


Microsoft Antigen for Exchange User Guide

Microsoft Antigen for Exchange Version 9

 

Microsoft Corporation

Published: July 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, Excel, Internet Explorer, Outlook, PowerPoint, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Privacy policy

Review the "Microsoft Antigen Privacy Statement" at the Microsoft Antigen Web site.

Contents

Chapter 1 - Introducing Microsoft Antigen for Exchange 10

Consideration when using a third-party file-level antivirus program 10

Antigen scanning order overview 11

Antigen documentation 12

Chapter 2 - Installing Microsoft Antigen for Exchange 12

System requirements 13

Minimum server requirements 13

Minimum workstation requirements 14

Installing Antigen on a local server 14

Installing Antigen on a remote server 16

Administrator-only installation 17

Post-Installation security consideration 18

Installing to multiple servers 19

Uninstalling Antigen 19

Migrating and upgrading 19

Applying Exchange and Antigen service packs and rollups 20

Relocating Antigen's data files 21

Using the evaluation version 21

Product licensing information 21

Chapter 3 - Antigen services overview 22

About services 22

AntigenService service 22

AntigenMonitor service 23

AntigenStore service 23

AntigenIMC service 23

AntigenRealtime service 23

AntigenInternet service 23

AntigenStatisticsService service 23

AntigenStoreEvent service 23

Disabling the Antigen scan jobs 23

Recycling the Antigen services 24

Securing the service from unauthorized use 24

Chapter 4 - Using the Antigen Administrator 25

Enabling the Antigen Administrator 25

Running the Antigen Administrator 26

Connecting to a server 26

Connecting to a different server 27

Running in read-only mode 27

Antigen Administrator overview 28

General Options 29

Diagnostics section 29

Logging section 30

Scanner Updates section 31

Scanning section 33

VSAPI section 45

Exchange 2003 UCE Settings 47

Central Management 47

Chapter 5 - Using multiple scan engines 48

About engine rankings 48

Setting the bias 49

About bias settings 49

Configuring the Bias 50

Cleaning infected files 51

Chapter 6 - Configuring Manual Scan Jobs 51

Configuring the Manual Scan Job 51

About mailboxes and public folders 52

Configuring the antivirus scanners and job action 53

Running the Manual Scan Job 54

Checking results and status 54

Scheduling the Manual Scan Job 55

Performing a quick scan 55

Checking results and status 56

Scanning files by type 57

Chapter 7 - Configuring Realtime Scan Jobs 57

About multiple Realtime processes 57

Configuring the Realtime Scan Job 58

About mailboxes and public folders 58

Configuring the antivirus scanners and job action 59

Controlling the Realtime Scan Job 60

Checking results and status 61

About Realtime Scan recovery 61

Scanning files by type 62

Chapter 8 - Configuring SMTP Scan Jobs 62

About multiple Internet processes 62

Configuring the SMTP Scan Job 63

Adding outbound disclaimers 64

Configuring the antivirus scanners and job action 65

Controlling the SMTP Scan Job 66

Checking results and status 66

About SMTP Scan recovery 67

Scanning nested compressed files 67

Scanning files by type 67

Chapter 9 - Configuring MTA Scan Jobs 68

Configuring the MTA Scan Job 68

Configuring the antivirus scanners and job action 69

Scanning nested compressed files 70

Controlling the MTA Scan Job 70

Checking results and status 71

Chapter 10 - Performing background and on-access scans 71

On-access scanning 71

Configuring on-access scanning 71

Background scanning 72

Reporting incidents 73

Chapter 11 - Using templates 73

Template uses 73

Creating a named template 74

Renaming or deleting a named template 75

Modifying templates 75

Modifying default file scanner update templates 76

Modifying notification templates 76

Using named templates 77

Deploying templates during a remote installation 77

Deploying named templates 77

Deploying schedule job templates 79

Chapter 12 - Using file filtering 79

Mechanics of file filtering 79

Filtering by file type 79

Filtering by extension 80

Filtering by name 80

Configuring the file filter 80

Action 82

About file names buttons 84

Matching patterns in the file name with wildcard characters 85

Using directional file filters 86

Filtering container files 87

Excluding the contents of a container file from file filtering 87

Using file filtering to block most file types 88

Using filter set templates 89

About international character sets 89

About statistics logging 89

Chapter 13 - Using content filtering 90

Configuring sender-domains filtering 90

Configuring subject line filtering 91

Action 94

Creating content filter lists 95

Importing new items into a filter list 96

Exporting sender-domains filters, file filters, and subject line filters 97

Filtering mail from all users in a domain except for specific users 97

Using directional content filters 98

About international character sets 98

About reporting 99

Using filter set templates 99

Creating a filter set template 99

Configuring a filter set template 99

Associating a filter set template with a scan job 100

Editing a filter set template 100

Deleting a filter set template 101

Renaming a filter set template 101

Distributing filter set templates to remote servers 101

Chapter 14 - Using mailhost filtering 102

About mailhosts scanning priority 102

Using RBL servers 102

Using allowed mailhosts lists 103

Using rejected mailhosts lists 104

Action 105

Importing new items into a filter list 106

About mailhost filtering notifications 107

Chapter 15 - Using keyword filtering 107

Creating new keyword lists 107

Action 108

About keyword list syntax rules 109

About case-sensitive filtering 111

Filtering e-mail messages that automatically load HTML images 111

Creating allowed senders lists 111

Importing new items into a filter list 112

Chapter 16 - Purging messages infected by worms 113

Purging by the Realtime Scanner 113

Purging by the Internet Scanner 114

Purging by the MTA Scanner 114

Purging by the Manual Scanner 114

Using file filtering to purge worm viruses 114

Using notifications 115

Enabling and disabling worm purging 115

Updating the worm purge list 115

Creating a custom worm purge list 115

Chapter 17 - Antigen Spam Manager overview 116

Configuring the anti-spam scanning settings 117

Configuring Cloudmark updates 117

Managing Cloudmark updates with FSSMC or AEM 118

Submitting false positives and false negatives to Cloudmark 119

Using the GTUBE anti-spam test file to determine whether Cloudmark is detecting spam 119

About the Identify: tag message action 119

Outlook Junk Mail folders and user Junk Mail options 120

Approving senders 122

Blocking senders 122

Managing rules 122

Purging Junk Mail 123

Chapter 18 - Using e-mail notifications 123

Sending notifications 123

Configuring notifications 124

About notification roles 124

Configuring Antigen for internal addresses 126

Enabling and disabling a notification 126

Editing a notification 127

Chapter 19 - Reporting and statistics overview 127

About the incidents database 128

About VirusLog.txt 129

About Antigen incidents 129

About event statistics 131

Statistics for messages 131

Statistics for message attachments 132

Resetting statistics 132

Exporting statistics 133

About quarantine 133

About quarantine options 133

About quarantine database tables 134

Saving database items to disk 135

About the Deliver button 135

About DeliverLog.txt 136

Forwarding Attachments 136

Forwarding Attachments Quarantined by the Virus Scanner 136

Forwarding Attachments Quarantined by the File Filter 136

Forwarding Attachments and Manual Scans 136

Using the ExtractFiles utility 137

Using the ExtractFiles tool for fast mail recovery 137

Maintaining the databases 138

Clearing the databases 138

Clearing the incidents database 138

Clearing the quarantine database 139

Exporting database items 139

Purging database items 139

Filtering database views 140

Moving the databases 140

Changing the database compaction time 141

About Windows Event Viewer 142

About Performance Monitor 142

Reinstalling Antigen performance counters 142

Chapter 20 - File scanner updating overview 142

About automatic file scanner updating 143

Scheduling an update 143

Update Now 145

Update on load 145

About scanner information 145

About Manifest.cab 146

Distributing updates 146

Configuring servers to distribute and receive updates 146

Notifications following engine updates 147

Putting the new file scanner to use 148

Updating the file scanner through a proxy 148

Adding and deprecating scan engines 148

Adding new scan engines 149

Deprecating scan engines 149

Chapter 21 - Troubleshooting overview 149

Getting help 149

Using diagnostics 149

Antigen installation failure 150

Antigen services do not start when you start the computer 150

Submitting malicious software files to Microsoft for analysis 151

Submitting files through the Microsoft Malware Protection Center Portal 151

Preparing files for submission 151

About the response message 152

Submitting files through Microsoft Customer Support Services 152

No Realtime scanning occurs on the Exchange store after installing Antigen 152

Attaching a disclaimer message that includes non-US-ASCII characters 153

Exchange cannot deliver e-mail messages to certain domains after you configure an e-mail disclaimer 154

Rebuilding scan engines 154

Appendix A - Using the Antigen utility 156

Enabling and disabling Antigen 156

Appendix B - Setting registry values 157

Appendix C - Using keyword substitution macros 165

Appendix D - Using the Antigen diagnostic utility 168

Running the Antigen diagnostic utility 168

Appendix E - File types list overview 169

Appendix F - Using multiple disclaimers 174

Disclaimer hierarchy 184

Additional sample disclaimer text 184

Appendix G - Backing up and restoring Microsoft Antigen for Exchange 185

About backups 185

Preparing files for backup 185

Backing up data files 187

Restoring data files 187

Appendix H - Antigen security and configuration updates overview 189

Security policy changes 189

General Options changes 190

Other Antigen changes and updates 191

Chapter 1 - Introducing Microsoft Antigen for Exchange

In Microsoft® Exchange Server, viruses can enter the environment from file attachments to e-mail messages, e-mail bodies, and public folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange SMTP stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real-time, with minimal impact on server performance or delivery times of messages. Microsoft Antigen for Exchange Version 9 is the solution for protecting Exchange environments.

Antigen is uniquely suited for the Microsoft Exchange 2000 Server and the Microsoft Exchange Server 2003 environments. Antigen uses the Exchange VSAPI to tightly integrate with the Exchange servers to provide seamless protection.

Antigen provides powerful content filtering features that include:

• Keyword message body filtering.

• Mail host filtering with Real-Time Blackhole List (RBL) integration.

• File and content filtering that includes filter lists to help administrators manage large groups of filters.

Antigen also supports the optional Antigen Spam Manager. This add-on module helps administrators to minimize the number of spam e-mail messages that enter their Exchange environments.

The Antigen Spam Manager enhances Antigen’s content filtering by providing:

• Support for the Cloudmark anti-spam engine.

• Support for Exchange 2003 anti-spam features.

• Identify: Tag Message options for suspected spam message tracking and identification.

• Keyword filter options.

• Junk Mail folders for Microsoft Office Outlook® users.

Antigen also integrates with the Microsoft Antigen Enterprise Manager (AEM). The AEM provides administrators with central installation and reporting functionality and central administration of Antigen on all servers in their environments.

Antigen provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2000 and 2003 environments.

Consideration when using a third-party file-level antivirus program

When performing a file-level antivirus scan on a server operating system, you must omit the following program folders from the scan to prevent corruption of Antigen:

• Drive:\Program Files\Sybari Software\Antigen for Exchange

• Drive:\Program Files\Exchsrvr

• Drive:\InetPub\Mailroot (Exchange 2003 only)

The file-level antivirus scan can also cause a conflict when Antigen tries to scan e-mail messages.

Antigen scanning order overview

When Antigen scans a file or an e-mail message, the following tasks are performed in the order that they appear:

Allowed senders scan—If the allowed senders list functionality is enabled, Antigen compares the message sender's domain or address to the allowed senders list. If a message is from a domain or address in the allowed senders list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.

You can configure the allowed senders list functionality to bypass specific types of filters, such as keyword filters, file filters, and content filters, or you can bypass all filters.

For more information about allowed senders lists, see "Creating allowed senders lists" in Chapter 15 - Using keyword filtering.

Cloudmark engine scan—The Cloudmark engine compares the message contents against a database of known spam. For more information about the Cloudmark engine, see Chapter 17 - Antigen Spam Manager overview.

Mailhost filtering scan—Mailhost filtering filters messages from specific IP addresses or from specific server names. Mailhost filtering consists of the following lists:

• RBL servers list—Contains server names and IP addresses that are known to originate spam or are spam open relay hosts. Antigen compares the message sender to the RBL servers list to determine whether the message was sent from a spam server.

• Allowed mailhosts list—Contains server names and IP addresses that are considered safe. Antigen compares the message sender to this list to determine whether the message sender is considered safe. If a message is from a server or IP address in the allowed mailhosts list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.

• Rejected mailhosts list—Contains server names and IP addresses that have been blocked. Antigen compares the message sender to the rejected mailhosts list to determine whether the message sender has been blocked.

For more information about mailhost filtering, see Chapter 14 - Using mailhost filtering.

Content filtering scan—Content filtering includes the following filters:

• Sender-domains filtering—When sender-domain filtering is enabled, Antigen compares the message sender to the senders and domains that are in the sender-domains filter list.

• Subject line filtering—When subject line filtering is enabled, Antigen compares the contents of the message's subject line to the words in the subject line filter list.

For more information about content filtering, see Chapter 13 - Using content filtering.

Keyword filtering scan—When keyword filtering is enabled, Antigen compares the contents of the message to any keyword filter lists that have been created. For more information about keyword filtering, see Chapter 15 - Using keyword filtering.

Attachment scan—If the e-mail message has an attachment, Antigen scans it for worms and viruses:

• Worm purge—The worm purge tool maintains the WormPrge.dat file, which contains a list of known worms. This list is regularly updated and maintained by Antigen. The contents of the message are compared to the list of known worms.

For more information about worm purging, see Chapter 16 - Purging messages infected by worms.

• File filtering—When file filtering is enabled, Antigen compares the contents of the message to the file filter list. The file filter list provides you with the ability to search for attachments with a specific name, type, and size within an e-mail message.

For more information about file filtering, see Chapter 12 - Using file filtering.

• Virus cleaning—Antigen uses multiple virus scan engines to determine whether the attachment contains a virus. For more information about using multiple scan engines, see Chapter 5 - Using multiple scan engines.

Body scan—The body of the message is compared to the worm list that is maintained in the WormPrge.dat file. If no worms are found, Antigen then scans the body of the message for viruses.
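The ordering above matters because two of the tasks are bypasses: a hit on the allowed senders list or the allowed mailhosts list delivers the message and skips every task listed after it, including the attachment and body scans. The following is an added example, not Antigen code, that models the documented order as a short-circuiting pipeline so the bypass behaviour can be observed on constructed messages. Every list in it is a stand-in (the Cloudmark database is modelled as a set of body hashes, WormPrge.dat as a set of attachment names, and the scan engines as byte-string signatures); within mailhost filtering the three lists are checked in the order the overview lists them, which is an assumption about this model rather than a statement about the product.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed model of the scanning order described in this section; not Antigen
# code. Every list is a stand-in for the real filter lists, the Cloudmark
# database, WormPrge.dat and the scan engines' signatures.

@dataclass
class Message:
    sender: str            # envelope sender address
    sending_host: str      # IP address or name of the connecting mailhost
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # list of (file name, bytes)

@dataclass
class Policy:
    allowed_senders: set = field(default_factory=set)      # addresses or domains
    spam_hashes: set = field(default_factory=set)          # stand-in for the Cloudmark database
    rbl_servers: set = field(default_factory=set)
    allowed_mailhosts: set = field(default_factory=set)
    rejected_mailhosts: set = field(default_factory=set)
    sender_domains_filter: set = field(default_factory=set)
    subject_line_filter: set = field(default_factory=set)
    keyword_filter: set = field(default_factory=set)
    worm_list: set = field(default_factory=set)            # stand-in for WormPrge.dat (assumed: attachment names)
    file_filter_names: set = field(default_factory=set)
    virus_signatures: set = field(default_factory=set)     # stand-in for engine signatures (bytes)

def _listed(address, entries):
    """True if the address itself or its domain is in the list."""
    return address.lower() in entries or address.rpartition("@")[2].lower() in entries

def _first_match(text, words):
    """First list entry found in text (case-insensitive), else None."""
    lowered = text.lower()
    return next((w for w in words if w.lower() in lowered), None)

def scan(msg, policy):
    """Apply the documented tasks in order; return (verdict, deciding task).
    The first task that decides ends the scan, which is how the two allowed lists bypass the rest."""
    # 1. Allowed senders scan: a match delivers and skips all later tasks.
    if _listed(msg.sender, policy.allowed_senders):
        return "deliver", "allowed senders"
    # 2. Cloudmark engine scan (stand-in: body hash looked up in known spam).
    if hashlib.sha256(msg.body.encode()).hexdigest() in policy.spam_hashes:
        return "spam", "cloudmark"
    # 3. Mailhost filtering, checked in the order the overview lists the three lists.
    host = msg.sending_host.lower()
    if host in policy.rbl_servers:
        return "reject", "rbl servers"
    if host in policy.allowed_mailhosts:          # second bypass point
        return "deliver", "allowed mailhosts"
    if host in policy.rejected_mailhosts:
        return "reject", "rejected mailhosts"
    # 4. Content filtering: sender-domains, then subject line.
    if _listed(msg.sender, policy.sender_domains_filter):
        return "filtered", "sender-domains filter"
    if _first_match(msg.subject, policy.subject_line_filter):
        return "filtered", "subject line filter"
    # 5. Keyword filtering against the message contents.
    if _first_match(msg.body, policy.keyword_filter):
        return "filtered", "keyword filter"
    # 6. Attachment scan: worm purge, file filter, then the virus engines.
    for name, data in msg.attachments:
        if name.lower() in policy.worm_list:
            return "purged", "worm purge"
        if name.lower() in policy.file_filter_names:
            return "filtered", "file filter"
        if any(sig in data for sig in policy.virus_signatures):
            return "infected", "attachment virus scan"
    # 7. Body scan: worm list first, then the virus engines.
    if _first_match(msg.body, policy.worm_list):
        return "purged", "body worm scan"
    if any(sig in msg.body.encode() for sig in policy.virus_signatures):
        return "infected", "body virus scan"
    return "deliver", "all tasks passed"

def demo():
    """Scan constructed messages against a constructed policy; return {label: (verdict, task)}."""
    p = Policy(allowed_senders={"partner.example"},
               spam_hashes={hashlib.sha256(b"CONSTRUCTED KNOWN SPAM BODY").hexdigest()},
               rbl_servers={"198.51.100.7"}, allowed_mailhosts={"mail.internal.example"},
               rejected_mailhosts={"203.0.113.9"}, sender_domains_filter={"blocked.example"},
               subject_line_filter={"free money"}, keyword_filter={"wire transfer"},
               worm_list={"readme.pif"}, file_filter_names={"invoice.exe"},
               virus_signatures={b"CONSTRUCTED-VIRUS-SIGNATURE"})
    cases = {
        # subject and keyword filters would match, but the sender's domain is on the allowed list
        "allowed sender": Message("bob@partner.example", "203.0.113.9", "free money", "wire transfer now"),
        "known spam": Message("x@other.example", "192.0.2.4", "hi", "CONSTRUCTED KNOWN SPAM BODY"),
        "rbl host": Message("x@other.example", "198.51.100.7", "hi", "hello"),
        # the allowed mailhost bypasses the subject line filter that would otherwise match
        "allowed host": Message("x@other.example", "mail.internal.example", "free money", "hello"),
        "subject filter": Message("x@other.example", "192.0.2.4", "FREE MONEY inside", "hello"),
        "worm attachment": Message("x@other.example", "192.0.2.4", "hi", "hello", [("README.PIF", b"mz")]),
        "infected attachment": Message("x@other.example", "192.0.2.4", "hi", "hello",
                                       [("report.doc", b"..CONSTRUCTED-VIRUS-SIGNATURE..")]),
        "clean": Message("x@other.example", "192.0.2.4", "hi", "hello"),
    }
    return {label: scan(m, p) for label, m in cases.items()}
```

Running `demo()` shows the point of the ordering: the "allowed sender" message is delivered even though its sending host is on the rejected mailhosts list and its subject and body would match filters, and the "allowed host" message is delivered past a matching subject line filter. When populating the allowed lists on a real server, that is the trade-off being made.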

Antigen documentation

The most current Microsoft Antigen for Exchange documentation, including the Microsoft Antigen for Exchange Quick Start Guide, the Microsoft Antigen for Exchange Best Practices Guide, the Microsoft Antigen for Exchange Cluster Installation Guide, and the Microsoft Antigen Spam Manager Best Practices Guide, is available at the Microsoft Antigen TechNet Library.

Chapter 2 - Installing Microsoft Antigen for Exchange

Antigen supports local and remote installations on Microsoft® Exchange Server 2003, Microsoft Exchange 2000 Server, and local installations on active/passive clusters.

Note:

For the procedures necessary to install Antigen for Exchange on a clustered system, see the Microsoft Antigen for Exchange Cluster Installation Guide at the Microsoft Antigen TechNet Library. If your system is configured to run a Network Load Balancer (NLB), there are no special installation procedures for Antigen for Exchange. Simply follow the instructions in this guide for a non-clustered installation.

Important:

Antigen runs in VSAPI mode only. If you are currently running an older version of Antigen in ESE mode, Antigen converts the system to VSAPI mode without confirmation from the user.

In Antigen, you can use setup wizards to install the product to a local Exchange server, to a remote Exchange server, or as an Administrator Only installation to a local workstation. The following information should be gathered prior to installation:

• The user account and password that has sufficient rights to administer the computer that runs Exchange (local and remote installations).

• The server name of the computer running Exchange 2000 or Exchange 2003 (remote installations).

System requirements

The following are the minimum server and workstation requirements for Microsoft Antigen for Exchange.

Note:

All minimum system memory and disk space requirements for Microsoft Exchange 2000/2003 must be met before installing Microsoft Antigen for Exchange.

Minimum server requirements

• Windows® 2000 Server SP4 Update Rollup 1, Windows 2000 Advanced Server SP4 Update Rollup 1, Windows Server 2003, or Windows Small Business Server 2003

Note:

Antigen is supported only on 32-bit environments. If both the Exchange and SharePoint products are installed on the same server, Antigen will only be installed on Exchange.

• Exchange 2000 Server SP1 or Exchange Server 2003

Note:

Antigen is not supported on Exchange 2007.

• 1 gigabyte (GB) of free memory, in addition to that required to run Exchange (512 MB recommended)

Note:

With each additional licensed scan engine, more memory is needed for each scanning process.

• 2 GB of available disk space

• Intel processor, 1 gigahertz (GHz)

• Internet Information Services (IIS) 4.0

• Microsoft Data Access Components (MDAC) 2.7

• Microsoft Jet 4.0 Service Pack 3 (SP3)

• Microsoft XML Core Services (MSXML) 6.0

• .NET Framework 1.1 (required only if you are using Antigen Spam Manager (ASM) Junk Mail folder processing on Exchange 2000)

Minimum workstation requirements

• Windows 2000 Professional, Windows Server 2003, Windows XP, or Windows Vista

• 6 MB of available memory

• 10 MB of available disk space

• Intel processor

Installing Antigen on a local server

To locally install Antigen on an Exchange server, you must log on to the local computer by using an account that has administrator rights. This step is necessary for Setup to perform service registration.

To install Antigen on a local server

1. Run Setup.exe from the folder containing the Antigen installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center.

2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Select Local Installation, and then click Next.

3. If MDAC or Jet is not installed (Exchange 2000 only), Antigen asks if you would like the component installed on the server. Follow the onscreen instructions to complete the installation. After MDAC or Jet has been installed, you must run the installation program again to install Antigen.

4. In the Installation Type dialog box, select Server - Admin console and scanner components, and then click Next.

5. Setup checks to see whether you have the correct version of the Windows Update Agent.

• If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually.

• If you do have the correct version, Setup then checks to see whether Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears where you can enable it.

6. In the Quarantine Security Settings dialog box, select the desired setting, and then click Next. The choices are:

• Secure Mode is the default. When the value is set to this mode, all messages and attachments delivered from Quarantine are rescanned for viruses and filter matches.

• Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.

For more information about this setting, see Chapter 19 - Reporting and statistics overview.

7. In the Engine Updates Required dialog box, read the warning about engine updates and proxy information, and then click Next.

8. In the Choose Destination Location dialog box, either accept the default destination folder for the product or click Browse to select a different one. The default is: Program Files\Microsoft Antigen for Exchange

9. If you are installing Antigen Spam Manager on Exchange 2000, enter the file path to the location where Antigen should create the Junk Mail Folder application. This application is used to create user Junk Mail folders. You need to enter the file path, the Administrator Account, and the Administrator Home Server.

10. In the Select Program Folder dialog box, choose a program folder for Antigen. The default is: Microsoft Antigen for Exchange

11. In the Start Copying Files dialog box, review the data. If any changes need to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

12. After installation is complete, you can start or restart the SMTP services, depending on whether they were stopped or running when the installation began. For a clean installation, the services were probably still running and need to be recycled. If you are reinstalling the product, the services had to be stopped before Antigen could be uninstalled. In the Start SMTP Services dialog box, you can start the SMTP services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the SMTP services have been started or restarted, Antigen cannot scan mail in transport.

13. If the SMTP services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting SMTP Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue.

14. Depending on which services were stopped when the installation began, either the Start Exchange Information Store dialog box or the Start AntigenStore Service dialog box appears. You can start the Information Store services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the services have been started, Antigen cannot scan mail on the Store.

15. Depending on whether the Information Store services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting Exchange Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue.

16. In the InstallShield Wizard Complete dialog box, you can optionally select to View the README file before clicking Finish. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Note:

As in most installations, Setup updates shared Microsoft files on your computer. If you are asked to restart your computer, you do not need to do this immediately, but it may be necessary for certain Antigen features to work correctly.

Installing Antigen on a remote server

To remotely install Antigen on an Exchange server, you must log on to your local computer by using an account that has administrator rights to the remote computer. This step is necessary for Setup to perform service registration. The platforms of both the local computer and remote computer must be the same.

To install Antigen on a remote server

1. Run Setup.exe from the folder containing the Antigen installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center.

2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Select Remote Installation, and then click Next. If Antigen is already installed on the remote Exchange server, this process can automatically stop the Exchange and IIS services, and uninstall Antigen.

3. In the Remote Server Information dialog box, enter the following information, and then click Next. The parameters are:

• Server Name: The name of the computer to which you are installing Antigen.

• Share Directory: The temporary location that the remote installation uses while setting up Antigen. The default is: C$

4. If MDAC or Jet is not installed (Exchange 2000 only), Antigen asks whether you would like the component installed on the remote server. When initiated, the installation of MDAC or Jet proceeds in silent mode.

Note:

If a restart is required after MDAC or Jet is installed, Antigen restarts the server automatically. Once the installation is complete, Antigen continues installing Antigen on the remote server.

5. Setup checks to see whether you have the correct version of the Windows Update Agent.

• If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually.

• If you do have the correct version, Setup then checks to see whether Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears where you can enable it.

6. In the Quarantine Security Settings dialog box, select the desired setting, and then click Next. The choices are:

• Secure Mode is the default and, when the value is set to this mode, all messages and attachments delivered from Quarantine are rescanned for viruses and filter matches.

• Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen identifies these messages by placing special tag text in the subject line of all messages delivered from Quarantine.

For more information about this setting, see Chapter 19 - Reporting and statistics overview.

7. In the Remote Location dialog box, select the Destination Directory and Folder Name, and then click Next to begin installing Antigen.

8. After installation is complete, you can start or restart the SMTP services, depending on whether they were stopped or running when the installation began. For a clean installation, the services were probably still running and need to be recycled. If you are reinstalling the product, the services had to be stopped before Antigen could be uninstalled. In the Start SMTP Services dialog box, you can start the SMTP services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the SMTP services have been started or restarted, Antigen cannot scan mail in transport.

9. If the SMTP services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting SMTP Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue.

10. Depending on which services were stopped when the installation began, the Start Exchange Information Store dialog box or the Start AntigenStore Service dialog box appears. You can start the Information Store services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the services have been started, Antigen cannot scan mail on the Store.

11. If the Information Store services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting Exchange Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue.

12. After you have been informed that the installation was successful, click Next to perform another remote installation, or click Cancel to exit the installation program. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Note:

As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain Antigen features to work correctly.

Administrator-only installation

Performing an administrator-only installation installs the Antigen Administrator onto any Windows workstation or server, which can then be used to centrally manage the Antigen Service running on remote Exchange servers. An administrator-only installation requires approximately 2.5 MB of disk space.

To perform an administrator-only installation

1. Run Setup.exe from the folder containing the Antigen installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center.

2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Choose Local Installation, and then click Next.

3. In the Installation Type dialog box, select Client - Admin console only, and then click Next.

4. Setup checks to see whether you have the correct version of the Windows Update Agent.

• If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually.

• If you do have the correct version, Setup then checks to see whether Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears where you can enable it.

5. In the Choose Destination Location dialog box, either accept the default destination folder for the product, or click Browse to select a different one. The default is:

Program Files\Microsoft Antigen for Exchange

6. In the Select Program Folder dialog box, choose a program folder for Antigen. The default is:

Microsoft Antigen for Exchange

7. In the Start Copying Files dialog box, review the data. If any changes need to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

8. In the InstallShield Wizard Complete dialog box, you can optionally select to View the README file before clicking Finish. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Post-Installation security consideration

When you install Antigen for Exchange, it is configured to allow everyone access to the AntigenService service. To change the security settings to restrict access to AntigenService, you need to use DCOMCNFG to modify the security settings. For more information about securing access to AntigenService, see "Securing the service from unauthorized use" in Chapter 3 - Antigen services overview.

Installing to multiple servers

The Microsoft Antigen Enterprise Manager (AEM) should be used to install Antigen to multiple Exchange servers. For complete installation instructions, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

Uninstalling Antigen

To uninstall Antigen, log on to the computer on which it is installed.

Note:

For information about uninstalling Antigen from a clustered server, see the Microsoft Antigen for Exchange Cluster Installation Guide at the Microsoft Antigen TechNet Library.

To uninstall Antigen for Exchange

1. Ensure that the Antigen Administrator is not running.

2. In Control Panel, open Administrative Tools, and then open Services.

3. Stop the Exchange and IIS services.

4. When all these services have stopped, close the Services dialog box.

5. In Control Panel, open Add or Remove Programs.

6. Remove Microsoft Antigen for Exchange. Click Yes to confirm the deletion.

7. On the Uninstall Complete screen, click Finish.

8. Delete the Microsoft Antigen for Exchange folder in Program Files (or, if you installed to a different folder, delete your installation folder).

9. If you are not planning to reinstall Antigen for Exchange, restart the stopped Exchange services and IIS.

Migrating and upgrading

Microsoft Antigen for Exchange upgrades properly from Antigen 8.0 SR3 only by upgrading all components during the installation process. Scan job and other settings are preserved during the upgrade process.

When you are upgrading Antigen, all scan jobs have their template settings configured to None to prevent users from inadvertently overwriting existing settings. To deploy templates, you need to change this setting on each server to Default or a named template. For more information on configuring scan job template settings, see Chapter 11 - Using templates.

Note:

When upgrading from Antigen 8.0 SR3, you must do an engine update immediately after installing Antigen to ensure that the engines are using the most recent signature files.

After upgrading Antigen, the Microsoft Engine is not scheduled for updates. You must manually set the update schedule for the Microsoft Engine after the upgrade is complete.

When upgrading Antigen on a server where NetIQ AppManager is installed, you first need to disable and shut down NetIQ prior to upgrading Antigen. This is required because the Antigen performance.dll file is registered so that the Performance Monitor monitors it. NetIQ attaches itself to this dynamic-link library (DLL) and does not release it even if the programs that use it are shut down. If this DLL is not released, it is not properly upgraded during the installation.

For information about upgrading clustered servers, see the Microsoft Antigen for Exchange Cluster Installation Guide at the Microsoft Antigen TechNet Library.

Applying Exchange and Antigen service packs and rollups

This section describes how to apply Exchange and Antigen service packs and rollups. For cluster installations, follow the instructions in Installing Antigen on a Cluster in the “Microsoft Antigen for Exchange Cluster Installation Guide”.

To install an Exchange service pack or rollup

1. Disable Antigen using the steps described in Appendix A - Using the Antigen utility.

2. Follow the instructions provided with the specific service pack or rollup that you are installing.

3. After the installation is complete and the Exchange services have been restarted, verify that mail is flowing.

4. Enable Antigen using the steps described in Appendix A - Using the Antigen utility.

Note:

Some Exchange service packs and rollups require you to download and install an Antigen update in order to ensure that Antigen operates correctly. For information and downloads, visit the Microsoft Web site at Microsoft Help and Support.

To install an Antigen service pack or rollup

1. Run the installer by double-clicking the service pack or rollup executable file.

Note:

While the installer is running, the Exchange and Antigen services are stopped, and your mail flow is temporarily halted.

2. After the installation is complete and the Exchange and Antigen services have been restarted (this occurs automatically during the installation), verify that Antigen is working properly.

Note:

Antigen service packs or rollups can also be installed using the FFSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.

Relocating Antigen's data files

Antigen stores program settings as well as scanning activity information, including the Quarantine Area, on the file system. If you want, you can relocate these files at any time after installation.

To relocate data files

1. Stop all Exchange services and any Antigen services that might still be running after Exchange is stopped.

2. Create a folder in the location where you want to move the files.

3. Move all the data files (files with the .adb extension) and the Quarantine and Engines folders.

4. Change the following registry key to reflect the new location: HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange\DatabasePath.

5. Set the security for the new location. Right-click the folder of the new location, and then select Properties. On the Security tab, add a user called “Network Service” with Full Control privileges. This is necessary so that logging is performed for the SMTP Scan Job.

6. Restart the Exchange services.
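The six steps above as a single PowerShell script. This is an added example, not a procedure from the Antigen guide. It reads the current data location from the DatabasePath value under the registry key the guide names, and it assumes two things the page does not state: that the Exchange 2003 store and SMTP services are the Windows services MSExchangeIS and SMTPSVC, and that every Antigen service name begins with Antigen. The destination folder D:\AntigenData is a constructed example.

```powershell
# Added example (not from the Antigen guide): relocate the Antigen data files.
# Assumptions: Exchange 2003 store/SMTP service names MSExchangeIS and SMTPSVC
# (not stated on the page); Antigen service names begin with 'Antigen';
# D:\AntigenData is a constructed target location.
$regKey  = 'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange'   # key named in the guide
$newPath = 'D:\AntigenData'                                         # constructed

# The current data location is whatever DatabasePath points to now.
$oldPath = (Get-ItemProperty -Path $regKey).DatabasePath
if (-not (Test-Path $oldPath)) { throw "Current DatabasePath '$oldPath' does not exist." }

# 1. Stop the Exchange services, then any Antigen service still running.
#    -Force also stops dependent services registered on this server.
foreach ($svc in 'MSExchangeIS', 'SMTPSVC') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
}
Get-Service -Name 'Antigen*' | Where-Object { $_.Status -ne 'Stopped' } | Stop-Service -Force

# 2. Create the destination folder.
New-Item -ItemType Directory -Path $newPath -Force | Out-Null

# 3. Move the .adb data files and the Quarantine and Engines folders.
Move-Item -Path (Join-Path $oldPath '*.adb') -Destination $newPath
foreach ($dir in 'Quarantine', 'Engines') {
    $src = Join-Path $oldPath $dir
    if (Test-Path $src) { Move-Item -Path $src -Destination $newPath }
}

# 4. Point DatabasePath at the new location.
Set-ItemProperty -Path $regKey -Name 'DatabasePath' -Value $newPath

# 5. Give Network Service Full Control; (OI)(CI) inherits the grant to files and
#    subfolders. Without it the SMTP Scan Job cannot write its logs (guide, step 5).
icacls $newPath /grant 'NETWORK SERVICE:(OI)(CI)F' | Out-Null

# 6. Restart Exchange; the Antigen services start with the store and SMTP stack.
Start-Service -Name 'MSExchangeIS'
Start-Service -Name 'SMTPSVC'

# Confirm the key now points at the new folder.
(Get-ItemProperty -Path $regKey).DatabasePath
```

Run it from an elevated PowerShell prompt on the Exchange server. Reading DatabasePath rather than hard-coding the installation folder keeps the script correct on a server where the files were already relocated once.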

Using the evaluation version

Microsoft provides a fully functional version of Antigen for Exchange for a 30-day evaluation. After 30 days, the evaluation version of Antigen continues to operate and report detected files. However, it no longer cleans, deletes, or purges files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the Allowed Sender lists are disabled, and scan engines no longer update.

Note:

To purchase a subscription build of Antigen, contact Microsoft Sales.

Product licensing information

After you have installed a subscription build of Antigen, you can enter licensing information (which can also be obtained from Microsoft Sales).

These are the reasons to license your product:

• You can align the date that your product expires with the date of your license agreement (otherwise, the expiration is three years from the installation date).

• You can easily renew your license by entering a new expiration date.

To license Antigen, select Product License from the Help menu. The Product License Agreement and Expiration dialog box appears.

Enter your 7-digit License Agreement Number, and then enter an Expiration Date. You should enter a date that corresponds to the expiration of your license agreement. This coordinates the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product License Agreement and Expiration dialog box.

Chapter 3 - Antigen services overview

The Antigen services are the components that run on the Microsoft® Exchange Server and control all back-end functionality of Antigen. The services process requests from the Antigen Administrator, control the scanning processes, generate e-mail notifications, and store virus incidents data-to-disk (which can be viewed by using the Antigen Administrator). When an Administrator-Only installation of Antigen is performed, the Antigen Services are not installed.

About services

The following sections describe the services used by Antigen for Exchange.

AntigenService service

The AntigenService service acts as the server component that the Antigen Administrator connects to for configuration and monitoring. AntigenService coordinates all Realtime, Manual, and SMTP scanning activities. The AntigenService startup type defaults to Manual and should not be changed. After being installed, the AntigenService becomes a dependency on the AntigenStore and AntigenIMC services. Due to other dependencies, whenever the Exchange Information Store service is started or stopped, the same action will occur with AntigenService. The Task Scheduler service becomes a dependency of AntigenService and must be operating properly in order for AntigenService to initialize.

There is no benefit from starting or stopping AntigenService independently of the Exchange services.

On Exchange 2000/2003, AntigenService runs under the Local System account.

Important:

If the AntigenService or AntigenMonitor is disabled, e-mail will continue to be processed without being scanned for viruses or spam.

AntigenMonitor service

The AntigenMonitor service monitors the Exchange Information Store, the SMTP stack, and Antigen processes to ensure that Antigen provides continuous protection for your messaging environment.

Note:

The AntigenMonitor must run under the Local System account on Exchange 2000/2003. If it is changed to run under a different account, Antigen might not start.

AntigenStore service

The AntigenStore service ensures that Antigen initializes properly with the Information Store. AntigenStore becomes a dependency on the Microsoft Information Store. AntigenStore starts and stops with the Information Store.

AntigenIMC service

The AntigenIMC service connects to the SMTP stack to ensure that messages are scanned by the AntigenInternet process. AntigenIMC becomes a dependency on the Exchange SMTP service on Exchange 2000/2003.

AntigenRealtime service

The AntigenRealtime service provides immediate scanning of e-mail that is sent or received by the Mailboxes and Public Folders resident on the Exchange server.

AntigenInternet service

The AntigenInternet service ensures that all messages that pass through the Exchange SMTP stack are scanned prior to delivery.

AntigenStatisticsService service

The AntigenStatisticsService service logs scanning statistics for all Antigen scan jobs. This information is then available for retrieval by the Microsoft Antigen Enterprise Manager.

AntigenStoreEvent service

The AntigenStoreEvent service handles Junk Mail when the ASM Junk Mail folders are enabled.

Disabling the Antigen scan jobs

The Antigen scan jobs can be disabled by using the Enable Antigen for Exchange Scan option in the General Options pane. This selection box provides the following options:

• Disable All

• Enable Store Scanning

• Enable Internet Scanning

• Enable All

To disable scanning, select Disable All and then click Save. The Antigen services must be recycled for the change to take effect.

Recycling the Antigen services

The Services Control Manager is used to recycle the Antigen services.

To recycle the services

1. Stop all Antigen services. (For details, see Disabling the Antigen services.)

2. Wait for all services to finish shutting down.

3. Use Task Manager to make sure that no Antigen processes are still running.

4. Start all Antigen services.

Warning:

While the Antigen services are unavailable, e-mail will continue to be processed, but will not be scanned for viruses or spam.
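The recycle procedure above, including the Task Manager check, as an added PowerShell example (not code from the Antigen guide). It assumes, as the page does not state, that the Windows service names and the process image names both begin with Antigen (the guide names the services AntigenService, AntigenMonitor, AntigenStore, and so on).

```powershell
# Added example (not from the guide): recycle the Antigen services with the
# checks the procedure calls for. Assumption: service names and process image
# names start with 'Antigen'.
function Restart-AntigenServices {
    param([int]$TimeoutSeconds = 120)

    $services = Get-Service -Name 'Antigen*'
    if (-not $services) { throw 'No Antigen services found on this computer.' }

    # 1-2. Stop every Antigen service and wait for each to report Stopped.
    #      -Force also stops dependent services registered on this server.
    $services | Where-Object { $_.Status -ne 'Stopped' } | Stop-Service -Force
    foreach ($svc in $services) {
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }

    # 3. The Task Manager step: make sure no Antigen process is left behind.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Process -Name 'Antigen*' -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 2
    }
    $leftover = Get-Process -Name 'Antigen*' -ErrorAction SilentlyContinue
    if ($leftover) {
        throw "Antigen processes still running: $($leftover.Name -join ', ')"
    }

    # 4. Start the services again. A Manual start type (the guide's default for
    #    AntigenService) does not prevent an explicit Start-Service.
    foreach ($svc in $services) { Start-Service -Name $svc.Name }
    Get-Service -Name 'Antigen*' | Format-Table Name, Status -AutoSize
}

Restart-AntigenServices
```

The script throws rather than starting services if an Antigen process survives the shutdown, which is the case the manual Task Manager check is meant to catch; mail continues to flow unscanned for the whole window, so keep the timeout short.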

Securing the service from unauthorized use

The AntigenService utilizes Distributed COM (DCOM) to launch and authenticate Antigen Administrator connections. You can build an access list of authorized users who can connect to the AntigenService by using the Antigen Administrator.

To build an access list of authorized users

1. Open a Command Prompt window.

2. Type DCOMCNFG, and then press ENTER. The Component Services dialog box appears.

3. In the Console Root section, expand Component Services.

4. Expand Computers.

5. Expand My Computer.

6. Expand DCOM Config.

7. Right-click AntigenService, and then select Properties. The AntigenServices Properties dialog box opens.

8. Click the Identity tab, and then configure your user accounts.

9. Click the Security tab, and then use the permissions lists to control which user accounts have rights to launch the AntigenService, access the AntigenService, or change the DCOM configuration.

10. Click OK to exit the AntigenServices Properties dialog box.
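A way to verify the result of the DCOMCNFG steps above without opening the dialog box: the following added PowerShell example (not code from the Antigen guide) reads the Launch/Activation and Access permissions of the AntigenService DCOM application through WMI and warns if Everyone or Anonymous Logon still holds an Allow entry, which is the post-installation default the Post-Installation security consideration section describes. It assumes the DCOM application is registered under the name AntigenService, the name the guide shows under DCOM Config; adjust the pattern if it differs on your server.

```powershell
# Added example (not from the guide): audit who holds DCOM Launch/Activation and
# Access permission on AntigenService after tightening it with DCOMCNFG.
# Assumption: the DCOM application name matches 'AntigenService*'.
function Get-AntigenDcomAces {
    param([string]$AppNamePattern = 'AntigenService*')

    $app = Get-WmiObject -Class Win32_DCOMApplication |
        Where-Object { $_.Name -like $AppNamePattern } |
        Select-Object -First 1
    if (-not $app) { throw "No DCOM application matching '$AppNamePattern' was found." }

    $setting = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppID='$($app.AppID)'"

    # Each call returns a Win32_SecurityDescriptor whose DACL is an array of
    # Win32_ACE objects. A null descriptor means the machine-wide default applies.
    $launch = $setting.GetLaunchSecurityDescriptor().Descriptor
    $access = $setting.GetAccessSecurityDescriptor().Descriptor

    foreach ($entry in @(@('Launch/Activation', $launch), @('Access', $access))) {
        $kind, $sd = $entry
        if (-not $sd) {
            [pscustomobject]@{ Permission = $kind; Trustee = '(machine-wide default)'; Type = ''; AccessMask = 0 }
            continue
        }
        foreach ($ace in $sd.DACL) {
            $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            [pscustomobject]@{
                Permission = $kind
                Trustee    = ($ace.Trustee.Domain, $ace.Trustee.Name -join '\').TrimStart('\')
                Type       = $type
                AccessMask = $ace.AccessMask
            }
        }
    }
}

$aces = Get-AntigenDcomAces
$aces | Format-Table -AutoSize

# Flag the broad principals that should no longer appear once an access list
# of named administrators is in place.
$broad = $aces | Where-Object { $_.Type -eq 'Allow' -and $_.Trustee -match '^(Everyone|NT AUTHORITY\\ANONYMOUS LOGON)$' }
if ($broad) { Write-Warning "Broad DCOM grants still present on AntigenService:`n$($broad | Out-String)" }
```

The script only reads the descriptors; changing them stays with DCOMCNFG as the guide describes. Run it on each Exchange server after editing the permissions, and again as part of routine checks, since a reinstall resets the DCOM security to the open default.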

Chapter 4 - Using the Antigen Administrator

The Antigen Administrator is used by the administrator to configure and run Antigen locally or remotely. For the Administrator to launch successfully, the AntigenService service and the Microsoft® Exchange Server must be running on the computer to which the Administrator is connecting. Because the Administrator is the front end of the Antigen software, it can be launched and closed without affecting the back-end processes that are performed by the Antigen Services. The Antigen Administrator can also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who might need to view information provided through the user interface.

Enabling the Antigen Administrator

Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use the Antigen Administrator on those operating systems, you must first enable the Administrator.

To enable the Antigen Administrator to run on Microsoft Windows XP SP2

1. Click Start, click Run, and then enter dcomcnfg.

2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and then click Properties.

3. On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.

4. Add the AntigenClient application to the Windows Firewall Exceptions list, as follows:

a. In Control Panel, click Windows Firewall.

b. In the Windows Firewall dialog box, click the Exceptions tab.

c. Click Add Program, select AntigenClient from the list, and then click OK. This adds the Antigen Administrator to the Programs and Services list.

d. In the Programs and Services list, select the AntigenClient.

e. Click Add Port, enter a name for the port, and enter 135 for the port number.

f. Select TCP as the protocol, and then click OK.

Note:

If you are concerned about opening port 135 to all computers, you can opt for the port to open only for the servers running Antigen. When you add port 135, click Change Scope, and then select Custom List. Enter the IP addresses of all the Antigen servers that should be allowed access through port 135.
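The firewall part of the procedure (step 4 and the Note above) from the command line, as an added example that is not from the Antigen guide. It uses the legacy netsh firewall context that Windows XP SP2 and Windows Server 2003 SP2 ship with, and applies the Note's advice directly: both exceptions are scoped to the listed Antigen servers instead of all computers. The executable path is the guide's default installation folder plus antigenclient.exe; the IP addresses are constructed placeholders.

```powershell
# Added example (not from the guide): Windows XP SP2 / Server 2003 SP2 firewall
# exceptions for the Antigen Administrator, scoped to the Antigen servers only,
# using the legacy 'netsh firewall' context. Path is the guide's default;
# the addresses are constructed placeholders.
$clientExe      = 'C:\Program Files\Microsoft Antigen for Exchange\antigenclient.exe'
$antigenServers = '192.0.2.10,192.0.2.11'   # constructed: replace with your Antigen servers

# Program exception for the Administrator (the guide's step 4c).
& netsh firewall add allowedprogram "program=$clientExe" "name=Antigen Administrator" mode=ENABLE scope=CUSTOM "addresses=$antigenServers"

# TCP 135, the DCOM/RPC endpoint mapper (steps 4e-4f), limited to the same
# hosts rather than all computers (the Note's Change Scope / Custom List).
& netsh firewall add portopening protocol=TCP port=135 "name=DCOM RPC for Antigen" mode=ENABLE scope=CUSTOM "addresses=$antigenServers"

# Review what is now open and to whom.
& netsh firewall show allowedprogram
& netsh firewall show portopening
```

The two netsh lines are the same ones you would type at a cmd.exe prompt on a workstation without PowerShell; the show commands print the scope column, so you can confirm that neither exception reads "All" before handing the workstation to an administrator.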

To enable the Antigen Administrator to run on Microsoft Windows Server 2003 SP2

1. Click Start, click Run, and then type dcomcnfg.

2. In Component Services, at the console root, expand Component Services, expand Computers, right-click My Computer, click Properties, and then click the COM Security tab.

3. Under Access Permissions, click Edit Limits.

4. In the Access Permission dialog box, add the Anonymous Logon account, and then select the Allow check box for Remote Access for the Anonymous Logon user.

Running the Antigen Administrator

To run the Antigen Administrator, on the Start menu, point to All Programs, point to Microsoft Antigen for Exchange, and then click Antigen Administrator. You can also launch it from a command prompt.

To launch the Antigen Administrator from a command prompt

1. Open a Command Prompt window.

2. Navigate to the Antigen installation directory. The default is:

\Program Files\Microsoft Antigen for Exchange

3. Type antigenclient.exe, and then press Enter.

Connecting to a server

The first time that the Administrator is launched, it will prompt you to connect to the Exchange server running on the local computer. You can use the server name or local alias to connect to the local Exchange server.

The Administrator can also be connected to a remote Exchange server running Antigen. This enables an administrator to use one installation of the Administrator to configure and control Antigen throughout the network. To connect to a remote server, at the Server prompt box, click the Browse button or enter the server name, IP Address, or Domain Name System (DNS) name of the remote computer.

Notes:

Due to enhanced security settings in Windows 2003 SP1, DCOM settings may need to be updated when Antigen is installed on a Windows 2003 SP1 server to allow remote access. Remote administrators must have privileges enabled for both remote launch and remote activation.

Because the Antigen installation includes the installation folder for both administrator-only installations and for the full product installation on the access control list (ACL), a remote administrator must have access to the local installation folder and registry key, as well as access to the server to which it is connecting.

If you are having problems connecting the Antigen Administrator to the Exchange server, try using the PING command to test for server availability. If the server is available, make sure that no other Antigen Administrators are currently connected to the server.

Connecting to a different server

To connect to a different server when already connected to Antigen, select Open from the Antigen Administrator File menu. The Connect to Server dialog box appears. Enter the name of another server running Antigen, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Antigen Administrator dialog box to quickly reconnect to a server.

Running in read-only mode

The Antigen Administrator can be run in a read-only mode. To do so, the administrator will need to modify the NTFS permissions on the Antigen Database directory to allow modify access to only those users with permission to change Antigen settings. By default, the installation directory is:

Program Files\Microsoft Antigen for Exchange

To ensure proper configuration, you must first remove modify access for all users, and then set modify access only for users who are allowed to change settings in Antigen. When a user without modify access opens the UI, the UI will display ReadOnly at the top of the pane and will not allow any configuration changes.

Note:

The System Account and Exchange Service Account must have full control of the Antigen for Exchange folder, or Antigen will not run properly.
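The NTFS change described above, done with icacls, as an added PowerShell example that is not from the Antigen guide. It removes Modify from the broad groups and grants it only to a designated group, while keeping the Full Control entries the Note requires. The folder is the guide's default installation directory; the group CONTOSO\Antigen Admins and the Exchange service account CONTOSO\svc-exchange are constructed names, and the two broad groups are an assumption about which principals currently hold Modify on your folder.

```powershell
# Added example (not from the guide): put the Antigen Administrator into
# read-only mode for everyone except a designated admin group by adjusting the
# NTFS ACL on the Antigen folder. Group/account names are constructed;
# the broad principals are assumed, check with: icacls $antigenDir
$antigenDir  = 'C:\Program Files\Microsoft Antigen for Exchange'   # guide's default
$adminGroup  = 'CONTOSO\Antigen Admins'                            # constructed
$exchangeSvc = 'CONTOSO\svc-exchange'                              # constructed

# Step 1 of the guide: remove Modify from all users first. Replacing the broad
# groups' entries with Read & Execute keeps the UI openable in read-only mode.
foreach ($principal in 'BUILTIN\Users', 'Authenticated Users') {
    icacls $antigenDir /remove:g $principal /T /C | Out-Null
    icacls $antigenDir /grant "${principal}:(OI)(CI)RX" /T /C | Out-Null
}

# Step 2: Modify only for the users allowed to change Antigen settings.
icacls $antigenDir /grant "${adminGroup}:(OI)(CI)M" /T /C | Out-Null

# The Note: SYSTEM and the Exchange service account keep Full Control,
# or Antigen will not run properly.
icacls $antigenDir /grant 'SYSTEM:(OI)(CI)F' /T /C | Out-Null
icacls $antigenDir /grant "${exchangeSvc}:(OI)(CI)F" /T /C | Out-Null

# Show the resulting ACL for review before anyone opens the UI.
icacls $antigenDir
```

After the change, open the Antigen Administrator as a member of the broad groups and confirm that ReadOnly appears at the top of the pane; if it does not, run the icacls listing again and look for an inherited Modify entry that /remove:g (which only removes explicit entries) left in place.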

Antigen Administrator overview

The Antigen Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right, as shown in the following image:

[Screenshot: the Antigen Administrator, with the Shuttle Navigator on the left and the work panes on the right]

The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

|Area |Description |
|SETTINGS |The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, General Options, and the Anti-Spam Job when the Antigen Spam Manager is enabled. |
|FILTERING |The FILTERING area enables you to configure content filtering, file filtering, mailhost filtering, keyword filtering, allowed senders lists, and filter lists. |
|OPERATE |The OPERATE area enables you to control virus scanning, spam scanning, and filter options, schedule and run scan jobs, and perform quick scans. |
|REPORT |The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files. |

General Options

General Options, accessed from the SETTINGS shuttle, provide access to a variety of system level settings for Antigen. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Antigen Enabled, Internet Process Count, and Realtime Process Count require that the Antigen services be restarted for the change to take effect.

Although there are many options that can be controlled through the General Options pane, each of them has a default (Enabled, Disabled, or a value), which is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time.

To access the General Options pane, click General Options in the SETTINGS area of the Shuttle Navigator. The General Options pane opens.

The General Options pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, VSAPI, and Microsoft Exchange Server 2003 UCE Settings.

Note:

Although the Exchange 2003 UCE Settings are always visible, they are only enabled when the Antigen Spam Manager is installed on Exchange Server 2003.

Diagnostics section

The following table lists and describes the settings in the Diagnostics section of General Options.

|Setting |Description |
|Additional Internet |Logs every file that is scanned by the Internet scanner. |
|Additional Realtime |Logs every file that is scanned by the Realtime scanner. |
|Additional Manual |Logs every file that is scanned by the Manual scanner. |
|Notify on Startup |When checked, Antigen will send a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet Scanner starts. |
|Archive SMTP Mail |Enables administrators to archive inbound and outbound SMTP e-mail (Microsoft Exchange 2000 Server and Exchange Server 2003) in two folders (named In and Out) that are located in the Antigen installation folder. Each message will be given a file name that consists of the year, day, month, time, and a three-digit number. For example: 20022009102005020.eml. Administrators have the following options for archiving: No Archive (no mail is archived); Archive Before Scan (messages are archived prior to scanning); Archive After Scan (messages are archived after scanning); Archive Before And After Scan (messages are archived before and after scanning). These options are provided to help administrators and Antigen support engineers diagnose and isolate problems that users may be experiencing. |
|Critical Notification List |Enter the e-mail addresses of administrators and others who should be notified in the event that the Exchange Store starts and Antigen is not hooked in or if the Antigen Store shuts down abnormally. Multiple e-mail addresses should be separated by semicolons. Example: admin@;admin2@. |

Logging section

The following table lists and describes the settings in the Logging section of General Options.

|Setting |Description |
|Enable Event Log |Enables logging of Antigen events to the event log. |
|Enable Antigen Program Log |Enables the Antigen program log (ProgramLog.txt). The Antigen services must be restarted for a change to this value to take effect. |
|Enable Performance Monitor and Statistics |Enables logging of Antigen performance statistics to the Performance Monitor. |
|Enable Antigen Virus Log |Enables the Antigen Virus Log (VirusLog.txt). |
|Enable Incidents Logging - Realtime |Enables or disables incident logging for the Realtime Scan Job. |
|Enable Incidents Logging - Manual |Enables or disables incident logging for the Manual Scan Job. |
|Enable Incidents Logging - Internet |Enables or disables incident logging for the Internet Scan Job. You can select from the following options: Enable all incident logging; Disable all incident logging; Disable Spam/RBL incident logging (only Spam/RBL logging will be disabled; other incidents will still be logged). |
|Max Program Log Size |Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. The default is 25600 KB. A value of 0 indicates that there is no limit to the maximum size. |

For more information on the log files and the Performance Monitor, see Chapter 19 - Reporting and statistics overview.

Scanner Updates section

The following table lists and describes the settings in the Scanner Updates section of General Options.

|Setting |Description |
|Redistribution Server |When this option is enabled, the two most recent engine update packages are saved in the engine package folder instead of the usual single engine package. Antigen will also download the full update package rather than perform an incremental update. The multiple engine packages enable the spoke servers to continue pulling updates from the redistribution server while a new update is being downloaded. |
|Perform Updates at Startup |Configures Antigen to automatically perform engine updates every time Antigen is started. |
|Send Update Notification |Configures Antigen to send a notification to the Virus Administrator each time a scan engine is updated. |
|Use Proxy Settings |Configures Antigen to use proxy settings when retrieving antivirus scanner updates. The use of a proxy server to retrieve updates is optional. |
|Use UNC Credentials |Configures Antigen to use Universal Naming Convention (UNC) credentials when retrieving scanner updates from a file share. The use of a UNC path to retrieve updates is optional. Note: Credentials are not supported if you are using the Antigen Enterprise Manager for redistribution. Be sure to clear this setting if you are using the AEM to manage antivirus engine updates. |
|Proxy Server Name/IP Address |Name or IP address of the proxy server Antigen should use when retrieving antivirus scanner updates. Required, if using proxy settings. |
|Proxy Port |Port number for the proxy server. |
|Proxy Username |Name of a user with access rights to the proxy server, if necessary. Optional field. |
|Proxy Password |Password for the proxy user name, if necessary. Optional field. |
|UNC Username |Name of a user with access rights to the UNC path, if necessary. Optional field. |
|UNC Password |Password for the UNC user name, if necessary. Optional field. |

For more information on updating the scan engines, see Chapter 20 - File scanner updating overview.

Scanning section

The following table lists and describes the settings in the Scanning section of General Options.

|Setting |Description |
|Body Scanning - Manual |Enable message body scanning for the Manual Scan Job. |
|Body Scanning - Realtime |Enable message body scanning for the Realtime Scan Job. |
|Delete Corrupted Compressed Files |Specifies whether corrupted compressed files will be deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or it could be that the file exceeds the size limit configured for Antigen. When a corrupted compressed file is detected, Antigen reports it as a CorruptedCompressedFile virus. This option is enabled by default. Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles to override quarantining for these file types. The DWORD setting must be created and its value set to 0. Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types: UnwritableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners due to the corrupt nature of the file. UnReadableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive. |
|Delete Corrupted Uuencode Files |Specifies whether corrupted Uuencoded files will be deleted. Typically, a Uuencoded file that Antigen is unable to parse is considered corrupted. When a corrupted compressed file is detected, Antigen will report it as a CorruptedCompressedUuencodeFile virus. This option is enabled by default. |
|Delete Encrypted Compressed Files |Specifies whether encrypted compressed files with at least one encrypted item within their contents are deleted. (Encrypted files cannot be scanned by antivirus scan engines.) When an encrypted compressed file is detected, Antigen will report it as an EncryptedCompressedFile virus. This option is disabled by default. |
|Treat high compression ZIP files as corrupted compressed |Specifies whether ZIP archives containing highly-compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message will be delivered. If a threat can be cleaned, the message will be delivered. If a threat cannot be cleaned, the message will be deleted. If the file is compressed with an unknown algorithm, it will always be treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files will be treated as corrupted compressed). |
|Treat multipart RAR archives as corrupted compressed |A file within a RAR archive can be compressed across multiple files or parts, thereby allowing large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed. Disabling this option enables you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default. If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, |

| |only the RAR archive as a whole is passed to the virus engines to be|

| |scanned. If no threat is found when the archive is scanned, the |

| |message will be delivered. If a threat is found and can be cleaned, |

| |the message will be delivered. If a threat is found and cannot be |

| |cleaned, the message will be deleted. |

| |[pic]Note: |

| |If you are using multipart RAR to compress files that exceed 100MB |

| |when uncompressed, you should be aware of the registry value |

| |MaxUncompressedFileSize. For more information, see Appendix B - |

| |Setting registry values. |

|Treat concatenated gzips as corrupted compressed |Multiple Gnu zip (gzip) files can be concatenated into a single |

| |file. Although Antigen recognizes concatenated gzips, it may not |

| |recognize individual files split across concatenated gzips. |

| |Therefore, Antigen treats concatenated gzips as corrupted compressed|

| |by default. In combination with the Delete Corrupted Compressed |

| |Files option, this default behavior prevents all concatenated gzips |

| |from passing through, thereby preventing potential infections. |

| |Disabling the treat concatenated gzips as corrupted compressed |

| |option enables you to receive concatenated gzips. However, in this |

| |case, a virus may escape detection. |

|Scan Doc Files as Containers - Manual |Specifies that the Manual Scan Job should scan .doc files and any |

| |other files that use structured storage and the OLE embedded data |

| |format (for example, .xls, .ppt, or .shs) as container files. This |

| |ensures that any embedded files are scanned as potential virus |

| |carriers. This setting does not apply to Office 2007 (OpenXML) |

| |files; they are always scanned as containers. For more information |

| |about OpenXML files, see Appendix E - File types list overview. |

| |Disabled by default. |

|Scan Doc Files as Containers - Internet |Specifies that the Internet Scan Job should scan .doc files and any |

| |other files that use structured storage files and the OLE embedded |

| |data format (for example, .xls, .ppt, or .shs) as container files. |

| |This ensures that any files embedded in the file are scanned as |

| |potential virus carriers. This setting does not apply to Office 2007|

| |(OpenXML) files; they are always scanned as containers. For more |

| |information about OpenXML files, see Appendix E - File types list |

| |overview. Disabled by default. |

|Scan Doc Files as Containers - Realtime |Specifies that the Realtime Scan Job should scan .doc files and any |

| |other files that use structured storage files and the OLE embedded |

| |data format (for example, .xls, .ppt, or .shs) as container files. |

| |This ensures that any files embedded in the file are scanned as |

| |potential virus carriers. This setting does not apply to Office 2007|

| |(OpenXML) files; they are always scanned as containers. For more |

| |information about OpenXML files, see Appendix E - File types list |

| |overview. Disabled by default. |

|Skip Content Filtering for Allowed Mailhosts |This setting allows Antigen to skip Content Filtering for SMTP |

| |messages when every public Mailhost in the Received MIME header |

| |field—up to the number specified in the Maximum Allowed Mailhosts |

| |Lookups General Options setting—is listed in an enabled Allowed |

| |Mailhost list. For more information, see Chapter 14 - Using mailhost|

| |filtering. |

|Case Sensitive Keyword Filtering |This setting makes all keyword filters case sensitive. When this |

| |setting is cleared, all keyword filters are case insensitive. |

|Fix Bare CR or LF in Mime Headers |This setting is intended to correct a discrepancy between the MIME |

| |header parsing method used by Outlook and Outlook Express and the |

| |RFC822 spec on how bare CR (0x0d) and bare LF (0x0a) are handled in |

| |MIME headers. MIME messages can be formed that allow Outlook and |

| |Outlook Express to improperly detect attachments in the MIME headers|

| |that are not scanned. |

| |When checked, Antigen will modify any bare carriage return (CR) or |

| |bare line feed (LF) found in the MIME headers to the CRLF |

| |combination, which removes the discrepancy in parsing methods. |

| |For more information about this setting, see “Exchange cannot |

| |deliver e-mail messages to certain domains after you configure an |

| |e-mail disclaimer” in Chapter 21 - Troubleshooting overview. |

|Add Disclaimers to Clear Signed Messages |When this option is selected, Antigen will add disclaimers—if |

| |disclaimers are enabled—to Clear Signed Messages. If you do not want|

| |disclaimers appended to Clear Signed Messages, clear this option. A |

| |Clear Signed Message is a message that contains a digital signature |

| |and is in a readable state. If the message is modified by the |

| |addition of a disclaimer, however, the digital signature will be |

| |invalid. When a user receives the message they will be told that the|

| |digital signature is invalid. This option is enabled by default. |

|Enable Junk Mail Folders |This setting is used to create the ASM Junk Mail folders for each |

| |Outlook mailbox when the ASM is installed on Exchange 2000. When |

| |this option is selected and saved, the Junk Mail Folder creation |

| |cycle begins immediately. The creation cycle runs again every day at|

| |2:00 am in order to create folders for any new mailboxes that have |

| |been added. For more information about the ASM Junk Mail Folders, |

| |see Chapter 17 - Antigen Spam Manager overview. |

| |Note   Junk Mail folders require certain prerequisites. If any are |

| |missing, the following grayed out option will be displayed: |

| |“Requirements for Junk folder option: W3SVC started, IIS and junk |

| |mail web folder installed, .NET installed for 200x.” W3SVC is the |

| |World Wide Web Publishing Service, which must be started. IIS must |

| |be installed and started. The Junk Mail homepage that is created by |

| |Antigen during the installation when the ASM is licensed must exist.|

| |For Exchange 2000, .NET Framework also must be installed. If any |

| |requirements are missing, they must be installed and started before |

| |Junk Mail folders can be enabled. |

|Purge Message if Message Body Deleted - Internet |Some messages carry viruses in the body of the message file. When |

| |all or part of the message body is deleted to remove a virus, |

| |Antigen inserts deletion text in its place. If administrators do not|

| |want e-mail users receiving cleaned messages that contain deletion |

| |text, they can use this setting to purge messages where all or part |

| |of the message body has been deleted by Antigen and there are no |

| |attachments. Note that if a message contains both HTML and plain |

| |text and the HTML is deleted, the message will be purged if this |

| |option is checked. |

|Enable Antigen for Exchange Scan |This setting enables Administrators to enable or disable all or |

| |selected Antigen jobs. The options are: Disable All, Enable Store |

| |Scanning, Enable Internet Scanning, and Enable All. The default |

| |value is Enable All. After changing this setting, the Antigen |

| |services must be recycled. For more information on recycling the |

| |services, see “Recycling the Antigen services” in Chapter 3 - |

| |Antigen services overview. |

|Internet Process Count |This setting is used to change the number of Internet processes that|

| |are used by Antigen. The default value is 2. You can create up to 10|

| |Internet processes. After changing this setting, the Antigen |

| |services must be recycled. For more information about this setting, |

| |see Chapter 8 - Configuring SMTP Scan Jobs. |

|Realtime Process Count |This setting is used to change the number of Realtime processes that|

| |are used by Antigen. The default value is 2. You may create up to 4 |

| |Realtime processes. After changing this setting, the Antigen |

| |services must be recycled. For more information about this setting, |

| |see Chapter 7 - Configuring Realtime Scan Jobs. |

|Antigen Manual Priority |This setting enables administrators to set the CPU priority of |

| |Manual Scan Jobs to Normal, Below Normal, or Low to allow more |

| |important jobs to take precedence over Manual Scan Jobs when demands|

| |on server resources are high. The default value is Normal. |

|Engine Error Action |Sets the action that Antigen should take if a scan engine error |

| |occurs. (Examples include an engine exception, excessive read/write |

| |operations, a virus found without a virus name, multiple engine |

| |errors, and any other failure code returned by an engine.) The |

| |options are: Ignore, which will log the error to the program log; |

| |Skip, which will log the error to the program log and display an |

| |EngineError entry with the state Detected in the UI; and Delete, |

| |which will log the error to the program log, delete the file that |

| |caused the error, and display an EngineError entry with the state |

| |Removed in the UI. The file that caused the engine error will always|

| |be quarantined. The default value is Delete. |

|Illegal MIME Header Action - Internet |If Antigen encounters an illegal MIME header during a scan, it can |

| |be enabled to Purge: eliminate message (the default) or set to |

| |Ignore the message. Illegal MIME headers are headers that have |

| |multiple Content-Type, Content-Transfer Encoding, or |

| |Content-Disposition headers containing conflicting data. Messages |

| |where the Content-Disposition or Content-Type header is longer than |

| |it is supposed to be, and messages that contain multiple subject |

| |lines, are also identified as illegal MIME headers. Identified |

| |messages will be quarantined by default. If you do not want |

| |identified messages to be quarantined, create a new registry DWORD |

| |value named DisableQuarantineForIllegalMimeHeader and set it to 1 to|

| |override quarantining. |

|Internet Scan Timeout Action |Indicates what to do in the event that the Internet/SMTP Scan Job |

| |times out while scanning a file. The options are: Ignore, Skip, and |

| |Delete. The Ignore setting will let the file pass without being |

| |scanned. The Skip setting will report in the Incidents log and |

| |Program log that the file exceeded the scan time and let it pass |

| |without being scanned. The Delete setting will also report the event|

| |and replace the contents of the file with the deletion text. A copy |

| |of the file will be stored in the Quarantine database if |

| |quarantining is enabled and Internet Scan Timeout Action is set to |

| |either Skip or Delete. The default value is Delete. |

|Realtime Scan Timeout Action |Indicates what to do if the Realtime Scan Job times out while |

| |scanning a file. The options are: Ignore, Skip, and Delete. The |

| |Ignore setting will let the file pass without being scanned. The |

| |Skip setting will report in the Incidents log and Program log that |

| |the file exceeded the scan time and let it pass without being |

| |scanned. The Delete setting will also report the event and replace |

| |the contents of the file with the deletion text. A copy of the file |

| |will be stored in the Quarantine database if quarantining is enabled|

| |and Realtime Scan Timeout Action is set to either Skip or Delete. |

| |The default value is Delete. |

|SMTP Quarantine Messages |Antigen performs two different quarantine operations: quarantining |

| |of entire messages or quarantining of attachments only. Entire |

| |messages are quarantined only for content filters, spam filters, and|

| |file filters that are set to Purge when quarantine is enabled. |

| |When SMTP Quarantine Messages is set to Quarantine as Single EML |

| |File (only applies to the SMTP Scan Job), the quarantined message |

| |and all attachments are quarantined in an EML file format. |

| |When SMTP Quarantine Messages is set to Quarantine Message Body and |

| |Attachments Separately, Antigen will quarantine messages as separate|

| |pieces (bodies and attachments). |

| |For a complete description of this setting, see “About quarantine” |

| |in Chapter 19 - Reporting and statistics overview. |

| |[pic]Note: |

| |These settings do not apply to files that are quarantined due to |

| |virus scanning. Only infected attachments are quarantined when an |

| |infection is detected. |

|Deliver From Quarantine Security |This value gives administrators flexibility for handling messages |

| |and attachments that are forwarded from quarantine. The options for |

| |this setting are Secure Mode and Compatibility Mode. |

| |• Secure Mode forces all messages and attachments delivered from |

| |quarantine to be rescanned for viruses and filter matches. This is |

| |the default setting. |

| |• Compatibility Mode allows messages and attachments to be delivered|

| |from Quarantine without being scanned for filter matches. (Messages |

| |and attachments are always scanned for viruses.) Antigen identifies |

| |these messages by placing special tag text in the subject line of |

| |all messages that are delivered from quarantine. |

| |For more information about this setting, see Chapter 19 - Reporting |

| |and statistics overview. |

|SMTP Sender Information |By default, Antigen for Exchange uses the “MIME FROM:” header sender|

| |address for the SMTP Scan Job on Exchange 2000/2003. This General |

| |Option setting allows administrators to use the MAIL FROM sender |

| |address from the SMTP protocol for the SMTP Scan Job. When Use SMTP |

| |protocol MAIL FROM is selected, the address in that field will be |

| |used anywhere the sender address is used, for example, for sender or|

| |domain content filtering, notifications, reporting in the |

| |Administrator, and Multiple Disclaimers. The options for this |

| |setting are: |

| |• Use MIME From: Header (the default). |

| |• Use SMTP protocol MAIL FROM. |

| |[pic]Note: |

| |When MIME From is selected and a MIME Sender header is also present,|

| |the MIME Sender header information will be used. |

|Perform Reverse DNS Lookup |Provides the ability to disable Reverse DNS lookups when validating |

| |an IP address or domain name against the Allowed Mailhost or |

| |Rejected Mailhost lists. If Reverse DNS lookups are disabled, the |

| |domain name found in the MIME Received header field will be used for|

| |comparisons with the Allowed Mailhost and Rejected Mailhost lists. |

| |The options for this setting are: |

| |• Enable All (the default) |

| |• Disable All |

| |• Only for Mailhost List Checking |

| |• Only for Inbound/Outbound Determination |

| |For more information about this setting, see Chapter 14 - Using |

| |mailhost filtering. |

|Max Container File Infections |Specifies the maximum number of infections allowed in a compressed |

| |file. If this number is exceeded, the entire file is deleted and |

| |Antigen logs an incident stating that an ExceedinglyInfected virus |

| |was found. A value of zero means that a single infection will cause |

| |the entire container to be deleted. In this case, the logged |

| |incident has the tag “Container Removed” appended to the filter |

| |match. The default value is 5 infections. |

|Max Container File Size |Specifies the maximum container file size (in bytes) that Antigen |

| |will attempt to clean or repair in the event that it discovers an |

| |infected file. The default is 26 MB (26,214,400 bytes). Files larger|

| |than the maximum size are deleted if they are infected or meet file |

| |filter rules. Antigen reports deleted files as a |

| |LargeInfectedContainerFile virus. |

|Max Nested Attachments |Specifies the limit for the maximum nested documents that can appear|

| |in MSG, TNEF, MIME, and Uuencoded documents. The limit will include |

| |the sum of the nestings of all of these types. If the maximum number|

| |is exceeded, Antigen will block or delete the document and report |

| |that an ExceedinglyInfected virus was found. The default value is |

| |30. |

|Max Nested Compressed Files |Specifies the maximum nested depth for a compressed file. If this is|

| |exceeded, the entire file is deleted and Antigen sends a |

| |notification stating that an ExceedinglyNested virus was found. A |

| |value of zero represents that an infinite amount of nestings is |

| |allowed. The default value is 5. |

|Max Container Scan Time (msecs) - Realtime/Internet |Specifies the number of milliseconds that Antigen will scan a |

| |compressed attachment before reporting it as a ScanTimeExceeded |

| |virus. This setting is intended to prevent denial of service risk |

| |from zip of death attacks. The default value is 120,000 milliseconds|

| |(two minutes). |

|Max Container Scan Time (msecs) - Manual |Specifies the number of milliseconds that Antigen will scan a |

| |compressed attachment before reporting it as a ScanTimeExceeded |

| |virus. This setting is intended to prevent denial of service risk |

| |from zip of death attacks. The default value is 600,000 milliseconds|

| |(ten minutes). |

|Internal Address |Antigen can be configured to send different notifications to |

| |internal and external senders and recipients. If your list of |

| |internal names is small, enter the domain names in the Internal |

| |Address field, to show who should be sent internal notifications. |

| |Domains should be entered as a semicolon delimited list (for |

| |example: ;; |

| |) with no spaces. Any change to this value is immediately|

| |reflected in virus notifications. |

| |When entering a domain name in the Internal Address field, be aware |

| |that subdomains are covered by the entry. |

| |For example: will include subdomain. and |

| |subdomain2.. |

| |Alternate domains such as or must be entered |

| |individually. |

| |Values entered in Internal Address are used as a substring match of |

| |the end of an e-mail address. For example, “” would consider|

| |“someone@” and “someone@” to be |

| |internal addresses. |

| |If you have a large number of domains to be used as internal |

| |addresses, you can enter them in an external text file (leaving the |

| |Internal Address field blank). Enter all your internal domains, each|

| |on a separate line. Be aware that all subdomains must be entered |

| |individually. To use the external file, you must manually create the|

| |registry key DomainDatFilename and set its value to the full path of|

| |the external text file. For more about this key, see Appendix B - |

| |Setting registry values. |

| |(For more information about internal addresses and notifications, |

| |see Chapter 18 - Using e-mail notifications.) |

|SMTP External Hosts |If you are using an SMTP gateway to route e-mail into your Exchange |

| |environment, you can enter the IP address of the gateway server so |

| |that Antigen will treat all mail coming from that server as inbound |

| |when determining which filters and scan jobs to use for a message. |

| |If you do not enter the IP address of your SMTP gateway, Antigen |

| |will use its internal logic to determine whether messages are |

| |inbound or internal. IP addresses should be entered as a semicolon |

| |delimited list with no spaces. |

| |Example: 123.456.78;876.543.21;000.000.00 |

|Maximum RBL Lookups |Specifies the number of hops allowed while doing RBL tests. (Only |

| |public IP addresses received in the chain are counted.) Antigen |

| |starts counting with the first public IP address and checks the IP |

| |address of each hop until the Maximum RBL Lookups is reached or a |

| |private IP address is encountered. The default value is 4. |

|Maximum Allowed Mailhost Lookups |Specifies how many addresses need to be checked and matched by the |

| |Allowed Mailhost filter for content filtering to be skipped. The |

| |default value is 4. |
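To make the container limits in the table above concrete (Max Nested Compressed Files, the high-compression and unknown-algorithm ZIP rules, and Max Container Scan Time), here is an added Python model of a container walk; it is not Antigen code, and the 100:1 ratio taken as "highly compressed", the verdict strings, the helper names and the sample archives are assumptions.

```python
"""Added model of the container limits described in General Options:
Max Nested Compressed Files (ExceedinglyNested), Treat high compression ZIP
files as corrupted compressed, unknown compression algorithm (always
corrupted compressed) and Max Container Scan Time (ScanTimeExceeded)."""
import io
import time
import zipfile
from typing import Optional

# Defaults quoted in the table; the compression ratio itself is an assumption.
MAX_NESTED_COMPRESSED = 5        # Max Nested Compressed Files (0 = unlimited)
MAX_CONTAINER_SCAN_MS = 120_000  # Max Container Scan Time - Realtime/Internet
HIGH_COMPRESSION_RATIO = 100.0   # assumed threshold for "highly compressed"
SUPPORTED = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED,
             zipfile.ZIP_BZIP2, zipfile.ZIP_LZMA}


def scan_container(data: bytes, depth: int = 1, deadline: Optional[float] = None,
                   max_nested: int = MAX_NESTED_COMPRESSED,
                   max_scan_ms: int = MAX_CONTAINER_SCAN_MS) -> list:
    """Walk a ZIP archive recursively and return (virus name, detail) findings;
    an empty list means the container passed every limit."""
    if deadline is None:
        deadline = time.monotonic() + max_scan_ms / 1000.0
    if max_nested and depth > max_nested:            # 0 means unlimited nesting
        return [("ExceedinglyNested", f"depth {depth} exceeds {max_nested}")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("CorruptedCompressedFile", "archive does not parse")]
    findings = []
    with zf:
        for info in zf.infolist():
            if time.monotonic() >= deadline:         # Max Container Scan Time
                findings.append(("ScanTimeExceeded", info.filename))
                break
            if info.compress_type not in SUPPORTED:  # unknown algorithm
                findings.append(("CorruptedCompressedFile",
                                 f"{info.filename}: unknown compression"))
                continue
            # Central-directory sizes are compared before anything is inflated,
            # so a decompression bomb is refused without paying for inflation.
            if (info.compress_size and
                    info.file_size / info.compress_size > HIGH_COMPRESSION_RATIO):
                findings.append(("CorruptedCompressedFile",
                                 f"{info.filename}: high compression ratio"))
                continue
            member = zf.read(info)
            if member.startswith(b"PK\x03\x04"):     # nested archive
                findings.extend(scan_container(member, depth + 1, deadline,
                                               max_nested, max_scan_ms))
    return findings


def make_zip(members: dict) -> bytes:
    """Constructed sample archive with DEFLATE-compressed members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(levels: int, payload: bytes = b"constructed payload") -> bytes:
    """Constructed sample: payload wrapped in `levels` ZIP archives."""
    data = payload
    for i in range(levels):
        data = make_zip({"payload.txt" if i == 0 else f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    print(scan_container(nest(5)))   # within the default depth of 5
    print(scan_container(nest(6)))   # one level too deep
    print(scan_container(make_zip({"zeros.bin": b"\0" * 1_000_000})))
```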
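As an added illustration of the Fix Bare CR or LF in Mime Headers setting (example code, not Antigen's), the following normalizer shows how a strict RFC 822 header parser and a lenient one disagree about a header block that contains a bare LF, and how rewriting bare CR/LF in the header block as CRLF makes them agree; the sample message and the function names are constructed.

```python
"""Added example: normalize bare CR / bare LF inside a MIME header block to
CRLF, leaving the body untouched, and show the parsing discrepancy it closes."""
import re

# A CR not followed by LF, or an LF not preceded by CR.
_BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def split_message(msg: bytes) -> tuple:
    """Split at the first CRLF CRLF (the RFC 822 header terminator). Assumption:
    if there is none, the whole message is treated as the header block."""
    sep = msg.find(b"\r\n\r\n")
    if sep == -1:
        return msg, b""
    return msg[:sep], msg[sep:]


def parse_headers(block: bytes, strict: bool) -> list:
    """Return [(name, value)] from a header block. strict=True ends lines only
    at CRLF (RFC 822); strict=False also ends them at a bare CR or LF, the
    lenient behaviour the setting description attributes to Outlook."""
    lines = block.split(b"\r\n") if strict else re.split(rb"\r\n|\r|\n", block)
    headers = []
    for line in lines:
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def fix_bare_cr_lf(msg: bytes) -> bytes:
    """Rewrite every bare CR or LF in the header block as CRLF."""
    head, body = split_message(msg)
    return _BARE_CR_OR_LF.sub(b"\r\n", head) + body


def header_names(msg: bytes, strict: bool) -> list:
    """Header names as seen by a strict or a lenient parser."""
    return [name for name, _ in parse_headers(split_message(msg)[0], strict)]


# Constructed sample: the X-Note value contains a bare LF, so a strict parser
# sees one long header where a lenient parser sees a second header.
SAMPLE = (b"From: sender@example.com\r\n"
          b"Content-Type: text/plain\r\n"
          b"X-Note: see below\nContent-Disposition: attachment; "
          b"filename=\"report.txt\"\r\n"
          b"\r\n"
          b"Hello\r\n")

if __name__ == "__main__":
    print(header_names(SAMPLE, strict=True))                  # three names
    print(header_names(SAMPLE, strict=False))                 # four names
    print(header_names(fix_bare_cr_lf(SAMPLE), strict=True))  # four names
```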

VSAPI section

The following table lists and describes the settings in the VSAPI section of General Options.

|Setting |Description |
|Scan on Scan Job Update |Causes previously scanned files to be rescanned when accessed following a scan job update. This setting is disabled by default. |
| |Note: When Scan on Scan Job Update is selected, the Mailbox server may experience increased virus scanning, which may affect server performance. |
|Enable Background Scan if 'Scan on Scan Job Update' Enabled |Initiates a Background Scan every time a scan job setting is updated if the General Option setting Scan on Scan Job Update is enabled. |
|Scan on Scanner Update |Causes previously scanned files to be rescanned when accessed following a scanner update. This setting applies to messages stored on a Mailbox server or a Public Folder server. This setting provides heightened security protection by rescanning messages that have already been scanned. Messages will be rescanned the first time that a mailbox server “On-Access” event occurs and during every “On-Access” event after the initial one, if new virus signatures have been received since the last time the message was scanned. This setting is disabled by default. |
| |Note: When Scan on Scanner Update is selected, the Mailbox server may experience increased virus scanning, which may impact server performance. |
| |Note: Messages retrieved by Outlook 2003 or by Outlook 2007 clients running in cache mode generate an “On-Access” event only when they are originally synchronized to the client and will not be rescanned on the server when the messages are accessed on the local client and retrieved from the cache. To rescan these already retrieved messages, use the General Option setting Enable Background Scan if ‘Scan on Scanner Update’ Enabled. If a background scan detects a virus in a message and cleans or purges the message, then the next time the Outlook client resynchronizes with the server, the already-retrieved infected message will be cleaned or purged. |
|Enable Background Scan if 'Scan on Scanner Update' Enabled |Initiates a Background Scan every time a scan engine is updated if the General Option setting Scan on Scanner Update is enabled. |

Exchange 2003 UCE Settings

These settings are visible in the General Options pane for all installations, but will not configure the Exchange settings unless the Antigen Spam Manager is enabled. The UCE settings are Exchange 2003 functions that help combat spam e-mail by tagging potential spam and diverting suspect messages into a Junk folder instead of a user’s inbox.

|Setting |Description |
|Enable SCL Rating |Specifies whether the user wants to use the Exchange 2003 features to specify Spam Confidence Level (SCL) ratings in a message. If this option is checked, Antigen will set an SCL rating based on the results of filtering operations performed by the Spam Manager. Administrators must configure the Action Identify: Tag Message to Set SCL property for ratings to be appended to messages. For more information, see Chapter 17 - Antigen Spam Manager overview. |
|Skip Content Filtering for Authenticated Connections |Specifies whether to use the Authenticated Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering will still be performed even if this is enabled. |
|Skip Content Filtering for Safe Connections |Specifies whether to use the Safe Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering will still be performed even if this is enabled. |

Central Management

Central management of Antigen is handled through the Microsoft Antigen Enterprise Manager (AEM). The AEM enables administrators to:

• Install or uninstall Antigen on local and remote servers.

• Update all or individual scan engines on local and remote servers.

• Run a manual scan on multiple servers simultaneously.

• Check Antigen, scan engine, and virus definition versions on multiple servers.

• Deploy Antigen template files.

• Retrieve virus logs from multiple servers.

• Retrieve quarantined files.

• Retrieve the ProgramLog.txt file from single or multiple servers.

• Retrieve virus incident information.

• Deploy General Options settings.

• Deploy Filter List templates.

• Generate HTML reports.

• Send outbreak alerts.

For detailed instructions on using these features, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

Chapter 5 - Using multiple scan engines

Antigen provides you with the ability to implement multiple scan engines for detecting and cleaning viruses.

Multiple engines provide extra security by enabling you to draw on the expertise of various virus labs to keep your environments virus-free. A virus can slip by one engine, but it is unlikely to get past three.

Multiple engines also allow for a variety of scanning methods. Antigen integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor’s Web site. Links are provided at Microsoft Help and Support.

All the scan engines that Antigen integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You can select only the engines that you would like to use for a scan job, and then indicate the bias setting. These two settings (both on the Antivirus Settings work pane) enable Antigen’s Multiple Engine Manager (MEM) to properly control the selected engines during the scan job.

MEM uses the engine results to determine the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, the MEM returns a result greater than 0. Antigen then considers the item infected and has the MEM deal with it accordingly (for more information, see Cleaning infected files).

About engine rankings

MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information enables the MEM to weight each engine so that better-performing engines are used more during scanning and their results are given more weight in determining whether a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process.

If two or more engines are equally ranked, Antigen invokes them by cycling through various engine order permutations.

Setting the bias

The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance.

Thus, at one extreme is the number of engines to use for maximum certainty. The other extreme is the number of engines that will allow maximum performance. In between is the number of engines that permit balanced (called neutral) performance.

After you make your scan engine configurations and bias configurations, it is recommended that you reevaluate the server performance and then make any necessary adjustments. These adjustments may involve increasing or decreasing the number of scan engines, or changing the bias setting based on the needs of your organization. For best performance, it is recommended that you use no more than five engines per scan job.

You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your Gateway server to maximize its system performance. Then, you can use several engines on your mailbox servers.

Note:

The bias setting applies only to virus scanning. It is not used in file filtering.

About bias settings

There are several possible bias settings. Each scan (other than one with a bias setting of Maximum Certainty) independently selects which engines to use:

|Bias Setting |Description |
|Maximum Performance |Scans each message with only one of the selected engines. This provides the fastest performance, but the least security. |
|Favor Performance |Fluctuates between virus scanning with one of the selected engines and half of the engines. |
|Neutral |Scans each message with at least half of the selected engines. This setting balances security and performance. Neutral is the default value. |
|Favor Certainty |Fluctuates between virus scanning with half of the selected engines and all of them. |
|Maximum Certainty |Scans each message with all of the selected engines. This gives the slowest performance, but the greatest security. If an engine is not available because it is being updated, messages are queued until the engine is once again ready to scan them. |

Assuming that you select five engines, the following table shows how each of the bias settings uses the engines in virus scanning:

|Bias Mode |Description |
|Maximum Performance |Each item is virus-scanned by only one of the selected engines. |
|Favor Performance |Fluctuates between virus scanning each item with one engine and with three engines. |
|Neutral |Each item is virus-scanned by at least three engines. |
|Favor Certainty |Fluctuates between virus scanning each item with three and five engines. |
|Maximum Certainty |Each item is virus-scanned by all five of the selected engines. |

Configuring the Bias

The bias is set on the Antivirus Settings work pane. Select Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears on the right.

To configure the bias, select a scan job at the top of the work pane. Then, set its bias by using the Bias field in the lower part of the work pane. The values are those discussed in About bias settings. To find out more about the other fields on the Antivirus Settings work pane, see any of the scan job chapters. Remember to Save your choices.

Cleaning infected files

The first engine that detects an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detect the infection fail to clean it, the item is deleted.

Chapter 6 - Configuring Manual Scan Jobs

Antigen enables you to customize the Manual Scan Job for the purpose of scanning mailboxes that are not covered by the Realtime Scan Job or that contain messages that predate the installation of Antigen. The Manual Scan Job is also useful for scanning with a third-party engine that is different from the engines being used by the Realtime Scan Job. It is recommended that you conduct a full manual scan after installing Antigen for the first time. The Manual Scan Job can be configured to scan message bodies, as well as attachments. The ability to scan message bodies is disabled by default on installation, but can be enabled by checking the box for Manual Body Scanning in the General Options work pane. Message body scanning increases the time that is required to perform a manual scan of a server.

Configuring the Manual Scan Job

When configuring the Manual Scan Job settings, select the mailboxes and public folders to be protected, and optionally specify Deletion Text.

To configure the Manual Scan Job

1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.

2. Click Manual Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.

3. In the Scan portion of the Scan Job Settings work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.

4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This deletion text box is used by Antigen for Exchange when the contents of an infected file are being replaced during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note:

Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

5. Click Save.

About mailboxes and public folders

Antigen offers flexibility in choosing what mailboxes, public folders, and items to scan in any specified scan job. You can configure the scan job to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Note:

Mailboxes and public folders with names that are made up entirely of back slashes (\) will not be scanned if Antigen is configured for Selected scanning. If Antigen is set to scan all mailboxes and public folders, mailboxes and public folders that use back slashes or other special characters will be scanned.

In the Scan portion of the work pane, mailboxes and public folders each have three selection options:

| Option | Description |
| All | Scan all existing and newly created mailboxes or public folders. |
| None | Do not scan any mailboxes or public folders. |
| Selected | Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to change to the listing of mailboxes or public folders on the server. You can choose each mailbox or public folder to be scanned by clicking on the name. You can also use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection. To return to the main scan selection window, click the arrow in the upper-right corner of the selection window. |

Note:

Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders that are added after making this selection will not automatically be included.

Configuring the antivirus scanners and job action

After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings

1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.

2. Select the Manual Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.

3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the Manual Scan Job.

4. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.

5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:

• Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions will cause the item to be deleted.

• Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

• Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain, by default, a message saying that the attachment was removed because it was found to be infected with a particular virus.

6. Enable or disable e-mail notifications by using the Send Notifications box. By default, the Send Notifications box is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications).

7. Enable or disable the saving of attachments detected by the file-scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

8. Click Save.
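The following added example (illustrative Python, not Antigen's own code) models the three Actions in step 5 together with the cleaning order described in Chapter 5 under "Cleaning infected files": the first engine that detected the infection attempts the repair, the next detecting engine tries if that fails, and the item is replaced with the Deletion Text when every detecting engine fails. It also shows the effect of the Quarantine Files box on what is kept for recovery. The engine names, the marker string standing in for a virus signature, the clean() callbacks and the deletion text are constructed for the example; the Delete Corrupted/Encrypted General Options that can delete an item under Skip are not modelled.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed stand-in for a virus signature; no real malware is involved.
MARKER = b"<<constructed-test-marker>>"


@dataclass
class Verdict:
    """One engine's result for one attachment.

    `clean` is the engine's repair routine: it returns the repaired bytes,
    or None when the engine cannot repair the file.
    """
    engine: str
    virus: Optional[str]                                      # None = nothing detected
    clean: Optional[Callable[[bytes], Optional[bytes]]] = None


@dataclass
class Outcome:
    result: str                        # "not infected", "detected", "cleaned" or "deleted"
    attachment: bytes                  # what ends up in the message
    virus: Optional[str] = None
    detected_by: List[str] = field(default_factory=list)
    quarantined: Optional[bytes] = None   # original bytes kept for recovery, if quarantine is on


def apply_action(action: str, attachment: bytes, verdicts: List[Verdict],
                 deletion_text: str, quarantine: bool = True) -> Outcome:
    """Resolve the scan job Action for one attachment after all engines have reported."""
    detecting = [v for v in verdicts if v.virus is not None]
    if not detecting:
        return Outcome("not infected", attachment)
    names = [v.engine for v in detecting]
    virus = detecting[0].virus

    if action == "Skip":
        # Detect only: the infection is reported, but the attachment stays as it is.
        return Outcome("detected", attachment, virus, names)

    if action == "Clean":
        # The first engine that detected the infection tries to repair it;
        # if that fails, the next detecting engine in line tries.
        for v in detecting:
            if v.clean is not None:
                repaired = v.clean(attachment)
                if repaired is not None:
                    return Outcome("cleaned", repaired, virus, names)
        # Every detecting engine failed: fall through to deletion.
    elif action != "Delete":
        raise ValueError(f"unknown action {action!r}")

    # Delete (or a Clean that could not repair): the attachment is replaced by the
    # Deletion Text; the original is kept only when Quarantine Files is enabled.
    return Outcome("deleted", deletion_text.encode("utf-8"), virus, names,
                   quarantined=attachment if quarantine else None)


def strip_marker(data: bytes) -> Optional[bytes]:
    """A repair routine that succeeds only if it recognises the marker."""
    return data.replace(MARKER, b"") if MARKER in data else None


def demo(quarantine: bool = True) -> dict:
    """Run all three actions over one constructed attachment and three engines."""
    doc = b"Quarterly report\n" + MARKER + b"\n"
    verdicts = [
        Verdict("Engine A", "Test.Marker", clean=lambda data: None),  # detects, cannot repair
        Verdict("Engine B", "Test.Marker", clean=strip_marker),       # detects, repairs
        Verdict("Engine C", None),                                    # misses it entirely
    ]
    return {action: apply_action(action, doc, verdicts, "Attachment removed by scan job", quarantine)
            for action in ("Skip", "Clean", "Delete")}


if __name__ == "__main__":
    for action, outcome in demo().items():
        print(f"{action:6s} -> {outcome.result:12s} by {outcome.detected_by}: {outcome.attachment!r}")
```

With the Clean action, Engine A detects the marker but cannot repair, so Engine B gets its turn and the cleaned bytes replace the attachment; with Delete, or with Clean when no detecting engine can repair, the Deletion Text is inserted and the original survives only in the quarantine copy.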

Running the Manual Scan Job

After the scan job and the antivirus settings have been properly configured, you can run the Manual Scan Job.

To run the Manual Scan Job

1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right.

2. Select the Manual Scan Job.

3. The Manual Scan Job can perform any combination of virus scanning, file filtering, or content filtering. Select or clear the following options: Virus Scanning, File Filtering, or Content Filtering. Any change to these settings is performed immediately, even if the job is currently running.

4. Select the Send Summary Notification check box if you would like a notification sent to the virus administrator when the scan job is complete.

5. The State for the scan job should be Stopped. Click the Start button to start the scan job.

Checking results and status

The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when it is no longer needed by using the Clear Log button. This does not affect the Virus Incidents log, which stores global viruses or filtered results that include every job on a particular server.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

Note:

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text formats.

At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

Antigen sends an e-mail message to the designated Virus Administrators after the completion of a manual scan if the Send Summary Notification check box on the Run Job work pane is selected. This e-mail message includes:

• Total Mailboxes Scanned

• Total Physical Attachments Scanned

• Total Physical Attachments Detected

• Total Physical Attachments Cleaned

• Total Physical Attachments Deleted

• Total Logical Attachments Scanned

• Total Logical Attachments Detected

• Total Logical Attachments Cleaned

• Total Logical Attachments Deleted

Scheduling the Manual Scan Job

To schedule a Manual Scan Job, click OPERATE in the left navigation shuttle, and then click the Schedule Job icon. The Schedule Job work pane appears on the right.

The top portion of the Schedule Job work pane shows the Manual Scan Job and indicates whether it is enabled or disabled.

The bottom portion of the Schedule Job work pane shows the scheduling information for the Manual Scan Job.

To schedule the Manual Scan Job

1. Use the calendar option to set the Date when the Manual Scan Job will activate. The red circle indicates today's date.

2. Set the run time by using the Time edit field to the right of the calendar.

3. Set the Frequency of the scheduled Manual Scan Job to control whether the job will run only once, daily, weekly, or monthly.

4. If the job is disabled, click Enable to enable it and save your changes. If the job is already enabled, just click Save.

Note:

The Schedule Job work pane displays the status of the Manual Scan Job. You can also verify that the scheduled job is enabled by opening a Windows® command window and typing AT. When a scheduled job is enabled, it will appear in the AT list until it is run or disabled.

Performing a quick scan

There are times when you may want to perform a scan of a single mailbox or another one-time virus scanning job. Quick Scan enables you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in one work pane.

Quick Scan initially uses the default configuration (all mailboxes and public folders, the scan engines selected during installation, a bias of Neutral, an action of Skip: detect only, no notifications, and quarantining). You can make changes to any of these settings and Antigen will preserve them for the next time that you run a Quick Scan.

To perform a quick scan

1. Click OPERATE in the left navigation shuttle and then click the Quick Scan icon. The Quick Scan work pane appears. Your last Quick Scan configuration is displayed.

2. To run the Quick Scan with the same configuration, click Start. Otherwise, make changes as necessary.

a. In the Scan portion of the Quick Scan work pane, select the mailboxes and public folders to be protected. For more information about the choices, see About mailboxes and public folders.

b. Select the File Scanners from the list of available third-party scanners.

c. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.

d. Select the Action that you want Antigen for Exchange to perform when a virus is detected. The choices are:

Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the following string: "Antigen for Exchange found a virus and deleted this file."

e. Enable or disable e-mail notifications by using the Send Notifications box. By default, it is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications).

f. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

g. Click Start.

Checking results and status

At the bottom of the screen, the status of the Quick Scan job and the mailbox, folder, or file currently being scanned are reported.

Scanning files by type

By default, Antigen is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Antigen can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. The file type is determined by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Antigen performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Antigen to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry value ScanAllAttachments to 0 (see Appendix B - Setting registry values). ScanAllAttachments is a "silent" value, that is, if it is not present, it defaults to 1.

Chapter 7 - Configuring Realtime Scan Jobs

The Antigen Realtime Scan Job runs on the Microsoft® Exchange Server to provide immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders that reside on the server. This method of scanning e-mail messages in real time is the most effective method for stopping the spread of infectious file attachments. The Realtime Scan Job can be configured to scan message bodies, as well as attachments. This feature is disabled by default on installation, but can be enabled by selecting the box for Body Scanning - Realtime in the General Options work pane. Message body scanning will increase the time required to scan messages.

About multiple Realtime processes

During installation, two Realtime Scan Jobs (processes) are created for each storage group (Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003) or private/public store (Microsoft Exchange Server 5.5). Administrators can create additional Realtime Scan Jobs for each storage group or private/public store by changing the value of the General Options setting, Realtime Process Count, to represent the number of Antigen Realtime processes that you want running per Storage Group or on the public/private stores. The maximum is four.

When you run multiple Realtime processes, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file is scanned by the third process. Whenever possible, Antigen delivers files to the first process, if it is available. Multiple processes increase the load on the server at startup when they are being loaded and whenever they are called on to scan a file. More than two Realtime processes should not be necessary except in high-volume environments that need the additional redundancy provided by three or four processes. As a general rule, it is recommended to enable only two Realtime processes per processor on each server.

Configuring the Realtime Scan Job

When configuring the Realtime Scan Job settings, select the mailboxes and public folders to be protected and optionally specify Deletion Text.

To configure the Realtime Scan Job

1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.

2. Click Realtime Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.

3. In the Scan portion of the Scan Job Settings work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.

4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This deletion text box is used by Microsoft Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note:

Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

5. Click Save.

About mailboxes and public folders

Antigen offers flexibility in choosing which mailboxes, public folders, and items to scan with the Realtime Scan Job. You can configure the scan job to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Note:

Mailboxes and public folders with names that are composed entirely of back slashes (\) will not be scanned if Antigen is configured for Selected scanning. If Antigen is set to scan all mailboxes or public folders, mailboxes or public folders that use back slashes or other special characters will be scanned.

In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:

| Option | Description |
| All | Configures the scan job to include all existing and newly created mailboxes or public folders. |
| None | Do not scan any mailboxes or public folders. |
| Selected | Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to change to the listing of mailboxes or public folders on the server. You can choose each mailbox or public folder to be scanned by clicking on the name. You can also use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection. To return to the main scan selection pane, click the arrow in the upper-right corner of the mailbox or public folder selection pane. |

Note:

Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders added after making this selection will not automatically be included.

Configuring the antivirus scanners and job action

After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings

1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.

2. Select the Realtime Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.

3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the Realtime Scan Job.

4. Select the bias to control how many engines should be used to provide an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.

5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:

• Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

• Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

• Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the following string: "Antigen for Exchange found a virus and deleted this file."

6. Enable or disable e-mail notifications by using the Send Notifications box. By default, it is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications).

7. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, allowing you to recover them. However, worm-purged messages are not recoverable.

8. Click Save.

Controlling the Realtime Scan Job

After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the Realtime Scan Job.

To control the Realtime Scan Job

1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears to the right.

2. Select the Realtime Scan Job.

3. If the State for the scan job is not set to Enabled, click the Enable button to enable the scan job.

4. The Realtime Scan Job can perform any combination of virus scanning, file filtering, or content filtering. Select or clear the following options: Virus Scanning, File Filtering, or Content Filtering. Any change to these settings is performed immediately, even if the job is currently running.

Checking results and status

The lower half of the Run Job work pane shows the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log, which stores global viruses or filtered results that include every job on a particular server.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

Note:

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text format.

At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

About Realtime Scan recovery

In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a file (default is 5 minutes or 300,000 milliseconds), the process is terminated and Antigen attempts to restart the service. If successful, real-time scanning resumes and a notification is sent to the administrator stating that the Realtime Scan Job exceeded the allotted scan time and was recovered.

When the new Realtime scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Realtime Scan Timeout Action. For example, if it is set to Delete, Antigen deletes the file, replaces its contents with the Deletion Text for the Realtime Scan Job, logs the information, and quarantines and archives the file. (For more information on General Options, see Chapter 4 - Using the Antigen Administrator.)

If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job stopped. In this event, real-time scanning for the particular storage group does not function, but the information store will not stop.

The default time-out for message scanning can be changed through the registry value RealtimeTimeout, which holds the time-out in milliseconds. Because this is a hidden ("silent") value, it does not exist until you create it: create a new DWORD registry value named RealtimeTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Antigen services for the change to take effect. If you continue to have time-out problems, increase the RealtimeTimeout value further. For more information about registry values, see Appendix B - Setting registry values.

Scanning files by type

By default, Antigen is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Antigen can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. The file type is determined by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Antigen performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Antigen to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry value ScanAllAttachments to 0 (see Appendix B - Setting registry values). ScanAllAttachments is a "silent" value, that is, if it is not present, it defaults to 1.
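As an added example (not Antigen's own implementation, whose type table is not published in this guide), the following Python script shows why the header-based check behind ScanAllAttachments is the safer basis for deciding what to scan, for both the Manual and the Realtime scan job: each constructed sample attachment is classified from its leading bytes, and the decision an extension-based filter would make is shown beside it for contrast. The signature table, the "can carry code" flags, the list of extensions a naive filter would trust and the sample attachments are illustrative assumptions; content with an unrecognised header is treated as scannable.

```python
# (leading bytes, type name, can this format carry executable code or macros?)
# Illustrative signature table, not the product's own type list.
SIGNATURES = [
    (b"MZ", "PE executable", True),
    (b"\x7fELF", "ELF executable", True),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document (legacy Office)", True),
    (b"PK\x03\x04", "ZIP container (Office Open XML, JAR, plain ZIP)", True),
    (b"%PDF-", "PDF", True),
    (b"Rar!\x1a\x07", "RAR archive", True),
    (b"\x89PNG\r\n\x1a\n", "PNG image", False),
    (b"\xff\xd8\xff", "JPEG image", False),
    (b"GIF87a", "GIF image", False),
    (b"GIF89a", "GIF image", False),
]

# Extensions a naive, extension-based filter might treat as harmless (assumed).
NAIVELY_SAFE_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".gif"}


def sniff_type(data: bytes):
    """Identify the attachment from its header, ignoring the file name entirely."""
    for magic, name, can_carry_code in SIGNATURES:
        if data.startswith(magic):
            return name, can_carry_code
    # Unrecognised content is treated as potentially dangerous, so it gets scanned.
    return "unknown", True


def must_scan(data: bytes, scan_all_attachments: bool = True) -> bool:
    """ScanAllAttachments=1 (the default): every attachment is scanned.
    ScanAllAttachments=0: skip only what the header shows cannot carry code."""
    if scan_all_attachments:
        return True
    return sniff_type(data)[1]


def extension_would_skip(filename: str) -> bool:
    """What an extension-based filter would do: the spoofable comparison."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in NAIVELY_SAFE_EXTENSIONS


def constructed_attachments():
    """Constructed sample attachments (headers only, not real files)."""
    return [
        ("notes.txt", b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00"),  # executable renamed .txt
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),                  # genuine JPEG header
        ("invoice.jpg", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),                    # PDF renamed .jpg
        ("readme.txt", b"Plain text with no recognised header"),              # unknown type
    ]


def triage(scan_all_attachments: bool = False) -> dict:
    """Map each sample to (type by header, scanned?, extension filter would skip?)."""
    return {name: (sniff_type(data)[0],
                   must_scan(data, scan_all_attachments),
                   extension_would_skip(name))
            for name, data in constructed_attachments()}


if __name__ == "__main__":
    for name, (kind, scanned, ext_skip) in triage().items():
        print(f"{name:12s} header={kind:40s} scanned={scanned!s:5s} "
              f"extension filter would skip={ext_skip}")
```

With ScanAllAttachments set to 0, the renamed executable and the PDF disguised as a JPEG are still scanned because their headers give them away, while the genuine JPEG is skipped; an extension-based filter would have waved all four through.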

Chapter 8 - Configuring SMTP Scan Jobs

The Antigen SMTP Scan Job (also known as the Internet Scan Job) runs on a Microsoft® Exchange Server that is running an SMTP stack for Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003. It can scan, in real time, all MIME and uuencode-based e-mail that is inbound or outbound via the SMTP stack of an Exchange site or organization. The SMTP scanner scans for viruses in attachments and for embedded and HTML viruses in the message body.

Antigen scans mail on all SMTP virtual servers when the SMTP Scan Job is enabled (it is enabled by default). If you do not want Antigen to scan all enabled SMTP virtual servers, create a string registry value named DisableSMTPVS and populate it with a comma-delimited list of numbers 1 through 10 representing the virtual servers that you would like Antigen to skip during scanning.

Example: If you have four virtual servers and want to scan only on Virtual Server 1 (VS1) and VS3, the string value would be 2,4 (do not use any spaces in the string).

Do not place anything other than the numbers 1 through 10 in the string; anything else causes unpredictable results. The SMTP service must be recycled for the registry changes to take effect.
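The following added Python helper (not part of Antigen) builds and validates a DisableSMTPVS string so that the rule above (numbers 1 through 10, comma-delimited, no spaces) is enforced before anything is written to the registry, and lists which virtual servers an existing value leaves scanned. The registry location is documented in Appendix B and is not assumed here; the helper only produces and checks the string value.

```python
import re

# The exact syntax the guide requires: numbers 1 through 10, comma-delimited,
# with no spaces. Anything else is rejected before it reaches the registry.
_VALUE_RE = re.compile(r"(?:10|[1-9])(?:,(?:10|[1-9]))*")


def parse_disable_smtpvs(value: str) -> set:
    """Parse a DisableSMTPVS string into the set of virtual servers it skips.

    Raises ValueError on anything the guide says gives unpredictable results
    (spaces, zero, numbers above 10, trailing commas, stray characters).
    """
    if value == "":
        return set()
    if not _VALUE_RE.fullmatch(value):
        raise ValueError(
            f"DisableSMTPVS must be comma-delimited numbers 1-10 with no spaces, got {value!r}")
    return {int(n) for n in value.split(",")}


def build_disable_smtpvs(total_vs: int, scan: set) -> str:
    """Return the string that skips every virtual server not listed in `scan`."""
    if not 1 <= total_vs <= 10:
        raise ValueError("Antigen numbers SMTP virtual servers 1 through 10")
    unknown = sorted(n for n in scan if not 1 <= n <= total_vs)
    if unknown:
        raise ValueError(f"virtual servers {unknown} do not exist on this server")
    skipped = sorted(set(range(1, total_vs + 1)) - set(scan))
    return ",".join(str(n) for n in skipped)


def scanned_virtual_servers(total_vs: int, value: str) -> list:
    """Given an existing DisableSMTPVS string, list the virtual servers Antigen will scan."""
    skipped = parse_disable_smtpvs(value)
    return [n for n in range(1, total_vs + 1) if n not in skipped]


if __name__ == "__main__":
    # The guide's example: four virtual servers, scan only VS1 and VS3.
    value = build_disable_smtpvs(4, {1, 3})
    print("DisableSMTPVS =", value)                        # 2,4
    print("scanned:", scanned_virtual_servers(4, value))   # [1, 3]
    for bad in ("2, 4", "0", "11", "2,"):
        try:
            parse_disable_smtpvs(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Write the returned string as the REG_SZ value DisableSMTPVS at the location given in Appendix B, then recycle the SMTP service; an empty string means no virtual server is skipped.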

Note:

When running Microsoft Exchange 2000 Server pre-SP3, outgoing messages may not be scanned because outgoing messages waiting to be scanned are not blocked from being accessed by transports such as X.400, SMTP, and the Lotus Notes Connector. This is a known limitation of the Microsoft VSAPI2 in pre-SP3 builds.

About multiple Internet processes

Two Internet Scan Jobs (processes) are created during installation, but administrators can create additional Internet Scan Jobs by changing the value of the General Option setting Internet Process Count to represent the number of Antigen Internet Scan Jobs that they want running on the SMTP stack. The maximum is 10.

When you run multiple Internet processes, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file will be scanned by the third process. Whenever possible, Antigen delivers files to the first process, if it is available. Multiple processes increase the load on the server at startup when they are being loaded and whenever they are called upon to scan a file. More than two Internet processes should not be necessary, except in high-volume environments that need the additional redundancy provided by three or four processes. As a general rule, it is recommended to enable only two Internet processes per processor on each server.

Configuring the SMTP Scan Job

When configuring the SMTP Scan Job settings, select the SMTP messages (Inbound, Outbound, or Internal) and optional features, such as Deletion Text and Tag Text.

To configure the SMTP Scan Job

1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.

2. Click SMTP Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.

3. Select the type of message that you would like to scan: Inbound, Outbound, or Internal messages.

• Selecting the Inbound check box configures Antigen to scan all e-mail messages entering the Internet Mail Service or the Internet Mail Connector (IMS or IMC). Messages are designated as inbound if the message originated from, or was relayed through, an external server. If the Exchange servers within that site or organization are not running Antigen, this is an effective way to protect them from infected e-mail messages coming from the Internet.

• Selecting the Outbound check box configures Antigen to scan all outgoing e-mail that leaves your Exchange site or Exchange organization via the IMS/IMC. Messages are designated as Outbound if at least one recipient has an external address.

• Selecting the Internal check box configures Antigen to scan all e-mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain.

4. Optionally, if you are installing both Microsoft Antigen for Exchange and the Microsoft Antigen Spam Manager on a server running Exchange Server 2003, you can set the Store Action Threshold. The Store Action Threshold designates when Exchange 2003 will divert a suspected spam e-mail message to a Junk Mail folder based on the spam confidence level (SCL) rating of the message.

For this feature to function properly, administrators must use the Identify: Tag Message Action to configure the Antigen Spam Manager to include the SCL rating. (For more information, see Chapter 17 - Antigen Spam Manager overview.) By default, the Store Action Threshold is set to 8, so any message with an SCL rating higher than 8 is diverted to the Junk Mail folder. When Antigen identifies a message as spam, it sets the SCL rating to 9.

5. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This box is used by Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note:

Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

6. Optionally, if the Antigen Spam Manager is installed, you can specify Tag Text. When you click the Tag Text button, a text box appears. This text is used by Antigen for Exchange to tag the subject line or MIME header of a message when the Action for a filter is set to Identify: Tag Message. (For more information about this Action, see Chapter 17 - Antigen Spam Manager overview.) A custom message can be used by modifying this text box.

7. Optionally, if you would like to append a disclaimer to all outbound messages, select the Add Outbound Disclaimer check box. For more information about this feature, see Adding outbound disclaimers.

8. Click Save.

Adding outbound disclaimers

The Add Disclaimer feature of Antigen enables administrators to append a disclaimer to outbound messages flowing through the SMTP stack. If the Add Outbound Disclaimer check box is selected during configuration of the SMTP Scan Job, the Disclaimer Text button is enabled.

Click the Disclaimer Text button to display a text input dialog box. The default disclaimer text appears.

You may customize the disclaimer text by entering the message you would like to include in all outgoing messages. When enabled, the disclaimer text will be appended to the message body of all outbound messages.

The disclaimer text can also be entered by using HTML tags to format the text. For example, you can create a disclaimer such as: “This is a test disclaimer”

If the e-mail message is sent in HTML form, the HTML formatted disclaimer is appended and is displayed properly provided the recipient is using an e-mail client that supports HTML formatted messages. If the recipient's e-mail client supports only plain text, the recipient will see the entire HTML formatted disclaimer text, which includes the HTML tags. This is also the case if the sender is sending the message in plain text.

The disclaimer setting, along with the disclaimer text, is saved in the SMTP Scan Job, and is disabled by default.

When upgrading from previous versions of Antigen, the SMTP Scan Job will be updated to include this setting.

To avoid having disclaimers appended to mail destined for addresses within your internal domain, you must enter your e-mail domains in the General Option setting Internal Address. A recipient whose domain is not listed there is treated as external, so leaving the setting empty causes the disclaimer to be appended to internal mail as well. Enter your local domain name. You can also enter multiple domain names by separating each name with a semicolon (;); no space is required. For more information about the Internal Address General Option, see Chapter 4 - Using the Antigen Administrator.
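The following Python model, added here as an illustration and not part of Antigen or of this guide, shows how the Inbound/Outbound/Internal rules from the SMTP Scan Job procedure interact with the Internal Address list when deciding whether a disclaimer is appended. The SmtpScanJob dataclass, its check-box defaults, the sample addresses and the disclaimer string are assumptions made for the example; the product decides "originated from an external server" at the transport level, whereas the model uses the sender's domain as a stand-in.

```python
"""Message direction and outbound-disclaimer decision, modelled on the
Inbound/Outbound/Internal rules and the Internal Address General Option.
Added illustration, not Antigen code; names and defaults are assumptions."""
from dataclasses import dataclass

SAMPLE_DISCLAIMER = "<p>Constructed sample disclaimer.</p>"   # constructed, not the product default


def parse_internal_address(option: str) -> frozenset:
    """Internal Address: domain names separated by ';' with no space required.
    Stray spaces are tolerated and matching is case-insensitive (assumption)."""
    return frozenset(d.strip().lower() for d in option.split(";") if d.strip())


def domain_of(address: str) -> str:
    """Return the domain part of user@domain; reject anything else (assumption)."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    return domain.lower()


def classify(sender: str, recipients: list, internal_domains: frozenset) -> str:
    """Internal: sender and every recipient inside. Outbound: at least one
    recipient outside. Inbound: everything else, i.e. an external sender
    writing only to internal recipients. Sender domain stands in for
    'originated from an external server' (assumption)."""
    if not recipients:
        raise ValueError("a message needs at least one recipient")

    def inside(address: str) -> bool:
        return domain_of(address) in internal_domains

    if inside(sender) and all(inside(r) for r in recipients):
        return "Internal"
    if any(not inside(r) for r in recipients):
        return "Outbound"
    return "Inbound"


@dataclass
class SmtpScanJob:
    # Check-box defaults are assumptions, except the disclaimer, which the page says is off by default.
    inbound: bool = True
    outbound: bool = True
    internal: bool = False
    add_outbound_disclaimer: bool = False
    disclaimer_text: str = SAMPLE_DISCLAIMER


def process(sender: str, recipients: list, body: str, job: SmtpScanJob, internal_domains: frozenset):
    """Return (direction, scanned_by_job, body). The disclaimer is appended
    verbatim to Outbound bodies, so a plain-text message shows any HTML tags."""
    direction = classify(sender, recipients, internal_domains)
    scanned = {"Inbound": job.inbound, "Outbound": job.outbound, "Internal": job.internal}[direction]
    if direction == "Outbound" and job.add_outbound_disclaimer:
        body = body.rstrip("\n") + "\n\n" + job.disclaimer_text
    return direction, scanned, body


if __name__ == "__main__":
    internal = parse_internal_address("contoso.com;fabrikam.com")   # constructed sample domains
    job = SmtpScanJob(add_outbound_disclaimer=True)
    # Mixed recipients: the message is Outbound, so the internal recipient also receives the disclaimer.
    print(process("alice@contoso.com", ["bob@contoso.com", "eve@example.net"], "hello", job, internal))
    # Empty Internal Address: even purely internal mail is classified Outbound and gets the disclaimer.
    print(process("alice@contoso.com", ["bob@contoso.com"], "hello", job, frozenset()))
```

The two cases in the main block are the ones worth checking after changing the setting: a message with one external recipient carries the disclaimer to its internal recipients too, and an empty Internal Address list makes every message look outbound.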

Note:

Antigen supports multiple SMTP disclaimers for outgoing e-mail messages. For more information about this feature, see Appendix F - Using multiple disclaimers.

Configuring the antivirus scanners and job action

After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings

1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.

2. Select the SMTP Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.

3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the SMTP Scan Job.

4. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.

5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:

• Skip: detect only – Make no attempt to clean or delete. Viruses are reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

• Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

• Delete: remove infection – Delete the attachment without attempting to clean. The infected file is removed from the attachment and a text file is inserted in its place. By default, the text file contains the following string: "Microsoft Antigen for Exchange removed %File% since it was found to be infected with %Virus% virus."

6. Enable or disable e-mail notifications by using the Send Notifications box. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications. (For more information about configuring notifications, see Chapter 18 - Using e-mail notifications.) Notifications are disabled by default.

7. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, enabling you to recover them. However, worm-purged messages are not recoverable.

8. Click Save.

Controlling the SMTP Scan Job

After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the SMTP Scan Job.

To control the SMTP Scan Job

1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right.

The top portion of the Run Job work pane contains a list of scan jobs. The list shows the current state of each scan job, and whether it is performing scanning or filtering operations.

2. Select the SMTP Scan Job.

3. If the State for the scan job is not set to Enabled, click the Enable button to enable the scan job.

4. Select or clear the check boxes that determine whether the job performs Virus Scanning, File Filtering, Content Filtering, Keyword Filtering, and Mailhost Filtering. If the Antigen Spam Manager is installed, you can also select or clear Spam Scanning. Any change to these settings takes effect immediately, even if the scan job is currently running.

Checking results and status

The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

Note:

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text format.

About SMTP Scan recovery

If the SMTP Scan Job takes longer than a specified amount of time to scan a message (the default is 5 minutes or 300,000 milliseconds), the process is terminated and Antigen attempts to restart the service. If successful, SMTP scanning resumes and a notification is sent to the administrator stating that the SMTP Scan Job stopped and recovered.

When the new Internet scan process starts, the message that caused it to terminate is reprocessed according to the Action set in the General Option setting Internet Scan Timeout Action. For example, if it is set to Delete, Antigen deletes the file, replaces its contents with the Deletion Text for the SMTP Scan Job, logs the information, and quarantines and archives the file. (For more information on General Options, see Chapter 4 - Using the Antigen Administrator.)

If the process cannot be restarted, a notification is sent to the administrator stating that the SMTP Scan job stopped. In this event, SMTP scanning will not function and the mail stream will not be scanned.

If you continue to have time-out problems, you can try increasing the time specified in the InternetTimeout registry value. Because this is a hidden registry value, you will have to create a new DWORD registry value called InternetTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Antigen services for the change to take effect. For more information on registry values, see Appendix B - Setting registry values.

Scanning nested compressed files

Deeply nested compressed files can slow the performance of Antigen and the Exchange server, because each layer must be decompressed before the next can be examined, and deep nesting is a known denial-of-service technique against antivirus products. To limit the impact on server performance and guard against such attacks, the General Option Max Nested Compressed Files is set to 5 by default. With this setting Antigen searches up to five levels of nested compressed attachments for viruses; attachments nested more than five levels deep are marked for deletion.

You may change this setting as needed for your environments in the General Options work pane. For more information, see Chapter 4 - Using the Antigen Administrator.

Scanning files by type

By default, Antigen is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Antigen can be configured to scan only those file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. The file type is determined by examining the file header, not the file extension; this is the safer method because an extension is trivially spoofed (an executable renamed to .txt still has an executable header). This check improves Antigen performance while making sure that no potentially infected file attachment passes without being scanned. If you would like Antigen to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry value ScanAllAttachments to 0. (ScanAllAttachments is a "silent" value, that is, if it is not present, its value defaults to 1, meaning all attachments are scanned.)
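The following Python model, added here as an illustration and not part of Antigen or of this guide, puts the two checks described above side by side: a nesting limit for compressed attachments (the Max Nested Compressed Files rule, which the MTA chapter repeats) and header-based file-type detection that ignores the attachment's extension (the ScanAllAttachments=0 behaviour). The signature table, the non-infectable set, the one-megabyte inflate budget, the sample attachments and the function names are all assumptions made for the example; Antigen's real tables and limits are not documented on this page.

```python
"""Attachment triage: header-based type detection plus a nesting limit for
compressed attachments. Added illustration, not Antigen code; signatures,
limits and sample archives are assumptions constructed for this example."""
import io
import zipfile

MAX_NESTED_COMPRESSED = 5        # page default for Max Nested Compressed Files
MAX_MEMBER_BYTES = 1 << 20       # assumed inflate budget per member (not a page setting)

# Assumed signature table: leading bytes -> type label. Real products carry far
# larger tables; the point is that the decision never consults the extension.
SIGNATURES = (
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe-executable"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),
    (b"\x89PNG\r\n\x1a\n", "png"),
)
NON_INFECTABLE = frozenset({"png"})   # assumed set of types treated as unable to carry a virus


def sniff_type(data: bytes) -> str:
    """Classify by file header; the attachment's name plays no part."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def nesting_depth(data: bytes, limit: int = MAX_NESTED_COMPRESSED) -> int:
    """Count zip-in-zip layers without ever descending past limit + 1 layers or
    inflating an oversized member, so a nesting bomb cannot exhaust the scanner.
    Anything the function refuses to open is reported as limit + 1 (fail closed)."""
    if sniff_type(data) != "zip":
        return 0
    if limit < 1:
        return 1                    # this layer exists but there is no budget left to open it
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return limit + 1            # corrupted compressed: fail closed
    deepest = 1
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                return limit + 1    # refuse to inflate; a decompression bomb looks like this
            with archive.open(info) as fh:
                head = fh.read(4)
                if not head.startswith(b"PK\x03\x04"):
                    continue        # not an archive, whatever its name says
                member = head + fh.read()
            deepest = max(deepest, 1 + nesting_depth(member, limit - 1))
            if deepest > limit:
                break               # already over budget; stop opening siblings
    return deepest


def triage(name: str, data: bytes, scan_all: bool = True,
           limit: int = MAX_NESTED_COMPRESSED) -> dict:
    """Decide scan / skip / delete for one attachment. `name` is carried only for
    the report; with scan_all=False (ScanAllAttachments=0) the header decides."""
    kind = sniff_type(data)
    if kind == "zip":
        depth = nesting_depth(data, limit)
        if depth > limit:
            return {"name": name, "type": kind, "action": "delete",
                    "reason": f"nesting exceeds {limit} or archive unreadable"}
        return {"name": name, "type": kind, "action": "scan", "reason": f"nesting {depth}"}
    if not scan_all and kind in NON_INFECTABLE:
        return {"name": name, "type": kind, "action": "skip", "reason": "header shows non-infectable type"}
    return {"name": name, "type": kind, "action": "scan", "reason": "header shows scannable or unknown type"}


def make_nested_zip(layers: int, payload: bytes = b"constructed sample payload\n") -> bytes:
    """Constructed test input: `payload` wrapped in `layers` zip archives."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.txt" if i == 0 else f"inner{i}.zip", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    samples = [                                                  # constructed attachments
        ("report.png", b"MZ" + bytes(62)),                       # executable wearing an image extension
        ("photo.exe", b"\x89PNG\r\n\x1a\n" + bytes(16)),         # image wearing an executable extension
        ("archive.zip", make_nested_zip(5)),                     # at the limit: scanned
        ("bomb.zip", make_nested_zip(40)),                       # over the limit: deleted after six layers
    ]
    for attachment_name, content in samples:
        print(triage(attachment_name, content, scan_all=False))
```

Two properties matter in practice: the 40-layer archive is rejected after the sixth layer is seen rather than after all forty are unpacked, and "report.png" is still scanned with ScanAllAttachments=0 because its header, not its name, identifies it as an executable.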

Chapter 9 - Configuring MTA Scan Jobs

Antigen provides the scanning of messages passing through the Exchange Message Transfer Agent (MTA) on Microsoft® Exchange 2000 Server and on Microsoft Exchange Server 2003. This job scans all MTA connectors, such as X.400, MSMail, and cc:Mail. Antigen MTA scanning is enabled by default and can be run on the upgraded bridgehead server to protect the MTA access point for the organization.

Note:

When running Exchange Server 2000 pre-SP3, outgoing messages cannot be scanned because outgoing messages waiting to be scanned are not blocked from being accessed by transports such as X.400, SMTP, and the Lotus Notes Connector. This is a known limitation of the Microsoft VSAPI2 in pre-SP3 builds.

Configuring the MTA Scan Job

When configuring the MTA Scan Job settings, select the MTA messages (Inbound or Outbound) and optionally specify Deletion Text.

To configure the MTA Scan Job

1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.

2. Click MTA Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.

3. Select whether you would like to scan Inbound or Outbound messages.

• Selecting the Inbound check box configures Antigen for Exchange to scan all e-mail messages that are handled by the Exchange MTA. Messages are designated as inbound if the message originated from, or was relayed through, an external server. If the Exchange servers within that site or organization are not running Antigen, this is an effective way to protect them from infected e-mail messages coming from the Internet.

• Selecting the Outbound check box configures Antigen for Exchange to scan all outgoing messages that are passing through the Exchange MTA. Messages are designated as outbound if at least one recipient has an external address.

4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This box is used by Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note:

Antigen for Exchange provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

5. Click Save.

Configuring the antivirus scanners and job action

After you configure the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings

1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.

2. Select the MTA Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.

3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining file filtering and content filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the MTA Scan Job.

4. Select the bias to control how many engines should be used to provide an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.

5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:

• Skip: detect only—Make no attempt to clean or delete. Viruses are reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

• Clean: repair document—Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the deletion text.

• Delete: remove infection—Delete the attachment without attempting to clean. The infected file is removed from the attachment and a text file is inserted in its place. The text file contains the following string: "Antigen for Exchange found a virus and deleted this file."

6. Enable or disable e-mail notifications by using the Send Notifications box. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications. (For more information about configuring notifications, see Chapter 18 - Using e-mail notifications.) Notifications are disabled by default.

7. Enable or disable the saving of attachments that are detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

8. Click Save.

Scanning nested compressed files

Deeply nested compressed files can slow the performance of Antigen and the Exchange server, because each layer must be decompressed before the next can be examined, and deep nesting is a known denial-of-service technique against antivirus products. To limit the impact on server performance and guard against such attacks, the Antigen registry value MaxNestedCompressedFile is set to 5 by default. With this setting Antigen searches up to five levels of nested compressed attachments for viruses; attachments nested more than five levels deep are marked for deletion.

You can change this setting as needed for your environments in the General Options work pane. For more information, see Chapter 4 - Using the Antigen Administrator.

Note:

Registry Editor enters DWORD values as hexadecimal by default. For values from 0 through 9 the two bases coincide, so the difference is not noticed until you enter a value greater than 9. When entering a value greater than 9, select Decimal before typing it; a value of 10 typed while Hexadecimal is selected is stored as 16.

Controlling the MTA Scan Job

After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the MTA Scan Job.

To control the MTA Scan Job

1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right.

The top portion of the Run Job work pane contains a list of scan jobs. The list shows the current state of each scan job, and whether it is performing scanning or filtering operations.

2. Select the MTA Scan Job.

3. If the State for the scan job is not set to Enabled, click Enable to enable the scan job.

4. Select or clear the check boxes that determine whether the job performs Virus Scanning, File Filtering, and Content Filtering. Any change to these settings takes effect immediately, even if the scan job is currently running.

Checking results and status

The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

Note:

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text format.

Chapter 10 - Performing background and on-access scans

Microsoft® Exchange Server VSAPI 2 and 2.5 provide the ability to perform background scanning of all files in the information store and on-access scanning of files as they are accessed. These features enhance the functionality of Antigen by ensuring that files are scanned by using the latest engine updates and scanning configuration.

On-access scanning

On-access scanning ensures that all files being accessed will be scanned if the configuration of the antivirus software has changed since the file was originally stored.

Configuring on-access scanning

On-access scanning is controlled by the following General Option settings:

Setting: Scan on Scan Job Update
Description: Causes previously scanned files to be rescanned when accessed following a scan job update.

Setting: Scan on Scanner Update
Description: Causes previously scanned files to be rescanned when accessed following a scanner update.

Note:

When these options are enabled, the Mailbox server may experience increased virus scanning, which can impact system performance.

Background scanning

Background scanning is intended to ensure that all files are scanned using the latest updates and configurations. Background Scanning can initiate a scan of the entire information store when any change is made to the Realtime Scan Job and saved, when the Exchange Services are recycled, or when a new Storage Group is mounted. A Background Scan can also be initiated after scan engine updates if desired.

Background Scanning is disabled by default since Background Scanning of large information stores can place a heavy load on the server. The Background Scan Job uses the same configuration settings as the Realtime Scan Job for respective Storage Groups.

To enable background scanning

1. Open the General Options work pane and select one or both of the following options:

Enable Background Scan if ’Scan On Scan Job Update’ Enabled: When this setting is enabled, Antigen will initiate a Background Scan every time a scan job setting is updated.

Enable Background Scan if ’Scan On Scanner Update’ Enabled: When this setting is enabled, Antigen will initiate a Background Scan every time a scanner setting is updated.

2. Enable the Realtime Scan Job for the Storage Groups that you want to have scanned by the Background Scanner. For more information, see Chapter 7 - Configuring Realtime Scan Jobs.

3. Enable the On-Access Scanning General Options Scan on Scan Job Update and Scan on Scanner Update.

To schedule a Background Scan Job

1. Click OPERATE in the left navigation shuttle, and then click the Schedule Job icon. The Schedule Job work pane appears on the right.

2. Select the VSAPI Background Scan Job at the top of the Schedule Job work pane.

3. Use the calendar in the Date section to set the date when the Background Scan Job will activate. The red circle indicates today's date. The date you set is highlighted in blue.

4. Set the run time using the Time edit field to the right of the calendar.

5. Indicate the Frequency of the scheduled job: run it Daily, Weekly, Monthly, or only Once (the default).

6. If the job is disabled, click Enable to enable it.

7. Click Save.

Reporting incidents

Incidents detected by background scanning and on-access scanning are reported in the Realtime column in the Incidents work pane of the REPORT shuttle.

Chapter 11 - Using templates

When Antigen for Exchange is installed, it creates default templates for the various scan jobs, scan engines, and notifications. The scan jobs are configured to use the values in the default templates. Administrators can also create templates for file filter and content filter settings and additional scan job templates, as needed. (These are called named templates.) Templates are useful for controlling the configuration of Antigen on multiple servers from a central location, controlling the configuration of scan jobs and other functions at installation, and defining configuration settings for newly mounted storage groups.

The Template.adb file contains the following default templates:

• An Internet Scan Job template, a Realtime Scan Job template, a Manual Scan Job template, and an MTA Scan Job template.

• Notification templates for each of the default notifications.

• Scanner update templates for each scan engine that is installed on the current system.

To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates.

To view templates in the Antigen Administrator, click File, click Templates, and then click View Templates. This will cause the default and named templates to be displayed in the various work panes.

Note:

The settings for all the scan jobs are contained in the file Scanjobs.adb. If this file is not present when the Antigen Service starts, a new one is created based on the values in the Template.adb file. If the Template.adb file does not exist, a new one is created based on the values in the Scanjobs.adb file. If they both do not exist, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.

Template uses

Templates are used for the following purposes:

• Controlling configuration settings of all Antigen servers from a single location - After a Template.adb file is created, Microsoft® Antigen Enterprise Manager (AEM) can be used to copy and activate the template settings on multiple Antigen servers throughout an organization. Templates can be deployed simultaneously to multiple Antigen servers, and the settings can be applied to currently running scan jobs without the need to stop or restart any services. (For more information about using the AEM to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.)

• Controlling the configuration for scan jobs during remote installations - Use templates to configure your remote servers at the time Antigen is installed.

• Defining scan job settings for newly mounted storage groups - In Microsoft Exchange Server 2003, storage groups can be added to the system dynamically while both Exchange and Antigen are running. Antigen detects when a new or previously used storage group is mounted. If the storage group is new, Antigen needs to create a Realtime Scan Job and a Manual Scan Job to protect that storage group. The settings that are used for each of these scan jobs are read from their associated templates found in Template.adb.

This feature enables an administrator to create default rules that will protect new storage groups as they are added to the system.

Creating a named template

To use named templates, you must create them and associate them with scan jobs.

To create a named template

1. Click File, click Templates, and then click New. The New Template dialog box appears.

2. Select the Type of template you would like to create (Internet, Realtime, Manual, MTA, or Filter Set). For more information about filter set templates, see "Using filter set templates" in Chapter 13 - Using content filtering. For more information about the different types, see Using named templates.

3. Give the template a Name, and then click OK. The new template is created and becomes a choice in the Job List in the top pane, and a choice in the Template list in the bottom pane of the Template Settings work pane.

4. Select your new template in the Job List. If the templates are not visible, you can display them by clicking File, selecting Templates, and then clicking View Templates.

Note:

If you have many templates, you may want to hide them to simplify the display.

5. Click the appropriate work pane to configure the template. For example, if you have created an SMTP template, select Antivirus in the SETTINGS area of the Shuttle Navigator, and then configure the template as you would an SMTP Scan Job. Click Save when you are done.

6. For a scan job to use a template, the template must be associated with that scan job.

a. Select Templates in the SETTINGS area of the Shuttle Navigator.

b. In the list in the top pane, select the scan job to associate with the template you have just created. For example, select SMTP Scan Job.

c. In the lower work pane, select the desired template from the Template list.

d. Click Load From Template.

e. Click Save. The selected scan job’s settings will be reconfigured to those in the selected template.

Note:

The new template can be distributed to remote servers by using the Antigen Enterprise Manager (AEM). For more information about using the AEM to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

Renaming or deleting a named template

You can rename or delete a named template. You cannot rename or delete a default template.

To rename or delete a named template

1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.

2. Select the template in the Job List.

3. Click File.

4. Select Templates.

5. Select Rename or Delete. If you choose Delete, you will be asked to confirm your choice.

Modifying templates

You may want to make changes to a default template or a named template.

To modify a template

1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.

2. Select a work pane with the template to be modified (for example, Scan Job on the SETTINGS shuttle).

3. Select the template to be modified in the Job List.

4. Configure the template as desired, using the various work panes, clicking Save on each.

Note:

If you make changes directly to a specific scan job (for example, the SMTP Scan Job), the templates associated with that scan job are not changed. Any custom filter updates should therefore be made to the template, so that your settings stay in one consistent location; this matters when you need to deploy the same template settings to another server.

Modifying default file scanner update templates

You may change the primary and secondary update path, change the updating schedule, and enable or disable automatic updates by using the scanner update templates.

To configure default file scanner update templates

1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.

2. Select Scanner Updates from the SETTINGS shuttle. The Scanner Update Settings work pane appears.

3. Select the file scanner template that you want to update from the Job List. There should be one template for every installed engine.

4. Change the primary and secondary Network Update Path, as desired.

5. Change the date, time, frequency, and repeat interval if desired. Enable or disable updating as needed.

6. Click Save.

[pic]Note:

New templates can be deployed locally by using the AntigenStarter (for more information, see Deploying named templates) or to remote servers by using the Antigen Enterprise Manager (AEM). For more information about using the AEM to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. If you are using the Antigen Enterprise Manager to update Antigen’s scan engines, you should disable scheduled updates in Antigen.

Modifying notification templates

Default notification templates can be used to deploy notification settings to remote servers.

To configure notification templates

1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.

2. Select Notification in the REPORT area of the Shuttle Navigator.

3. Select the notification template you would like to modify from the Job List.

4. Edit the template in the lower work pane or use the Enable and Disable buttons to change the state of the template.

5. Click Save.

Note:

You cannot create new notification templates. You must modify the default notification template to update notification settings.

Using named templates

Named templates can be used to create and manage multiple configurations in an Exchange environment. If you run different configurations on the servers in your environment, we recommend configuring each server to use a named template as the default for its configuration settings.

Named templates are created as described in Creating a named template. At the time of installation or upgrade, you can configure all of the named templates that you will need for your environment. For example, if you have twenty servers divided into four groups of five, you can create named templates for each server group. These templates will contain all of the configuration information for scan jobs, filtering, notifications, and scanner update paths. Each template will have the name of the group:

SMTPTemplate1

SMTPTemplate2

SMTPTemplate3

SMTPTemplate4

These names are similar for each scan job and filter set template.

Deploying templates during a remote installation

To have the template.adb file distributed to all servers during a remote installation or upgrade, you must run the self-extracting file used to run the installation. You will be prompted for the path where the extracted files will be placed.

Copy the template.adb file to the directory containing the extracted files. Finally, execute the setup.exe file that was extracted to that directory. (For more information about remote installations, see “Manage Jobs” in the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. When you enter the location of the Setup.exe file for the deployment job in the Enterprise Manager, specify the directory containing the extracted file.)

The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise, the default template is used. You can use the Antigen Administrator to connect to the computer and make the association. (For more information, see “Connecting to a remote server” in Chapter 4 - Using the Antigen Administrator.)

After you are connected to the remote server, you can associate the template with the appropriate scan job by following the steps in Creating a named template.

After you have associated a named template with a scan job, the assigned template will continue to be used when there are configuration changes. It is not necessary to reassociate the scan job unless you want to switch the template that is being used.

Deploying named templates

Named templates can be deployed locally by using AntigenStarter or to remote servers by using the Microsoft Antigen Enterprise Manager (AEM).

Individual templates can be associated with current scan jobs in the Administrator by clicking the Load From Template button. An exception is filter list templates, which must be associated with a scan job using the AntigenStarter. The AntigenStarter can be used to activate any or all templates from a command prompt directly on the server: AntigenStarter.exe applies template settings on the current server, and its t parameter is what activates them.

The syntax of AntigenStarter is:

AntigenStarter t[c][f][l][n][p][s]

The t parameter instructs AntigenStarter to read all of the settings in the Template.adb file and apply them on the current server. All filter settings, notification settings, and scanner update paths can be updated. You must insert a space between AntigenStarter and the t parameter. However, there is no space between the t parameter and the options.

You can also deploy a subset of the filters by using one of the switches listed below. The switches must be used in conjunction with the t parameter. Any combination of the following options causes a subset of the template settings to be applied:

The switches and what each one updates:

c: Update the content filter settings for each scan job.

f: Update the file filter settings for each scan job. The file filter settings of each scan job on the server are updated with the file filter settings found in the associated template type. For example, the file filter settings for all SMTP Scan Jobs are updated with the file filter settings found in the SMTP Scan Job template.

l: Update the filter lists for each scan job.

n: Update the notification settings with the data in the associated templates.

p: Update the file scanner update path, proxy server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file scanner is updated from the file scanner template that matches the vendor of the file scanner.

s: Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all SMTP Scan Jobs are updated with the settings found in the SMTP Scan Job template. This includes all filters.

Note:

Multiple switches should be listed without punctuation or spacing. For example: tsfn

Deploying schedule job templates

When deploying the default schedule job template, the Background Scan Job and all Manual Scan Jobs that are set to use the default template will be updated. This will cause all Manual Scan Jobs and the background scan to begin at the same time and could degrade server performance. To avoid this problem, use named templates for each Manual Scan Job so that you can schedule each Manual Scan Job independently of the background scan.

Chapter 12 - Using file filtering

The Antigen file filter feature gives you the ability to search for attachments with a specific name, type, and size within an e-mail message. If it finds a match, the file filter can be configured to perform actions on the attachment, such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means for detecting file attachments within e-mail messages and other Microsoft® Office Outlook® items, including Tasks and Schedules (such as meetings and appointments).

Mechanics of file filtering

File filtering can be configured to assess several aspects of an attached file: the file name and extension, the actual file type, and the file size. By using these criteria, you can filter files in a variety of ways.

Filtering by file type

If you want to filter certain file types, you can create the filter * and set the File Types selection to the exact file type that you want to filter.

For example, you can create the filter * and set the File Types to MP3. This will ensure that all MP3 files are filtered, regardless of their file name or extension.

One advantage of setting a generic * filter and associating it with a certain file type (for example, EXEFILE) is that this prevents users from bypassing the filter simply by changing the extension of a file.

Notes:

If you want to filter Microsoft Office Excel® files, you must enter *.xls or * in the File Names box, and then select both WINEXCEL1 and DOCFILE in the File Types list. Excel 1.x files are WINEXCEL1 file types, but newer versions of Excel are DOCFILE file types.

For Microsoft Office 2007 documents (Word, Excel, and PowerPoint®), you should use the proper file extension in the File Names box, and then select OPENXML in the File Types list.

Filtering by extension

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and then set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and then set the File Types selection to All Types. This will ensure that all files with an .exe extension will be filtered.

Important:

When creating generic file filters to stop all of a certain type of file (for example, .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter.

Filtering by name

If you want to filter all files with a certain name, you can create a filter by using the file name and setting the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This will ensure that any file named payload.doc will be filtered, regardless of the file type.

Detecting file attachments by name is also useful when there is a new virus outbreak and the administrator knows the name of the file where the virus resides before the virus scanners are updated to detect it. A perfect example of this is the Melissa worm. The worm resided in a file named List.doc and could have been detected if the administrator had used file filtering before the virus scanners could detect it.

Configuring the file filter

You can configure the file filter by file names, file types, or file sizes.

To configure the file filter

1. Click FILTERING in the Shuttle Navigator.

2. Select the File icon. The File Filtering pane appears on the right.

3. In the upper work pane, select the scan job for which you would like to create the file filter.

4. To detect file attachments with a particular file name, add the file name to the File Names section of the work pane by clicking Add, typing the file name that you want to detect, and pressing ENTER.

Optionally, you can configure Antigen to filter files based on their size. To detect files by size, when typing the file name, specify a comparison operator (=, >, <, >=, <=) followed by a size after the file name. For example:

*.bmp>=1.2MB   all .bmp files larger than or equal to 1.2 megabytes

*.com>150KB    all .com files larger than 150 kilobytes

*>5GB          all files larger than 5 gigabytes

Note:

For additional buttons that you can use when configuring file names, see About file names buttons.

5. Specify the list of File Types that can be associated with the selected File Name. You can select one or more File Types from the list, or select All Types located below the list. If the File Type that you want to associate with the selected File Name is not available in the list, then select All Types. (For a description of the file types listed in the selection box, see Appendix E - File types list overview.)

The All Types selection configures Antigen to filter based only on the file name and file extension. By selecting All Types, Antigen will be configured to detect the selected file name regardless of the file type. This prevents users from bypassing the filter simply by changing the extension of a file.

If you know the file type that you are searching for, Antigen will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, you can create the filter * and then set File Types to EXEFILE.

6. Ensure that the File Filter is set to Enabled. It is enabled by default.

7. Indicate the Action to take if there is a filter match.

8. Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). It is disabled by default.

9. Indicate whether to enable Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

10. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.

Note:

Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

11. Click Save.

You can also create a filter list that contains multiple file filters. After you have created the list, the steps for configuring the filter list are the same as in the preceding procedure, except you must select the filter list rather than a filter name.

To create a file filter list

1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator.

2. In the List Types section, select Files.

3. In the List Names section, click Add.

4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use the dialog box to add file filters to the list.

6. In the Include In Filter section, click Add.

7. Type the file names to be included in the filter list. Press ENTER when you have finished typing. You can have as many file names as you want, but each must be entered separately.

The Exclude from Filter field is used to enter file names that should never be included on the relevant list. This prevents these entries from accidentally being added when importing a list from a text file. For more information on importing files, see "Importing new items into a filter list" and "Exporting sender-domains filters, file filters, and subject line filters" in Chapter 13 - Using content filtering.

8. When you are finished adding items, click OK. The file names you just entered appear, alphabetically, in the pane next to List Names.

9. Click Save.

Note:

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Action

Choose the action that you want Antigen to perform when a file filter is matched.

Note:

You must set the action for each file filter that you configure. The Action setting is not global.

The available actions are:

Skip: Detect Only

Records the number of messages that meet the filter criteria, but allows messages to route in the usual way. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions will cause the item to be deleted.

Delete: Remove Contents

Deletes the file attachment. The detected file attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the string that was configured by using the Deletion Text button. Delete: Remove Contents is the default value.

Purge: Eliminate Message

Deletes the message from your mail system. When you select this option, a warning will appear informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

Notes:

If the Quarantine Files box is checked, purged messages will be quarantined and can then be recovered from the quarantine database.

When running VSAPI 2.0, the Realtime Scan Job can purge only outbound messages, but the SMTP Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime Scan Job is available when running VSAPI 2.5.

Identify: Tag message

The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking Tag Text on the Scan Job Settings work pane and then modifying the text. The same tag, however, will be used for all filters associated with the particular scan job. This action is available only for the SMTP Scan Job.

When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 server, the Tag message action also enables you to set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

About file names buttons

The following buttons below the File Names section let you edit or delete a file name from the list. You can also change the order in which file names are filtered.

Edit: Enables you to edit an existing file name from the File Names section. Select the file name that you want to edit, and then click Edit. A dialog box appears that enables you to edit the selected file name. After you have completed making the necessary edits, click Save to submit or Cancel to undo.

Delete: Enables you to remove a file name from the File Names section. Select the file name that you want to delete, click Delete, and then click Save.

Up Arrow, Down Arrow: Enables you to change the order in which file names are filtered. In the lower pane, select the file name that you want to reorder, and then click the UP ARROW or DOWN ARROW buttons (on the same line with File Names) to change the ranking to your preference.

Matching patterns in the file name with wildcard characters

Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following characters to refine your filters.

*: Match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:

Single: Any of these single wildcard character patterns would detect veryevil.doc: veryevil.*, very*.doc, very*, *il.doc.

Multiple: Each of these patterns uses more than one wildcard character: e*c*r*om, ei*.*, *car.*.

Note:

Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.*

?: Match any single character in a name where a single character may change. For example: virus?.exe would find virusa.exe, virus1.exe, or virus$.exe.

Note: This filter would not catch virus.exe.

[set]: A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set will be matched. For example: klez[a-h].exe would find kleza.exe through klezh.exe.

[^set]: Exclude characters that you know are not used in the file name. For example: klez[^m-z].exe would not find klezm.exe through klezz.exe.

[range]: Indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe, but not klezb.exe or klezr.exe.

\char: Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and it indicates that a reserved control character should be taken literally, as a text character. For example: If you enter *hello*, you would typically expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note:

You must use a backslash before each special character.
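The wildcard rules above, together with the earlier advice to write *.exe* rather than *.exe, can be checked with a small pattern matcher. The following Python is an added illustration written for this guide, not Antigen's own matching code; it assumes the semantics are exactly those of the wildcard table (case-insensitive, * for any run of characters, ? for one character, [set], [^set], ranges, and backslash escapes) and treats < and > as ordinary characters because those belong to the directional-prefix and size syntax rather than to pattern matching. The name eicar.com used for the multiple-wildcard check is a constructed sample.

```python
import re

# Characters the guide lists as special in a File Names entry: * ? [ ] - ^ < >
# (< and > carry the directional prefix and size comparison, not wildcards,
# so this matcher treats them as plain characters.)


def antigen_pattern_to_regex(pattern: str) -> str:
    """Translate an Antigen-style file name pattern into a Python regular
    expression.  Assumption: the semantics are those of the wildcard table
    (this is an added illustration, not Antigen's own matcher)."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:
            # \char: the following character is matched literally
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif ch == "*":
            out.append(".*")          # any number of characters
            i += 1
        elif ch == "?":
            out.append(".")           # exactly one character
            i += 1
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:             # unterminated set: treat [ literally
                out.append(re.escape(ch))
                i += 1
                continue
            body = pattern[i + 1:end]
            negate = body.startswith("^")   # [^set] excludes the listed characters
            if negate:
                body = body[1:]
            # keep '-' unescaped so a-h style ranges survive; escape the rest
            members = "".join(c if c == "-" else re.escape(c) for c in body)
            out.append("[" + ("^" if negate else "") + members + "]")
            i = end + 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def matches(pattern: str, file_name: str) -> bool:
    """True if the whole file name matches the pattern.  Matching is not
    case-sensitive, as the guide states."""
    regex = antigen_pattern_to_regex(pattern)
    return re.fullmatch(regex, file_name, re.IGNORECASE) is not None


def demo() -> dict:
    """Checks drawn from the guide's own examples plus the *.exe* caveat."""
    return {
        "single_star": all(matches(p, "veryevil.doc")
                           for p in ("veryevil.*", "very*.doc", "very*", "*il.doc")),
        # constructed sample name for the multiple-wildcard patterns
        "multi_star": all(matches(p, "eicar.com") for p in ("e*c*r*om", "ei*.*", "*car.*")),
        "question_mark": matches("virus?.exe", "virus1.exe") and not matches("virus?.exe", "virus.exe"),
        "set": matches("klez[a-h].exe", "klezh.exe") and not matches("klez[a-h].exe", "klezi.exe"),
        "negated_set": not matches("klez[^m-z].exe", "klezm.exe") and matches("klez[^m-z].exe", "kleza.exe"),
        "range_and_set": matches("klez[ad-gp].exe", "klezf.exe") and not matches("klez[ad-gp].exe", "klezb.exe"),
        "escape": matches("*\\*hello\\**", "*hello*") and not matches("*\\*hello\\**", "hello"),
        # why the guide recommends *.exe* over *.exe: characters appended after
        # the extension slip past the shorter pattern
        "exe_caveat": not matches("*.exe", "setup.exe.txt") and matches("*.exe*", "setup.exe.txt"),
        "case_insensitive": matches("*.exe", "SETUP.EXE"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Run it as a script and every check prints ok; the exe_caveat entry is the one to show anyone who writes *.exe and expects it to stop a file named setup.exe.txt.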

Using directional file filters

When you use the file filter in conjunction with the SMTP Scan Job, you can configure a filter so that it checks only inbound or outbound messages. This is accomplished by adding a prefix to the file name when you enter it in the File Names work pane.

(For information about the inbound, outbound, and internal designations, see Chapter 8 - Configuring SMTP Scan Jobs.)

Note:

There are no spaces between the prefix and the file name.

Inbound Filtering—Prefixing the file name with the directive instructs Antigen to apply this filter only to inbound messages.

filename

Outbound Filtering—Prefixing the file name with the directive instructs Antigen to apply this filter only to outbound messages.

filename

Inbound, Outbound, and Internal Filtering—If no prefix is appended to the file name, then the filter is applied to all messages, regardless of direction.

filename

Filtering container files

Container files can be broadly described as complex files that can be broken down into various parts. Antigen can scan the following container files for filter matches:

• PKZip (.zip)

• GNU Zip (.gzip)

• Self-Extracting .zip archives (.exe)

• Zip Files (.zip)

• Java archive (.jar)

• TNEF (Winmail.dat)

• Structured storage (for example, .doc, .xls, or .ppt)

• Open XML (for example, .docx, .xlsx, or .pptx)

• MIME (.eml)

• SMIME (.eml)

• Uuencode (.uue)

• UNIX tape archive (.tar)

• RAR archive (.rar)

• MACBinary (.bin)

Antigen will scan all parts of the container file, and then repack the file as necessary. For example, if you configure a file filter to delete all .exe files, Antigen will delete .exe files inside container files (replacing them with the Deletion Text), but will leave all other files in the container intact.

Note:

Antigen cannot scan password-protected files or encrypted files. Although Antigen does not decrypt such files, the files are always passed to the antivirus scanners in their entirety in their encrypted form.

Excluding the contents of a container file from file filtering

To exclude the contents of a .zip file (container file) from being scanned for filter matches, specify the name of the .zip file in the file filter list, and then set the action to Skip. The order of the filter in the list is not important. If the name of the .zip file is in the file filter list and its action is set to Skip, file filters are not applied to the contents of the container. The file is, however, scanned for viruses. If you want to skip all .zip files, create the filter: *.zip, and then set the action to Skip.

By default, this functionality applies only to .zip and .jar files. If you would like to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and Self-Extracting .zip archives), you can set the following DWORD registry values:

The DWORD registry value for each scan job:

Realtime Scan Job: SkipFileFilterWithinCompressedRealtime

Manual Scan Job: SkipFileFilterWithinCompressedManual

Internet Scan Job: SkipFileFilterWithinCompressedInternet

For the location of these registry keys, see Appendix B - Setting registry values. After creating each registry value, the value should be set to 1 to disable file filtering in the specified archive type.

Note:

OPENXML files (for example, Office 2007 documents) are ZIP container files, but they are not affected by the ZIP container settings.

Using file filtering to block most file types

You can use file filters to block some file types and permit others. The files permitted through in this example are Microsoft Office files. The filters in the example block all file attachments, with the exception of Office documents, for messages entering your organization from the Internet. It takes two file filters for this to work properly.

Note:

Be sure to create the file filter that permits Office documents through first, as the filters are applied, in order, from top to bottom.

To create a file filter that permits Office documents through

1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right.

2. Create a new filter by following these steps:

a. Click Add.

b. Type * as the file name, and then press ENTER.

c. Clear All Types in the File Types section, and then click Yes to confirm.

d. Select the DOCFILE, OPENXML, and TNEFFILE file types. (TNEFFILE is required because it is the wrapper around file attachments for internal mail.)

e. Set the Action parameter to Skip: detect only.

f. Clear the Quarantine Files check box.

g. Click Save.

To create a file filter that blocks all types of files

1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right.

2. Create a new filter by following these steps:

a. Click Add.

b. Type * as the file name, and then press ENTER.

c. Ensure that All Types is selected in the File Types section.

d. Set the action to Block or Purge, as desired.

e. Select Quarantine Files.

f. Select Send Notifications.

g. Click Save.

Notes:

The Skip: detect only action in the first filter will generate an Incident log entry for almost every attachment that is received.

If you would like this filter to apply to all e-mail messages and not solely to inbound messages, remove "" from each of the filters.
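The two-filter walkthrough above, and the size-qualified File Names entries described under "To configure the file filter" (*.com>150KB, *>5GB), both come down to how a file filter list is evaluated: each entry is tested against the attachment's detected file type, then its name, then any size condition, in list order. The Python below is an added simulation written for this guide, not Antigen's code. It assumes that the first matching filter decides the action (which is what the note about ordering implies), it uses Python's fnmatch as a stand-in for Antigen's wildcard syntax (fnmatch spells a negated set [!set] rather than [^set]), and the attachments, their detected types and sizes are constructed samples.

```python
import fnmatch
import re

# Action names from the guide's Action table
SKIP = "Skip: Detect Only"
DELETE = "Delete: Remove Contents"
PURGE = "Purge: Eliminate Message"
ALL_TYPES = None          # stands for the All Types selection

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# A File Names entry may end in <operator><number><unit>, e.g. *.com>150KB.
# Assumption: KB/MB/GB are powers of 1024 (the guide does not say).
SIZE_SUFFIX = re.compile(
    r"^(?P<name>.*?)(?P<op>>=|<=|>|<|=)(?P<num>\d+(?:\.\d+)?)(?P<unit>[KMG]?B)$",
    re.IGNORECASE,
)


def parse_entry(entry: str):
    """Split a File Names entry into (name_pattern, size_test); size_test is
    None without a size qualifier, else (operator, limit_in_bytes)."""
    m = SIZE_SUFFIX.match(entry)
    if not m:
        return entry, None
    limit = float(m["num"]) * UNITS[m["unit"].upper()]
    return m["name"], (m["op"], limit)


def size_ok(op: str, limit: float, size: int) -> bool:
    return {"=": size == limit, ">": size > limit, "<": size < limit,
            ">=": size >= limit, "<=": size <= limit}[op]


def entry_matches(entry: str, att: dict) -> bool:
    """Name match is case-insensitive; the size test applies only when present."""
    name_pattern, size_test = parse_entry(entry)
    if not fnmatch.fnmatchcase(att["name"].lower(), name_pattern.lower()):
        return False
    return size_test is None or size_ok(size_test[0], size_test[1], att["size"])


def evaluate(filters: list, att: dict) -> str:
    """Walk the list top to bottom; the first filter whose File Types and File
    Name both match decides the action (assumption: first match wins).
    Returns 'no match' when no filter applies."""
    for f in filters:
        if f["types"] is not ALL_TYPES and att["type"] not in f["types"]:
            continue
        if entry_matches(f["name"], att):
            return f["action"]
    return "no match"


# The two filters of the walkthrough, in the order the guide prescribes
PERMIT_OFFICE = {"name": "*", "types": {"DOCFILE", "OPENXML", "TNEFFILE"}, "action": SKIP}
BLOCK_ALL = {"name": "*", "types": ALL_TYPES, "action": DELETE}
OFFICE_FIRST = [PERMIT_OFFICE, BLOCK_ALL]
BLOCK_FIRST = [BLOCK_ALL, PERMIT_OFFICE]      # the wrong order, for comparison

# A size-qualified filter from the File Names examples
BIG_COM = [{"name": "*.com>150KB", "types": ALL_TYPES, "action": DELETE}]

# Constructed sample attachments: name, detected file type, size in bytes
REPORT_DOCX = {"name": "report.docx", "type": "OPENXML", "size": 40 * 1024}
TOOL_EXE = {"name": "tool.exe", "type": "EXEFILE", "size": 300 * 1024}
RENAMED_EXE = {"name": "tool.docx", "type": "EXEFILE", "size": 300 * 1024}  # extension changed, type did not
LARGE_COM = {"name": "big.com", "type": "EXEFILE", "size": 200 * 1024}
SMALL_COM = {"name": "small.com", "type": "EXEFILE", "size": 100 * 1024}

if __name__ == "__main__":
    for label, filters in (("office first", OFFICE_FIRST), ("block first", BLOCK_FIRST)):
        for att in (REPORT_DOCX, TOOL_EXE, RENAMED_EXE):
            print(f"{label:12} {att['name']:12} -> {evaluate(filters, att)}")
    for att in (LARGE_COM, SMALL_COM):
        print(f"*.com>150KB  {att['name']:12} -> {evaluate(BIG_COM, att)}")
```

With the filters in the prescribed order, report.docx is skipped and both tool.exe and the renamed tool.docx are deleted, because the second filter keys on the detected type rather than the extension; with the order reversed, the catch-all filter fires first and the Office document is deleted too, which is the mistake the ordering note warns about.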

Using filter set templates

Filter set templates can be created for use with any scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs. For information on creating and configuring filter set templates, see “Using filter set templates” in Chapter 13 - Using content filtering.

About international character sets

Support for file filtering by name in Antigen extends beyond the English character set. For example, messages with attachments that include Japanese characters, words, or phrases are handled in the same manner as are messages with attachments that have only English character sets.

About statistics logging

The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and therefore cause the messages to which they are attached to be purged. These counters can also be found in the Performance Monitor utility.

Chapter 13 - Using content filtering

Content filtering provides another tool to help manage the flow of messages entering and exiting your business's mail stream. Content filtering enables you to filter messages by using a variety of filtering tools. These include:

• Sender-domains filtering

• Subject line filtering

• Filter set templates (simplifies the creation and management of file and content filters on all scan jobs)

You can enable inbound or outbound content filtering for the Internet Scan Job by using these registry keys:

• DisableOutboundContentFiltering

• DisableInboundContentFiltering

Both keys are set to 0 (disabled) by default. To enable each key, set its value to 1. After changing these settings, the Microsoft® Exchange Server and Antigen services must be recycled for the changes to take effect. (For more information on Antigen registry settings, see Appendix B - Setting registry values.)

If you route e-mail messages through SMTP Gateway servers in your environment and are running Antigen on your Exchange servers, you should enter the IP addresses of your Gateway servers into the SMTP External Hosts setting under General Options to ensure that all mail routed through the Gateway servers is treated as inbound mail rather than internal mail by Antigen and the Antigen Spam Manager. For more information on this setting, see Chapter 4 - Using the Antigen Administrator.

Configuring sender-domains filtering

Sender-domains filtering lets you filter messages from particular senders or domains. Wildcard characters can be used to enable filters such as *@ to filter all mail from a certain domain.

Note:

Sender-domains filtering applies only to the From field in a message. It cannot be used for the To field.

To configure sender-domains filtering

1. Click FILTERING in the Shuttle Navigator.

2. Select the Content icon. The Content Filtering pane appears on the right.

3. In the upper work pane, select the scan job for which you would like to create a content filter.

4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane.

5. A text box appears. Type the sender or domain that you would like to filter. If you want to use a generic domain name filter, you must use an * (wildcard character) before the domain name.

Examples:

A generic domain: *@

A specific sender: someone@

6. Press ENTER after you have typed the sender or domain. You can add as many entries as you want, but each must be entered separately.

7. Set the Filter field to Enabled.

8. Indicate the Action to take if there is a filter match.

9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (located under REPORT in the Shuttle Navigator) will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications).

10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

11. Click Save.

Notes:

The Realtime Scan Job will look at both the display name and the e-mail address of the sender to match against sender-domains filters. It will apply the filter against the display name of the mailbox first. If the display name and e-mail address are different, Antigen will also apply the filter against the e-mail address. If either matches, the filter action will be taken. If you do not want to filter against e-mail addresses, set the registry value ContentFilterSMTPAddress to zero (0).

The SMTP Scan Job will use the display name of the sender to match against sender-domains filters. If there is no display name in the header, the SMTP Scan Job will fall back to use the e-mail address to match against the filter.

You can also create a filter list that contains multiple sender-domains. For more information, see Creating content filter lists.

You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.

Configuring subject line filtering

Subject line filtering lets you filter messages based on the content of the subject line of the message. Wildcard characters can be used.

To configure subject line filtering

1. Click FILTERING in the Shuttle Navigator.

2. Select the Content icon. The Content Filtering pane appears on the right.

3. In the upper work pane, select the scan job for which you would like to create a content filter.

4. Select Subject Lines in the Content Fields pane in the lower-left corner, and then click the Add button in the Content Filters pane.

5. A text box appears. Type in the content that you would like to filter.

6. Press ENTER after you have typed the content. You can add as many entries as you want, but each must be entered separately.

7. Set the Filter field to Enabled.

8. Indicate the Action to take if there is a filter match.

9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (located under REPORT in the Shuttle Navigator) will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications).

10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

11. Click Save.

Note:

You can also create a filter list that contains multiple subject lines. For more information, see Creating content filter lists.

If you are entering a partial subject line as a filter, it is recommended that you use asterisk wildcard characters (*) at the beginning and the end of the phrase to ensure proper detection. For example:

• The filter "get rich quick" will filter messages that contain only the target phrase in the subject line.

• The filter "* get rich quick" will filter messages that contain the target phrase and any phrase that ends with the target phrase in the subject line.

• The filter "* get rich quick *" will filter messages that contain the target phrase anywhere in the subject line.


You can use the following syntax to refine your filters:

Syntax: *
Description: Match any number of characters in a file name. You can use multiple asterisks. Following are some examples of usage:
Single: Any of these single wildcard character patterns would detect veryevil: veryevil*, very*, *il
Multiple: Any of these multiple wildcard character patterns would detect veryevil: V*r*v*l, *very*, *evil*

Syntax: ?
Description: Match any single character, because many malicious users insert extra characters between letters to spoof filters. For example, you can filter C-O-N-T-E-S-T with the filter: C?O?N?T?E?S?T

Syntax: [set]
Description: A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set will be matched. For example, the set is useful for creating a single rule to match when the number zero (0) is used instead of the letter o. Ozone and oz0ne can be filtered using oz[o0]ne.

Syntax: [^set]
Description: Exclude characters that you know are not used.

Syntax: range
Description: Indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example, klez[ad-gp] would match kleza, klezd, kleze, klezf, klezg, and klezp but not klezb or klezr.

Syntax: \char
Description: Indicate that special characters are used literally (the characters are: * ? [ ] - ^ < >). The backslash is called an escape character, which indicates that a reserved control character should be taken literally, as a text character. For example: If you enter *hello*, you would usually expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note:

You must use a backslash before each special character.
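As an added example that is not part of the Antigen documentation, the following Python matcher implements the wildcard syntax above (and the partial subject-line patterns from the earlier note) by translating a filter into an anchored regular expression, so an administrator can check how a planned filter behaves before saving it. It assumes case-insensitive matching and that a backslash inside a set is taken literally; both are assumptions about Antigen, not documented behaviour.

```python
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate an Antigen-style wildcard filter into an anchored regex.
    * = any run of characters, ? = one character, [set]/[^set] = one
    character in/not in the set (ranges kept), \\char = literal char.
    A backslash inside a set is taken literally (an assumption)."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:        # \char: next character literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif ch == "*":
            out.append(".*")
            i += 1
        elif ch == "?":
            out.append(".")
            i += 1
        elif ch == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError("unterminated [set] in filter: %r" % pattern)
            body = pattern[i + 1:j]
            negate = body.startswith("^")
            # keep '-' raw so ranges such as d-g survive; escape the rest
            cls = "".join(c if c == "-" else re.escape(c)
                          for c in (body[1:] if negate else body))
            out.append("[" + ("^" if negate else "") + cls + "]")
            i = j + 1
        else:                                # ordinary text, matched literally
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def filter_matches(pattern: str, text: str) -> bool:
    """True if the whole subject line (or sender string) satisfies the filter.
    Case-insensitive comparison is an assumption about Antigen's behaviour."""
    return re.fullmatch(wildcard_to_regex(pattern), text, re.IGNORECASE) is not None


if __name__ == "__main__":
    # constructed sample subjects checked against filters quoted in the guide
    for pat, subj in [("* get rich quick *", "Don't miss: get rich quick today"),
                      ("get rich quick", "how to get rich quick"),
                      ("klez[ad-gp]", "klezr")]:
        print("%-20s %-35s %s" % (pat, subj, filter_matches(pat, subj)))
```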

Action

You will also need to select the action that Antigen should take when it detects a match to your filter criteria.

Note:

You must set the action for each file filter you configure. The action setting is not global.

Action: Skip: Detect Only
Description: Records the number of messages that meet the filter criteria, but allows messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Action: Purge: Eliminate Message
Description: Deletes the message from your mail system. When you select this option, a warning will appear informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.
Note: If you are running Microsoft Exchange 2000 Server with VSAPI 2.0, the Realtime scanner can purge only outbound messages, but the SMTP Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime scanner is available when running VSAPI 2.5. If a message that matches a content filter is found in the Inbox (inbound), Antigen will delete any attachments and the message body. If there are no attachments to the message body, Antigen will take no action. In either case, the UI will report the message as Detected.

Action: Identify: Tag message
Description: The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking Tag Text on the Scan Job Settings work pane and modifying the text. The same tag, however, will be used for all filters associated with the particular scan job.
When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 server, the Tag Message action also lets you set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

Creating content filter lists

You can create a content list that contains multiple content filters (sender-domains or subject lines). After you have created the list, the steps for configuring the filter list are the same as in the preceding procedures, except that you must select the filter list rather than a filter name.

To create a content filter list

1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator.

2. In the List Types section, select Subject Lines or Sender-Domains.

3. In the List Names section, click Add.

4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to add items to the list.

6. In the Include In Filter section, click Add.

7. Type the data to be included in the filter list. The type of data that you add depends on the type of filter list that you selected. For Subject Lines, add text that might appear in the subject line of a message. For Sender-Domains, add specific senders or generalized domains. Press ENTER when you have finished typing. You can have as many words or phrases as you want, but each must be entered separately.

The Exclude from Filter field is used to enter data that should never be included on the relevant list. This prevents these entries from being accidentally added when importing a list from a text file. For more information on importing files, see Importing new items into a filter list.

8. When you are finished adding items, click OK. The information that you just entered appears, alphabetically, in the pane next to List Names.

9. Click Save.

Note:

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Importing new items into a filter list

Filter lists can be created offline in Notepad or in a similar text editor, and then imported into the appropriate filter list by using the Antigen Administrator.

To create and import entries into a filter list

1. Create a list and then save it as a text file. Place each filter on its own line in the file.

2. Open the Antigen Administrator and click Filter Lists in the FILTERING area of the Shuttle Navigator.

3. Select the filter list into which you will be importing data.

4. Click the Edit button. The Edit Filter List dialog box appears.

5. Click the Import button. A File Explorer window will open so that you can navigate to the text file that you created in step 1.

6. Select the file and click Open.

7. The file will be imported into the middle pane of the Import List editor so that you can select the entries that you would like to include in your filter list. Use the ................