary
Specify if the summary of triggered hits is added to the mail as X-Spam-Status header in the following format:
X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
where
<flag> is Yes or No,
<scr> is the spam confidence rating returned by the spam scanner,
<sfl> is the current spam filtering level,
<tests> is the comma-separated list of tests run against the mail.

Modify Spam Message Subject
Specify if the product modifies the subject of mail messages considered as spam.
The default value is Enabled.

Add This Text to Spam Message Subject
Specify the text that is added in the beginning of the subject of messages considered as spam.
The default value is *** SPAM ***.

Forward Spam Messages To E-mail Address
Specify the e-mail address where messages considered as spam are forwarded when the Action on Spam Messages setting is set to Forward.

Safe Senders
Specify safe senders. Messages originating from the specified addresses are never treated as spam.

Blocked Senders
Specify blocked senders. Messages originating from the specified addresses are always treated as spam.

Safe Recipients
Specify safe recipients. Messages sent to the specified addresses are never treated as spam.

Blocked Recipients
Specify blocked recipients. Messages sent to the specified addresses are always treated as spam.
The product checks the sender address from the SMTP message envelope, not from the message headers.

Max Message Size
Specify the maximum size (in kilobytes) of messages to be scanned for spam. If the size of the message exceeds the maximum size, the message is not filtered for spam.
Since all spam messages are relatively small in size, it is recommended to use the default value.
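
Downstream mail rules and log pipelines often consume the X-Spam-Flag and X-Spam-Status headers described above. The following added example (not F-Secure code) parses both headers in the documented format and checks that they agree with each other and with the filtering level. The sample message, test names and function name are constructed, and treating a rating equal to the level as spam is an assumption.

```python
import email
import email.policy
import re

# X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
STATUS_RE = re.compile(
    r"^\s*(?P<flag>yes|no)\s*,\s*"
    r"hits=(?P<hits>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>.*)$",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample message; addresses, scores and test names are made up.
SAMPLE = (
    "From: sender@example.com\r\n"
    "To: user@example.org\r\n"
    "Subject: *** SPAM *** Limited offer\r\n"
    "X-Spam-Flag: YES\r\n"
    "X-Spam-Status: Yes, hits=6 required=5 tests=SAMPLE_TEST_A,SAMPLE_TEST_B\r\n"
    "\r\n"
    "body\r\n"
)


def parse_spam_headers(raw):
    """Parse the two spam headers and list any inconsistencies between them."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    flags = [str(v).strip() for v in msg.get_all("X-Spam-Flag", [])]
    statuses = [str(v).strip() for v in msg.get_all("X-Spam-Status", [])]
    result = {"flag": None, "status_flag": None, "hits": None,
              "required": None, "tests": [], "problems": []}
    problems = result["problems"]

    if len(flags) > 1 or len(statuses) > 1:
        problems.append("duplicate spam header")
    if flags:
        result["flag"] = flags[0].upper()
        if result["flag"] not in ("YES", "NO"):
            problems.append("unexpected X-Spam-Flag value")
    if statuses:
        m = STATUS_RE.match(statuses[0])
        if m is None:
            problems.append("X-Spam-Status does not match the documented format")
        else:
            result["status_flag"] = m["flag"].upper()
            result["hits"] = float(m["hits"])
            result["required"] = float(m["required"])
            result["tests"] = [t.strip() for t in m["tests"].split(",") if t.strip()]
            # Messages rated lower than the filtering level pass through, so a
            # rating at or above the level should carry the flag Yes.
            over = result["hits"] >= result["required"]
            if over != (result["status_flag"] == "YES"):
                problems.append("flag disagrees with hits/required")
    if result["flag"] and result["status_flag"] and result["flag"] != result["status_flag"]:
        problems.append("X-Spam-Flag disagrees with X-Spam-Status")
    return result


if __name__ == "__main__":
    print(parse_spam_headers(SAMPLE))
```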
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Mail Disclaimer
When the disclaimer is enabled, a disclaimer text is added to all outbound messages.
You can configure Mail Disclaimer settings for outbound messages only.
IMPORTANT: Some malware adds disclaimers to infected messages, so disclaimers should not be used for stating that the message is clean of malware.

Add Disclaimer
Specify whether you want to add a disclaimer to all outbound messages.

Disclaimer
Specify the disclaimer text that is added at the end of outbound messages.
Security Options
Configure security options to limit actions on malformed and suspicious messages.

Action on Malformed Mails
Specify the action for non-RFC compliant e-mails. If the message has an incorrect structure, the product cannot parse the message reliably.
Drop the Whole Message - Do not deliver the message to the recipient.
Pass Through - The product allows the message to pass through.
Pass Through and Report - The product allows the message to pass through, but sends a report to the administrator.

Max Levels of Nested Messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.

Action on Mails with Exceeding Nesting Levels
Specify the action to take on messages with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.
Drop the Whole Message - Messages with exceeding nesting levels are not delivered to the recipient.
Pass Through - Nested messages are scanned up to the level specified in the Max Levels of Nested Messages setting. Exceeding nesting levels are not scanned, but the message is delivered to the recipient.

Quarantine Problematic Messages
Specify if mails that contain malformed or broken attachments are quarantined for later analysis or recovery.

Notify Administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange detects a malformed or a suspicious e-mail message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. The Alert Forwarding table can be found in: F-Secure Management Agent/Settings/Alerting.
Trusted Senders and Recipients
You can use trusted senders and recipients lists to exclude some messages from the mail scanning and processing completely.

Trusted Senders
Specify senders who are excluded from the mail scanning and processing.

Trusted Recipients
Specify recipients who are excluded from the mail scanning and processing.
2.2.3 Storage Protection
Edit general Storage Protection settings to configure how mailboxes and public folders are scanned in the Exchange Store with real-time, manual and scheduled scanning.
Real-Time Scanning
The real-time scanning can automatically scan messages that have been created or received.
General
Specify which messages you want to scan during the real-time scanning.

Scan Only Messages Created Within
Specify which messages are scanned with the real-time scanning, for example: Last hour, Last day, Last week. Messages that have been created before the specified time are not scanned.

Scan Timeout
This setting works only with Microsoft Exchange Server 2007 or 2010.
Specify how long to wait for the real-time scan result. After the specified time, the client that tries to access the scanned message gets the "virus scanning in progress" notification.
Virus Scanning
Specify messages and attachments in the Microsoft Exchange Storage that should be scanned for malicious code.
Disabling virus scanning disables archive processing and grayware scanning as well.

Scan Mailboxes
Specify mailboxes that are scanned for viruses.
Disabled - Do not scan any mailboxes.
Scan All Mailboxes - Scan all mailboxes.
Scan Only Included Mailboxes - Scan mailboxes specified in the Included Mailboxes list.
Scan All Except Excluded Mailboxes - Scan all mailboxes except those specified in the Excluded Mailboxes list.

Included Mailboxes
Specify mailboxes that are scanned for viruses when the Scan Mailboxes setting is set to Scan Only Included Mailboxes.

Excluded Mailboxes
Specify mailboxes that are not scanned when the Scan Mailboxes setting is set to Scan All Except Excluded Mailboxes.

Scan Public Folders
Specify public folders that are scanned for viruses.
Disabled - Do not scan any public folders.
Scan All Folders - Scan all public folders.
Scan Only Included Folders - Scan public folders specified in the Included Folders list.
Scan All Except Excluded Folders - Scan all public folders except those specified in the Excluded Folders list.
IMPORTANT: You need to specify the primary SMTP address for the account which is used to scan items in public folders on Microsoft Exchange 2010. The user account must have permissions to access and modify items in the public folders. For more information, see .

Included Folders
Specify public folders that are scanned for viruses when the Scan Public Folders setting is set to Scan Only Included Folders.

Excluded Folders
Specify public folders that are not scanned when the Scan Public Folders setting is set to Scan All Except Excluded Folders.

List of Attachments to Scan
Specify attachments that are scanned for viruses. For more information, see “Lists and .

Use Exclusions
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scan.

Attempt to Disinfect Infected Attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.

Quarantine Infected Attachments
Specify whether infected and suspicious attachments are quarantined.

Do Not Quarantine These Infections
Specify infections that are never placed in the quarantine. For more information, see “Lists and .

Replacement Text Template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 23.
Archive Processing
Specify how the product processes archive files in Microsoft Exchange Storage.
Archive processing is disabled when virus scanning is disabled.

Scan Archives
Specify if files inside archives are scanned for viruses and other malicious code.

List of Files to Scan Inside Archives
Specify files that are scanned for viruses inside archives.

Use Exclusions
Specify files inside archives that are not scanned. Leave the list empty if you do not want to exclude any files from the scan.

Max Levels in Nested Archives
Specify how many levels deep to scan in nested archives, if Scan Viruses Inside Archives is enabled.
A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited.
Specify the number of levels the product goes through before the action selected in Action on Max Nested Archives takes place. The default setting is 3.

Action on Max Nested Archives
Specify the action to take on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to the level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop Archive - Archives with exceeding nesting levels are removed.

Action on Password Protected Archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.

Quarantine Dropped Archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine .
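
The interaction between Max Levels in Nested Archives and Action on Max Nested Archives, which recurs in the transport, storage and manual scanning sections, is shown in this added example (not F-Secure code). It walks a constructed nested ZIP and lists which members are reached under each setting. Assumptions: only ZIP is handled, the attachment itself counts as level 1, and the function and verdict names are illustrative.

```python
import io
import zipfile


def build_nested_zip(depth):
    """Build a constructed sample: a ZIP nested `depth` levels deep.

    Every level holds note<level>.txt; the innermost level also holds readme.txt.
    """
    name, data = "readme.txt", b"constructed payload"
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"note{level}.txt", b"constructed note")
            zf.writestr(name, data)
        name, data = f"level{level}.zip", buf.getvalue()
    return data


def process_archive(data, max_levels=3, action="drop_archive"):
    """Walk a ZIP up to max_levels deep (0 = unlimited) and apply the action.

    Returns the verdict, the member paths that were reached for scanning,
    and whether the nesting limit was exceeded.
    """
    if action not in ("pass_through", "drop_archive"):
        raise ValueError("action must be 'pass_through' or 'drop_archive'")
    scanned = []
    exceeded = False

    def walk(blob, level, path):
        nonlocal exceeded
        if max_levels != 0 and level > max_levels:
            exceeded = True          # deeper content is never opened
            return
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                member_path = f"{path}/{info.filename}"
                # Decide by content, not by file name extension.
                if zipfile.is_zipfile(io.BytesIO(member)):
                    walk(member, level + 1, member_path)
                else:
                    scanned.append(member_path)

    walk(data, 1, "attachment.zip")
    if not exceeded:
        verdict = "delivered"
    elif action == "drop_archive":
        verdict = "archive_dropped"
    else:
        verdict = "delivered_unscanned_levels"
    return {"verdict": verdict, "scanned": scanned, "exceeded": exceeded}


if __name__ == "__main__":
    sample = build_nested_zip(5)
    for levels, action in ((3, "drop_archive"), (3, "pass_through"), (0, "drop_archive")):
        print(levels, action, process_archive(sample, levels, action))
```

With the pass-through action, readme.txt at level 5 is delivered without ever being reached by the scan, which is the trade-off the setting description states.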
Grayware Scanning
Specify how the product processes grayware items in Microsoft Exchange Storage.
Grayware scanning is disabled when virus scanning is disabled.

Scan Messages for Grayware
Enable or disable the grayware scan.

Action on Grayware
Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.

Grayware Exclusion List
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.

Quarantine Dropped Grayware
Specify whether grayware attachments are quarantined.

Do Not Quarantine These Grayware
Specify grayware that is never placed in the quarantine. For more information, see “ .

Replacement Text Template
Specify the template for the text that replaces the grayware attachment when the grayware attachment is removed from the message. For more information, see “Lists and Templates”, 23.
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Manual Scanning
You can scan mailboxes and public folders for viruses and strip attachments manually at any time. To manually scan mailboxes and public folders you have specified in the settings, follow these instructions:
1. Browse to the F-Secure Anti-Virus for Microsoft Exchange / Operations / Manual Scanning branch in F-Secure Policy Manager Console.
2. Click Start.
3. Distribute the policy.
If you want to stop the manual scan in the middle of the scanning process, click Stop and distribute the policy.
General
Specify which messages you want to scan during the manual scan.

Scan Mailboxes
Specify mailboxes that are scanned for viruses.
Disabled - Do not scan any mailboxes.
Scan All Mailboxes - Scan all mailboxes.
Scan Only Included Mailboxes - Scan mailboxes specified in the Included Mailboxes list.
Scan All Except Excluded Mailboxes - Scan all mailboxes except those specified in the Excluded Mailboxes list.

Included Mailboxes
Specify mailboxes that are scanned for viruses when the Scan Mailboxes setting is set to Scan Only Included Mailboxes.

Excluded Mailboxes
Specify mailboxes that are not scanned when the Scan Mailboxes setting is set to Scan All Except Excluded Mailboxes.

Scan Public Folders
Specify public folders that are scanned for viruses.
Disabled - Do not scan any public folders.
Scan All Folders - Scan all public folders.
Scan Only Included Folders - Scan public folders specified in the Included Folders list.
Scan All Except Excluded Folders - Scan all public folders except those specified in the Excluded Folders list.
IMPORTANT: You need to specify the primary SMTP address for the account which is used to scan items in public folders on Microsoft Exchange 2010. The user account must have permissions to access and modify items in the public folders. For more information, see .

Included Folders
Specify public folders that are scanned for viruses when the Scan Public Folders setting is set to Scan Only Included Folders.

Excluded Folders
Specify public folders that are not scanned when the Scan Public Folders setting is set to Scan All Except Excluded Folders.

Incremental Scanning
Specify which messages are scanned for viruses during the manual scan.
All Messages - Scan all messages.
Only Recent Messages - Scan only messages that have not been scanned during the previous manual or scheduled scan.
Attachment Filtering
Specify attachments that are removed from messages during the manual scan.

Strip Attachments
Enable or disable the attachment stripping.

List of Attachments to Strip
Specify which attachments are stripped from messages. For more information, see “Lists and .

Use Exclusions
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.

Quarantine Stripped Attachments
Specify whether stripped attachments are quarantined.

Do Not Quarantine These Attachments
Specify which files are not quarantined even when they are stripped. For more information, see “Lists and Templates”, 23.

Replacement Text Template
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “Lists and Templates”, 23.
Virus Scanning
Specify messages and attachments that should be scanned for malicious code during the manual scan.

Scan Messages for Viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.

List of Attachments to Scan
Specify attachments that are scanned for viruses. For more information, see “Lists and .

Use Exclusions
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scan.

Heuristic Scanning
Enable or disable the heuristic scan. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
Heuristic scanning may affect the product performance and increase the risk of false malware alarms.

Attempt to Disinfect Infected Attachments
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.

Quarantine Infected Attachments
Specify whether infected or suspicious attachments are quarantined.

Do Not Quarantine These Infections
Specify infections that are never placed in the quarantine. If a message is infected with a virus or worm which has a name that matches a keyword specified in this list, the message is not quarantined. For more information, see “Lists and Templates”, 23.

Replacement Text Template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 23.
57
58
Archive Processing
Specify how the product processes archive files during the manual scan.
Scan Archives: Specify if files inside archives are scanned for viruses and other malicious code.
List of Files to Scan Inside Archives: Specify files that are scanned for viruses inside archives.
Use Exclusions: Specify files inside archives that are not scanned. Leave the list empty if you do not want to exclude any files from the scan.
Max Levels in Nested Archives: Specify how many levels deep to scan in nested archives, if Scan Viruses Inside Archives is enabled. A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited. Specify the number of levels the product goes through before the action selected in Action on Max Nested Archives takes place. The default setting is 3.
Action on Max Nested Archives: Specify the action to take on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to the level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop Archive - Archives with exceeding nesting levels are removed.
Action on Password Protected Archives: Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.
Detect Disallowed Files Inside Archives: Specify whether files inside compressed archive files are processed for disallowed content.
List of Disallowed Files to Detect inside Archives: Specify files which are not allowed inside archives. For more information, see “Lists and .
Action on Archives with Disallowed Files: Specify the action to take on archives which contain disallowed files.
Pass through - Leave the archive in the message.
Drop archive - Remove the archive from the message.
Quarantine Dropped Archives: Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine .
Grayware Scanning
Specify how the product processes grayware items during the manual scan.
Scan Messages for Grayware: Enable or disable the grayware scan.
Action on Grayware: Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware Exclusion List: Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan.
Quarantine Dropped Grayware: Specify whether grayware attachments are quarantined.
Do Not Quarantine This Grayware: Specify grayware that is never placed in the quarantine. For more information, see “ .
Replacement Text Template: Specify the template for the text that replaces the grayware attachment when the grayware attachment is removed from the message. For more information, see “Lists and Templates”, 23.
File Type Recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Advanced
Configure how to handle nested messages and specify the administrator account to scan public folders.
Max Levels of Nested Messages: Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited. It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Admin User Credentials: Specify the primary SMTP address for the account which is used to scan items in public folders. The user account must have permissions to access and modify items in the public folders. The setting is used on the Microsoft Exchange 2010 platform only and affects manual, realtime, and scheduled storage scanning. If you do not specify any address, public folders in the Exchange Store cannot be accessed or even listed.
Scheduled Scanning
You can schedule scan tasks to scan mailboxes and public folders periodically. The scheduled scanning table displays all scheduled tasks and the date and time when the next scheduled task occurs.
To deactivate scheduled tasks in the list, clear the Active checkbox in front of the task. Check the checkbox to make it active again.
Click Add to add a new scheduled task to the list.
To duplicate a task, select it from the list and click Copy.
To edit a previously created task, click Edit.
To remove the selected task from the list, click Clear Row.
Click Clear Table to remove all tasks from the list.
Force Row enforces the current scheduled task to be active in all subdomains and hosts. Force Table enforces all current scheduled tasks to be active in all subdomains and hosts.
Creating Scheduled Task
Start the Scheduled Task Wizard by clicking Add.
Step 1. General Properties
Enter the name for the new task and select how frequently you want the operation to be performed.
Task name: Specify the name of the scheduled operation. Do not use any special characters in the task name.
Perform this task: Specify how frequently you want the operation to be performed.
Once - Only once at the specified time.
Daily - Every day at the specified time, starting from the specified date.
Weekly - Every week at the specified time on the same day when the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date when the first operation is scheduled to start.
Start time: Enter the start time of the task in hh:mm format.
Start date: Enter the start date of the task in mm/dd/yyyy format.
Step 2. Mailboxes
Choose which mailboxes are processed during the scheduled operation.
Mailboxes: Specify mailboxes that are processed during the scheduled scan.
Do not scan mailboxes - Disable the mailbox scanning.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Add or Remove to edit mailboxes that are scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all other. Click Add or Remove to edit mailboxes that are not scanned.
The format to enter the included or excluded mailbox is the username, for example: user1
Step 3. Public Folders
Choose which public folders are processed during the scheduled operation.
Public folders: Specify public folders that are processed during the scheduled scan.
Do not scan public folders - Disable the public folder scanning.
Scan all public folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Add or Remove to edit public folders that are scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all other. Click Add or Remove to edit public folders that are not scanned.
The format to enter the included or excluded mailbox is the name of the public folder.
IMPORTANT: You need to specify the primary SMTP address for the account which is used to scan items in public folders on Microsoft Exchange 2010. The user account must have permissions to access and modify items in the public folders. For more information, see .
Step 4. Attachment Filtering
Choose settings for stripping attachments during the scheduled operation.
Strip attachments from e-mail messages: Enable or disable the attachment stripping.
Targets
Strip these attachments: Specify which attachments are stripped from messages. For more information, see “Lists and .
Exclude these attachments from stripping: Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Actions
Quarantine stripped attachments: Specify whether stripped attachments are quarantined.
Do not quarantine these attachments: Specify file names and file extensions which are not quarantined even when they are stripped. For more information, see “Lists and Templates”, .
Notifications
Replacement text template: Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “Lists and Templates”, 23.
Step 5. Virus Scanning
Choose settings for virus scanning during the scheduled operation.
Scan messages for viruses: Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
General Options
Heuristic Scanning: Enable or disable the heuristic scanning. The heuristic scanning analyzes files for suspicious code behavior so that the product can detect unknown malware. Heuristic scanning may affect the product performance and increase the risk of false malware alarms.
Targets
Scan these attachments: Specify attachments that are scanned for viruses. For more information, see “Lists and .
Exclude these attachments from scanning: Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect infected attachments: Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further. Disinfection may affect the product performance. Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected attachments: Specify whether infected or suspicious messages are quarantined.
Do not quarantine these infections: Specify infections that are never placed in the quarantine. For more information, see “Lists and .
Notifications
Replacement text template: Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “Lists and Templates”, 23.
Step 6. Grayware Scanning
Choose settings for grayware scanning during the scheduled operation.
Scan messages for grayware: Enable or disable the grayware scan.
Actions
Action on grayware: Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list: Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “Lists and .
Quarantine grayware: Specify whether grayware attachments are quarantined.
Do not quarantine this grayware: Specify grayware that is never placed in the quarantine. For more information, see “ .
Notifications
Replacement text template: Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “Lists and .
Step 7. Archive Processing
Choose settings for stripping attachments during the scheduled operation.
Scan archives: Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives: Specify files inside archives that are scanned for viruses. For more information, see “Lists and .
Exclude these files: Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Max levels in nesting archives: Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives: Specify whether files inside compressed archive files are processed for disallowed content. Disallowed content is not processed when the archive scanning is disabled.
Actions
Action on archives with disallowed files: Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without the archive.
Action on max nested archives: Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Action on password protected archives: Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Quarantine dropped archives: Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “Quarantine .
Step 8. Processing Options
Choose advanced processing options for all the messages processed during the scheduled operation.
Processing options
Incremental scanning: Specify whether you want to process all messages or only those messages that have not been processed previously during the manual or scheduled processing.
Max levels of nested messages: Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited. It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
File type recognition
Use intelligent file type recognition: Select whether you want to use Intelligent File Type Recognition or not. Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Step 9. Summary
The Scheduled Task Wizard displays the summary of created operation.
Click Finish to accept the new scheduled operation and to exit the wizard.
2.3 F-Secure Anti-Virus for Microsoft Exchange Statistics
To view statistics, open the Status tab from the Properties pane and open the Statistics subtree. It displays statistics for the host for each F-Secure Anti-Virus for Microsoft Exchange installation. If a policy domain is selected, the Status view displays the number of hosts in the domain and which hosts are disconnected from F-Secure Policy Manager.
Resetting Statistics
You can reset statistics by using controls under the F-Secure Anti-Virus for Microsoft Exchange / Operations branch.
To reset transport scanning statistics, follow these instructions:
1. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Transport Statistics / Statistics to Reset branch.
2. Set statistics you want to reset to Yes.
3. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Transport Statistics / Reset branch.
4. Click Start in the Editor pane.
To reset storage scanning statistics, follow these instructions:
1. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Storage Statistics / Statistics to Reset branch.
2. Set Real-Time Scanning to Yes.
3. Go to the Anti-Virus for Microsoft Exchange / Operations / Reset Storage Statistics / Reset branch.
4. Click Start in the Editor pane.
The Status above the button displays "Operation still in progress" until the program reports that statistics have been reset.
2.3.1 Common
Version: Displays the F-Secure Anti-Virus for Microsoft Exchange version number.
Previous Reset of Statistics: Displays the last date and time when the statistics were reset.
MIB Version: Displays the MIB version number.
Installation Directory: Displays the complete path where F-Secure Anti-Virus for Microsoft Exchange is installed.
Build: Displays the F-Secure Anti-Virus for Microsoft Exchange build number.
Common: Displays the product name and lists all installed hotfixes.
Status: Displays whether F-Secure Anti-Virus for Microsoft Exchange is running (started), stopped, or whether the current status of the agent is unknown.
2.3.2 Transport Protection
You can view the inbound, outbound and internal message statistics separately.
Previous Reset of Statistics: Displays the date and time of the last reset of statistics.
Number of Processed Messages: Displays the total number of processed messages since the last reset of statistics.
Number of Infected Messages: Displays the number of messages with attachments that are infected and cannot be automatically disinfected.
Number of High & Medium Virus Risk Messages: Displays the number of messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a virus outbreak.
Number of Grayware Messages: Displays the number of messages that have been found to contain grayware.
Number of Suspicious Messages: Displays the number of suspicious content found, for example password-protected archives, nested archives and malformed messages.
Number of Stripped Attachments: Displays the number of filtered attachments.
Number of Filtered Messages: Displays the number of messages that have been found to contain disallowed keywords in the message subject or text.
Number of Spam Messages: Displays the number of messages that are classified as spam.
Last Infection Found: Displays the name of the last infection found.
Last Time Infection Found: Displays the time when the last infection was found.
2.3.3 Storage Protection
Common
Number of Mailboxes: Displays the number of currently protected user mailboxes.
Number of Public Folders: Displays the number of currently protected public folders.
Real-time and Background Scanning
Previous Reset of Statistics: Displays the date and time of the last reset of statistics.
Number of Processed Items: Displays the total number of processed items since the last reset of statistics.
Number of Infected Items: Displays the number of items that are infected and cannot be automatically disinfected.
Number of Grayware Items: Displays the number of items that have been found to contain grayware.
Number of Suspicious Items: Displays the number of suspicious content found, for example password-protected archives and nested archives.
Last Infection Found: Displays the name of the last infection found.
Last Time Infection Found: Displays the time when the last infection was found.
Manual Scanning
Total Number of Mailboxes: Displays the total number of mailboxes in Exchange Store that the product processes during the manual scan.
Number of Processed Mailboxes: Displays the number of mailboxes that have been processed.
Total Number of Public Folders: Displays the total number of Public folders in the Exchange Store that the product processes during the manual scan.
Number of Processed Public Folders: Displays the number of public folders that have been processed.
Estimated Time Left: Displays the estimated time left to finish the current manual scan.
Elapsed Time: Displays the time that has elapsed since the manual scan was started.
Number of Processed Items: Displays the total number of processed items during the previous manual scan.
Number of Infected Items: Displays the number of items that were infected and could not be automatically disinfected during the previous manual scan.
Number of Grayware Items: Displays the number of items that have been found to contain grayware.
Number of Suspicious Items: Displays the number of suspicious content found during the previous manual scan, for example password-protected archives and nested archives.
Number of Stripped Attachments: Displays the number of filtered attachments during the previous manual scan.
Last Infection Found: Displays the name of the last infection found.
Last Time Infection Found: Displays the time when the last infection was found.
Previous Scanning: Displays the date and time of the previous manual scan.
2.3.4 Quarantine
The quarantine statistics display the total number of quarantined items, the current size of the quarantine storage (in megabytes), and the detailed statistics of quarantined items by category. For more information, see “Quarantine Management”, 211.
2.4 F-Secure Content Scanner Server Settings
Use the variables under the F-Secure Content Scanner Server / Settings branch to define the settings for content providers and to change the general content scanning options.
2.4.1 Interface
Specify how the server will interact with clients.
IP Address: Specifies the service listen address in case of multiple network interface cards or multiple IP addresses. If you do not assign an IP address (0.0.0.0), the server responds to all IP addresses assigned to the host.
TCP Port: Specifies the TCP port that the server listens on for incoming requests. The default port number is 18971. If you change this port number, you must modify the connection settings of the client accordingly, so that the client sends requests to the same port.
Accept Connections: Specifies a comma-separated list of IP addresses the server accepts incoming requests from. If the list is empty, the server accepts connections from any host.
Max Connections: Specifies the maximum number of simultaneous connections the server can accept. Value zero (0) means no limit.
Max Connections Per Host: Specifies the maximum number of simultaneous connections the server can accept from a particular host. Value zero (0) means no limit.
Send Content Timeout: Specifies how long the server should wait before it times out on sending data to the client.
Receive Content Timeout: Specifies how long the server should wait before it times out when receiving data from the client.
Keep Alive Timeout: Specifies the length of time before the server closes an inactive/idle connection. This ensures that all connections are closed if the protocol fails to close a connection.
2.4.2 Virus Scanning
Specify scanning engines to be used when F-Secure Content Scanner Server scans files for viruses, and the files that should be scanned.
Scan Engines: Scan engines can be enabled or disabled. If you want to disable the scan just for certain files, enter the appropriate file extensions to the Excluded extensions field and separate each extension with a space. The Excluded extensions field supports * and ? wildcards.
Action if Engine Malfunctions: Specify how the product reacts if it cannot scan a file.
Return Scan Error - Drop the file being scanned and send a scan error.
Scan with Other Engines - Scan the file with other available scan engines.
Scan Inside Archives: Specify whether files inside compressed archive files should be scanned for viruses, if they are not excluded from scanning. Scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.
Max Levels in Nested Archives: If Scan Inside Archives is enabled, F-Secure Content Scanner Server can scan files inside archives that may exist inside of other archives. Furthermore, these nested archives can contain other archives. Specify the number of levels F-Secure Content Scanner Server goes through before the action selected in Suspect Max Nested Archives takes place. The default setting is 3. Increasing the value increases the load on the system and thus decreases the overall system performance. This means that the system becomes more vulnerable to DoS (Denial-of-Service) attacks.
Suspect Max Nested Archives: If the amount of nested archives exceeds the value specified in the Max Levels in Nested Archives, the file is stopped if Treat as Unsafe is selected. If Treat as Safe is selected, the archive file is sent to the user.
Suspect Password Protected Archives: Compressed archive files can be protected with passwords. These archives can be opened only with a valid password, so F-Secure Content Scanner Server cannot scan their content. Password protected archives can be stopped by selecting Treat as Unsafe. If Treat as Safe is selected, password protected archives are delivered to the recipient.
Acceptable Unpacked Size Threshold: Specify the acceptable unpacked size (in kilobytes) for archive files. If the unpacked size of an archive file exceeds this threshold, the server will consider the archive suspicious and corresponding action will be taken.
Scan Extensions Inside Archives: Enter all the extensions you want to scan inside archives.
Extensions Allowed in Password Protected Archives: Define a space-separated list of the file extensions allowed in password protected archives. Wildcards (*, ?) can be used. Example: "DO? *ML".
Max Scan Timeout: Specify the maximum time that one scanning task can last. The Max Scan Timeout is 10 minutes by default.
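The archive limits in this section, sketched as an added Python example (not F-Secure code and not the product's implementation): it classifies a ZIP by nesting depth, password protection and unpacked size, then applies the Treat as Unsafe / Treat as Safe choice. The 1024 KB size limit, counting the outermost archive as level 1, treating 0 as unlimited (as the manual scan setting does) and all function names are assumptions; the sample archives are constructed in memory.

```python
import io
import zipfile


def build_nested_zip(levels, payload=b"constructed sample text\n"):
    """Constructed sample: `payload` wrapped in `levels` layers of ZIP."""
    data, name = payload, "note.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner%d.zip" % i
    return data


def mark_encrypted(zip_bytes):
    """Constructed sample: set general-purpose flag bit 0 ("encrypted") in the
    last central-directory header. The content is not really encrypted; the
    flag is what a scanner sees before it tries to open the member."""
    raw = bytearray(zip_bytes)
    pos = raw.rfind(b"PK\x01\x02")       # central directory file header
    raw[pos + 8] |= 0x01                 # flags field starts at offset 8
    return bytes(raw)


def classify(data, max_levels=3, max_unpacked_kb=1024):
    """Return 'clean', 'max-nested', 'password-protected', 'oversized' or
    'not-an-archive'. max_levels=0 means unlimited (assumption)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-an-archive"
    budget = [max_unpacked_kb * 1024]    # shared across all nesting levels
    return _walk(data, 1, max_levels, budget)


def _walk(data, level, max_levels, budget):
    if max_levels and level > max_levels:
        return "max-nested"              # stop before unpacking any deeper
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                return "password-protected"
            budget[0] -= info.file_size  # declared size, checked before inflating
            if budget[0] < 0:
                return "oversized"
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                verdict = _walk(member, level + 1, max_levels, budget)
                if verdict != "clean":
                    return verdict
    return "clean"


def decide(data, policy, **limits):
    """Map a verdict to 'deliver' or 'stop' using the two Suspect settings.
    Stopping oversized archives is an assumption of this sketch; the guide
    only says the corresponding action is taken."""
    verdict = classify(data, **limits)
    if verdict in ("clean", "not-an-archive"):
        return "deliver"
    return "deliver" if policy.get(verdict) == "Treat as Safe" else "stop"


if __name__ == "__main__":
    policy = {"max-nested": "Treat as Unsafe",
              "password-protected": "Treat as Safe"}
    for label, sample in [("3 levels", build_nested_zip(3)),
                          ("4 levels", build_nested_zip(4)),
                          ("encrypted flag", mark_encrypted(build_nested_zip(1)))]:
        print(label, classify(sample), decide(sample, policy))
```

With the default of 3 levels, the four-level sample is rejected before its innermost layer is opened, which is the load-limiting behaviour the Max Levels setting exists to provide.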
2.4.3 Virus Statistics
Select the number of most active viruses and the number of days to be displayed on the Top 10 virus list.
Time Period: Specify the time period for the most active viruses list. The product shows statistics about most active viruses detected during the specified time period. The possible value range is from 1 hour to 90 days.
Viruses to Show: Specify the number of most active viruses to be displayed for the time period specified in the 'Time Period' setting. The possible values are Top 5, Top 10 and Top 30.
Send Statistics to F-Secure World Map: The product can collect and send statistics about viruses and other malware to the F-Secure World Map service. When the F-Secure World Map support is enabled, the product sends encrypted e-mail reports periodically to the service. These reports list only the name and the amount of found malware and they do not contain any sensitive information such as IP or e-mail addresses or user names. You can also forward unencrypted reports to a configurable e-mail address and use the same statistics for your own internal purposes.
Mail Server Address: Specify the IP address of the mail server that is used to send e-mail.
Mail Server Port: Specify the port number of the mail server that is used to send e-mail.
E-mail Addresses for Unencrypted Reports: Specify e-mail addresses where you want to send unencrypted virus statistics reports. Separate each address with a comma or space.
2.4.4 Database Updates
Specify how you want to keep the virus definition databases up-to-date.
Verify Integrity of Downloaded Databases: Specify whether the product should verify that the downloaded virus definition databases are the original databases published by F-Secure Corporation and that they have not been altered or corrupted in any way before taking them to use.
Notify When Databases Become Old: Specify whether F-Secure Content Scanner Server should notify the administrator if virus definition databases have not been updated recently.
Notify When Databases Older Than: Specify the time (in days) how old virus definition databases can be before F-Secure Content Scanner Server sends the notification to the administrator.
2.4.5 Spam Filtering
Specify the number of Spam Scanner instances to be created and used for spam analysis.
Number of spam scanner instances: Specify the number of Spam Scanner instances to be created and used for spam analysis. As one instance of the spam scanner is capable of processing one mail message at a time, this setting defines how many messages will undergo spam analysis simultaneously. You might need to modify this setting if you enable Realtime Blackhole Lists (DNSBL/RBL) for spam filtering. For more information, consult F-Secure Anti-Virus for Microsoft Exchange Deployment Guide. You have to restart the Content Scanner Server after you change this setting and distribute the policy to take the new setting into use.
IMPORTANT: Spam analysis is a processor-intensive operation and each spam scanner instance takes approximately 25MB of memory (process fsavsd.exe). Do not increase the number of instances unless the product is running on a powerful computer.
2.4.6 Threat Detection Engine
Configure the virus outbreak and spam threat detection.
VOD Cache Size: Specify the maximum number of patterns to cache for the virus outbreak detection service. By default, the cache size is 10000 cached patterns.
Class Cache Size: Specify the maximum number of patterns to cache for spam detection service. By default, the cache size is 10000 cached patterns.
Increasing cache sizes may increase the threat detection performance but it requires more disk space and may degrade the threat detection rate. Cache sizes can be disabled (set the size to 0) for troubleshooting purposes.
Spam Detection: Specify whether the threat detection engine is used while scanning inbound messages for spam.
Action on Connection Failure: Specify the action for messages when the threat detection center cannot be contacted and the threat detection engine cannot classify the message.
Pass through - The message is passed through without scanning it for spam.
Heuristic Scanning - F-Secure Content Scanner Server checks the message using spam heuristics.
Trusted Networks: Specify networks and hosts in the mail relay network which can be trusted not to be operated by spammers and do not have open relays or open proxies. Define the network as a network/netmask pair (10.1.0.0/255.255.0.0), with the network/nnn CIDR specification (10.1.0.0/16), or use ‘*’ wildcard to match any number and ‘-’ to define a range of numbers (172.16.*.1, 172.16.4.10-110).
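The three Trusted Networks notations, parsed by an added Python example (not part of the product): it matches an address against an entry and lists entries that are invalid or broader than a chosen size, because an over-broad entry extends that trust to hosts nobody reviewed. Reading `*` and `-` as per-octet patterns, the 65536-address review threshold and the names TrustedEntry and audit are assumptions.

```python
import ipaddress
from math import prod


class TrustedEntry:
    """One Trusted Networks entry in any of the three documented notations."""

    def __init__(self, text):
        self.text = text.strip()
        self.net = None
        self.ranges = None
        if "/" in self.text:
            # Handles both 10.1.0.0/255.255.0.0 and 10.1.0.0/16.
            self.net = ipaddress.IPv4Network(self.text, strict=False)
        else:
            fields = self.text.split(".")
            if len(fields) != 4:
                raise ValueError("expected four octets: %r" % self.text)
            self.ranges = [self._octet(f) for f in fields]

    @staticmethod
    def _octet(field):
        """'*' -> (0, 255), '10-110' -> (10, 110), '4' -> (4, 4)."""
        if field == "*":
            return (0, 255)
        lo, _, hi = field.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet %r" % field)
        return (lo, hi)

    def size(self):
        """Number of IPv4 addresses the entry covers."""
        if self.net is not None:
            return self.net.num_addresses
        return prod(hi - lo + 1 for lo, hi in self.ranges)

    def matches(self, ip):
        addr = ipaddress.IPv4Address(ip)
        if self.net is not None:
            return addr in self.net
        return all(lo <= octet <= hi
                   for octet, (lo, hi) in zip(addr.packed, self.ranges))


def audit(entries, max_hosts=65536):
    """Return (entry, reason) for entries that are invalid or cover more than
    max_hosts addresses (threshold is an assumption, tune it per site)."""
    findings = []
    for text in entries:
        try:
            entry = TrustedEntry(text)
        except ValueError as exc:
            findings.append((text, "invalid: %s" % exc))
            continue
        if entry.size() > max_hosts:
            findings.append((text, "covers %d addresses" % entry.size()))
    return findings


if __name__ == "__main__":
    # Constructed list: the guide's own four examples plus two bad entries.
    configured = ["10.1.0.0/255.255.0.0", "10.1.0.0/16", "172.16.*.1",
                  "172.16.4.10-110", "*.*.*.*", "172.16.4.300"]
    for finding in audit(configured):
        print(finding)
```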
2.4.7
Proxy Configuration
Specify proxy server parameters that Content Scanner Server uses when it connects to the threat detection center.
Use Proxy Server Specify whether F-Secure Content Scanner
Server uses a proxy server when it connects to the threat detection center.
Proxy Server Address Specify the address of the proxy server.
Proxy Server Port Specify the port number of the proxy server.
2.4.8
Advanced
Specify the location and the minimum size of the Working directory.
Working Directory
Specify where temporary files are stored.
The Working directory should be on a local hard disk for the best performance. Make sure that there is enough free disk space for temporary files.
During the setup, access rights are adjusted so that only the operating system and the local administrator can access files in the Working directory. If you make changes to Working Directory settings, make sure that the new directory has the same rights.
Working Directory Clean Interval
Specify the time after which the inactive temporary files in the Working directory are deleted. The default clean interval is 30 minutes.
Free Space Threshold
IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.
Specify when F-Secure Content Scanner Server should send a low disk space alert to the administrator. The default setting is 100 megabytes.
Max Number of Concurrent Transactions
Specifies the maximum number of transactions the server processes simultaneously.
2.5
F-Secure Content Scanner Server Statistics
The Statistics branch in the F-Secure Content Scanner Server tree displays the version of F-Secure Content Scanner Server that is currently installed on the selected host and the location of F-Secure Content
Scanner Server installation directory.
2.5.1
Server
The Server branch contains the following information:
Version
The version of the F-Secure Content Scanner Server.
Status
The status of F-Secure Content Scanner Server, whether it has been started and it is running or it is stopped.
Start Time
The date and time when the server was started.
Previous Reset of Statistics
The date and time of the last reset of statistics.
Number of Scanned Files
The number of files that have been scanned.
Last Database Update
The last date and time when virus definition database was updated.
Database Update Version
The currently used version of the database update. The version is shown in YYYY-MM-DD_NN format, where YYYY-MM-DD is the release date of the update and NN is the number of the update for that day.
Last Infection Found
The name of the last infection that was encountered.
Last Time Infection Found
The date and time when the last infection was found.
2.5.2
Scan Engines
The Scan Engines table displays the scan engine statistics and information.
Name
Displays the name of the scan engine.
Version
Displays the version number of the scan engine.
Status
Displays the status of the scan engine. The scan engine can be loaded and enabled or disabled by the administrator, or not loaded at all.
Last Database Update
Displays the last date and time when virus definition database was taken into use by the scan engine.
Database Date
Displays the date the virus signature database for the scan engine was created.
Last Infection Found
Displays the last infection found by the scan engine.
Last Time Infection Found
Displays the date and time of the last infection found by the scan engine.
Processed Files
Displays the number of files processed by the scan engine.
Infected Files
Displays the number of infected files found by the scan engine.
Disinfected Files
Displays the number of files successfully disinfected by the scan engine.
Database Version
Displays the current version of database updates used by the scan engine.
2.5.3
Common
The Common statistics branch displays the list of installed product hotfixes.
2.5.4
Spam Control
The Spam Control branch displays the following information:
Spam Scanner Version
Displays the version and build number of the Spam Scanner.
Status
Displays the status of the Spam Scanner.
Previous Reset of Statistics
Displays when the Spam Scanner statistics were reset last time.
Database Version
Displays the version of the database currently used by the Spam Scanner.
Last Database Update
Displays the date and time when the Spam Scanner database was last updated.
Number of Processed Messages
Displays the total number of e-mail messages that have been analyzed for spam.
Total Spam Statistics
These statistics show how many mail messages have been identified with each spam confidence level rating.
2.5.5
Virus Statistics
The Virus Statistics branch displays the following information:
Last Updated
Displays the date and time when the virus statistics were updated last time.
Most Active Viruses
Displays the list of most active viruses.
2.6
F-Secure Management Agent Settings
If the F-Secure Anti-Virus for Microsoft Exchange is working in centrally administered mode, you have to make sure F-Secure Anti-Virus for
Microsoft Exchange sends and receives data from F-Secure Policy
Manager Server. To do this, change communications settings from
F-Secure Management Agent.
For detailed information on F-Secure Management Agent, see the
F-Secure Policy Manager Administrator's Guide.
Communications
Host Configuration Mode
Shows whether the host is stand-alone or centrally administered.
Active Protocol
Sets the active protocol.
Protocols
A subdirectory containing the settings for the File Sharing and the HTTP protocol. These settings should be carefully checked before distribution. Errors can result in problems with communicating with the hosts.
Spool Time Limit
The maximum time the host will store the information it is unable to transmit.
Slow Connection Definition
This setting can be used to disallow F-Secure Management Agent from downloading large remote installation packages over slow network connections. F-Secure Management Agent measures the speed of the network link to F-Secure Policy Manager Server and stops the download if the minimum speed specified by this setting is not met.
HTTP
Management Server Address
URL of the F-Secure Policy Manager Server. The URL should not have a slash at the end. For example: “http://fsms.example.com”.
Incoming Packages Polling Interval
Defines how often the host tries to fetch incoming packages (such as Base Policy files or new virus signature databases) from the F-Secure Policy Manager Server.
Outgoing Packages Update Interval
Defines how often the host tries to transmit to the administrator information that is periodically updated (such as statistics).
2.7
F-Secure Automatic Update Agent Settings
Using F-Secure Automatic Update Agent is the most convenient way to keep the databases updated. It connects to F-Secure Policy Manager
Server or the F-Secure Update Server automatically.
In order to update the spam definition databases F-Secure
Automatic Update Agent must be installed on the same computer as F-Secure Spam Control.
Communications
Automatic updates
Enable or disable automatic virus and spam definition updates.
By default, automatic updates are enabled.
Internet connection checking
Specify whether the product should check the connection to the Internet before trying to retrieve updates.
Assume always connected - The computer is connected to the Internet all the time.
Detect connection - The product detects when the computer is connected to the Internet.
Detect traffic - The product assumes that the computer is connected to the Internet only when other applications use the network.
Detect connection is the default setting.
HTTP settings
Select whether to use an HTTP proxy when retrieving automatic updates.
If F-Secure Automatic Update Agent connects to the Internet through a proxy server, specify the HTTP proxy address in the User-defined proxy settings > Address field.
Enter the HTTP proxy server address.
PM Proxies
Specify F-Secure Policy Manager Proxies that you want to use as sources for automatic updates.
If no F-Secure Policy Manager Proxies are configured, the product retrieves the latest virus definition updates from F-Secure Update Server automatically.
Intermediate server failover time
Specify (in hours) the failover time to connect to F-Secure Policy Manager Server or F-Secure Policy Manager Proxy.
If the product cannot connect to any user-specified update server during the failover time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.
Intermediate server polling interval
Specify (in minutes) how often the product checks one of the update sources for new updates.
Allow fetching updates from F-Secure Update Server
Specify whether the product should connect to F-Secure Update Server when it cannot connect to any user-specified update server. Specify PM Proxies to configure the update servers.
3
Administration with Web Console
Overview
Home
Transport Protection
Storage Protection
Spam Control
Quarantine
Automatic Updates
Engines
General Server Properties
3.1
Overview
This section describes how to use Web Console to administer F-Secure
Anti-Virus for Microsoft Exchange.
If F-Secure Anti-Virus for Microsoft Exchange is installed in the stand-alone mode, it can be administered with F-Secure Anti-Virus for
Microsoft Exchange Web Console. The Web Console is installed with
F-Secure Anti-Virus for Microsoft Exchange.
To open the Web Console, see “Using Web Console”, 13.
3.2
Home
The Web Console displays the Getting Started page when you log in for the first time. You can check and configure the following information on the Getting Started page to complete the installation:
Internal domains and senders
E-mail alerts and reports
Database updates
Product updates
Summary
The Summary tab displays the current status of the product components.
Normal; the feature is enabled and everything is working as it should.
Informational; the feature is disabled.
Warning; the feature or an antivirus engine is disabled or virus and spam definition databases are not up-to-date.
Error; the license has expired, the feature is not installed, all antivirus engines are disabled or a component is not loaded, F-Secure Content Scanner Server is not up and running or virus and spam definition databases are really old.
Scan Tasks
Click Find quarantined e-mail or attachment to manually scan mailboxes and public folders for viruses and strip attachments in them.
For instructions, see “Manual Scanning”, 146.
Quarantine Tasks
Click Find quarantined content to search for the quarantined content.
For more information, see “Searching the Quarantined Content”, 214.
Log Files
Click View F-Secure Log to view the F-Secure log file (LogFile.log) in a new Internet browser window. Click Download to download and save the
LogFile.log for later use.
Click View Automatic Update Log to view the update log file.
Services
Under the Services tab, you can start, stop and restart F-Secure
Anti-Virus for Microsoft Exchange, F-Secure Content Scanner Server and
F-Secure Automatic Update Agent.
Virus Statistics
The Virus Statistics tab displays information on the most active viruses found during the scan.
F-Secure World Map Support
The product can collect and send statistics about viruses and other malware to the F-Secure World Map service.
If you enable F-Secure World Map support, make sure that the server can
relay messages properly. For more information, see “ Sending E-mail
3.3
Transport Protection
You can configure inbound, outbound and internal message protection separately. For more information about the mail direction and
configuration options, see “Network Configuration”, 194.
After you apply new transport protection settings, it can take up to
20 seconds for the new settings to take effect.
Status
The Status page displays a summary of the processed inbound, outbound and internal mail messages:
Processed messages
Displays the total number of processed messages since the last reset of statistics.
Infected messages
Displays the number of messages with attachments that are infected and cannot be automatically disinfected.
High & Medium virus risk messages
Displays the number of messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a virus outbreak.
Grayware messages
Displays the number of messages that have grayware items, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Suspicious messages
Displays the number of suspicious content found, for example password-protected archives, nested archives and malformed messages.
Stripped attachments
Displays the number of filtered attachments.
Filtered messages
Displays the number of messages that have been found to contain disallowed keywords in the message subject or text.
Spam messages
Displays the number of messages that are classified as spam.
Last Infections
Displays the name of the last infection found in inbound, outbound, and internal messages.
3.3.1
Attachment Filtering
Specify attachments to remove from inbound, outbound and internal messages based on the file name or the file extension.
Strip Attachments from e-mail messages
Enable or disable the attachment stripping.
Targets
Strip these attachments
Specify which attachments are stripped from messages. For more information, see “ Match
Exclude these attachments
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Actions
Action on disallowed attachments
Specify how disallowed attachments are handled.
Drop Attachment - Remove the attachment from the message and deliver the message to the recipient without the disallowed attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify files which are not quarantined even when they are stripped. For more information,
Notifications
Send notification message to recipient(s)
Specify whether recipients are notified when a disallowed or suspicious attachment is found.
Note that the notification message is not sent if the whole message is dropped.
Send notification message to sender
Specify whether the original sender is notified when a disallowed or suspicious attachment is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “ Message
Do not notify on these attachments
Specify attachments that do not generate notifications. When the product finds a specified file or file extension, no notification is sent.
Send alert to administrator
Specify whether the administrator is notified when the product strips an attachment. If you enable the notification, specify the alert level of the notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 190.
3.3.2
Virus Scanning
Specify inbound, outbound and internal messages and attachments that should be scanned for malicious code.
Disabling virus scanning disables grayware scanning and archive processing as well.
Scan e-mail messages for viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
Heuristic Scanning
Enable or disable the heuristic scan. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
By default, the heuristic scan is enabled for inbound mails and disabled for outbound and internal mails.
The heuristic scan may affect the product performance and increase the risk of false malware alarms.
Proactive virus threat detection
Select whether Proactive Virus Threat Detection is enabled or disabled.
Proactive virus threat detection can identify new and unknown e-mail malware, including viruses and worms.
When proactive virus threat detection is enabled, the product analyzes e-mail messages for possible security threats. All possibly harmful messages are quarantined as unsafe.
Unsafe messages can be reprocessed periodically, as antivirus updates may confirm the unsafe message as safe or infected.
When proactive virus threat detection is disabled, mails are only scanned by antivirus engines.
Targets
Scan these attachments
Specify attachments that are scanned for
viruses. For more information, see “
Exclude these attachments
Specify attachments that are not scanned.
Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Action on infected messages
Specify whether infected messages are disinfected or dropped.
Drop Attachment - Remove the infected attachment from the message and deliver the message to the recipient without the attachment.
Drop the Whole Message - Do not deliver the message to the recipient at all.
Quarantine infected messages
Specify whether infected or suspicious messages are quarantined.
Do not quarantine these infections
Specify infections that are never placed in the quarantine. For more information, see “ Match
Notifications
Send notification message to recipient(s)
Specify whether recipients are notified when a virus or other malicious code is found.
Note that the notification message is not sent if the whole message is dropped.
Send notification message to sender
Specify whether the original sender is notified when a virus or other malicious code is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “ Message
Do not notify on these infections
Specify infections that do not generate notifications. When the product finds the specified infection, no notification is sent.
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a virus in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 190.
3.3.3
Grayware Scanning
Specify how the product processes grayware items in inbound, outbound and internal messages.
Note that grayware scanning increases the scanning overhead. By default, grayware scanning is enabled for inbound messages only.
Grayware scanning is disabled when virus scanning is disabled.
Scan e-mail messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware
Specify the action to take on items which contain grayware.
Pass through - Leave grayware items in the message.
Drop attachment - Remove grayware items from the message.
Drop the whole message - Do not deliver the message to the recipient.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Send warning message to recipient(s)
Specify the template for the notification message that is sent to the intended recipient when a grayware item is found in a message.
Note that the notification message is not sent if the whole message is dropped.
Send warning message to sender
Specify the template for the notification message that is sent to the original sender of the message when a grayware item is found in a message.
Leave notification message fields empty if you do not want to send any notification messages.
By default, notification messages are not sent.
For more information, see “ Message
Do not notify on this grayware
Specify a list of keywords for grayware types on which no notifications are sent.
If the product finds a grayware item with a name that matches the keyword, the recipient and the sender are not notified about the grayware item found.
Leave the list empty if you do not want to exclude any grayware types from notifications.
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a grayware item in a message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 190.
3.3.4
Archive Processing
Specify how F-Secure Anti-Virus for Microsoft Exchange processes inbound, outbound and internal archive files.
Note that scanning inside archives takes time. Disabling scanning inside archives improves performance, but it also means that the network users need to use up-to-date virus protection on their workstations.
Archive processing is disabled when the virus scanning is disabled.
Scan archives
Specify whether files inside compressed archive files are scanned for viruses.
Targets
List of files to scan inside archives
Specify files inside archives that are scanned for viruses. For more information, see “Match Lists”,
Exclude these files
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives
Specify files which are not allowed inside archives. For more information, see “ Match
Actions
Action on archives with disallowed files
Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Action on max nested archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient.
The default value is Drop archive for inbound and outbound mail, and Pass through for internal mail.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “ Quarantine
Notifications
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft
Exchange blocks a suspicious overnested or password protected archive file.
If the archive is blocked because it contains malware, grayware or disallowed files, the administrator receives a notification about that instead of this notification.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 190.
3.3.5
Content Filtering
Specify how F-Secure Anti-Virus for Microsoft Exchange filters disallowed content in inbound, outbound and internal messages.
Filter out e-mail messages with disallowed/undesirable content
Specify whether e-mail messages are scanned for disallowed content.
Targets
Disallowed keywords in message subject
Specify the list of disallowed keywords to check in e-mail message subjects. For more information, see “ Using Keywords in Content
Disallowed keywords in message text
Specify the list of disallowed keywords to check in e-mail message text. For more information, see “Using Keywords in Content Filtering”, 125.
Actions
Action on disallowed content
Specify the action to take on messages which contain disallowed keywords.
Report only - Deliver the message to the recipient and notify the administrator that the scanned message contained disallowed content.
Drop the whole message - Do not deliver the message to the recipient.
Quarantine - Quarantine the message with disallowed content.
Notifications
Send notification message to recipient(s)
Specify whether recipients are notified when disallowed content is found.
Send notification message to sender
Specify whether the original sender is notified when disallowed content is found.
To enable the notification, select a template for the notification message. To disable the notification, leave the notification field empty.
For more information, see “ Message
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange finds a message with disallowed content.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 190.
Using Keywords in Content Filtering
When the content filtering is enabled, all messages are checked against every keyword sequence that is specified in the selected list of keywords.
A keyword may contain any characters, including punctuation symbols, spaces, and other word separators. Keywords are case insensitive.
You can use ‘?’ character in a keyword to match any character in that position in the keyword and ‘*’ to match any number of characters.
Keyword examples:
example
Matches any message text or subject that contains the word ‘example’.
another example
Matches any message text or subject that contains the ‘another example’ text. Words ‘another’ and ‘example’ have to be separated with exactly one space character.
co?p?rate
Matches any message text or subject that contains - for example - words ‘corporate’ or ‘cooperate’.
another*example
Matches any message text or subject that contains words ‘another’ and ‘example’ separated with any number of characters. For example, ‘another example’ or ‘another keyword example’.
To represent ‘?’ or ‘*’ characters themselves in keywords, use ‘\?’ and ‘\*’ sequences correspondingly. To represent ‘\’ character, use ‘\\’.
For example, to match the '*** SPAM ***' string, enter '\*\*\* spam \*\*\*'.
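A keyword list can be tried against sample subjects and message text before it is deployed. The following Python sketch is an added illustration, not the product's matcher: it translates the keyword syntax described above (‘?’, ‘*’ and the ‘\?’, ‘\*’, ‘\\’ escapes, case insensitive) into regular expressions. It assumes plain substring matching, that ‘*’ may span line breaks, and that a backslash before any other character is taken literally; the function names are hypothetical.

```python
import re


def keyword_to_regex(keyword):
    r"""Translate one content-filtering keyword into a compiled regex.

    '?' matches exactly one character, '*' matches any run of characters,
    and '\?', '\*', '\\' stand for the literal characters.
    """
    out = []
    i = 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\" and i + 1 < len(keyword) and keyword[i + 1] in "?*\\":
            out.append(re.escape(keyword[i + 1]))   # escaped literal
            i += 2
            continue
        if ch == "?":
            out.append(".")
        elif ch == "*":
            out.append(".*?")
        else:
            # Includes a lone backslash, kept as a literal (assumption).
            out.append(re.escape(ch))
        i += 1
    # Keywords are case insensitive; DOTALL lets '*' cross line breaks.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def check_message(subject_keywords, text_keywords, subject, text):
    """Return (field, keyword) pairs for every keyword that matches."""
    hits = []
    for field, keywords, value in (
        ("subject", subject_keywords, subject),
        ("text", text_keywords, text),
    ):
        for kw in keywords:
            if keyword_to_regex(kw).search(value):
                hits.append((field, kw))
    return hits


# Constructed sample lists and message, using the keyword examples above.
SUBJECT_KEYWORDS = [r"\*\*\* spam \*\*\*"]
TEXT_KEYWORDS = ["co?p?rate", "another*example", "another example"]

if __name__ == "__main__":
    print(check_message(
        SUBJECT_KEYWORDS,
        TEXT_KEYWORDS,
        "Fwd: *** SPAM *** limited offer",
        "Our corporate newsletter has another keyword example.",
    ))
```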
3.3.6
Other Options
Configure other options to limit actions on malformed and problematic messages.
File Type Recognition
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Trusted senders and recipients
List of trusted senders
Specify senders who are excluded from the mail scanning and processing.
List of trusted recipients
Specify recipients who are excluded from the mail scanning and processing.
For more information, see “Match Lists”, 208.
Mail disclaimer
Specify whether you want to add a disclaimer to all outbound messages.
Click Edit disclaimer to edit the disclaimer text.
Mail disclaimer is available only for outbound messages.
Some malware add disclaimers to infected messages, so disclaimers should not be used for stating that the message is clean of malware.
Options
Limit max levels of nested messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Actions
Action on mails with exceeding nesting levels
Specify the action to take on messages with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.
Drop the Whole Message - Messages with exceeding nesting levels are not delivered to the recipient.
Pass Through - Nested messages are scanned up to the level specified in the Max Levels of Nested Messages setting. Exceeding nesting levels are not scanned, but the message is delivered to the recipient.
Action on malformed mails
Specify the action for non-RFC compliant e-mails. If the message has an incorrect structure, the product cannot parse the message reliably.
Drop the Whole Message - Do not deliver the message to the recipient.
Pass Through - The product allows the message to pass through.
Pass Through and Report - The product allows the message to pass through, but sends a report to the administrator.
Quarantine problematic messages
Specify if mails that contain malformed or broken attachments are quarantined for later analysis or recovery.
Notifications
Send alert to administrator
Specify whether the administrator is notified when F-Secure Anti-Virus for Microsoft Exchange detects a malformed or a suspicious e-mail message.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 190.
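The effect of Limit max levels of nested messages and of the two actions on exceeding nesting levels can be seen on a constructed message. The following Python sketch is an added illustration, not the product's scanner: it walks a message with an explicit stack, stops descending once the nesting limit is passed, and reports how many parts were scanned. It assumes that each attached message/rfc822 part counts as one level and that 0 means unlimited, as described above; the function names and verdict strings are hypothetical.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_nested(levels):
    """Constructed sample: a message carrying `levels` nested message attachments."""
    msg = EmailMessage()
    msg["Subject"] = "innermost"
    msg.set_content("innermost body")
    for n in range(levels):
        outer = EmailMessage()
        outer["Subject"] = "wrapper %d" % n
        outer.set_content("see attached message")
        outer.add_attachment(msg)       # stored as a message/rfc822 part
        msg = outer
    return msg.as_bytes()


def scan_nested(raw, max_levels):
    """Walk the message without recursion.

    Descends at most `max_levels` nested messages (0 = unlimited) and
    returns (leaf_parts_scanned, limit_exceeded). The standard-library
    parser has already built the full tree here; the limit bounds the
    scanning work, which is the part this sketch models.
    """
    root = message_from_bytes(raw, policy=policy.default)
    pending = [(root, 0)]
    scanned = 0
    exceeded = False
    while pending:
        part, level = pending.pop()
        if part.get_content_type() == "message/rfc822":
            level += 1
            if max_levels and level > max_levels:
                exceeded = True         # deeper content is left unscanned
                continue
        if part.is_multipart():
            pending.extend((child, level) for child in part.get_payload())
        else:
            scanned += 1                # a real scanner would inspect it here
    return scanned, exceeded


def decide(raw, max_levels, action="Drop the Whole Message"):
    """Apply the configured action on mails with exceeding nesting levels."""
    scanned, exceeded = scan_nested(raw, max_levels)
    if not exceeded:
        return "deliver", scanned
    if action == "Drop the Whole Message":
        return "drop", scanned
    # Pass Through: delivered although the deepest levels were not scanned.
    return "deliver-partially-scanned", scanned


if __name__ == "__main__":
    sample = build_nested(3)
    for limit in (0, 3, 2):
        print(limit, decide(sample, limit), decide(sample, limit, "Pass Through"))
```

With Pass Through, the returned count shows how much of the message was left uninspected, which is the exposure that setting accepts.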
3.4
Spam Control
The threat detection engine of F-Secure Anti-Virus for Microsoft
Exchange can identify spam and virus patterns from the message envelope, headers and body during the first minutes of the new spam or virus outbreak.
You can configure Spam Control settings for inbound messages, and only if you have F-Secure Spam Control installed.
3.4.1
Status
The Status page displays the statistics of the spam scanner:
Spam scanner version
Displays the version number of the installed spam scanner.
Number of processed messages
Displays the total number of processed messages since the last reset of statistics.
Last updated
Displays the date and time when the latest spam definition update was retrieved.
Database version
Displays the version of the installed spam definition database.
Spam confidence level / number of messages
Displays the number of messages found with specified spam confidence levels.
3.4.2 Settings
Specify how F-Secure Anti-Virus for Microsoft Exchange processes inbound spam messages.
These settings are used only if F-Secure Spam Control is installed with the product, otherwise these settings are not available.
Check inbound e-mail messages for spam
Specify whether inbound mails are scanned for spam.
Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering. For information on configuring Realtime Blackhole Lists, consult the F-Secure Anti-Virus for Microsoft Exchange Deployment Guide.
Options
Heuristic spam analysis
Specify whether heuristic spam analysis is used to filter inbound mails for spam.
If you enable the heuristic spam analysis, all messages that the threat detection engine does not classify as spam are further analyzed for spam.
When the heuristic spam analysis is disabled, only the threat detection engine filters messages for spam.
Heuristic spam analysis slows down the performance but improves the spam detection rate.
Spam filtering level
Specify the spam filtering level. Decreasing the level allows less spam to pass, but more regular mails may be falsely identified as spam.
Increasing the level allows more spam to pass, but a smaller number of regular e-mail messages are falsely identified as spam.
For example, if the spam filtering level is set to 3, more spam is filtered, but also more regular mails may be falsely identified as spam. If the spam filtering level is set to 7, more spam may pass undetected, but a smaller number of regular mails will be falsely identified as spam.
The allowed values are from 0 to 9.
Click More options to configure advanced spam filtering options:
Max message size - Specify the maximum size (in kilobytes) of messages to be scanned for spam. If the size of the message exceeds the maximum size, the message is not filtered for spam.
Forward spam messages to e-mail address - Specify the e-mail address where messages considered as spam are forwarded when the Action on Spam Messages setting is set to Forward.
Spam confidence level
Click Add new action to add a new action for messages with the spam level above the specified Spam Filtering Level.
Specify the spam level and select the action to take:
Quarantine - Place the message into the quarantine folder.
Forward - Forward the message to the specified e-mail address.
Delete - Delete the message.
Actions on passed through messages
Add X-header with spam flag
Specify if a spam flag is added to the mail as the X-Spam-Flag header in the following format:
X-Spam-Flag:<flag>
where <flag> is YES or NO.
Add X-header with summary
Specify if the summary of triggered hits is added to the mail as X-Spam-Status header in the following format:
X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
where
<flag> is Yes or No,
<scr> is the spam confidence rating returned by the spam scanner,
<sfl> is the current spam filtering level,
<tests> is the comma-separated list of tests run against the mail.
Modify spam message subject
Specify if the product modifies the subject of mail messages considered as spam.
Add this text to spam message subject
Specify the text that is added in the beginning of the subject of messages considered as spam.
By default, the text is: *** SPAM *** .
Safe/Blocked senders and recipients
List of safe senders Specify safe senders. Messages originating from the specified addresses are never treated as spam.
List of safe recipients Specify safe recipients. Messages sent to the specified addresses are never treated as spam.
List of blocked senders
Specify blocked senders. Messages originating from the specified addresses are always treated as spam.
List of blocked recipients
Specify blocked recipients. Messages sent to the specified addresses are always treated as spam.
The product checks the sender address from the SMTP message envelope, not from the message headers.
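The X-Spam-Flag and X-Spam-Status formats described under Actions on passed through messages can be read by a downstream mail rule or log pipeline. The following Python parser is an added example, not F-Secure code; the function names, the sample messages and the test names TEST_A and TEST_B are constructed for illustration, and treating <scr> and <sfl> as numbers is an assumption.

```python
"""Parse the X-Spam-Flag / X-Spam-Status headers in the format this guide documents."""
import re
from email import message_from_string, policy

# X-Spam-Status: <flag>, hits=<scr> required=<sfl> tests=<tests>
STATUS_RE = re.compile(
    r"^\s*(?P<flag>yes|no)\s*,\s*hits=(?P<hits>\S+)\s+required=(?P<required>\S+)"
    r"\s+tests=(?P<tests>.*)$",
    re.IGNORECASE | re.DOTALL,
)
DEFAULT_SUBJECT_TAG = "*** SPAM ***"  # default subject text named in the guide

# Constructed sample messages; addresses and test names are placeholders.
SAMPLE_SPAM = (
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: *** SPAM *** Special offer\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, hits=8 required=5\n"
    " tests=TEST_A,TEST_B\n"
    "\n"
    "body\n"
)
SAMPLE_CONFLICT = (
    "From: sender@example.com\n"
    "Subject: Meeting notes\n"
    "X-Spam-Flag: NO\n"
    "X-Spam-Status: Yes, hits=6 required=5 tests=TEST_A\n"
    "\n"
    "body\n"
)


def parse_status(value):
    """Return a dict for one X-Spam-Status value, or None if it does not match."""
    m = STATUS_RE.match(value)
    if not m:
        return None
    try:
        # Assumption: <scr> and <sfl> are numeric; float() accepts "8" and "8.0".
        hits, required = float(m["hits"]), float(m["required"])
    except ValueError:
        return None
    tests = [t.strip() for t in m["tests"].split(",") if t.strip()]
    return {"spam": m["flag"].lower() == "yes", "hits": hits,
            "required": required, "tests": tests}


def spam_verdict(raw_message, subject_tag=DEFAULT_SUBJECT_TAG):
    """Combine both headers and the subject tag into one verdict with a problem list."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = [str(v).strip().lower() for v in msg.get_all("X-Spam-Flag", [])]
    statuses = [str(v) for v in msg.get_all("X-Spam-Status", [])]
    verdict = {"spam": None, "hits": None, "required": None, "tests": [],
               "subject_tagged": str(msg.get("Subject", "")).startswith(subject_tag),
               "problems": []}
    # More than one copy of either header makes the verdict ambiguous: report it.
    if len(flags) > 1 or len(statuses) > 1:
        verdict["problems"].append("duplicate spam headers")
    status = parse_status(statuses[0]) if statuses else None
    if statuses and status is None:
        verdict["problems"].append("malformed X-Spam-Status")
    if status:
        verdict.update(status)
    if flags:
        if flags[0] not in ("yes", "no"):
            verdict["problems"].append("malformed X-Spam-Flag")
        else:
            flag_spam = flags[0] == "yes"
            if status and flag_spam != status["spam"]:
                verdict["problems"].append("X-Spam-Flag and X-Spam-Status disagree")
            if verdict["spam"] is None:
                verdict["spam"] = flag_spam
    return verdict
```

A consumer should act on the verdict only when the problems list is empty and route everything else for review.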
3.5 Storage Protection
Configure Storage Protection settings to specify how e-mail messages and attachments in selected mailboxes and public folders should be scanned.
Status
The Status page displays a summary of the protected mailboxes and public folders and infections found.
Number of mailboxes Displays the number of currently protected user mailboxes.
Number of public folders
Displays the number of currently protected public folders.
Processed items
Displays the total number of processed items since the last reset of statistics.
Infected items
Displays the number of items that are infected and cannot be automatically disinfected.
Grayware items
Displays the number of grayware items, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Suspicious items Displays the number of suspicious content found, for example password-protected archives and nested archives.
Last infection found Displays the name of the last infection found.
Last time infection found
Displays the time when the last infection was found.
3.5.1 Real-Time Scanning
The real-time scanning can automatically scan messages that have been created or received.
General
Real-time scanning scans messages in mailboxes and public folders for viruses.
Scanning
Scan only messages created within
Specify which messages are scanned with the real-time scanning, for example: Last hour, Last day, Last week. Messages that have been created before the specified time are not scanned.
This setting works only with Microsoft Exchange Server 2007 and 2010.
Scan timeout Specify how long to wait for the real-time scan result. After the specified time, the client that tries to access the scanned message gets the "virus scanning in progress" notification.
File Type Recognition
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Virus Scanning
Specify messages and attachments in the Microsoft Exchange Storage that should be scanned for malicious code.
Targets
Scan mailboxes Specify mailboxes that are scanned for viruses.
Do not scan mailboxes - Disable the mailbox scanning.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Edit to add or remove mailboxes that should be scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all other. Click Edit to add or remove mailboxes that should not be scanned.
Scan public folders
Specify public folders that are scanned for viruses.
Do not scan public folders - Disable the public folder scanning.
Scan all folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Edit to add or remove public folders that should be scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all other. Click Edit to add or remove public folders that should not be scanned.
IMPORTANT: You need to specify Administrator's mailbox setting to list and scan public folders on Microsoft Exchange 2010 platform. For more information, see “ General ” ,
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “ Match Lists ” ,
Exclude these attachments
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected attachments
Specify whether infected attachments are quarantined.
Do not quarantine these infections
Specify virus and malware infections that are never placed in the quarantine. For more information, see “ Match Lists ” , 208 .
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “ Message Templates ” ,
Grayware Scanning
Specify how the product processes grayware items during real-time scanning.
Scan messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “ Message
Archive Processing
Specify how F-Secure Anti-Virus for Microsoft Exchange processes archive files in Microsoft Exchange Storage.
Scan archives Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives
Specify files that are scanned for viruses inside archives.
Exclude these files
Specify files inside archives that are not scanned. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels deep to scan in nested archives, if Scan Viruses Inside Archives is enabled.
A nested archive is an archive that contains another archive inside. If zero (0) is specified, the maximum nesting level is not limited.
Specify the number of levels the product goes through before the action selected in Limit max Levels of Nested Archives takes place. The default setting is 3.
Actions
Action on max nested archives
Specify the action to take on nested archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass Through - Nested archives are scanned up to level specified in the Max Levels in Nested Archives setting. Exceeding nesting levels are not scanned, but the archive is not removed.
Drop archive - Archives with exceeding nesting levels are removed.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Leave the password protected archive in the message.
Drop archive - Remove the password protected archive from the message.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “ Quarantine .
3.5.2 Manual Scanning
You can scan mailboxes and public folders for viruses and strip attachments manually at any time.
Statistics
The Statistics page displays a summary of the messages processed during the latest manual scan:
Status Displays whether the manual scan is running or stopped.
Number of processed mailboxes
Displays the number of mailboxes that have been scanned and the total number that will be scanned when the manual scan is complete.
Number of processed public folders
Displays the number of public folders that have been scanned and the total number that will be scanned when the manual scan is complete.
Estimated time left
Displays the time left when the manual scan is running.
Elapsed time
Displays how long it has been since the manual scan started.
Processed items
Displays the number of items processed during the scan.
Infected items
Displays the number of infected items found.
Grayware items
Displays the number of grayware items found, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Suspicious items
Displays the number of suspicious content found, for example password-protected archives and nested archives.
Stripped attachments Displays the number of filtered attachments.
Last infection found Displays the name of the last infection found.
Last time infection found
Displays the date when the last infection was found.
Tasks
If the manual scan scans an item that has not been previously scanned for viruses and the real-time scan is on, the scan result may appear on the real-time scan statistics.
Click Start Scanning to start the manual scan.
Click Stop Scanning to stop the manual scan.
Click View Scanning Report to view the latest manual scan report.
General
Specify which messages you want to scan during the manual scan.
Targets
Scan mailboxes Specify mailboxes that are scanned for viruses.
Do not scan mailboxes - Do not scan any mailboxes during the manual scan.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Edit to add or remove mailboxes that should be scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all other.
Click Edit to add or remove mailboxes that should not be scanned.
Scan public folders Specify public folders that are scanned for viruses.
Do not scan public folders - Do not scan any public folders during the manual scan.
Scan all folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Edit to add or remove public folders that should be scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all other.
Click Edit to add or remove public folders that should not be scanned.
IMPORTANT: You need to specify Administrator's mailbox setting to list and scan public folders on Microsoft Exchange 2010 platform. For more information, see “ General ” ,
Incremental Scanning Specify which messages are scanned for viruses during the manual scan.
All messages - Scan all messages.
Only Recent Messages - Scan only messages that have not been scanned during the previous manual or scheduled scan.
File Type Recognition
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Options
Limit max levels of nested messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
Advanced
Administrator's mailbox
Specify the primary SMTP address for the account which is used to scan items in public folders. The user account must have permissions to access and modify items in the public folders.
The setting is used on Microsoft Exchange 2010 platform only and affects manual, realtime, and scheduled storage scanning. If you do not specify any address, public folders in Exchange Store cannot be accessed or even listed.
Attachment Filtering
Specify attachments that are removed from messages during the manual scan.
Strip attachments
Enable or disable the attachment stripping.
Targets
Strip these attachments
Specify which attachments are stripped from messages. For more information, see “ Match
Exclude these attachments
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Actions
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify files which are not quarantined even when they are stripped. For more information,
Notifications
Replacement Text Template
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “ Message Templates ” ,
Virus Scanning
Specify messages and attachments that should be scanned for malicious code during the manual scan.
Scan messages for viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
Disabling virus scanning disables grayware scanning and archive processing as well.
Heuristic Scanning Enable or disable the heuristic scanning. The heuristic scan analyzes files for suspicious code behavior so that the product can detect unknown malware.
The heuristic scan may affect the product performance and increase the risk of false malware alarms.
Targets
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “
Exclude these attachments
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect
Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected attachments
Specify whether infected or suspicious attachments are quarantined.
Do not quarantine these infections
Specify virus and malware infections that are never placed in the quarantine. For more information, see “ Match Lists ” , 208 .
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “ Message Templates ” ,
Grayware Scanning
Specify how the product processes grayware items during the manual scan.
Scan messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “ Message
Archive Processing
Specify how the product processes archive files during the manual scan.
Scan archives Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives
Specify files inside archives that are scanned for viruses. For more information, see “ Match Lists ” ,
Exclude these files
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives
Specify whether files inside compressed archive files are processed for disallowed content.
If you want to detect disallowed content, specify files that are not allowed. For more information,
Actions
Action on archives with disallowed files
Specify the action to take on archives that contain disallowed content.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Drop the whole message - Do not deliver the message to the recipient at all.
Action on max nested archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the password protected archive from the message.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “ Match Lists ” , 208 .
3.5.3 Scheduled Scanning
The Scheduled Tasks list displays all scheduled tasks and date and time when they occur for the next time.
Click Add new task to create a new scheduled operation.
Click the scheduled task name to edit it or Remove to completely remove it.
Creating Scheduled Task
Click Add new task in the Scheduled Scanning page to start the Scheduled Operation Wizard .
Step 1. Specify Scanning Task Name and Schedule
Enter the name for the new task and select how frequently you want the operation to be performed.
Active Specify whether you want the scheduled scanning task to be active immediately after you have created it.
General
Task name Specify the name of the scheduled operation.
Do not use any special characters in the task name.
Frequency of the operation
Specify how frequently you want the operation to be performed.
Once - Only once at the specified time.
Daily - Every day at the specified time, starting from the specified date.
Weekly - Every week at the specified time on the same day when the first operation is scheduled to start.
Monthly - Every month at the specified time on the same date when the first operation is scheduled to start.
Start time
Enter the start time of the task in hh:mm format.
Start date
Enter the start date of the task in mm/dd/yyyy format.
Targets
Scan mailboxes
Specify mailboxes that are scanned for viruses.
Do not scan mailboxes - Disable the mailbox scanning.
Scan all mailboxes - Scan all mailboxes.
Scan only included mailboxes - Scan all specified mailboxes. Click Edit to add or remove mailboxes that should be scanned.
Scan all except excluded mailboxes - Do not scan specified mailboxes but scan all other. Click Edit to add or remove mailboxes that should not be scanned.
Scan public folders
Specify public folders that are scanned for viruses.
Do not scan public folders - Disable the public folder scanning.
Scan all folders - Scan all public folders.
Scan only included public folders - Scan all specified public folders. Click Edit to add or remove public folders that should be scanned.
Scan all except excluded public folders - Do not scan specified public folders but scan all other. Click Edit to add or remove public folders that should not be scanned.
IMPORTANT: You need to specify Administrator's mailbox setting to list and scan public folders on Microsoft Exchange 2010 platform. For more information, see “ General ” ,
Incremental scanning Specify whether you want to process all messages or only those messages that have not been processed previously during the manual or scheduled processing.
Options
Intelligent file type recognition
Select whether you want to use Intelligent File Type Recognition or not.
Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed.
Using Intelligent File Type Recognition strengthens the security, but can degrade the system performance.
Limit max levels of nested messages
Specify how many levels deep to scan in nested e-mail messages. A nested e-mail message is a message that includes one or more e-mail messages as attachments. If zero (0) is specified, the maximum nesting level is not limited.
It is not recommended to set the maximum nesting level to unlimited as this will make the product more vulnerable to DoS (Denial-of-Service) attacks.
Step 2. Specify Attachment Filtering Options
Choose settings for stripping attachments during the scheduled operation.
Strip attachments from e-mail messages
Enable or disable the attachment stripping.
Targets
Strip these attachments
Specify which attachments are stripped from messages. For more information, see “ Match
Exclude these attachments
Specify attachments that are not filtered. Leave the list empty if you do not want to exclude any attachments from the filtering.
Action
Quarantine stripped attachments
Specify whether stripped attachments are quarantined.
Do not quarantine these attachments
Specify files which are not quarantined even when they are stripped. For more information,
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the stripped attachment is removed from the message. For more information, see “ Message Templates ” ,
Step 3. Specify Virus Scanning Options
Choose how mailboxes and public folders are scanned for viruses during the scheduled operation.
Scan messages for viruses
Enable or disable the virus scan. The virus scan scans messages for viruses and other malicious code.
If you disable the virus scan, grayware scanning and archive processing are disabled as well.
Heuristic Scanning
Enable or disable the heuristic scanning. The heuristic scanning analyzes files for suspicious code behavior so that the product can detect unknown malware.
Heuristic scanning may affect the product performance and increase the risk of false malware alarms.
Targets
Scan these attachments
Specify attachments that are scanned for viruses. For more information, see “ Match Lists ” ,
Exclude these attachments
Specify attachments that are not scanned. Leave the list empty if you do not want to exclude any attachments from the scanning.
Actions
Try to disinfect Specify whether the product should try to disinfect an infected attachment before processing it. If the disinfection succeeds, the product does not process the attachment further.
Disinfection may affect the product performance.
Infected files inside archives are not disinfected even when the setting is enabled.
Quarantine infected messages
Specify whether infected or suspicious messages are quarantined.
Do not quarantine these infections
Specify infections that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the infected attachment when the infected attachment is removed from the message. For more information, see “ Message Templates ” ,
Step 4. Specify Grayware Scanning Options
Choose settings for grayware scanning during the scheduled operation.
Scan messages for grayware
Enable or disable the grayware scan.
Actions
Action on grayware Specify the action to take on items which contain grayware.
Report only - Leave grayware items in the message and notify the administrator.
Drop attachment - Remove grayware items from the message.
Grayware exclusion list
Specify the list of keywords for grayware types that are not scanned. Leave the list empty if you do not want to exclude any grayware types from the scan. For more information, see “ Match
Quarantine dropped grayware
Specify whether grayware attachments are quarantined when dropped.
Do not quarantine this grayware
Specify grayware that are never placed in the quarantine. For more information, see “ Match
Notifications
Replacement text template
Specify the template for the text that replaces the grayware item when it is removed from the message. For more information, see “ Message
Step 5. Specify Archive Processing Options
Choose settings for archive processing during the scheduled operation.
Scan archives Specify if files inside archives are scanned for viruses and other malicious code.
Targets
List of files to scan inside archives
Specify files inside archives that are scanned for viruses. For more information, see “ Match Lists ” ,
Exclude these files
Specify files that are not scanned inside archives. Leave the list empty if you do not want to exclude any files from the scanning.
Limit max levels of nested archives
Specify how many levels of archives inside other archives the product scans when Scan Viruses Inside Archives is enabled.
Detect disallowed files inside archives
Specify files which are not allowed inside archives. For more information, see “ Match
Actions
Action on archives with disallowed files
Specify the action to take on archives which contain disallowed files.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Action on max nested archives
Specify the action to take on archives with nesting levels exceeding the upper level specified in the Max Levels in Nested Archives setting.
Pass through - Deliver the message with the archive to the recipient.
Drop archive - Remove the archive from the message and deliver the message to the recipient without it.
Action on password protected archives
Specify the action to take on archives which are protected with passwords. These archives can be opened only with a valid password, so the product cannot scan their content.
Pass through - Deliver the message with the password protected archive to the recipient.
Drop archive - Remove the password protected archive from the message and deliver the message to the recipient without it.
Quarantine dropped archives
Specify whether archives that are not delivered to recipients are placed in the quarantine. For more information, see “ Quarantine .
Step 6. Finish
The Scheduled Operation Wizard displays the summary of created operation. Click Finish to accept the new scheduled operation and to exit the wizard.
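The nesting limit, the actions on over-nested and password-protected archives, and Intelligent File Type Recognition described in the scanning settings above can be shown working together on ZIP files. The following Python code is an added example, not the product's implementation: the function names, counting the outermost archive as level 1 and the max_member_bytes cap are assumptions, and the sample archives are constructed in memory.

```python
"""Depth-limited archive walk that recognises nested archives by content."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # signature that starts a non-empty ZIP file
ENCRYPTED = 0x1            # general-purpose flag bit 0: member needs a password


def scan_archive(data, max_levels=3, on_exceed="drop", on_password="drop",
                 max_member_bytes=1_000_000):
    """Walk the ZIP in `data`; return {'action', 'scanned', 'skipped'}.

    max_levels=0 means unlimited, as in the guide. Counting the outermost
    archive as level 1 and the max_member_bytes cap are assumptions of this
    example, not documented product behaviour.
    """
    result = {"action": "pass", "scanned": [], "skipped": []}

    def walk(blob, level, path):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                name = f"{path}/{info.filename}" if path else info.filename
                if info.flag_bits & ENCRYPTED:
                    # Content cannot be read without the password.
                    result["skipped"].append((name, "password protected"))
                    if on_password == "drop":
                        result["action"] = "drop"
                    continue
                if info.file_size > max_member_bytes:
                    result["skipped"].append((name, "too large"))
                    continue
                member = zf.read(info)
                if not member.startswith(ZIP_MAGIC):
                    result["scanned"].append(name)  # pass `member` to the scanner here
                    continue
                # Content decides the type: a ZIP renamed to .txt is still an archive.
                if max_levels and level + 1 > max_levels:
                    result["skipped"].append((name, "nesting limit"))
                    if on_exceed == "drop":
                        result["action"] = "drop"
                    continue
                try:
                    walk(member, level + 1, name)
                except zipfile.BadZipFile:
                    result["skipped"].append((name, "malformed archive"))

    walk(data, 1, "")
    return result


def build_nested_zip(levels, disguise=False):
    """Constructed sample: a text file wrapped in `levels` ZIP layers."""
    blob, name = b"harmless sample content", "note.txt"
    for depth in range(levels, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, blob)
        blob = buf.getvalue()
        name = f"level{depth}.txt" if disguise else f"level{depth}.zip"
    return blob


def mark_encrypted(blob):
    """Constructed sample: set the encryption flag in the last central-directory entry."""
    pos = blob.rfind(b"PK\x01\x02")  # central directory file header signature
    patched = bytearray(blob)
    patched[pos + 8] |= ENCRYPTED    # flag field sits 8 bytes into the header
    return bytes(patched)
```

With max_levels=0 the walk recurses as deep as the input dictates, which is the resource exposure the guide warns about when the nesting level is left unlimited.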
3.6 Quarantine
Quarantine in F-Secure Anti-Virus for Microsoft Exchange is handled through a SQL database. The product is able to quarantine e-mails and attachments which contain malicious or otherwise unwanted content, such as spam messages.
The Quarantine management is divided into two different parts:
Quarantine-related configuration, and
the management of the quarantined content, for example searching for and deleting quarantined content. For more information about searching and deleting quarantined content, see “Quarantine Management”, 211.
Status
The Quarantine Status page displays a summary of the quarantined messages and attachments:
Infected
Displays the number of messages and attachments that are infected.
Disallowed attachments
Displays the number of messages that contained attachments with disallowed files.
Grayware
Displays the number of messages that have grayware items, including spyware, adware, dialers, joke programs, remote access tools and other unwanted applications.
Disallowed content
Displays the number of messages that have been found to contain disallowed keywords in the message subject or text.
Suspicious
Displays the number of suspicious items found, for example password-protected archives, nested archives and malformed messages.
Spam
Displays the number of messages that are classified as spam.
Unsafe
Displays the number of messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a spam or virus outbreak.
Scan failure
Displays the number of files that could not be scanned, for example severely corrupted files.
3.6.1 Query
You can use the Quarantine Query page to search for the quarantined content. For more information, see “Searching the Quarantined Content”.
3.6.2 Options
You can configure the quarantine storage location and threshold, how quarantined files are processed and quarantine logging options.
General Quarantine Options
When F-Secure Anti-Virus for Microsoft Exchange places content in the Quarantine, it saves the content as separate files in the Quarantine Storage and inserts an entry into the Quarantine Database with information about the quarantined content.
Quarantine storage
Quarantine storage
Specify the location of the quarantine storage directory. Before you change the Quarantine storage directory, see “Moving the Quarantine Storage”, 226.
Make sure that the F-Secure Anti-Virus for Microsoft Exchange service has write access to this directory. Adjust the access rights to the directory so that only the F-Secure Anti-Virus for Microsoft Exchange service and the local administrator can access files in the Quarantine.
Quarantine thresholds
Quarantine size threshold
Specify the critical size (in megabytes) of the quarantine folder. If the specified value is reached, the product sends an alert. The default value is 200. If zero (0) is specified, the size of the Quarantine is not checked. The allowed value range is from 0 to 10240.
Quarantined items threshold
Specify the critical number of items in the Quarantine storage. If the specified value is reached or exceeded, the product sends an alert. If zero (0) is specified, the number of items in the Quarantine storage is not checked. The default value is 100000 items.
Notify when quarantine threshold is reached
Specify how the administrator should be notified when the Quarantine Size Threshold and/or Quarantined Items Threshold are reached. No alert is sent if both thresholds are set to zero (0).
Message template
Released quarantine message template
Specify the template for the message that is sent to the intended recipients when e-mail content is released from the quarantine. For more information, see “Message Templates”.
Quarantine Maintenance
When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients. For more information, see “Reprocessing the Quarantined Content”, 223.
When removing quarantined messages from the quarantine, the product uses the currently configured quarantine retention and cleanup settings.
Reprocess unsafe messages
Automatically reprocess unsafe messages
Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine.
Set the value to Disabled to process unsafe messages manually.
Max attempts to process unsafe messages
Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine.
Final action on unsafe messages
Specify the action on unsafe messages after the maximum number of reprocesses have been attempted.
Leave in Quarantine - Leave messages in the Quarantine and process them manually.
Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.
Quarantine retention and cleanup
Retain items in quarantine
Specify how long quarantined items should be retained in the Quarantine before they are deleted.
Use the Quarantine Cleanup Exceptions table to change the retention period for a particular Quarantine category.
Delete old quarantined items
Specify how often the storage should be cleaned of old quarantined items.
Use the Quarantine Cleanup Exceptions table to change the cleanup interval for a particular Quarantine category.
Exceptions
Specify separate quarantine retention period and cleanup interval for any Quarantine category. If retention period and cleanup interval for a category are not defined in this table, then the default ones (specified above) are used.
Active - Enable or disable the selected entry in the table.
Quarantine category - Select a category the retention period or cleanup interval of which you want to modify. The categories are:
Infected
Suspicious
Disallowed attachment
Disallowed content
Spam
Scan failure
Unsafe
Grayware
Retention period - Specify an exception to the default retention period for the selected Quarantine category.
Cleanup interval - Specify an exception to the default cleanup interval for the selected Quarantine category.
Quarantine Database
You can specify the database where information about quarantined e-mails is stored and from which it is retrieved.
Quarantine database
SQL server name
The name of the SQL server where the database is located.
Database name
The name of the quarantine database. The default name is FSMSE_Quarantine.
User name
The user name the product uses when accessing the database.
Password
The password the product uses when accessing the database.
Click Test database connection to make sure that you can access the quarantine database with the configured user name and password.
Quarantine Logging
Specify where F-Secure Anti-Virus for Microsoft Exchange stores Quarantine log files.
Logging directory
Quarantine log directory
Specify the path for Quarantine log files.
Logging options
Rotate quarantine logs
Specify how often the product rotates Quarantine log files. At the end of each rotation time a new log file is created.
Keep rotated quarantine logs
Specify how many rotated log files should be stored in the Quarantine.
3.7 Automatic Updates
With F-Secure Automatic Update Agent, virus and spam definition database updates are retrieved automatically when they are published to F-Secure Update Server.
Tasks
Click Check for updates now to check that the product is using the latest database updates. If the virus and spam databases are not up-to-date, updates are downloaded automatically.
Click Change communication settings to configure how the product connects to F-Secure Update Server. For more information, see “Automatic Updates General Settings”, 184.
Status
The Status page displays information on the latest update.
Channel name
Displays the channel from where the updates are downloaded.
Channel address
Displays the address of the Automatic Updates Server.
Latest installed update
Displays the version and name of the latest installed update.
Last check time
Displays the date and time when the last update check was done.
Last check result
Displays the result of the last update check.
Next check time
Displays the date and time for the next update check.
Last successful check time
Displays the date and time when the last successful update check was done.
Downloads
The Downloads page displays information about downloaded and installed update packages.
3.7.1 Communications
Specify how the product connects to F-Secure Update Server.
Automatic Updates General Settings
Edit General settings to select whether you want to use automatic updates and how often the product checks for new updates.
Turn on automatic updating
Enable or disable the automatic virus and spam database updates. By default, automatic updates are enabled.
Internet connection checking
Specify whether the product should check the connection to the Internet before trying to retrieve updates.
Use HTTP Proxy
Select whether HTTP proxy should be used.
No - HTTP proxy is not used.
From browser settings - Use the same HTTP proxy settings as the default web browser.
User defined - Define the HTTP proxy. Enter the proxy address in the User defined proxy field.
Update Server
Allow fetching updates from F-Secure Update Server
Specify whether the product should connect to F-Secure Update Server when it cannot connect to any user-specified update server. To edit the list of update sources, see “ Policy Manager .
Server failover time
Define (in hours) the failover time to connect to F-Secure Policy Manager Server or F-Secure Policy Manager Proxy.
If the product cannot connect to any user-specified update server during the failover time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.
Server polling interval
Define (in minutes) how often the product checks F-Secure Policy Manager Proxies for new updates.
Policy Manager Proxies
Edit the list of virus definition database update sources and F-Secure Policy Manager proxies. If no update servers are configured, the product retrieves the latest virus definition updates from F-Secure Update Server automatically.
To add a new update source address to the list, follow these instructions:
1. Click Add new proxy to add the new entry to the list.
2. Enter the URL of the update source.
3. Edit the priority of the update source.
The priority numbers are used to define the order in which the host tries to connect to servers. Virus definition updates are downloaded from the primary sources first; secondary update sources can be used as a backup.
The product connects to the source with the smallest priority number first (1). If the connection to that source fails, it tries to connect to the source with the next smallest number (2) until the connection succeeds.
4. Click OK to add the new update source to the list.
3.8 General Server Properties
The Host information displays the following details of the host:
WINS name
DNS names
IP addresses
Unique ID
In the centralized management mode, the page displays the following details of the F-Secure Policy Manager:
Management server
Last connection
Policy file counter
Policy file timestamp
Tasks
Click Poll the server now to poll F-Secure Policy Manager Server for the latest policy file immediately.
Click Export settings to open a list of all F-Secure Anti-Virus for Microsoft Exchange settings in a new Internet browser window.
Click Export statistics to open a list of all F-Secure Anti-Virus for Microsoft Exchange statistics in a new Internet browser window.
To print current settings or statistics, click Download to download and save settings and statistics as a file.
Click F-Secure support tool to run the F-Secure Support Tool utility to gather a report for F-Secure Technical Support. For more information, see “F-Secure Support Tool”, 247.
3.8.1 Administration
Configure Administration settings to change the management mode, specify where and how alerts are sent, configure the F-Secure Anti-Virus for Microsoft Exchange Web Console, define the network configuration and SMTP address for e-mail notifications, and specify how the samples of unsafe e-mails should be sent to F-Secure.
Management Mode
Communication method
If you use F-Secure Policy Manager Server, specify the URL of F-Secure Policy Manager Server. Do not add a slash at the end of the URL.
For example: “http://fsms.example.com”.
Select Stand-alone if you use F-Secure Anti-Virus for Exchange Web Console to administer the product.
Logging
Specify the maximum file size of the F-Secure log file.
Alerting
You can specify where an alert is sent according to its severity level. You can send the alert to any of the following:
F-Secure Policy Manager
Windows Event Log
If you choose to forward alerts to e-mail, specify the SMTP server address, alert message subject line and the return address of the alert e-mail.
To forward alerts to an e-mail, follow these instructions:
1. Click Add new recipient to add a new entry in the E-mail Address table.
2. Type the e-mail address of the alert recipient.
3. Select the types of alerts that are to be sent to this address.
4. Click Apply.
Informational and warning-level alerts are not sent to F-Secure Policy Manager Console by default. If you want to use centralized administration mode, it is recommended to have all alerts sent to F-Secure Policy Manager Console.
Web Console
Change Web Console settings to configure how you connect to F-Secure Anti-Virus for Microsoft Exchange Web Console.
General
Limit session timeout
Specify the length of time a client can be connected to the server. When the session expires, the F-Secure Anti-Virus for Microsoft Exchange Web Console terminates the session and displays a warning. The default value is 60 minutes.
Connections
Listen on address
Specify the IP address of the F-Secure Anti-Virus for Microsoft Exchange Web Console Server.
Port
Specify the port where the server listens for connections. The default port is 25023.
Allowed hosts
Specify a list of hosts which are allowed to connect to F-Secure Anti-Virus for Microsoft Exchange Web Console.
To add a new host in the list, click Add new hosts and enter the IP address of the host.
To edit the host entry, click the IP address.
To delete the entry, click remove at the end of the host entry row.
Language
Specify the language that you want to use in F-Secure Anti-Virus for Microsoft Exchange Web Console. Currently supported languages are: English, French, German, Italian, Japanese, and Spanish.
Reload F-Secure Anti-Virus for Microsoft Exchange Web Console after you change the language to take the new language into use.
3.8.2 Network Configuration
The mail direction is based on the Internal domains and Internal SMTP senders settings and it is determined as follows:
1. E-mail messages are considered internal if they come from internal SMTP sender hosts and mail recipients belong to one of the specified internal domains (internal recipients).
2. E-mail messages are considered outbound if they come from internal SMTP sender hosts and mail recipients do not belong to the specified internal domains (external recipients).
3. E-mail messages that come from hosts that are not defined as internal SMTP sender hosts are considered inbound.
4. E-mail messages submitted via MAPI or Pickup Folder are treated as if they are sent from the internal SMTP sender host.
If e-mail messages come from internal SMTP sender hosts and contain both internal and external recipients, messages are split and processed as internal and outbound respectively.
On Microsoft Exchange Server 2003, internal messages which are submitted via MAPI or Pickup Folder are not delivered via transport level. Therefore, those messages do not pass Transport Protection and they are checked on the storage level only.
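The direction rules above, worked through as an added example (not F-Secure's code and not part of the original guide). It assumes glob-style matching for the asterisk in domain names and per-octet matching for * and - in addresses, in the forms the Internal Domains and Internal SMTP senders settings accept; all function names are hypothetical.

```python
import ipaddress
from fnmatch import fnmatchcase

# Sample settings assembled from the example values given for these settings.
INTERNAL_DOMAINS = "*example.com internal.example.net"
INTERNAL_SENDERS = "172.16.4.4 172.16.*.1 172.16.4.0-16 172.16.250-255.* 10.1.0.0/16"


def ip_matches(spec, ip):
    """Return True if IPv4 address `ip` matches one Internal SMTP senders entry."""
    addr = ipaddress.IPv4Address(ip)
    if "/" in spec:
        # Covers both network/netmask (10.1.0.0/255.255.0.0) and CIDR (10.1.0.0/16).
        return addr in ipaddress.IPv4Network(spec, strict=False)
    spec_octets = spec.split(".")
    if len(spec_octets) != 4:
        raise ValueError(f"not an IPv4 pattern: {spec!r}")
    for pattern, octet in zip(spec_octets, str(addr).split(".")):
        if pattern == "*":          # asterisk: any number in this position
            continue
        low, _, high = pattern.partition("-")   # "0-16" is a range, "4" is exact
        if not int(low) <= int(octet) <= int(high or low):
            return False
    return True


def is_internal_recipient(address, internal_domains=INTERNAL_DOMAINS):
    """Return True if the recipient's domain matches an Internal Domains entry.

    Assumption: glob semantics. Under them "*example.com" matches every domain
    that ends in those characters, not only example.com and its subdomains.
    """
    domain = address.rpartition("@")[2].lower()
    return any(fnmatchcase(domain, p.lower()) for p in internal_domains.split())


def classify(sender_ip, recipients, internal_domains=INTERNAL_DOMAINS,
             internal_senders=INTERNAL_SENDERS, local_submission=False):
    """Split a message's recipients by mail direction.

    local_submission=True models rule 4 (MAPI or Pickup Folder): the message is
    treated as if it came from an internal SMTP sender host.
    """
    from_internal = local_submission or any(
        ip_matches(spec, sender_ip) for spec in internal_senders.split()
    )
    if not from_internal:
        # Rule 3: the sender host alone decides; recipients are not examined.
        return {"inbound": list(recipients)}
    result = {}
    for rcpt in recipients:
        # Rules 1 and 2, applied per recipient so mixed messages are split.
        direction = "internal" if is_internal_recipient(rcpt, internal_domains) else "outbound"
        result.setdefault(direction, []).append(rcpt)
    return result


if __name__ == "__main__":
    # Constructed sample messages: (sender host, recipients, submitted locally?)
    samples = [
        ("172.16.4.9", ["alice@example.com", "bob@partner.test"], False),
        ("203.0.113.9", ["alice@example.com"], False),
        (None, ["dave@internal.example.net"], True),
    ]
    for host, rcpts, local in samples:
        print(host, "->", classify(host, rcpts, local_submission=local))
```

Running a planned Internal SMTP senders list through a check like this before applying it shows which hosts would have their mail treated as internal or outbound rather than inbound.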
Internal Domains
Specify internal domains.
Separate each domain name with a space. You can use an asterisk (*) as a wildcard. For example, *example.com internal.example.net
Internal SMTP senders
Specify the IP addresses of hosts that belong to your organization. Specify all hosts within the organization that send messages to Exchange Edge or Hub servers via SMTP as Internal SMTP Senders.
Separate each IP address with a space. An IP address range can be defined as:
a network/netmask pair (for example, 10.1.0.0/255.255.0.0), or
a network/nnn CIDR specification (for example, 10.1.0.0/16).
You can use an asterisk (*) to match any number or dash (-) to define a range of numbers. For example, 172.16.4.4 172.16.*.1 172.16.4.0-16 172.16.250-255.*
If end-users in the organization use other than Microsoft Outlook e-mail client to send and receive e-mail, it is recommended to specify all end-user workstations as Internal SMTP Senders.
If the organization has Exchange Edge and Hub servers, the server with the Hub role installed should be added to the Internal SMTP Sender on the server where the Edge role is installed.
IMPORTANT: Do not specify the server where the Edge role is installed as Internal SMTP Sender.
3.8.3 Notifications
Specify Notification Sender Address that is used by F-Secure Anti-Virus for Microsoft Exchange for sending warning and informational messages to the end-users (for example, recipients, senders and mailbox owners).
Make sure that the notification sender address is a valid SMTP address. A public folder cannot be used as the notification sender address.
3.8.4 Sample Submission
You can use the product to send samples of unsafe e-mails and new, yet undefined malware to F-Secure for analysis.
Max submission attempts
Specify how many times the product attempts to send the sample if the submission fails.
Resend interval
Specify the time interval (in minutes) how long F-Secure Anti-Virus for Microsoft Exchange should wait before trying to send the sample again if the previous submission failed.
Connection timeout
Specify the time (in seconds) how long the product tries to contact the F-Secure Hospital server.
Send timeout
Specify the time (in seconds) how long the product waits for the sample submission to complete.
3.8.5 Engines
The Engines Status page displays server statistics and the current status of scanning engines.
Server Statistics
Number of scanned files
The number of files that have been scanned.
Last virus database update
The last date and time when the virus definition database was updated.
Virus database update version
The version number of the virus definition database.
Last time infection found
The date and time when the last infection was found.
Last infection found
The name of the last infection that was found.
Scan Engines
The Scan Engines list displays scan engines and the database update statistics.
If you want to disable the scan for certain files with a specified scan engine, click Properties and enter the file extensions you want to exclude from the scan.
Database Updates
Configure Database Update options to set notification alerts when virus and spam definition databases are outdated.
Database age checking
Notify when databases are older than
Specify when virus definition databases are outdated. If databases are older than the specified number of days, F-Secure Content Scanner Server sends an alert to the administrator.
Notify when databases become old
Specify the alert F-Secure Content Scanner Server should send to the administrator when virus definition databases are not up-to-date.
Configure the Alert Forwarding table to specify where the alert is sent based on the severity level. For more information, see “Alerting”, 190.
Database verification
Verify integrity of downloaded databases
Specify whether the product verifies that the downloaded virus definition databases are the original databases published by F-Secure Corporation and that they have not been altered or corrupted in any way before taking them into use.
Proxy Server
F-Secure Content Scanner Server can use a proxy server to connect to the threat detection center.
Use proxy server
Specify whether F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center.
Proxy configuration
Proxy server address
Specify the address of the proxy server.
Proxy server port
Specify the port number of the proxy server.
Authentication method
Specify the authentication method to use to authenticate to the proxy server.
NoAuth - The proxy server does not require authentication.
Basic - The proxy uses the basic authentication scheme.
NTLM - The proxy uses NTLM authentication scheme.
User name
Specify the user name for the proxy server authentication.
Password
Specify the password for the proxy server authentication.
Domain
Specify the domain name for the proxy server authentication.
The proxy authentication settings can be configured with F-Secure Anti-Virus for Microsoft Exchange Web Console only.
Threat Detection
F-Secure Anti-Virus for Microsoft Exchange can identify spam and virus outbreak patterns from messages.
Cache
VOD cache size
Specify the maximum number of patterns to cache for the virus outbreak detection service. By default, the cache size is 10000 cached patterns.
Class cache size
Specify the maximum number of patterns to cache for spam detection service. By default, the cache size is 10000 cached patterns.
Increasing cache sizes may increase the threat detection performance but it requires more disk space and may degrade the threat detection rate. Cache sizes can be disabled (set the size to 0) for troubleshooting purposes.
Click Clear cache to clear the detection service cache.
Spam Scanning
Spam detection
Enable or disable the threat detection service while scanning inbound messages for spam.
Action on connection failure
Specify the action for messages when the threat detection center cannot be contacted and the threat detection engine cannot classify the message.
Pass through - The message is passed through without scanning it for spam.
Heuristic Scanning - F-Secure Content Scanner Server checks the message using spam heuristics.
Trusted networks
Specify networks and hosts in the mail relay network which can be trusted not to be operated by spammers and do not have open relays or open proxies.
Define the network as a network/netmask pair (10.1.0.0/255.255.0.0), with the network/nnn CIDR specification (10.1.0.0/16), or use ‘*’ wildcard to match any number and ‘-’ to define a range of numbers (172.16.*.1, 172.16.4.10-110).
Advanced
Configure Advanced options to set the working directory and optimize the product performance.
Working directory
Working directory
Specify the working directory. Enter the complete path in the field or click Browse to browse to the path you want to set as the new working directory.
Working directory clean interval
Specify how often the working directory is cleaned of all files that may be left there. By default, files are cleaned every 30 minutes.
Free space threshold
Set the free space threshold of the working directory. F-Secure Content Scanner Server sends an alert to the administrator when the drive has less than the specified amount of space left.
Performance
Maximum size of data processed in memory
Specify the maximum size (in kilobytes) of data to be transferred to the server via shared memory in the local interaction mode. When the amount of data exceeds the specified limit, a local temporary file will be used for data transfer.
If the option is set to zero (0), all data transfers via shared memory are disabled.
The setting is ignored if the local interaction mode is disabled.
Maximum number of concurrent transactions
Specify how many files F-Secure Content Scanner Server should process simultaneously.
Maximum scan timeout
Specify how long a scan task can be carried out before it is automatically cancelled.
Number of spam scanner instances
Specify the number of Spam Scanner instances to be created and used for spam analysis. As one instance of the spam scanner is capable of processing one mail message at a time, this setting defines how many messages undergo the spam analysis simultaneously.
You have to restart the Content Scanner Server after you change this setting to take the new setting into use.
IMPORTANT: Spam analysis is a processor-intensive operation and each spam scanner instance takes approximately 25MB of memory (process fsavsd.exe). Do not increase the number of instances unless the product is running on a powerful computer.
3.8.6 Lists and Templates
Match Lists are lists of file name patterns, keywords, or e-mail addresses that can be used with certain product settings.
Message Templates can be used for notification messages.
Match Lists
Click the name of an existing match list to edit the list or Add new list to create a new match list.
List name
Select the match list you want to edit. If you are creating a new match list, specify the name for the new match list.
Type
Specify whether the list contains keywords, file patterns or email addresses.
Filter
Specify file names, extensions, keywords or email addresses that the match list contains.
To create a filter based on file name extensions, enter only the extension to the list (for example, EXE).
Message Templates
Click the name of an existing template to edit it or Add new item to create a new template.
Name
Select the template you want to edit. If you are creating a new template, specify the name for the new template.
Subject/Filename
Specify the subject line of the notification message.
Message body
Specify the notification message text.
For more information about the variables you can use in notification messages, see “Variables in Warning Messages”, 231.
Description
Specify a short description for the template.
4 QUARANTINE MANAGEMENT
Introduction
Configuring Quarantine Options
Quarantine Status
Searching the Quarantined Content
Query Results Page
Quarantine Operations
Moving the Quarantine Storage
4.1 Introduction
You can manage and search quarantined mails with the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can search for quarantined content by using different search criteria, including the quarantine ID, recipient and sender address, the time period during which the message was quarantined, and so on. You can reprocess and delete messages, and specify storage and automatic deletion times based on the reason for quarantining the message.
If you have multiple F-Secure Anti-Virus for Microsoft Exchange installations, you can manage the quarantined content on all of them from one single F-Secure Anti-Virus for Microsoft Exchange Web Console.
The quarantine consists of:
Quarantine Database
The quarantine database contains information about the quarantined messages and attachments. If there are several F-Secure Anti-Virus for Microsoft Exchange installations in the network, they can either have their own quarantine databases, or they can use a common quarantine database. An SQL database server is required for the quarantine database.
For more information on the SQL database servers that can be used for deploying the quarantine database, consult the F-Secure Anti-Virus for Microsoft Exchange Deployment Guide.
The following SQL databases can be used for storing information about the quarantined content:
Microsoft SQL Server 2000 Desktop Engine (MSDE)
Microsoft SQL Server 2000
Microsoft SQL Server 2005
MSDE is delivered together with the product. If you want to use another database (Microsoft SQL Server 2000), you must buy it and get your own license before you start to deploy F-Secure Anti-Virus for Microsoft Exchange.
Quarantine Storage
The quarantine storage where the quarantined messages and attachments are stored is located on the server where F-Secure Anti-Virus for Microsoft Exchange is installed. If there are several F-Secure Anti-Virus for Microsoft Exchange installations in the network, they all have their own storages. The storages are accessible from a single F-Secure Anti-Virus for Microsoft Exchange Web Console.
4.1.1 Quarantine Reasons
The quarantine storage can store:
Messages and attachments that are infected and cannot be automatically disinfected. (Infected)
Suspicious content, for example password-protected archives, nested archives and malformed messages. (Suspicious)
Messages and attachments that have been blocked by their filename or filename extension. (Disallowed attachment)
Messages that contain disallowed words in the subject line or message body. (Disallowed content)
Messages that are considered as spam. (Spam)
Messages that contain grayware. (Grayware)
Files that could not be scanned, for example severely corrupted files. (Scan failure)
Messages that contain patterns that can be assumed to be a part of a spam or virus outbreak. (Unsafe)
4.2 Configuring Quarantine Options
In stand-alone installations, all the quarantine settings can be configured on the Quarantine page in F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information on the settings, see “Quarantine”.
In centrally managed installations, the quarantine settings are configured with F-Secure Policy Manager in the F-Secure Anti-Virus for Microsoft Exchange / Settings / Quarantine branch. For more information, see .
The actual quarantine management is done through F-Secure Anti-Virus for Microsoft Exchange Web Console.
4.3 Quarantine Status
The Quarantine status page displays the number of quarantined items in each quarantine category, and the total size of the quarantine.
4.3.1 Quarantine Logging
To view the Quarantine Log, open the Quarantine page. Then click the View Quarantine Log link.
4.4 Searching the Quarantined Content
You can search the quarantined content on the Quarantine Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
You can use any of the following search criteria. Leave all fields empty to see all quarantined content.
Quarantine ID
Enter the quarantine ID of the quarantined message. The quarantine ID is displayed in the notification sent to the user about the quarantined message and in the alert message.
Object type
Select the type of the quarantined content.
Mails and attachments - Search for both quarantined mails and attachments.
Attachment - Search for quarantined attachments.
Mail - Search for quarantined mails.
Reason
Select the quarantining reason from the drop-down menu. For more information, see “Quarantine Reasons”, 213.
Reason details
Specify details about the scanning or processing results that caused the message to be quarantined. For example:
The message is infected - specify the name of the infection that was found in an infected message.
Sender
Enter the e-mail address of the message sender. You can only search for one address at a time, but you can widen the search by using the wildcards.
Recipients
Enter the e-mail address of the message recipient.
Subject
Enter the message subject to be used as search criteria.
Message ID
Enter the Message ID of the quarantined mail.
Sender Host
Enter the address of the sender mail server or client.
You can specify Message ID and Sender Host only when you search for quarantined mails.
Name
Enter the file name of the quarantined attachment.
Location
Enter the location of the mailbox or public folder where the quarantined attachment was found.
You can specify Name and Location only when you search for quarantined attachments.
Show only
You can use this option to view the current status of messages that you have set to be reprocessed, released or deleted. Because processing a large number of e-mails may take time, you can use this option to monitor how the operation is progressing.
The options available are:
Unprocessed e-mails - Displays only e-mails that the administrator has not set to be released, reprocessed or deleted.
E-mails to be released - Displays only e-mails that are currently set to be released, but have not been released yet.
E-mails to be reprocessed - Displays only e-mails that are currently set to be reprocessed, but have not been reprocessed yet.
E-mails to be released or reprocessed - Displays e-mails that are currently set to be reprocessed or released, but have not been reprocessed or released yet.
Search period
Select the time period when the data has been quarantined. Select Exact start and end dates to specify the date and time (year, month, day, hour, minute) when the data has been quarantined.
Sort Results
Specify how the search results are sorted by selecting one of the options in the Sort Results drop-down listbox: based on Date, Sender, Recipients, Subject or Reason.
Display
Select how many items you want to view per page.
Click Query to start the search. The Quarantine Query Results page is displayed once the query is completed.
If you want to clear all the fields on the Query page, click Reset.
Using Wildcards
You can use the following SQL wildcards in the quarantine queries:
Wildcard: Explanation
%: Any string of zero or more characters.
_ (underscore): Any single character.
[ ]: Any single character within the specified range ([a-f]) or set ([abcdef]).
[^]: Any single character not within the specified range ([^a-f]) or set ([^abcdef]).
If you want to search for '%', '_' and '[' as regular symbols in one of the fields, you must enclose them in square brackets: '[%]', '[_]', '[[]'.
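The bracket rule above, as an added example that is not part of the F-Secure manual: a PowerShell helper that brackets literal '%', '_' and '[' before the text is typed into a query field, plus a previewer that translates the four wildcards into a .NET regular expression so a pattern can be tried against sample addresses. The function names are hypothetical, the addresses are constructed, and case-insensitive matching is an assumption about the console's behaviour.

```powershell
# Added example: function names are hypothetical and the addresses are constructed.

function ConvertTo-QuarantineLiteral {
    # Enclose '%', '_' and '[' in square brackets so that a query field treats
    # them as regular symbols instead of wildcards.
    param([Parameter(Mandatory = $true)][string]$Text)
    return ($Text -replace '([%_\[])', '[$1]')
}

function ConvertTo-QuarantineRegex {
    # Translate a pattern built from the four wildcards in the table into an
    # anchored .NET regular expression, for previewing only.
    # Assumption: matching ignores case.
    param([Parameter(Mandatory = $true)][string]$Pattern)
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('(?is)^')
    $i = 0
    while ($i -lt $Pattern.Length) {
        $c = [string]$Pattern[$i]
        if ($c -eq '%') {
            [void]$sb.Append('.*')            # any string of zero or more characters
        } elseif ($c -eq '_') {
            [void]$sb.Append('.')             # any single character
        } elseif ($c -eq '[') {
            $close = $Pattern.IndexOf(']', $i + 1)
            if ($close -lt 0) { throw "Unclosed '[' at position $i in '$Pattern'." }
            $body = $Pattern.Substring($i + 1, $close - $i - 1)
            $negate = $body.StartsWith('^')
            if ($negate) { $body = $body.Substring(1) }
            if ($body.Length -eq 0) { throw "Empty character set at position $i in '$Pattern'." }
            # Escape characters that are special inside a regex class; keep '-' for ranges.
            $body = $body -replace '([\\\[\]\^])', '\$1'
            $prefix = if ($negate) { '[^' } else { '[' }
            [void]$sb.Append($prefix + $body + ']')
            $i = $close                       # continue after the closing bracket
        } else {
            [void]$sb.Append([regex]::Escape($c))
        }
        $i++
    }
    [void]$sb.Append('$')
    return $sb.ToString()
}

function Select-QuarantineMatch {
    # Return the candidates that the wildcard pattern would match.
    param([Parameter(Mandatory = $true)][string]$Pattern, [string[]]$Candidate)
    $rx = ConvertTo-QuarantineRegex -Pattern $Pattern
    return @($Candidate | Where-Object { [regex]::IsMatch($_, $rx) })
}

# Constructed sample sender addresses.
$senders = @('bob_smith@example.org', 'bobXsmith@example.org', 'billing@example.com')

# '_' typed as-is is a wildcard, so this pattern is broader than the literal address.
Select-QuarantineMatch -Pattern 'bob_smith@%' -Candidate $senders

# Bracketing the literal part first restricts the search to the real underscore.
$literal = ConvertTo-QuarantineLiteral -Text 'bob_smith'
Select-QuarantineMatch -Pattern ($literal + '@%') -Candidate $senders
```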
4.5 Query Results Page
The Quarantine Query Results page displays a list of mails and attachments that were found in the query. To view detailed information about quarantined content, click the Quarantine ID (QID) number link in the QID column. For more information, see “Viewing Details of the Quarantined Message”.
The Query Results page displays status icons of the content that was found in the search:
Icon E-mail status
Quarantined e-mail. The administrator has not specified any actions to be taken on this e-mail.
Quarantined e-mail with attachments. The administrator has not specified any actions to be taken on this e-mail.
Quarantined e-mail that the administrator has set to be released. The release operation has not been completed yet.
Quarantined e-mail that the administrator has set to be reprocessed. The reprocessing operation has not been completed yet.
Quarantined e-mail that the administrator has set to be deleted. The deletion operation has not been completed yet.
Quarantined e-mail that the administrator has submitted to F-Secure for analysis.
Quarantined e-mail set to be released, which failed.
Quarantined e-mail set to be reprocessed, which failed.
Quarantined e-mail set to be submitted to F-Secure, which failed.
For information on how to process quarantined content, see “Quarantine Operations”.
4.5.1 Viewing Details of the Quarantined Message
To view the details of a quarantined message, do the following:
1. On the Query Search Results page, click the Quarantine ID (QID) number link in the QID column.
2. The Quarantined Content Details page opens.
The Quarantined Content Details page displays the following information about the quarantined mails and attachments:
QID: Quarantine ID.
Submit time: The date and time when the item was placed in the quarantine.
Processing server: The F-Secure Anti-Virus for Microsoft Exchange server that processed the message. Quarantined messages only.
Sender: The address of the message sender.
Recipients: The addresses of all the message recipients.
Sender host: The address of the sender mail server or client. Quarantined messages only.
Location: The location of the mailbox or public folder where the quarantined attachment was found. Quarantined attachments only.
Subject: The message subject.
Message size: The size of the quarantined message. Quarantined messages only.
Attachment name: The name of the attachment. Quarantined attachments only.
Attachment size: The size of the attachment file. Quarantined attachments only.
Quarantine reason: The reason why the content was quarantined.
Click the Show link to access the content of the quarantined message.
Click Download to download the quarantined message or attachment to your computer to check it.
WARNING: In many countries, it is illegal to read other people’s messages.
For information on how to process quarantined content, see “Quarantine Operations”.
4.6 Quarantine Operations
Quarantined mails and attachments can be reprocessed, released and removed from the quarantine storage after you have searched for the quarantined content you want to process.
Quarantined Mail Operations
You can select an operation to perform on the messages that were found in the query:
Click Reprocess to scan the currently selected e-mail again, or click Reprocess All to scan all e-mail messages that were found. For more information, see “Reprocessing the Quarantined Content”.
Click Release to deliver the currently selected e-mail without further processing, or click Release All to deliver all e-mail messages that were found. For more information, see “Releasing the Quarantined Content”, 224.
WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.
Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see “Removing the Quarantined Content”.
Click Send to F-Secure to submit a sample of quarantined content to F-Secure for analysis.
Quarantined Attachment Operations
You can select an operation to perform on the attachments that were found in the query:
Click Send to deliver the currently selected attachment, or click Send All to deliver all attachments that were found. Attachments sent from the quarantine go through the transport and storage protection and are scanned again. For more information, see “Releasing the Quarantined Content”, 224.
Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see “Removing the Quarantined Content”.
4.6.1 Reprocessing the Quarantined Content
When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients.
If you reprocess a quarantined spam e-mail, the reprocessed content may receive a lower spam score than it did originally and it may reach the recipient.
For example, if some content was placed in the quarantine because of an error situation, you can use the time period when the error occurred as search criteria, and then reprocess the content. This is done as follows:
1. Open the Quarantine > Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. Select the start and end dates and times of the quarantining period from the Start time and End Time drop-down menus.
3. If you want to specify how the search results are sorted, select the sorting criteria and order from the Sort results and order drop-down menus.
4. Select the number of items to be displayed on a results page from the Display drop-down menu.
5. Click the Query button.
6. When the query is finished, the query results page is displayed. Click the Reprocess All button to reprocess the displayed quarantined content.
7. The progress of the reprocessing operation is displayed in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
The e-mails that have been reprocessed and found clean are delivered to the intended recipients. They are also automatically deleted from the quarantine.
E-mails that have been reprocessed and found infected, suspicious or broken return to the quarantine.
4.6.2 Releasing the Quarantined Content
When quarantined content is released, it is sent to the intended recipients without any further processing. For example, if you have a password-protected archive in the quarantine that you want to deliver to the recipient, you can release it.
WARNING: Releasing quarantined content is a security risk, as the content is delivered to the recipient without being scanned.
If you need to release a quarantined message, follow these instructions:
1. Open the Quarantine > Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. Enter the Quarantine ID of the message in the Quarantine ID field. The Quarantine ID is included in the notification message delivered to the user.
3. Click Query to find the quarantined content.
4. Quarantine may contain either the original e-mail message or just the attachment that was quarantined.
a. When the quarantined content is an e-mail message, click Release to release the displayed quarantined content. The Release Quarantined Content dialog opens.
b. When the quarantine contains an attachment, click Send. The quarantined attachment is attached to the template specified in General Quarantine Options that is sent to the recipient.
5. Specify whether you want to release the content to the original recipient or specify an address where the content is to be forwarded.
It may not be legal to forward the e-mail to anybody else than the original recipient.
6. Specify what happens to the quarantined content after it has been released by selecting one of the Action after release options:
Leave in the quarantine
Delete from the quarantine
7. Click Release or Send. The content is now delivered to the recipient.
4.6.3 Removing the Quarantined Content
Quarantined messages are removed from the quarantine based on the currently configured quarantine retention and cleanup settings. For an example on how to configure those settings, see “Deleting Old Quarantined Content Automatically”, 225.
If you want to remove a large number of quarantined messages at once, for example all the messages that have been categorized as spam, do the following:
1. Open the Quarantine > Query page in the F-Secure Anti-Virus for Microsoft Exchange Web Console.
2. Select the quarantining reason, Spam, from the Reason drop-down listbox.
3. Click Query.
4. When the query is finished, the query results page displays all quarantined messages that have been classified as spam. Click the Delete All button to delete all the displayed quarantined content.
5. You are prompted to confirm the deletion. Click OK. The content is now removed from the quarantine.
4.6.4 Deleting Old Quarantined Content Automatically
Quarantined content is deleted automatically based on the Quarantine Retention and Cleanup settings in the Maintenance tab on the Quarantine > Options page. By default, all types of quarantined content are stored in quarantine for one month, and the quarantine clean-up task is executed once an hour.
You can specify exceptions to the default retention and clean-up times in the Exceptions table. These exceptions are based on the quarantine category. If you want, for example, to have infected messages deleted sooner, you can specify an exception rule for them as follows:
1. Go to the Quarantine > Options page.
2. Open the Maintenance tab.
3. Click Add new exception at the Exceptions table. A New Quarantine Cleanup Exception dialog opens.
4. Select the Quarantine category for which you want to specify the exception. Specify a Retention period and a Cleanup interval for the selected category.
5. To turn on the exception, make sure that the Active check box is selected. Click Ok.
6. Click Apply to apply the new changes.
4.7 Moving the Quarantine Storage
When you want to change the Quarantine storage location either using the F-Secure Policy Manager Console or F-Secure Anti-Virus for Microsoft Exchange Web Console, note that the product does not create the new directory automatically. Before you change the Quarantine storage directory, make sure that the directory exists and it has proper security permissions.
You can use the xcopy command to create and change the Quarantine storage directory by copying the existing directory with the current ownership and ACL information. In the following example, the Quarantine storage is moved from C:\Program Files\F-Secure\Quarantine Manager\quarantine to D:\Quarantine:
1. Stop F-Secure Quarantine Manager service to prevent any quarantine operations while you move the location of the Quarantine storage. Run the following command from the command prompt:
net stop "F-Secure Quarantine Manager"
2. Run the following command from the command prompt to copy the current content to the new location:
xcopy "C:\Program Files\F-Secure\Quarantine Manager\quarantine" D:\Quarantine\ /O /X /E
Note the use of backslashes in the source and destination directory paths.
3. Change the path for FSMSEQS$ shared folder. If the product is installed in the local quarantine management mode, you can skip this step. To change the FSMSEQS$ path, follow these steps:
a. Open Windows Control Panel > Administrative Tools > Computer Management.
b. Open System Tools > Shared Folders > Shares and find FSMSEQS$ there.
c. Right-click FSMSEQS$ and select Stop Sharing. Confirm that you want to stop sharing FSMSEQS$.
d. Right-click FSMSEQS$ again and select New Share.
e. Follow Share a Folder Wizard instructions to create FSMSEQS$ shared folder.
i. Specify the new directory (in this example, D:\Quarantine) as the folder path, FSMSEQS$ as the share name and F-Secure Quarantine Storage as the description.
ii. On the Permissions page, select Administrators have full access; other users have read-only access. Note that the Quarantine storage has file/directory security permissions set only for the SYSTEM and Administrators group.
f. Click Finish.
4. Change the location of the Quarantine storage from the F-Secure Policy Manager Console (F-Secure Anti-Virus for Exchange/Settings/Quarantine/Quarantine Storage) or F-Secure Anti-Virus for Microsoft Exchange Web Console (Anti-Virus for Microsoft Exchange > Quarantine > Options > Quarantine Storage).
5. Make sure that the product has received new settings.
6. Restart F-Secure Quarantine Manager service. Run the following command from the command prompt:
net start "F-Secure Quarantine Manager"
For more information about the xcopy command and options, refer to MS Windows Help and Support.
5 Updating Virus and Spam Definition Databases
Overview
It is of the utmost importance that virus definition databases are kept up-to-date. F-Secure Anti-Virus for Microsoft Exchange takes care of this task automatically.
Information about the latest virus database update can be found at:
http://www.f-secure.com/download-purchase/updates.shtml
Automatic Updates with F-Secure Automatic Update Agent
Using F-Secure Automatic Update Agent is the most convenient way to keep the databases updated. It connects to F-Secure Policy Manager Server or the F-Secure Update Server automatically. F-Secure Automatic Update Agent uses incremental technology and network traffic detection to make sure that it works without disturbing other Internet traffic even over a slow line.
You may install and use F-Secure Automatic Update Agent in conjunction with licensed F-Secure's antivirus and security products. F-Secure Automatic Update Agent shall be used only for receiving updates and related information on F-Secure's antivirus and security products. F-Secure Automatic Update Agent may not be used for any other purpose or service.
Configuring Automatic Updates
F-Secure Automatic Update Agent user interface provides information about downloaded virus and spam definition updates. To access the F-Secure Automatic Update Agent user interface, open the F-Secure Anti-Virus for Microsoft Exchange Web Console, and go to the Automatic Updates page. For more information, see “Automatic Updates”, 181.
In centrally managed installations, you can use the F-Secure Anti-Virus for Microsoft Exchange Web Console only for monitoring the F-Secure Automatic Update Agent settings. To change these settings, you need to use F-Secure Policy Manager Console. For more information, see “F-Secure Automatic Update Agent Settings”, 101.
If necessary, reconfigure the firewall and other devices that may block the database downloads.
In common deployment scenarios, make sure that the following ports are open:
DNS (53, UDP and TCP)
HTTP (80)
Port used to connect to F-Secure Policy Manager Server
APPENDIX A: Variables in Warning Messages
List of Variables
The following table lists the variables that can be included in the warning and informational messages sent by the product if an infection is found or content is blocked.
If both stripping and scanning are allowed and the Agent found both types of disallowed content (infected and to be stripped) in an e-mail message, a warning message will be sent to the end-user instead of an informational one, if it is required.
These variables will be dynamically replaced by their actual names. If an actual name is not present, the corresponding variable will be replaced with [Unknown].
Variable: Description
$ANTI-VIRUS-SERVER: The DNS/WINS name or IP address of F-Secure Anti-Virus for Microsoft Exchange.
$NAME-OF-SENDER: The e-mail address where the original content comes from.
$NAME-OF-RECIPIENT: The e-mail addresses where the original content is sent.
$SUBJECT: The original e-mail message subject.
$DIRECTION: The direction of e-mail message (inbound, outbound or internal).
$REPORT-BEGIN: Marks the beginning of the scan report. This variable does not appear in the warning message.
$REPORT-END: Marks the end of the scan report. This variable does not appear in the warning message.
$REPORT-BEGIN, $REPORT-END, $DIRECTION macros are not applicable in the replacement text used on real-time scanning in the Exchange storage.
The following table lists variables that can be included in the scan report, in other words the variables that can be used in the warning message between $REPORT-BEGIN and $REPORT-END.
Variable: Description
$AFFECTED-FILENAME: The name of the original file or attachment.
$AFFECTED-FILESIZE: The size of the original file or attachment.
$THREAT: The name of the threat that was found in the content. For example, it can contain the name of the found infection, etc.
$TAKEN-ACTION: The action that was taken to remove the threat. These include the following: dropped, disinfected, etc.
$QUARANTINE-ID: The identification number of the quarantined attachment or file.
APPENDIX B: Sending E-mail Alerts And Reports
B.1 Overview
You can configure the product to send alerts to the administrator by e-mail. F-Secure Management Agent that handles the alerting uses a simple SMTP protocol (without authentication and encryption) to send alerts to the specified e-mail address.
The product can send e-mail based reports to F-Secure World Map system. These reports are sent using the simple SMTP protocol with an empty address ("<>") as the source.
In Microsoft Exchange Server 2007 and 2010, the message relaying is tightly restricted, even on servers that are not connected to the Internet.
By default, only e-mail messages that come from authenticated or allowed sources can be relayed.
This means that the product cannot send SMTP alerts and reports unless some changes are done in the Microsoft Exchange Server 2007 and 2010 configurations. These changes can be done before or after the product has been deployed.
B.2 Solution
In order to make F-Secure alerts and reports relayed through Microsoft Exchange Server 2007 or 2010, you need to create a special receive connector and configure it to allow anonymous, non-authenticated submissions. This connector has to be created on Exchange Edge and/or Hub server(s) that are specified as the SMTP server where the product sends alerts and reports to.
B.2.1 Creating a Scoped Receive Connector
The connector can be created from the Exchange management shell.
Run the following command to create a scoped receive connector on the local server:
New-ReceiveConnector -Name <connector_name> -Bindings <listen_ip_port> -RemoteIPRanges <accepted_hosts> -AuthMechanism Tls -PermissionGroups "AnonymousUsers" -RequireEHLODomain $false -RequireTLS $false
where:
<connector_name> is the name for the connector,
<listen_ip_port> is the IP address and port number (separated by a colon) that the receive connector listens for inbound messages, and
<accepted_hosts> is the IP address or IP address range from which inbound connections are accepted.
The IP address or IP address range can be entered in one of the following formats:
IP address: 192.168.1.1
IP address range: 192.168.1.10-192.168.1.20
IP address with subnet: 192.168.1.0 (255.255.255.0)
IP address by using Classless Interdomain Routing (CIDR) notation: 192.168.1.0/24
For example, to create a new connector that listens on all configured local IP addresses and accepts connections from the local host only, run the following command in the Exchange management shell:
New-ReceiveConnector -Name "F-Secure alerts and reports" -Bindings 0.0.0.0:25 -RemoteIPRanges 127.0.0.1 -AuthMechanism Tls -PermissionGroups "AnonymousUsers" -RequireEHLODomain $false -RequireTLS $false
To create a new connector that is bound to a single IP address and accepts connections from the specified remote servers, run the following command:
New-ReceiveConnector -Name "F-Secure alerts and reports" -Bindings 192.168.58.128:25 -RemoteIPRanges 192.168.58.129, 192.168.58.131 -AuthMechanism Tls -PermissionGroups "AnonymousUsers" -RequireEHLODomain $false -RequireTLS $false
B.2.2 Grant the Relay Permission on the New Scoped Connector
The receive connector accepts anonymous SMTP submissions but messages are not relayed. To relay messages, grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account. To do this, run the following command:
Get-ReceiveConnector <connector_name> | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
where:
<connector_name> is the name of the connector you created.
For example:
Get-ReceiveConnector "F-Secure alerts and reports" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
B.2.3 Specify SMTP Server for Alerts and Reports
Check that the product is properly configured and the address and port of the SMTP server correspond to the address and port on which the receive connector listens for inbound messages. Remember to specify the return address for e-mail alerts.
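Because B.2.1 and B.2.2 together create an unauthenticated relay, it is worth confirming afterwards that the relay right exists only where intended and only for the intended source addresses. The following check is an added example, not part of the F-Secure manual; it is meant for the Exchange Management Shell, the function name is hypothetical, and it assumes that each remote range prints as the value typed at creation and that $ExpectedSenders lists the -RemoteIPRanges values you used.

```powershell
# Added example. Run in the Exchange Management Shell.
# Assumption: $ExpectedSenders holds the exact -RemoteIPRanges values passed to
# New-ReceiveConnector for the F-Secure connector.
$ExpectedSenders = @('127.0.0.1')
$RelayRight      = 'ms-Exch-SMTP-Accept-Any-Recipient'
$Anonymous       = 'NT AUTHORITY\ANONYMOUS LOGON'
# String forms of "any address", the default remote range of a receive connector.
$AnyAddress      = @('0.0.0.0-255.255.255.255',
                     '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')

function Get-AnonymousRelayConnector {
    # List every receive connector this shell can see on which the anonymous
    # account holds the relay right, together with the addresses it accepts.
    param([string[]]$Expected)
    foreach ($rc in @(Get-ReceiveConnector)) {
        $grants = @($rc | Get-ADPermission -User $Anonymous |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $RelayRight) })
        if ($grants.Count -eq 0) { continue }   # anonymous senders cannot relay here

        $ranges     = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $unexpected = @($ranges | Where-Object { $Expected -notcontains $_ })
        $open       = @($ranges | Where-Object { $AnyAddress -contains $_ })

        New-Object psobject -Property @{
            Connector        = "$($rc.Identity)"
            Bindings         = ($rc.Bindings | ForEach-Object { "$_" }) -join ', '
            RemoteIPRanges   = $ranges -join ', '
            AnyAddress       = ($open.Count -gt 0)
            UnexpectedRanges = $unexpected -join ', '
        }
    }
}

Get-AnonymousRelayConnector -Expected $ExpectedSenders |
    Select-Object Connector, Bindings, RemoteIPRanges, AnyAddress, UnexpectedRanges |
    Format-List
```

Each row is a connector that relays for anonymous senders. Review any row other than the connector created for the product, and any row where AnyAddress is True or UnexpectedRanges is not empty.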
APPENDIX C: Troubleshooting
C.1 Overview
If you have a problem that is not covered here, see “Technical Support”.
C.2 Starting and Stopping
If you ever need to start or stop F-Secure Anti-Virus for Microsoft Exchange, you can do it in the following ways:
Open the Services applet from the Administrative tools folder in the Windows Control Panel and select F-Secure Anti-Virus for Microsoft Exchange. To stop F-Secure Anti-Virus for Microsoft Exchange, click Stop. To start the service, click Start.
Open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select Home > Services. Click Start to activate F-Secure Anti-Virus for Microsoft Exchange and Stop to stop it.
From the command line when the product is installed on Microsoft Exchange Server 2003: enter NET STOP FSHKMNGR at the command line to stop the service, and NET START FSHKMNGR to start the service.
From the command line when the product is installed on Microsoft Exchange Server 2007 or 2010: enter NET STOP FSAVMSED at the command line to stop the service, and NET START FSAVMSED to start the service.
When F-Secure Anti-Virus for Microsoft Exchange is stopped, all e-mail messages sent and notes posted to public folders pass through normally, but they are not scanned for viruses or spam.
C.3 Viewing the Log File
F-Secure Anti-Virus for Microsoft Exchange uses the log file Logfile.log that is maintained by F-Secure Management Agent and contains all alerts generated by F-Secure components installed on the host. Logfile.log can be found on all hosts running F-Secure Management Agent. You can view the Logfile.log with any text editor, for example Windows Notepad. Open the logfile.log from F-Secure Settings and Statistics / F-Secure Management Agent properties / Show log file, or from the Summary page of F-Secure Anti-Virus for Microsoft Exchange Web Console by clicking View F-Secure Log.
F-Secure Management Agent uses Logfile.log (in F-Secure / Common directory) for logging of all the alerts on the host. Logfile.log contains all the alerts generated by the host, regardless of the severity. Logfile.log file size can be configured in F-Secure Management Agent / Settings / Alerting / Alert Agents / Logfile / Maximum File Size.
Quarantine Logs
Quarantine logs are not stored in Logfile.log. By default, quarantine logs are stored in the quarantine log directory. You can view quarantine logs with any text editor.
To specify the path to the directory where Quarantine logfiles are placed, change the Quarantine > Quarantine Log Directory setting in F-Secure Policy Manager or Quarantine > Options > Logging > Quarantine log directory setting in F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information, see “Quarantine”, 24.
C.4 Common Problems and Solutions
If you think that you have some problem with F-Secure Anti-Virus for Microsoft Exchange, check that both F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server are up and running.
Checking F-Secure Anti-Virus for Microsoft Exchange
1. Make sure that F-Secure Anti-Virus for Microsoft Exchange service and all its processes have started.
Open Services in the Windows Control Panel and check that the F-Secure Anti-Virus for Microsoft Exchange service has started.
Open the Windows Task Manager and check that the following processes are running:
fshkmngr.exe (when the product is installed on Microsoft Exchange Server 2003)
fsavmsed.exe (when the product is installed on Microsoft Exchange Server 2007 or 2010)
fsmb32.exe
fameh32.exe
fch32.exe
fnrb32.exe
fsobmngr.exe
fsm32.exe
fsma32.exe
2. To make sure that F-Secure Content Scanner Server accepts connections, run the following command from the command line on the Microsoft Exchange Server:
telnet 127.0.0.1 18971
If you get the cursor blinking in the upper left corner, it means that the connection has been established and F-Secure Content Scanner Server can accept incoming connections.
If you get "Connection to the host lost" or other error message or if the cursor does not go to the upper left corner, it means that the connection attempt was unsuccessful. If the telnet connection attempt was unsuccessful, make sure that F-Secure Content Scanner Server is up and running and that there is no local firewall on the server blocking the access.
Checking F-Secure Content Scanner Server
Problem:
When the F-Secure Anti-Virus for Microsoft Exchange tries to send an attachment to F-Secure Content Scanner Server, the attachment is not scanned and the e-mail does not reach the recipient.
Solution:
The problem is that F-Secure Anti-Virus for Microsoft Exchange is unable to contact F-Secure Content Scanner Server.
A service or process may not be running on F-Secure Content Scanner Server. Make sure that all processes and services of F-Secure Content Scanner Server have started. Check the Services in Windows Control Panel. The following services should be started:
F-Secure Content Scanner Server
F-Secure Management Agent
F-Secure Network Request Broker
Check the Task Manager. The following processes should be running:
fsmb32.exe
fsavsd.exe
fsdbuh.exe
fnrb32.exe
fsma32.exe
fih32.exe
fch32.exe
fameh32.exe
If any of these processes are not started, uninstall and reinstall F-Secure Anti-Virus Content Scanner Server service.
Checking F-Secure Anti-Virus for Microsoft Exchange Web Console
Problem:
I cannot open or access F-Secure Anti-Virus for Microsoft Exchange Web Console.
Solution:
1. Make sure that F-Secure Web Console daemon has started and is running. Check the Services in Windows Control Panel. The following service should be started:
F-Secure Web Console Daemon
Check the Task Manager. The following process should be running:
fswebuid.exe
2. If you try to connect to the F-Secure Anti-Virus for Microsoft Exchange Web Console from a remote host, make sure that the connection is not blocked by a firewall or proxy server.
C.4.1 Installing Service Packs
If you wish to install a Microsoft Exchange Server Service Pack and F-Secure Anti-Virus for Microsoft Exchange is already installed, stop F-Secure Anti-Virus for Microsoft Exchange before installing the Service Pack and restart it after the Service Pack installation.
C.4.2 Securing the Quarantine
Problem:
I have installed F-Secure Anti-Virus for Microsoft Exchange and I'm worried about the security of the local Quarantine storage where stripped attachments are quarantined. What do you recommend?
Solution:
F-Secure Anti-Virus for Microsoft Exchange creates and adjusts access rights to the local Quarantine storage during the installation. Keep in mind the following when setting up the local Quarantine storage:
Do not place the Quarantine storage on a FAT drive. FAT file system does not support access rights on directories and files for different users. If you place the Quarantine storage on a FAT drive everyone who has access to that drive will be able to get access to the quarantined content.
Create and adjust access rights to the Quarantine storage manually if you use one on a network drive.
Create and adjust access rights to the Quarantine storage manually when you change its path from F-Secure Policy Manager Console or F-Secure Anti-Virus for Microsoft Exchange Web Console.
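The points above, and the statement in “Moving the Quarantine Storage” that the storage has permissions set only for SYSTEM and the Administrators group, can be checked after a move or a manual ACL change. The following script is an added example, not part of the F-Secure manual; the function names are hypothetical, D:\Quarantine is the destination from the manual's move example, and the allowed list assumes that only those two principals should hold access.

```powershell
# Added example; requires Windows PowerShell 3.0 or later (Get-Acl -LiteralPath).
# D:\Quarantine is the destination used in the manual's move example.
$QuarantinePath = 'D:\Quarantine'
# Well-known SIDs: S-1-5-18 = Local System, S-1-5-32-544 = BUILTIN\Administrators.
# Comparing SIDs avoids localized account names.
$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-UnexpectedAccess {
    # Emit one object per Allow rule granted to a principal outside $AllowedSids.
    param([string]$Item, [string[]]$AllowedSids)
    $acl   = Get-Acl -LiteralPath $Item
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $AllowedSids -notcontains $r.IdentityReference.Value) {
            New-Object psobject -Property @{
                Path      = $Item
                Sid       = $r.IdentityReference.Value
                Rights    = "$($r.FileSystemRights)"
                Inherited = $r.IsInherited
            }
        }
    }
}

function Test-QuarantineStorage {
    param([Parameter(Mandatory = $true)][string]$Path, [string[]]$AllowedSids)

    # The product does not create the directory, so a missing path is a finding.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory '$Path' does not exist."
        return
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $root = [System.IO.Path]::GetPathRoot($full)

    if ($root.StartsWith('\\')) {
        # UNC path: the file system cannot be queried through DriveInfo.
        Write-Warning "'$full' is on a network share; set its access rights manually."
    } else {
        $format = (New-Object System.IO.DriveInfo $root).DriveFormat
        # FAT, FAT32 and exFAT volumes do not store per-user access rights.
        if ($format -match '^(ex)?FAT') {
            Write-Warning "'$root' is formatted as $format; anyone with access to the drive can read the quarantine."
        }
    }

    # Check the directory itself and everything below it.
    $items = @($full) + @(Get-ChildItem -LiteralPath $full -Recurse -Force |
                          ForEach-Object { $_.FullName })
    foreach ($item in $items) {
        Get-UnexpectedAccess -Item $item -AllowedSids $AllowedSids
    }
}

Test-QuarantineStorage -Path $QuarantinePath -AllowedSids $AllowedSids |
    Select-Object Path, Sid, Rights, Inherited |
    Format-Table -AutoSize
```

No rows and no warnings means every Allow entry on the storage belongs to SYSTEM or Administrators; any row names a path and SID to review before the service is restarted.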
C.4.3 Administration Issues
Some settings are initially configured during the installation of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. They can be viewed on the Status tab of F-Secure Policy Manager Console.
When changing such settings in F-Secure Policy Manager Console for the first time, you must enforce the change by selecting the Final check box.
C.5 Frequently Asked Questions
All support issues, frequently asked questions and hotfixes can be found under the support pages at http://support.f-secure.com/. For more information, see “Technical Support”, 246.
Technical Support
- F-Secure Online Support Resources
- Web Club
- Virus Descriptions on the Web
F-Secure Online Support Resources
F-Secure Technical Support is available through F-Secure support web pages, e-mail and by phone. Support requests can be submitted through a form on F-Secure support web pages directly to F-Secure support.
F-Secure support web pages for any F-Secure product can be accessed at http://support.f-secure.com/ . All support issues, frequently asked questions and hotfixes can be found under the support pages.
If you have questions about F-Secure Anti-Virus for Microsoft Exchange not covered in this manual or on the F-Secure support web pages, you can contact your local F-Secure distributor or F-Secure Corporation directly.
For technical assistance, please contact your local F-Secure Business Partner. Send your e-mail to:
Anti-Virus-<country>@f-secure.com
Example: [email protected]
If there is no authorized F-Secure Anti-Virus Business Partner in your country, you can submit a support request directly to F-Secure. There is an online "Web submit form" accessible through F-Secure support web pages under the "Contact Support" page. Fill in all the fields and describe the problem as accurately as possible. Please include the FSDiag report taken from the problematic server with the support request.
F-Secure Support Tool
Before contacting support, please run the F-Secure Support Tool FSDiag.exe on each of the hosts running F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. This utility gathers basic information about hardware, operating system, network configuration and installed F-Secure and third-party software. You can run the F-Secure Support Tool from the F-Secure Anti-Virus for Microsoft Exchange Web Console as follows:
1. Log in to the Web Console.
2. Type https://127.0.0.1:25023/fsdiag/ in the browser’s address field or click F-Secure support tool on the General Server Properties page.
3. The F-Secure Support Tool starts and the dialog window displays the progress of the data collection.
Note that in some web browsers, the window may appear behind the main browser window.
4. When the tool has finished collecting the data, click Report to download and save the collected data.
You can also find and run the FSDiag.exe utility under the F-Secure\Common folder, if you prefer not to do it through the F-Secure Anti-Virus for Microsoft Exchange Web Console. The tool generates a file called FSDiag.tar.gz.
Please include the following information with your support request:
- Version number of F-Secure Management Agent, F-Secure Anti-Virus for Microsoft Exchange, F-Secure Policy Manager Server, and F-Secure Policy Manager Console. Include the build number if available.
- A description of how F-Secure components are configured.
- The name and the version number of the operating system on which F-Secure products and protected systems are running. For Windows, include the build number and Service Pack number.
- The version number and the configuration of your Microsoft Exchange Server. If possible, describe your network configuration and topology.
- A detailed description of the problem, including any error messages displayed by the program, and any other details that could help us replicate the problem.
- Logfile.log from the machines running F-Secure products. This file can be found under Program Files\F-Secure\Common. If you are sending the FSDiag report, you do not need to send the Logfile.log separately, because it is already included in the FSDiag report.
- If the whole product or a component crashed, include the drwtsn32.log file from the Windows NT directory and the latest records from the Windows Application Log.
Web Club
The F-Secure Web Club provides assistance and updated versions of the F-Secure products. To connect to the Web Club on our Web site, open the F-Secure Anti-Virus for Microsoft Exchange Web Console, and click the Web Club link in the banner.
Alternatively, right-click the F-Secure icon in the Windows taskbar, and choose the Web Club command.
To connect to the Web Club directly from within your Web browser, go to:
http://www.f-secure.com/en_EMEA/downloads/product-updates/
Virus Descriptions on the Web
F-Secure Corporation maintains a comprehensive collection of virus-related information on its Web site. To view the Virus Information Database, connect to: http://www.f-secure.com/security_center/
About F-Secure Corporation
F-Secure Corporation protects consumers and businesses against computer viruses and other online threats from the Internet and mobile networks. We want to be the most reliable provider of internet security services in the market. One way to demonstrate this is the speed of our response.
F-Secure’s award-winning solutions for real-time virus protection are available as a service subscription through more than 170 Internet service providers and mobile operator partners around the world, making F-Secure the global leader in the market of internet and computer security. The solutions are also available as licensed products through thousands of resellers globally.
F-Secure aspires to be the most reliable mobile and computer security provider, helping make computer and smartphone users' networked lives safe and easy. This is substantiated by the company’s independently proven ability to respond faster to new threats than its main competitors. Founded in 1988 and headquartered in Finland, F-Secure has been listed on the OMX Nordic Exchange Helsinki since 1999. The company has consistently been one of the fastest growing publicly listed companies in the industry.
The latest news on real-time virus threat scenarios is available at http://www.f-secure.com/weblog/