Download.microsoft.com



Microsoft Antigen for SMTP Gateways User Guide

Microsoft Antigen for SMTP Gateways Version 9

 

Microsoft Corporation

Published: July 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, Excel, Internet Explorer, Outlook, PowerPoint, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Privacy policy

Review the "Microsoft Antigen Privacy Statement" at the Microsoft Antigen Web site.

Contents

Chapter 1 - Introducing Microsoft Antigen for SMTP Gateways

Consideration when using a third-party file-level antivirus program

Antigen scanning order overview

Antigen documentation

Chapter 2 - Installing Microsoft Antigen for SMTP Gateways

System requirements

Minimum server requirements

Minimum workstation requirements

Installing Antigen on a local server

Installing Antigen on a remote server

Administrator-only installation

Post-installation security consideration

Installing to multiple servers

Uninstalling Antigen

Migrating and upgrading

Applying Antigen service packs and rollups

Relocating Antigen data files

Using the evaluation version

Product licensing information

Chapter 3 - Antigen services

About services

AntigenService service

AntigenMonitor service

AntigenIMC service

AntigenInternet service

AntigenStatisticsService service

Disabling the Antigen services

Recycling the Antigen services

Securing the service from unauthorized use

Chapter 4 - Antigen Administrator

Enabling the Antigen Administrator

Running the Antigen Administrator

Connecting to a server

Connecting to a different server

Connecting to a computer that is not a member of the domain

Running in read-only mode

Antigen Administrator overview

General Options

Diagnostics section

Logging section

Scanner Updates section

Scanning section

Exchange 2003 UCE Settings

Central Management

Chapter 5 - Implementing multiple scan engines and setting bias modes

About engine rankings

Setting the bias

About bias settings

Configuring the bias

Cleaning infected files

Chapter 6 - Configuring SMTP Scan Jobs

About multiple Internet processes

Configuring the SMTP Scan Job

Adding outbound disclaimers

Configuring the antivirus scanners and job action

Controlling the SMTP Scan Job

Checking results and status

About SMTP scan recovery

Scanning nested compressed files

Scanning files by type

Chapter 7 - Using templates

Template uses

Creating a named template

Renaming or deleting a named template

Modifying templates

Modifying default file scanner update templates

Modifying notification templates

Using named templates

Deploying templates during a remote installation

Deploying named templates

Chapter 8 - Using file filtering

Mechanics of file filtering

Filtering by file type

Filtering by extension

Filtering by name

Configuring the file filter

Action

About file names buttons

Matching patterns in the file name with wildcard characters

Using directional file filters

About filtering container files

Excluding the contents of a container file from file filtering

Using file filtering to block most file types

Using filter set templates

About international character sets

About statistics logging

Chapter 9 - Using content filtering

Configuring sender-domains filtering

Configuring subject line filtering

Action

Creating content filter lists

Importing new items into a filter list

Exporting sender-domains filters, file filters, and subject line filters

Filtering mail from all users in a domain except for specific users

Using directional content filters

About international character sets

About reporting

Using filter set templates

Creating a filter set template

Configuring a filter set template

Associating a filter set template with a scan job

Editing a filter set template

Deleting a filter set template

Renaming a filter set template

Distributing filter set templates to remote servers

Chapter 10 - Using mailhost filtering

About mailhosts scanning priority

Using RBL servers

Using Allowed Mailhosts lists

Using Rejected Mailhosts lists

Action

Importing new items into a filter list

About mailhost filtering notifications

Chapter 11 - Using keyword filtering

Creating new keyword lists

Action

About keyword list syntax rules

About case-sensitive filtering

Filtering e-mail messages that automatically load HTML images

Creating allowed senders lists

Importing new items into a filter list

Chapter 12 - Purging messages infected by worms

Purging by the Internet scanner

Using file filtering to purge worm viruses

Using notifications

Enabling and disabling worm purging

Updating the worm purge list

Creating a custom worm purge list

Chapter 13 - Antigen Spam Manager overview

Configuring the anti-spam scanning settings

Configuring Cloudmark updates

Managing Cloudmark updates with FSSMC or AEM

Submitting false positives and false negatives to Cloudmark

Using the GTUBE anti-spam test file to determine whether Cloudmark is detecting spam

About the Identify: tag message action

Chapter 14 - Using e-mail notifications

Sending notifications

Configuring notifications

About notification roles

Configuring Antigen for internal addresses

Enabling and disabling a notification

Editing a notification

Chapter 15 - Reporting and statistics overview

About the incidents database

About VirusLog.txt

About Antigen incidents

About event statistics

Statistics for messages

Statistics for message attachments

Resetting statistics

Exporting statistics

About quarantine

About quarantine options

Quarantine Database Tables

Saving database items to disk

About the Deliver button

About DeliverLog.txt

Forwarding attachments

Forwarding attachments quarantined by the virus scanner

Forwarding attachments quarantined by the file filter

Using the ExtractFiles tool

Maintaining the databases

Clearing the databases

Clearing the incidents database

Clearing the quarantine database

Exporting database items

Purging database items

Filtering database views

Moving the databases

Changing the database compaction time

About Windows Event Viewer

About Performance Monitor

Reinstalling Antigen performance counters

Chapter 16 - File scanner updating overview

About automatic file scanner updating

Scheduling an update

Update Now

Update on load

About scanner information

About Manifest.cab

Distributing updates

Configuring servers to distribute and receive updates

Notifications following engine updates

Putting the new file scanner to use

Updating the file scanner through a proxy

Adding and deprecating scan engines

Adding new scan engines

Deprecating scan engines

Chapter 17 - Troubleshooting overview

Getting help

Using diagnostics

Submitting malicious software files to Microsoft for analysis

Submitting files through the Microsoft Malware Protection Center Portal

Preparing files for submission

About the response message

Submitting files through Microsoft Customer Support Services

Attaching a disclaimer message that includes non-US-ASCII characters

Rebuilding scan engines

Appendix A - Antigen Utility

Enabling and disabling Antigen

Appendix B - Setting registry keys

Appendix C - Using keyword substitution macros

Appendix D - Using the Antigen diagnostic utility (AntigenDiag.exe)

Running the antigen diagnostic utility

Appendix E - File types overview

Appendix F - Using multiple SMTP disclaimers

Disclaimer hierarchy

Additional sample disclaimer text

Appendix G - Backing up and restoring Microsoft Antigen for SMTP Gateways

About backups

Preparing files for backup

Backing up data files

Restoring data files

Appendix H - Antigen security updates and configuration changes overview

Security policy changes

General Options changes

Other Antigen changes and updates

Chapter 1 - Introducing Microsoft Antigen for SMTP Gateways

Microsoft® Antigen for SMTP Gateways Version 9 provides complete protection for Microsoft Simple Mail Transfer Protocol (SMTP) services running on the Windows Server® 2003 or Microsoft Windows® 2000 Server operating system. It is designed to eliminate the infiltration of viruses into your environment as well as provide file and content filtering to control unwanted message traffic and proactively block viruses before they have been identified by virus labs.

Antigen for SMTP Gateways provides keyword message body filtering, mailhost filtering with real-time block list (RBL) integration, and enhanced file and content filtering that includes filter lists to help administrators manage large groups of filters.

Antigen for SMTP Gateways also supports the optional Antigen Spam Manager. This add-in module helps administrators minimize the number of spam e-mail messages that enter their messaging environments.

The Antigen Spam Manager enhances Antigen for SMTP Gateways content filtering by providing:

• Support for the Cloudmark anti-spam engine.

• Support for Microsoft Exchange Server 2003 anti-spam features.

• Identify: Tag Message options for suspected spam message tracking and identification.

• Keyword filter options.

• Junk Mail folders for Outlook® users.

Antigen for SMTP Gateways also integrates with the Antigen Enterprise Manager. The Antigen Enterprise Manager provides administrators with central installation and reporting functionality and central administration of Antigen for SMTP Gateways on all servers in their environment.

Consideration when using a third-party file-level antivirus program

When performing a file-level antivirus scan on a server operating system, you must omit the following program folders from the scan to prevent corruption of Antigen:

• Drive:\Program Files\Sybari Software\Antigen for SMTP

• Drive:\InetPub\Mailroot (2003 only)

The file-level antivirus scan can also cause a conflict when Antigen tries to scan e-mail messages.

Antigen scanning order overview

When Antigen scans a file or an e-mail message, the following tasks are performed in the order that they appear:

Allowed senders scan—If the allowed senders list functionality is enabled, Antigen compares the message sender's domain or address to the allowed senders list. If a message is from a domain or address in the allowed senders list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.

You can configure the allowed senders list functionality to bypass specific types of filters, such as keyword filters, file filters, and content filters, or you can bypass all filters.

For more information about allowed senders lists, see "Creating allowed senders lists" in Chapter 11 - Using keyword filtering.

Cloudmark engine scan—The Cloudmark engine compares the message contents against a database of known spam. For more information about the Cloudmark engine, see Chapter 13 - Antigen Spam Manager overview.

Mailhost filtering scan—Mailhost filtering filters messages from specific IP addresses or from specific server names. Mailhost filtering consists of the following lists:

• RBL servers list—Contains server names and IP addresses that are known to originate spam or are spam open relay hosts. Antigen compares the message sender to the RBL servers list to determine whether the message was sent from a spam server.

• Allowed mailhosts list—Contains server names and IP addresses that are considered safe. Antigen compares the message sender to this list to determine whether the message sender is considered safe. If a message is from a server or IP address in the allowed mailhosts list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.

• Rejected mailhosts list—Contains server names and IP addresses that have been blocked. Antigen compares the message sender to the rejected mailhosts list to determine whether the message sender has been blocked.

For more information about mailhost filtering, see Chapter 10 - Using mailhost filtering.

Content filtering scan—Content filtering includes the following filters:

• Sender-domains filtering—When sender-domain filtering is enabled, Antigen compares the message sender to the senders and domains that are in the sender-domains filter list.

• Subject line filtering—When subject line filtering is enabled, Antigen compares the contents of the message's subject line to the words in the subject line filter list.

For more information about content filtering, see Chapter 9 - Using content filtering.

Keyword filtering scan—When keyword filtering is enabled, Antigen compares the contents of the message to any keyword filter lists that have been created. For more information about keyword filtering, see Chapter 11 - Using keyword filtering.

Attachment scan—If the e-mail message has an attachment, Antigen scans it for worms and viruses:

• Worm purge—The worm purge tool maintains the WormPrge.dat file, which contains a list of known worms. This list is regularly updated and maintained by Antigen. The contents of the message are compared to the list of known worms.

For more information about worm purging, see Chapter 12 - Purging messages infected by worms.

• File filtering—When file filtering is enabled, Antigen compares the contents of the message to the file filter list. The file filter list provides you with the ability to search for attachments with a specific name, type, and size within an e-mail message.

For more information about file filtering, see Chapter 8 - Using file filtering.

• Virus cleaning—Antigen uses multiple virus scan engines to determine whether the attachment contains a virus. For more information about using multiple scan engines, see Chapter 5 - Implementing multiple scan engines and setting bias modes.

Body scan—The body of the message is compared to the worm list that is maintained in the WormPrge.dat file. If no worms are found, Antigen then scans the body of the message for viruses.

Antigen documentation

The most current Antigen for SMTP Gateways documentation, including the Microsoft Antigen for SMTP Gateways Quick Start Guide and the Microsoft Antigen Spam Manager Best Practices Guide, is available at the Microsoft Antigen TechNet Library.

Chapter 2 - Installing Microsoft Antigen for SMTP Gateways

Antigen for SMTP Gateways supports local and remote installations on computers running Windows Server 2003 and Windows 2000 Server.

Antigen for SMTP Gateways Setup wizards can be used to install the product to a local SMTP server, to a remote SMTP server, or as an Administrator-only installation to a local workstation. If you are performing a remote installation, you should know the server name of the computer running the SMTP service prior to running the installation program.

System requirements

The following are the minimum server and workstation requirements for Antigen for SMTP Gateways.

Minimum server requirements

The following are minimum server requirements:

• Windows 2000 Server Service Pack 4 (SP4) Update Rollup 1 or Windows 2000 Advanced Server SP4 Update Rollup 1

Note:

Windows Server 2003 is also supported. Antigen for SMTP Gateways is supported only on 32-bit environments.

• 1 gigabyte (GB) of free memory

Note:

With each additional licensed scan engine, more memory is needed for each scanning process.

• 2 GB of available disk space

• Intel processor, 1 gigahertz (GHz)

• Microsoft Data Access Components (MDAC) 2.7

• Microsoft Jet 4.0 Service Pack 3 (SP3)

• Microsoft XML Core Services (MSXML) 6.0

• Internet Information Services (IIS) 5.0 with SMTP Service installed

• Windows messaging

Note:

Windows messaging provides the MAPI interface to ensure the proper parsing of message bodies in .msg files or TNEF-encoded messages. (You may install Outlook on the server to provide the required functionality.)

Minimum workstation requirements

The following are minimum workstation requirements:

• Windows 2000 Professional or Windows XP

Note:

Windows Server 2003 and Windows Vista® are also supported.

• 6 MB of available memory

• 10 MB of available disk space

• Intel processor

Installing Antigen on a local server

To locally install Antigen for SMTP Gateways on an SMTP server, you must log on to the local computer using an account that has administrator rights. This step is necessary for Setup to perform service registration.

To install Antigen for SMTP Gateways on a local server

1. Run Setup.exe from the folder containing the Antigen for SMTP Gateways installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center.

2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Select Local Installation and click Next.

3. In the Installation Type dialog box, select Server - Admin console and scanner components and click Next.

4. Setup checks whether you have the correct version of the Windows Update Agent:

• If you do not have the correct version, at the end of the installation, you are directed to the Microsoft Update Web site to upgrade manually.

• If you have the correct version, Setup then checks if Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears so that you can enable it.

5. In the Quarantine Security Settings dialog box, select the desired setting and click Next. Select one of the following:

• Secure Mode is the default and when the value is set to this mode, all messages and attachments delivered from quarantine are scanned again for viruses and filter matches.

• Compatibility Mode allows messages and attachments to be delivered from quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen for SMTP Gateways identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine.

For more information about this setting, see Chapter 15 - Reporting and statistics overview.

6. In the Engine Updates Required dialog box, read the warning about engine updates and proxy information, and then click Next.

7. In the Choose Destination Location dialog box, either accept the default destination folder for the product, or click Browse to select a different one. The default location is: Program Files\Microsoft Antigen for SMTP

8. In the Select Program Folder dialog box, choose a program folder for Antigen for SMTP Gateways. The default location is: Microsoft Antigen for SMTP

9. In the Start Copying Files dialog box, review the data. If any changes have to be made, use the Back button to navigate to the page to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

10. After installation is complete, you can start or restart the SMTP services, depending on whether they were stopped or running when the installation began. For a clean installation, the services were probably still running and need to be recycled. If you are reinstalling the product, the services had to be stopped before Antigen for SMTP Gateways could be uninstalled. In the Start SMTP Services dialog box, you can start the SMTP services automatically so that Antigen for SMTP Gateways can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the SMTP services have been started or restarted, Antigen for SMTP Gateways cannot scan mail.

11. If the SMTP services are being started or restarted (that is, you clicked Next in the prior dialog box), the Starting SMTP Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue.

12. In the InstallShield Wizard Complete dialog box, you can optionally select to View the README file before clicking Finish. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Notes:

As in most installations, Setup updates shared Microsoft files on your computer. If you are asked to restart your computer, you do not have to do that immediately, but it may be necessary for certain Antigen for SMTP Gateways features to work correctly.

The Antigen Administrator installed with SMTP scanning for Windows Server 2003 or Windows 2000 Server may also be used to connect to Antigen for Exchange or Antigen for SharePoint® servers. The registry for Antigen services remains: HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for SMTP

Installing Antigen on a remote server

To remotely install Antigen for SMTP Gateways on an SMTP server, you must log on to your local computer using an account that has administrator rights to the remote computer. This step is necessary for Setup to perform service registration. The platforms of both the local computer and remote computer must be the same.

To install Antigen for SMTP Gateways on a remote server

1. Run Setup.exe from the folder containing the Antigen for SMTP Gateways installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center.

2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Select Remote Installation and click Next. If Antigen for SMTP Gateways is already installed on the remote SMTP server, this process can automatically stop the SMTP and IIS services, and uninstall Antigen for SMTP Gateways.

3. In the Remote Server Information dialog box, enter the following information and click Next. The parameters are:

• Server Name—The name of the computer to which you are installing Antigen for SMTP Gateways.

• Share Directory—The temporary location that the remote installation uses while setting up Antigen. The default is: C$

4. Setup checks whether you have the correct version of the Windows Update Agent:

• If you do not have the correct version, at the end of the installation, you are directed to the Microsoft Update Web site to upgrade manually.

• If you have the correct version, Setup then checks if Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears so that you can enable it.

5. In the Quarantine Security Settings dialog box, select the desired setting and click Next. The parameters are:

• Secure Mode is the default and when the value is set to this mode, all messages and attachments delivered from quarantine are scanned again for viruses and filter matches.

• Compatibility Mode allows messages and attachments to be delivered from quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen identifies these messages by placing special tag text in the subject line of all messages delivered from quarantine.

For more information about this setting, see Chapter 15 - Reporting and statistics overview.

6. In the Remote Location dialog box, select the Destination Directory and Folder Name, and then click Next to begin installing Antigen for SMTP Gateways.

7. After installation is complete, you can start or restart the SMTP services, depending on whether they were stopped or running when the installation began. For a clean installation, the services were probably still running and need to be recycled. If you are reinstalling the product, the services had to be stopped before Antigen for SMTP Gateways could be uninstalled. In the Start SMTP Services dialog box, you can start the SMTP services automatically so that Antigen for SMTP Gateways can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the SMTP services have been started or restarted, Antigen for SMTP Gateways cannot scan mail.

8. If the SMTP services are being started or restarted (that is, you clicked Next in the prior dialog box), the Starting SMTP Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue.

9. After you are informed that the installation was successful, click Next to perform another remote installation, or click Cancel to exit the installation program. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Note:

As in most installations, Setup updates shared Microsoft files on your computer. If you are asked to restart your computer, you do not have to do that immediately, but it may be necessary for certain Antigen features to work correctly.

Administrator-only installation

Performing an Administrator-only installation will install the Antigen Administrator onto any Windows workstation or server, which can then be used to centrally manage the Antigen services running on remote SMTP servers. An Administrator-only installation requires approximately 2.5 MB of disk space.

To perform an Administrator-only installation

1. Run Setup.exe from the folder containing the Antigen for SMTP Gateways installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center.

2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Choose Local Installation and click Next.

3. In the Installation Type dialog box, select Client - Admin console only and click Next.

4. Setup checks whether you have the correct version of the Windows Update Agent:

• If you do not have the correct version, at the end of the installation, you are directed to the Microsoft Update Web site to upgrade manually.

• If you have the correct version, Setup then checks if Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears so that you can enable it.

5. In the Choose Destination Location dialog box, either accept the default destination folder for the product, or click Browse to select a different one. The default is: Program Files\Microsoft Antigen for SMTP

6. In the Select Program Folder dialog box, choose a program folder for Antigen for SMTP Gateways. The default is: Microsoft Antigen for SMTP

7. In the Start Copying Files dialog box, review the data. If any changes have to be made, use the Back button to navigate to the page to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.

8. In the InstallShield Wizard Complete dialog box, you can optionally select to View the README file before clicking Finish. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Post-installation security consideration

When you install Antigen for SMTP Gateways, it is configured to allow everyone access to the AntigenService service. To change the security settings to restrict access to AntigenService, you need to use DCOMCNFG to modify the security settings. For more information about securing access to AntigenService, see "Securing the service from unauthorized use" in Chapter 3 - Antigen services.

Installing to multiple servers

The Antigen Enterprise Manager should be used to install Antigen for SMTP Gateways to multiple servers. For complete installation instructions, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

Uninstalling Antigen

To uninstall Antigen for SMTP Gateways, log on to the computer on which it is installed.

To uninstall Antigen for SMTP Gateways

1. Ensure that the Antigen Administrator is not running.

2. In Control Panel, click Administrative Tools, and then click Services.

3. Stop the SMTP and IIS services.

4. When all these services have stopped, close the Services dialog box.

5. In Control Panel, click Add or Remove Programs.

6. Remove Microsoft Antigen for SMTP. Click Yes to confirm the deletion.

7. On the Uninstall Complete page, click Finish.

8. Delete the Microsoft Antigen for SMTP folder in Program Files. (Or, if you installed to a different folder, delete your installation folder.)

9. If you are not planning to reinstall Antigen for SMTP Gateways, restart the stopped SMTP and IIS services.

Migrating and upgrading

Antigen for SMTP Gateways detects previous installations and provides the option of upgrading. Upgrading an installation only requires that you provide the password for the user account that the Antigen services run under. (Antigen for SMTP Gateways does not store this for security reasons.) Antigen for SMTP Gateways retains all of your previous settings. When upgrading, additional features may be added based on your environment.

When upgrading Antigen for SMTP Gateways, all scan jobs have their template settings configured to none to prevent users from inadvertently overwriting existing settings. To deploy templates, you need to change this setting on each server to default or a named template. For more information about configuring scan job template settings, see Chapter 7 - Using templates.

Notes:

When upgrading from Antigen for SMTP Gateways version 8.0 SR3, you must do an engine update immediately after Antigen for SMTP Gateways version 9 is installed to ensure that the engines are using the most recent signature files.

After an upgrade to Antigen for SMTP Gateways version 9, the Microsoft engine is not scheduled for updates. You must manually set the update schedule for the Microsoft engine after the upgrade is complete.

When upgrading Antigen for SMTP Gateways on a server where NetIQ AppManager is installed, you first need to disable and shut down NetIQ prior to the upgrade of Antigen for SMTP Gateways. This is required because the Antigen for SMTP Gateways performance.dll file is registered so that Performance Monitor monitors it. NetIQ attaches itself to this .dll file and will not release it, even if the programs that use it are shut down. If this .dll file is not released, it is not properly upgraded during the installation.

Applying Antigen service packs and rollups

To install an Antigen service pack or rollup

1. Run the installer by double-clicking the service pack or rollup executable file.

Note:

While the installer is running, the SMTP and Antigen services are stopped, and your mail flow is temporarily halted.

2. After the installation is complete and the SMTP and Antigen services have been restarted (this occurs automatically during the installation), verify that Antigen is working properly.

Note:

Antigen service packs or rollups can also be installed using the FFSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and no user input is required. The rest of the process remains the same as when running the installer by double-clicking the executable file.

Relocating Antigen data files

Antigen for SMTP Gateways stores program settings, as well as scanning activity information (including the Quarantine Area), on the file system. If you want, you can relocate these files at any time after installation.

To relocate data files

1. Stop all Antigen services.

2. Create a folder in the location where you want to move the files.

3. Move all the data files (files with the .adb extension) and the Quarantine and Engines folders.

4. Change the following registry key to reflect the new location: HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for SMTP\DatabasePath

5. Set the security for the new location. Right-click the folder of the new location, and then select Properties. On the Security tab, add a user called Network Service with Full Control privileges. This is necessary so that logging is performed for the SMTP Scan Job.

6. Restart the services.
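The six steps above carried out with PowerShell, as an added example that is not part of the Antigen for SMTP Gateways documentation. It assumes that the Windows service names are the names used in Chapter 3 (AntigenService, AntigenMonitor, AntigenIMC, AntigenInternet, AntigenStatisticsService), that the current data location is whatever DatabasePath already holds, and that D:\AntigenData is a constructed target folder; run it from an elevated prompt on the Antigen server.

```powershell
# Added example, not from the Antigen for SMTP Gateways documentation.
# Assumptions: the Windows service names are AntigenService, AntigenMonitor, AntigenIMC,
# AntigenInternet and AntigenStatisticsService (the names used in Chapter 3); the current
# data location is the value already stored in DatabasePath; D:\AntigenData is a
# constructed example target. Run from an elevated PowerShell prompt on the Antigen server.

$RegPath  = 'HKLM:\SOFTWARE\Sybari Software\Antigen for SMTP'
$NewPath  = 'D:\AntigenData'
$Services = @('AntigenService', 'AntigenMonitor', 'AntigenIMC',
              'AntigenInternet', 'AntigenStatisticsService')

# Step 1: stop all Antigen services and wait until each one has really stopped.
# -Force also stops any service that depends on the one being stopped.
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
}

# Read the current data location instead of assuming the default installation folder.
$OldPath = (Get-ItemProperty -Path $RegPath -Name 'DatabasePath').DatabasePath
if (-not (Test-Path -LiteralPath $OldPath)) {
    throw "Current DatabasePath '$OldPath' does not exist; aborting before touching anything."
}

# Step 2: create the folder at the new location.
New-Item -Path $NewPath -ItemType Directory -Force | Out-Null

# Step 3: move the .adb data files and the Quarantine and Engines folders.
Get-ChildItem -LiteralPath $OldPath -Filter '*.adb' |
    Move-Item -Destination $NewPath
foreach ($dir in 'Quarantine', 'Engines') {
    $src = Join-Path -Path $OldPath -ChildPath $dir
    if (Test-Path -LiteralPath $src) {
        Move-Item -LiteralPath $src -Destination $NewPath
    }
}

# Step 4: point DatabasePath at the new location.
Set-ItemProperty -Path $RegPath -Name 'DatabasePath' -Value $NewPath

# Step 5: grant Network Service Full Control on the new folder, inherited by
# everything beneath it, so that the SMTP Scan Job can write its logs there.
$acl  = Get-Acl -Path $NewPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $NewPath -AclObject $acl

# Step 6: restart the services. Start-Service starts a service's own dependencies
# first, so AntigenService is up before anything that depends on it.
foreach ($name in $Services) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Start-Service -Name $name
    }
}

# Quick check: DatabasePath now names a folder that holds the moved data.
Get-ItemProperty -Path $RegPath -Name 'DatabasePath' | Select-Object -ExpandProperty DatabasePath
Get-ChildItem -LiteralPath $NewPath | Select-Object -ExpandProperty Name
```

If you installed to a folder other than the default, the script still works because it reads the existing DatabasePath value rather than a hard-coded path.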

Using the evaluation version

Microsoft provides a fully functional version of Antigen for SMTP Gateways for a 30-day evaluation. After 30 days, the evaluation version continues to operate and report detected files. However, it no longer cleans, deletes, or purges files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the Allowed Sender lists are disabled, and scan engines no longer update.

Note:

To purchase a subscription build of Antigen for SMTP Gateways, contact Microsoft Sales.

Product licensing information

After you install a subscription build of Antigen for SMTP Gateways, you can enter licensing information (which can also be obtained from Microsoft Sales).

These are the reasons to license your product:

• You can align when your product expires with your license agreement. (Otherwise, the expiration is three years from the installation date.)

• You can easily renew your license by entering a new expiration date.

To license Antigen for SMTP Gateways, select Product License from the Help menu. The Product License Agreement and Expiration dialog box appears.

Enter your seven-digit License Agreement Number and then an Expiration Date. You should enter a date that corresponds to the expiration of your license agreement. This coordinates the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product License Agreement and Expiration dialog box.

Chapter 3 - Antigen services

The Antigen services are the components that run on the SMTP server and control all back-end functionality of Antigen for SMTP Gateways. They process requests from the Antigen Administrator, control the scanning processes, generate e-mail notifications, and store virus incident data to disk (which can be viewed using the Antigen Administrator). When an Administrator-only installation of Antigen is performed, the Antigen services are not installed.

About services

The following sections describe the services used by Antigen for SMTP Gateways.

AntigenService service

The AntigenService service acts as the server component that the Antigen Administrator connects to for configuration and monitoring. AntigenService coordinates all SMTP scanning activities. The AntigenService startup type defaults to Manual and should not be changed. After being installed, AntigenService becomes a dependency on the AntigenMonitor service. The Schedule service becomes a dependency of AntigenService and must be operating properly for AntigenService to initialize.

Important:

If AntigenService or AntigenMonitor is disabled, e-mail will continue to flow without being scanned for viruses or spam.

AntigenMonitor service

The AntigenMonitor service monitors the SMTP processes to ensure that Antigen for SMTP Gateways provides continuous protection of your messaging environment.

AntigenIMC service

The AntigenIMC service is responsible for connecting to the SMTP stack to ensure that messages are scanned by the AntigenInternet process. AntigenIMC becomes a dependency on the SMTP service on Exchange 2003 and Exchange 2000.

AntigenInternet service

The AntigenInternet service is responsible for ensuring that all messages that pass through the SMTP stack are scanned prior to delivery.

AntigenStatisticsService service

The AntigenStatisticsService service is used to log scanning statistics for all Antigen for SMTP Gateways scan jobs. This information is then available for retrieval by the Antigen Enterprise Manager.

Disabling the Antigen services

The Antigen services can be disabled using the Enable Antigen option in the General Options work pane. This selection box provides the following options:

• Enable

• Disable

To disable scanning, select Disable and click Save. The Antigen services must be recycled for the change to take effect.

Recycling the Antigen services

The Service Control Manager is used to recycle the Antigen services.

To recycle the services

1. Stop all Antigen services. (For details, see Disabling the Antigen services.)

2. Wait for all services to completely shut down.

3. Use Task Manager to make sure that no Antigen processes are still running.

4. Start all Antigen services.

Warning:

While the Antigen services are unavailable, mail will continue to flow but will not be scanned for viruses or spam.

Securing the service from unauthorized use

AntigenService utilizes DCOM to launch and authenticate Antigen Administrator connections. You can build an access list of authorized users who can connect to AntigenService utilizing the Antigen Administrator.

To build an access list of authorized users

1. Open a Command Prompt window.

2. Type DCOMCNFG and press ENTER. The Component Services dialog box appears.

3. In the Console Root section, expand Component Services, expand Computers, expand My Computer, expand DCOM Config, right-click AntigenService, and then select Properties. The AntigenServices Properties dialog box opens.

4. Click the Identity tab and configure your user accounts.

5. Click the Security tab and use the permissions lists to control which user accounts have rights to launch AntigenService, access AntigenService, or change the DCOM configuration. Click OK to exit the AntigenServices Properties dialog box.

Chapter 4 - Antigen Administrator

The Antigen Administrator is used by the administrator to configure and run Antigen for SMTP Gateways locally or remotely. For the Antigen Administrator to launch successfully, the AntigenService service must be running on the computer to which the Antigen Administrator is connecting. Because the Antigen Administrator is the front end of the Antigen for SMTP Gateways software, it can be launched and closed without affecting the back-end processes that are being performed by the Antigen services. The Antigen Administrator may also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface.

Enabling the Antigen Administrator

Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use the Antigen Administrator on those operating systems, you must first enable the Antigen Administrator.

To enable the Antigen Administrator to run on Windows XP SP2

1. Click Start, click Run, and type dcomcnfg.

2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and then click Properties.

3. On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.

4. Add the AntigenClient application to the Windows Firewall Exceptions list, as follows:

a. In Control Panel, click Windows Firewall.

b. In the Windows Firewall dialog box, click the Exceptions tab.

c. Click Add Program, select AntigenClient from the list, and then click OK. This adds the Antigen Administrator to the Programs and Services list.

d. In the Programs and Services list, select AntigenClient.

e. Click Add Port, type a name for the port, and type 135 for the port number.

f. Select TCP as the protocol, and then click OK.

Note:

If you are concerned about opening port 135 to all computers, you can opt for the port to open only for the servers running Antigen for SMTP Gateways. When adding port 135, click Change Scope and select Custom List. Enter the IP addresses of all the Antigen for SMTP Gateways servers that should be allowed access through port 135.

To enable the Antigen Administrator to run on Windows Server 2003 SP2

1. Click Start, click Run, and enter dcomcnfg.

2. In Component Services, at the console root, expand Component Services, expand Computers, right-click My Computer, click Properties, and then click the COM Security tab.

3. Under Access Permissions, click Edit Limits.

4. In the Access Permission dialog box, select the Add Anonymous logon account, and then select the Allow check box for Remote Access for the Anonymous Logon user.

Running the Antigen Administrator

To run the Antigen Administrator, on the Start menu, point to All Programs, point to Microsoft Antigen for SMTP, and then click Antigen Administrator. Or, you can launch it from a command prompt.

To launch the Antigen Administrator from a command prompt

1. Open a Command Prompt window.

2. Navigate to the Antigen installation directory. The default is: Program Files\Microsoft Antigen for SMTP

3. Type antigenclient.exe and press ENTER.

Connecting to a server

The first time the Antigen Administrator is launched, it prompts you to connect to the SMTP server running on the local computer. You can use the server name or local alias to connect to the local server.

The Antigen Administrator can be connected to a remote server running Antigen for SMTP Gateways. This ability enables an administrator to use one installation of the Antigen Administrator to configure and control Antigen for SMTP Gateways throughout the network.

At the server prompt box, click the Browse button or enter the server name, IP address, or Domain Name System (DNS) name of the remote computer.

Notes:

Due to enhanced security settings in Windows Server 2003 SP1, DCOM settings may need to be updated when Antigen for SMTP Gateways is installed on a server running Windows Server 2003 SP1 to allow remote access. Remote administrators must have privileges enabled for both remote launch and remote activation.

Because the Antigen for SMTP Gateways installation places the installation folder (for both administrator-only installations and full product installations) on an access control list (ACL), a remote administrator must have access to the local installation folder and registry key, as well as access to the server to which the Antigen Administrator is connecting.

If you are having problems connecting the Antigen Administrator to the server, try using the PING command to test for server availability. If the server is available, make sure that no other instances of Antigen Administrator are currently connected to the server.

Connecting to a different server

To connect to a different server when already connected to Antigen for SMTP Gateways, select Open from the Antigen Administrator File menu. The Connect to Server dialog box appears. Enter the name of another server running Antigen for SMTP Gateways, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Antigen Administrator dialog box to quickly reconnect to a server.

Connecting to a computer that is not a member of the domain

When you install Antigen for SMTP Gateways on a computer that is acting as an SMTP virtual server and that computer is not a member of the domain, you will receive an "Unable to connect to scan job" error message when you attempt to use the Antigen Administrator by connecting to this computer.

This behavior occurs because Antigen for SMTP Gateways depends on the Netlogon service to connect to scan jobs. Because the computer that is acting as the SMTP virtual server is not part of the domain, the Netlogon service account cannot be authenticated. To work around this behavior, you can remove the Netlogon dependency.

To remove the Netlogon dependency

1. Use an account that has administrative permissions to log on to the computer that is acting as the SMTP gateway.

2. Click Start, click Run, type regedit, and then click OK.

3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntigenService

4. Double-click DependOnService.

5. In the Edit Multi String dialog box, click Netlogon under Value data, press DELETE, and then click OK.

6. Exit Registry Editor.

7. Restart the computer for the changes to take effect.

Running in read-only mode

The Antigen Administrator may be run in a read-only mode. To do so, the administrator needs to modify the NTFS file system permissions on the Antigen Database directory to allow modify access only to those users with permission to change Antigen for SMTP Gateways settings. By default, the installation directory is:

Program Files\Microsoft Antigen for SMTP

To ensure proper configuration, first remove modify access for all users and then set modify access only for users that are allowed to change Antigen for SMTP Gateways settings. When a user without modify access opens the Antigen Administrator, ReadOnly appears at the top of the pane and no configuration changes are allowed.

Antigen Administrator overview

The Antigen Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right as shown in the following image.

[Image: the Antigen Administrator window, with the Shuttle Navigator on the left and the work panes on the right]

The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

|Area |Description |
|SETTINGS |The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, General Options, and the Anti-Spam Job when the Antigen Spam Manager is enabled. |
|FILTERING |The FILTERING area enables you to configure content filtering, file filtering, mailhost filtering, keyword filtering, allowed senders lists, and filter lists. |
|OPERATE |The OPERATE area enables you to control virus scanning, spam scanning, and filter options, schedule and run scan jobs, and perform quick scans. |
|REPORT |The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files. |

General Options

General Options settings, accessed from the SETTINGS shuttle, provide access to a variety of system-level settings for Antigen for SMTP Gateways. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Antigen Enabled and Internet Process Count require that the Antigen services be restarted for the change to take effect.

Although there are many options that can be controlled through the General Options pane, each of them has a default (enabled, disabled, or a value), which is probably the correct setting for your enterprise. It is rare that any of these settings need to be changed. However, several of the settings were entered during installation, and you might need to change a setting occasionally.

To access the General Options pane, click General Options in the SETTINGS area of the Shuttle Navigator. The General Options pane opens.

The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, and Exchange 2003 UCE Settings.

Diagnostics section

The following table lists and describes the settings in the Diagnostics section of the General Options pane.

|Setting |Description |
|Additional Internet |Logs every file that is scanned by the Internet scanner. |
|Notify on Startup |When selected, Antigen for SMTP Gateways sends a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet scanner starts. |
|Archive SMTP Mail |Enables administrators to archive inbound and outbound SMTP e-mail in two folders (named In and Out) that are located in the Antigen for SMTP Gateways installation folder. Each message is given a file name that consists of the year, day, month, time, and a three-digit number. For example: 20022009102005020.eml. Administrators have the following options for archiving: • No Archive—No mail is archived. • Archive Before Scan—Messages are archived prior to scanning. • Archive After Scan—Messages are archived after scanning. • Archive Before And After Scan—Messages are archived before and after scanning. These options are provided to help administrators and Antigen for SMTP Gateways support engineers diagnose and isolate problems users may be experiencing. |
|Critical Notification Lists |Enter the e-mail addresses of administrators and others who should be notified in the event that the SMTP service starts and Antigen for SMTP Gateways is not connected, or if the Antigen store shuts down. Multiple e-mail addresses should be separated by semicolons, for example: admin@;admin2@ |

Logging section

The following table lists and describes the settings in the Logging section of the General Options pane.

|Setting |Description |
|Enable Event Log |Enables logging of Antigen for SMTP Gateways events to the event log. |
|Enable Antigen Program Log |Enables the Antigen for SMTP Gateways program log (ProgramLog.txt). The Antigen services must be restarted for a change to this value to take effect. |
|Enable Performance Monitor and Statistics |Enables logging of Antigen for SMTP Gateways performance statistics to Performance Monitor. |
|Enable Antigen Virus Log |Enables the Antigen Virus Log (VirusLog.txt). |
|Enable Incidents Logging – Internet |Enables or disables incident logging for the Internet Scan Job. You may select from the following options: • Enable all incident logging • Disable all incident logging • Disable Spam/RBL incident logging—Only spam and RBL logging are disabled. Other incidents are still logged. |
|Max Program Log Size |Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. The default is 25600 KB. A value of 0 indicates that there is no limit to the maximum size. |

For more information about the log files and Performance Monitor, see Chapter 15 - Reporting and statistics overview.

Scanner Updates section

The following table lists and describes the settings in the Scanner Updates section of the General Options pane.

|Setting |Description |
|Redistribution Server |When this option is enabled, the two most recent engine update packages are saved in the engine package folder instead of the usual single engine package. Antigen for SMTP Gateways also downloads the full update package rather than performing an incremental update. The multiple engine packages allow the spoke servers to continue getting updates from the redistribution server while a new update is being downloaded. |
|Perform Updates at Startup |Configures Antigen for SMTP Gateways to automatically perform engine updates every time Antigen for SMTP Gateways is started. |
|Send Update Notification |Configures Antigen for SMTP Gateways to send a notification to the Virus Administrator each time a scan engine is updated. |
|Use Proxy Settings |Configures Antigen for SMTP Gateways to use proxy settings when retrieving antivirus scanner updates. The use of a proxy server to retrieve updates is optional. |
|Use UNC Credentials |Configures Antigen for SMTP Gateways to use Universal Naming Convention (UNC) credentials when retrieving scanner updates from a file share. The use of a UNC path to retrieve updates is optional. Note that credentials are not supported if you are using Antigen Enterprise Manager for redistribution. Make sure you clear this setting if you are using Antigen Enterprise Manager to manage antivirus engine updates. |
|Proxy Server Name/IP Address |Enter the name or IP address of the proxy server Antigen for SMTP Gateways should use when retrieving antivirus scanner updates. Required, if using proxy settings. |
|Proxy Port |Enter the port number for the proxy server. |
|Proxy Username |Enter the name of a user with access rights to the proxy server, if necessary (optional). |
|Proxy Password |Enter the password for the proxy user name, if necessary (optional). |
|UNC Username |Enter the name of a user with access rights to the UNC path, if necessary (optional). |
|UNC Password |Enter the password for the UNC user name, if necessary (optional). |

For more information about updating the scan engines, see Chapter 16 - File scanner updating overview.

Scanning section

The following table lists and describes the settings in the Scanning section of the General Options pane.

|Setting |Description |
|Delete Corrupted Compressed Files |Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or it could be that the file exceeds the size limit configured for Antigen for SMTP Gateways. When a corrupted compressed file is detected, Antigen for SMTP Gateways reports it as a CorruptedCompressedFile virus. This option is enabled by default. Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles to override quarantining for these file types. The DWORD setting must be created and its value set to 0. Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types: UnwritableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners due to the corrupt nature of the file. UnReadableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive. |
|Delete Corrupted Uuencode Files |Specifies whether corrupted Uuencoded files are deleted. Typically, a Uuencoded file that Antigen is unable to parse is considered corrupted. When a corrupted compressed file is detected, Antigen for SMTP Gateways reports it as a CorruptedCompressedUuencodeFile virus. This option is enabled by default. |

|Delete Encrypted Compressed Files |Specifies whether encrypted compressed files with at least one encrypted item within their contents are deleted. (Encrypted files cannot be scanned by antivirus scan engines.) When an encrypted compressed file is detected, Antigen for SMTP Gateways reports it as an EncryptedCompressedFile virus. |

|Treat high compression ZIP files as corrupted compressed |Specifies whether ZIP archives containing highly compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message is delivered. If a threat can be cleaned, the message is delivered. If a threat cannot be cleaned, the message is deleted. If the file is compressed with an unknown algorithm, it is always treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly compressed files are treated as corrupted compressed). |
|Treat multipart RAR archives as corrupted compressed |A file within an RAR archive can be compressed across multiple files or parts, thereby allowing large files to be divided into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed. Disabling this option allows you to receive such files. However, in this case, a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default. If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted. Note: If you are using multipart RAR to compress files that exceed 100 MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Appendix B - Setting registry keys. |
|Treat concatenated gzips as corrupted compressed |Multiple Gnu zip (gzip) files can be concatenated into a single file. Although Antigen for SMTP Gateways recognizes concatenated gzip files, it may not recognize individual files split across concatenated gzip files. Therefore, Antigen for SMTP Gateways treats concatenated gzip files as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzip files from passing through, thereby preventing potential infections. Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzip files. However, in this case, a virus may escape detection. |
|Scan Doc Files as Containers – Internet |Specifies that the Internet Scan Job should scan .doc files and any other files that use structured storage files and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any files embedded in the file are scanned as potential virus carriers. This setting does not apply to Microsoft Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types overview. This option is disabled by default. |
|Skip Content Filtering for Allowed Mailhosts |Specifies that Antigen for SMTP Gateways skip content filtering for SMTP messages when every public mailhost in the Received MIME header field—up to the number specified in the General Options setting Maximum Allowed Mailhosts Lookups—is listed in an enabled Allowed Mailhost list. For more information, see Chapter 10 - Using mailhost filtering. |

|Case Sensitive Keyword Filtering |Specifies that all keyword filters are case sensitive. When this setting is cleared, no keyword filters are case sensitive. |

|Fix Bare CR or LF in Mime Headers |Corrects a discrepancy between the MIME header parsing method used by Outlook and Outlook Express and the RFC 822 specification on how bare carriage return (CR) (0x0d) and bare line feed (LF) (0x0a) are handled in MIME headers. MIME messages can be formed that allow Outlook and Outlook Express to improperly detect attachments in the MIME headers that are not scanned. When selected, Antigen for SMTP Gateways modifies any bare CR or bare LF found in the MIME headers to the CR/LF combination, which removes the discrepancy in parsing methods. |
|Add Disclaimers to Clear Signed Messages |When this option is selected, Antigen for SMTP Gateways adds disclaimers—if disclaimers are enabled—to Clear Signed Messages. If you do not want disclaimers appended to Clear Signed Messages, clear this option. A Clear Signed Message is a message that contains a digital signature and is in a readable state. If the message is modified by the addition of a disclaimer, however, the digital signature is invalid. When users receive the message, they are told that the digital signature is invalid. This option is enabled by default. |
|Purge Message if Message Body Deleted – Internet |Some messages carry viruses in the body of the message file. When all or part of the message body is deleted to remove a virus, Antigen for SMTP Gateways inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Antigen for SMTP Gateways and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is selected. |
|Enable Antigen |Enables administrators to enable or disable scanning. The default value is Enable. After changing this setting, the Antigen services must be recycled for the change to take effect. For more information about recycling the services, see "Recycling the Antigen services" in Chapter 3 - Antigen services. |
|Internet Process Count |This setting is used to change the number of Internet processes that are used by Antigen for SMTP Gateways. The default value is 2. You may create up to 10 Internet processes. After changing this setting, the Antigen services must be recycled. For more information about this setting, see Chapter 6 - Configuring SMTP Scan Jobs. |
|Engine Error Action |Sets the action that Antigen for SMTP Gateways should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are: Ignore, which logs the error to the program log; Skip: Detect Only, which logs the error to the program log and displays an EngineError entry with the state Detected in the UI; and Delete, which logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI. The file that caused the engine error is always quarantined. The default value is Delete. |

|Illegal MIME Header Action - Internet |If Antigen for SMTP Gateways encounters an illegal MIME header |

| |during a scan, it can be enabled to Purge: eliminate message (the|

| |default) or set to Ignore the message. Illegal MIME headers are |

| |headers that have multiple Content-Type, Content-Transfer |

| |Encoding, or Content-Disposition headers containing conflicting |

| |data. Messages where the Content-Disposition or Content-Type |

| |header is longer than it is supposed to be, and messages that |

| |contain multiple subject lines, are also identified as illegal |

| |MIME headers. Identified messages will be quarantined by default.|

| |If you do not want identified messages to be quarantined, create |

| |a new registry DWORD value named |

| |DisableQuarantineForIllegalMimeHeader and set it to 1 to override|

| |quarantining. |

|Internet Scan Timeout Action |Indicates what to do in the event that the Internet Scan Job |

| |(SMTP Scan Job) times out while scanning a file. The options are:|

| |Ignore, Skip, and Delete. The Ignore setting lets the file pass |

| |without being scanned. The Skip setting reports in the Incidents |

| |log and Program log that the file exceeded the scan time and lets|

| |it pass without being scanned. The Delete setting also reports |

| |the event and replaces the contents of the file with the deletion|

| |text. A copy of the file is stored in the Quarantine database if |

| |quarantining is enabled and Internet Scan Timeout Action is set |

| |to either Skip or Delete. The default value is Delete. |

|Quarantine Messages |Antigen for SMTP Gateways performs two different quarantine |

| |operations: quarantining of entire messages or quarantining of |

| |attachments only. Entire messages are quarantined only for |

| |content filters, spam filters, and file filters that are set to |

| |Purge when quarantine is enabled. |

| |When Quarantine Messages is set to Quarantine as Single EML |

| |File), the quarantined message and all attachments are |

| |quarantined in an EML file format. |

| |When Quarantine Messages is set to Quarantine Message Body and |

| |Attachments Separately, Antigen for SMTP Gateways quarantines |

| |messages as separate pieces (bodies and attachments). |

| |For a complete description of this setting, see "About |

| |quarantine" in Chapter 15 - Reporting and statistics overview. |

| |[pic]Note: |

| |These settings do not apply to files that are quarantined due to |

| |virus scanning. Only infected attachments are quarantined when an|

| |infection is detected. |

|Deliver From Quarantine Security |This value gives administrators flexibility for handling messages|

| |and attachments that are forwarded from quarantine. The options |

| |for this setting are Secure Mode and Compatibility Mode: |

| |• Secure Mode forces all messages and attachments delivered from |

| |quarantine to be scanned again for viruses and filter matches. |

| |This is the default setting. |

| |• Compatibility Mode allows messages and attachments to be |

| |delivered from quarantine without being scanned for filter |

| |matches. (Messages and attachments are always scanned for |

| |viruses.) Antigen for SMTP Gateways identifies these messages by |

| |placing special tag text in the subject line of all messages that|

| |are delivered from quarantine. |

| |For more information about this setting, see Chapter 15 - |

| |Reporting and statistics overview. |

|SMTP Sender Information |By default, Antigen uses the MIME FROM header sender address for |

| |the SMTP Scan Job. This General Options setting enables |

| |administrators to use the MAIL FROM sender address from the SMTP |

| |protocol for the SMTP Scan Job. When Use SMTP protocol MAIL FROM |

| |is selected, the address in that box is used anywhere the sender |

| |address is used, for example, for sender or domain content |

| |filtering, notifications, reporting in the Antigen Administrator,|

| |and multiple disclaimers. The options for this setting are: |

| |• Use MIME From: Header (the default). |

| |• Use SMTP protocol MAIL FROM. |

| |[pic]Note: |

| |When Use MIME From: Header is selected and a MIME Sender header |

| |is also present, the MIME Sender header information is used. |

|Perform Reverse DNS Lookup |Provides the ability to disable reverse DNS lookups when |

| |validating an IP address or domain name against the Allowed |

| |Mailhost or Rejected Mailhost lists. If reverse DNS lookups are |

| |disabled, the domain name found in the MIME Received header field|

| |is used for comparisons with the Allowed Mailhost and Rejected |

| |Mailhost lists. The options for this setting are: |

| |• Enable All (the default) |

| |• Disable All |

| |• Only for Mailhost List Checking |

| |• Only for Inbound/Outbound Determination |

| |For more information about this setting, see Chapter 10 - Using |

| |mailhost filtering. |

|Max Container File Infections |Specifies the maximum number of infections allowed in a |

| |compressed file. If this is exceeded, the entire file is deleted |

| |and Antigen for SMTP Gateways logs an incident stating that an |

| |ExceedinglyInfected virus was found. A value of zero means that a|

| |single infection will cause the entire container to be deleted. |

| |In this case, the logged incident has the tag Container Removed |

| |appended to the filter match. The default value is 5 infections. |

|Max Container File Size |Specifies the maximum container file size (in bytes) that Antigen|

| |for SMTP Gateways attempts to clean or repair in the event that |

| |it discovers an infected file. The default is 26 MB (26,214,400 |

| |bytes). Files larger than the maximum size are deleted if they |

| |are infected or meet file filter rules. Antigen for SMTP Gateways|

| |reports deleted files as a LargeInfectedContainerFile virus. |

|Max Nested Attachments |Specifies the limit for the maximum nested documents that can |

| |appear in MSG, TNEF, MIME, and Uuencoded documents. The limit |

| |includes the sum of the nestings of all of these types. If the |

| |maximum number is exceeded, Antigen for SMTP Gateways blocks or |

| |deletes the document and reports that an ExceedinglyInfected |

| |virus was found. The default value is 30. |

|Max Nested Compressed Files |Specifies the maximum nested depth for a compressed file. If this|

| |is exceeded, the entire file is deleted and Antigen for SMTP |

| |Gateways sends a notification stating that an ExceedinglyNested |

| |virus was found. A value of zero represents that an infinite |

| |amount of nestings is allowed. The default value is 5. |

|Max Container Scan Time (msecs) - Internet |Specifies the number of milliseconds that Antigen for SMTP |

| |Gateways scans a compressed attachment before reporting it as a |

| |ScanTimeExceeded virus. This setting is intended to prevent |

| |denial of service risk from zip of death attacks. The default |

| |value is 120,000 milliseconds (two minutes). |

|Internal Address |Antigen for SMTP Gateways can be configured to send different |

| |notifications to internal and external senders and recipients. If|

| |your list of internal names is small, enter the domain names in |

| |the Internal Address box, to show who should be sent internal |

| |notifications. Domains should be entered as a semicolon delimited|

| |list (for example: ;;) with |

| |no spaces. Any change to this value is immediately reflected in |

| |virus notifications. |

| |When entering a domain name in the Internal Address box, be aware|

| |that subdomains are covered by the entry. |

| |For example: will include subdomain. and |

| |subdomain2.. |

| |Alternate domains such as or must be |

| |entered individually. |

| |Values entered in the Internal Address box are used as a |

| |substring match of the end of an e-mail address. For example, |

| |"" would consider "someone@" and |

| |"someone@" to be internal addresses. |

| |If you have a large number of domains to be used as internal |

| |addresses, you can enter them in an external text file (leaving |

| |the Internal Address box blank). Enter all your internal domains,|

| |each on a separate line. Be aware that all subdomains must be |

| |entered individually. To use the external file, you must manually|

| |create the registry key DomainDatFilename and set its value to |

| |the full path of the external text file. For more information |

| |about this key, see Appendix B - Setting registry keys. |

| |(For more information about internal addresses and notifications,|

| |see Chapter 14 - Using e-mail notifications.) |

|SMTP External Hosts |If you are using an SMTP gateway to route e-mail into your |

| |messaging environment, you may enter the IP address of the |

| |gateway server so that Antigen for SMTP Gateways treats all mail |

| |coming from that server as inbound when determining which filters|

| |and scan jobs to utilize for a message. If you do not enter the |

| |IP address of your SMTP gateway, Antigen for SMTP Gateways uses |

| |its internal logic to determine if messages are inbound or |

| |internal. IP addresses should be entered as a semicolon delimited|

| |list with no spaces. |

| |For example, enter: 123.45.6.78;8.76.54.32;1.0.0.0 |

|Maximum RBL Lookups |Specifies the number of hops allowed while doing RBL tests. (Only|

| |public IP addresses received in the chain are counted.) Antigen |

| |for SMTP Gateways starts counting with the first public IP |

| |address and checks the IP address of each hop until the Maximum |

| |RBL Lookups is reached or a private IP address is encountered. |

| |The default value is 4. |

|Maximum Allowed Mailhost Lookups |Specifies how many addresses need to be checked and matched by |

| |the Allowed Mailhost filter for content filtering to be skipped. |

| |The default value is 4. |
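The two MIME header checks described in the General Options table above (bare CR/LF normalization and the conditions behind Illegal MIME Header Action), as an added Python example; this is illustration code written for this guide, not Antigen's implementation. The sample header block is constructed, and the 998-character header length limit is an assumed value taken from RFC 5322, since the guide does not state the limit Antigen applies.

```python
"""Gateway-side MIME header checks: bare CR/LF normalization and
illegal-header detection. Example code, not Antigen's own logic."""
import re

# Headers whose duplicates with conflicting values make a message "illegal".
CONFLICT_HEADERS = ("content-type", "content-transfer-encoding", "content-disposition")

# A CR that is not followed by LF, or an LF that is not preceded by CR.
_BARE_EOL = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def normalize_bare_crlf(raw_headers: bytes) -> bytes:
    """Rewrite every bare CR (0x0d) or bare LF (0x0a) as CRLF, so that a
    strict RFC 822 parser and a lenient mail client cannot disagree on
    where one header ends and the next begins."""
    return _BARE_EOL.sub(b"\r\n", raw_headers)


def parse_headers(raw_headers: bytes):
    """Split a CRLF-terminated header block into (name, value) pairs,
    unfolding continuation lines that start with whitespace. Names are
    lower-cased str, values stay bytes."""
    fields = []
    for line in raw_headers.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip())
            continue
        name, _, value = line.partition(b":")
        fields.append((name.strip().lower().decode("ascii", "replace"), value.strip()))
    return fields


def find_illegal_headers(raw_headers: bytes, max_value_len: int = 998):
    """Return the reasons a header block would be classed as illegal:
    conflicting duplicate Content-* headers, multiple Subject lines, and
    over-long Content-Type / Content-Disposition values. The block is
    normalized first so that a bare LF cannot hide a second header."""
    reasons = []
    seen = {}
    subjects = 0
    for name, value in parse_headers(normalize_bare_crlf(raw_headers)):
        if name == "subject":
            subjects += 1
        if name in CONFLICT_HEADERS:
            if name in seen and seen[name] != value:
                reasons.append(f"conflicting duplicate {name}")
            seen.setdefault(name, value)  # keep the first value for later comparisons
        if name in ("content-type", "content-disposition") and len(value) > max_value_len:
            reasons.append(f"over-long {name}")
    if subjects > 1:
        reasons.append("multiple subject lines")
    return reasons


# Constructed sample: a bare LF ends the first Content-Type line, a second
# conflicting Content-Type follows it, and the Subject header appears twice.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"Subject: quarterly report\r\n"
    b"Content-Type: text/plain\n"  # bare LF: a strict parser sees one long header
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment;\r\n"
    b"\tfilename=\"report.exe\"\r\n"
    b"Subject: second subject\r\n"
)

if __name__ == "__main__":
    print(len(parse_headers(SAMPLE)), "headers before normalization")
    print(len(parse_headers(normalize_bare_crlf(SAMPLE))), "headers after normalization")
    print(find_illegal_headers(SAMPLE))
```

Without normalization the strict parser folds the two Content-Type lines into one value and sees five headers; after normalization it sees six and the conflicting duplicate is reported.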
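The hop-counting rule of the Maximum RBL Lookups setting above, as an added Python example that is not part of the guide or of the product. The Received chain is constructed (IPv4 only); its public addresses reuse the example addresses from the SMTP External Hosts row, and "public" is taken to mean a globally routable address as judged by the standard library.

```python
"""Select the Received-chain hops that would be submitted to an RBL,
following the Maximum RBL Lookups rule: start at the first public IP,
stop after max_lookups hops or at the first private IP. Example code."""
import ipaddress
import re

# Received headers are listed most-recent-first; the first bracketed
# address in each is the host the named server accepted the message from.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(received_headers):
    """Extract the connecting-host IPv4 address from each Received header,
    most recent hop first; headers with no parsable address are skipped."""
    ips = []
    for header in received_headers:
        match = _RECEIVED_IP.search(header)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return ips


def rbl_candidates(received_headers, max_lookups=4):
    """Return, as strings, the hop addresses that would be looked up.
    Internal hops before the first public address are not counted; a
    private address after counting has started ends the walk."""
    candidates = []
    started = False
    for ip in received_ips(received_headers):
        if not ip.is_global:
            if started:
                break      # private hop after the public ones: stop here
            continue       # still inside our own network: not counted
        started = True
        candidates.append(str(ip))
        if len(candidates) >= max_lookups:
            break
    return candidates


# Constructed chain, most recent hop first. 10.0.0.5 is our own relay and
# is skipped; 192.168.1.20 ends the walk, so 1.0.0.0 is never looked up.
SAMPLE_RECEIVED = [
    "from mx.example.test (mx.example.test [10.0.0.5]) by gateway.example.test",
    "from relay1.partner.test (relay1.partner.test [123.45.6.78]) by mx.example.test",
    "from relay2.partner.test (relay2.partner.test [8.76.54.32]) by relay1.partner.test",
    "from inner.partner.test (inner.partner.test [192.168.1.20]) by relay2.partner.test",
    "from origin.partner.test (origin.partner.test [1.0.0.0]) by inner.partner.test",
]

if __name__ == "__main__":
    print(rbl_candidates(SAMPLE_RECEIVED))  # ['123.45.6.78', '8.76.54.32']
```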

Exchange 2003 UCE Settings

These settings are visible in the General Options pane for all installations, but will not configure the Exchange settings unless the Antigen Spam Manager is enabled. The unsolicited commercial e-mail (UCE) settings are Exchange 2003 functions that help combat spam e-mail by tagging potential spam and diverting suspect messages into a Junk E-mail folder instead of a user's Inbox.

|Setting |Description |

|Enable SCL Rating |Specifies whether to use the Exchange 2003 features that set spam confidence level (SCL) ratings on a message. If this option is selected, Antigen for SMTP Gateways sets an SCL rating based on the results of filtering operations performed by the Spam Manager. Administrators must configure the action Identify: Tag Message to Set SCL property for ratings to be appended to messages. For more information, see Chapter 13 - Antigen Spam Manager overview. |

|Skip Content Filtering for Safe Connections |Specifies whether to use the Safe Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering are still performed even if this is enabled. |

|Skip Content Filtering for Authenticated Connections |Specifies whether to use the Authenticated Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering are still performed even if this is enabled. |

Central Management

Central management of Antigen for SMTP Gateways is handled through the Antigen Enterprise Manager. The Antigen Enterprise Manager enables administrators to:

• Install or uninstall Antigen for SMTP Gateways on local and remote servers.

• Update all or individual scan engines on local and remote servers.

• Run a manual scan on multiple servers simultaneously.

• Check Antigen, scan engine, and virus definition versions on multiple servers.

• Deploy Antigen for SMTP Gateways template files.

• Retrieve virus logs from multiple servers.

• Retrieve quarantined files.

• Retrieve the ProgramLog.txt file from single or multiple servers.

• Retrieve virus incident information.

• Deploy General Options settings.

• Deploy Filter List templates.

• Generate HTML reports.

• Send outbreak alerts.

For detailed instructions about using these features, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechCenter.

Chapter 5 - Implementing multiple scan engines and setting bias modes

Antigen for SMTP Gateways provides you with the ability to implement multiple scan engines for detecting and cleaning viruses.

Multiple engines provide extra security by enabling you to use the expertise of various virus labs to keep your environments virus-free. A virus may slip by one engine, but it is unlikely to get past three.

Multiple engines also allow for a variety of scanning methods. Antigen for SMTP Gateways integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor’s Web site. Links are provided at Microsoft Help and Support.

All the scan engines that Antigen for SMTP Gateways integrates with have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You need only select which engines you would like to use for a scan job and indicate the bias setting. These two settings (both on the Antivirus Settings work pane) allow the Antigen Multiple Engine Manager to properly control the selected engines during the scan job.

The Multiple Engine Manager uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, the Multiple Engine Manager returns a result greater than 0. Antigen for SMTP Gateways then considers the item infected and has the Multiple Engine Manager deal with it accordingly. (For more information, see Cleaning infected files.)

About engine rankings

The Multiple Engine Manager uses the results from each engine as part of its engine ranking process. The Multiple Engine Manager ranks each engine based on its past performance and its age. This information allows the Multiple Engine Manager to weight each engine so that better-performing ones are used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process.

If two or more engines are equally ranked, Antigen for SMTP Gateways invokes them by cycling through various engine order permutations.

Setting the bias

The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance.

Thus, at one extreme is the number of engines that gives maximum certainty; at the other extreme is the number of engines that gives maximum performance. In between is the number of engines that permits balanced (called neutral) performance.

After you make your scan engine configurations and bias configurations, it is recommended that you reevaluate the server performance and then make any necessary adjustments. These adjustments may involve increasing or decreasing the number of scan engines, or changing the bias setting based on the needs of your organization. For best performance, it is recommended that you use no more than five engines per scan job.

You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your gateway server to maximize its system performance. Then, you can use several engines on your other servers.

Note:

The bias setting only applies to virus scanning. It is not used in file filtering.

About bias settings

There are several possible bias settings. Each scan (other than one with a bias setting of Maximum Certainty) independently selects the engines to use, as described in the following table.

|Bias setting |Description |

|Maximum Performance |Scans each message with only one of the selected engines. This gives the fastest performance, but the least security. |

|Favor Performance |Fluctuates between virus scanning with one of the selected engines and half of them. |

|Neutral |Scans each message with at least half of the selected engines. This setting balances security and performance. Neutral is the default value. |

|Favor Certainty |Fluctuates between virus scanning with half of the selected engines and all of them. |

|Maximum Certainty |Scans each message with all of the selected engines. This gives the slowest performance, but the greatest security. If an engine is not available because it is being updated, messages are queued until the engine is once again ready to scan them. |

Assuming you select five engines, the following table shows how each of the bias settings uses the engines in virus scanning:

|Bias mode |Description |

|Maximum Performance |Each item is virus-scanned by only one of the selected engines. |

|Favor Performance |Fluctuates between virus scanning each item with one and three engines. |

|Neutral |Each item is virus-scanned by at least three engines. |

|Favor Certainty |Fluctuates between virus scanning each item with three and five engines. |

|Maximum Certainty |Each item is virus-scanned by all five of the selected engines. |

Configuring the bias

The bias is set on the Antivirus Settings work pane. Select Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears to the right.

To configure the bias, select a scan job at the top of the work pane. Then, set its bias, using the Bias field in the lower part of the work pane. The values are those discussed in About bias settings. To find out more about the other fields on the Antivirus Settings work pane, see Chapter 6 - Configuring SMTP Scan Jobs. Remember to click Save to save your choices.

Cleaning infected files

The first engine that detects an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detect the infection fail to clean it, the item is deleted.

Chapter 6 - Configuring SMTP Scan Jobs

The Antigen for SMTP Gateways SMTP Scan Job (also known as the Internet Scan Job) can scan, in real time, all MIME and Uuencode-based e-mail that is inbound or outbound via the SMTP gateway of an organization. The SMTP scanner scans for viruses in attachments and for embedded and HTML viruses in the message body.

Antigen for SMTP Gateways scans mail on all SMTP virtual servers when the SMTP Scan Job is enabled. If you do not want Antigen for SMTP Gateways to scan all enabled SMTP virtual servers, you can create a string registry value named DisableSMTPVS. After it is created, you must populate it with a comma-delimited list of numbers 1 through 10 representing the virtual servers you would like Antigen for SMTP Gateways to skip during scanning.

For example, if you have four virtual servers (named VS1, VS2, VS3, and VS4) and only want to scan on VS1 and VS3, the string value would be: 2,4 (with no spaces in the string).

Do not place anything other than the numbers 1 through 10 in the string, or it will cause unpredictable results. The SMTP service must be recycled for the registry changes to take effect.

About multiple Internet processes

Two Internet Scan Jobs (processes) are created during installation, but administrators may create additional Internet Scan Jobs by changing the value of the General Options setting Internet Process Count to represent the number of Antigen for SMTP Gateways Internet Scan Jobs you want running on your SMTP stack. The maximum is 10.

When you run multiple Internet processes, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file will be scanned by the third process. Whenever possible, Antigen for SMTP Gateways delivers files to the first process if it is available. Multiple processes increase the load on the server at startup when they are being loaded and whenever they are called upon to scan a file. More than two Internet processes should not be necessary except in high-volume environments that need the additional redundancy provided by three or four processes. As a general rule, it is recommended that you enable only two Internet processes per processor on each server.

Configuring the SMTP Scan Job

When configuring the SMTP Scan Job settings, select the SMTP messages (Inbound, Outbound, or Internal) and optional features such as Deletion Text and Tag Text.

To configure the SMTP Scan Job

1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears to the right.

2. Click SMTP Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.

3. Select whether you would like to scan Inbound, Outbound, or Internal messages.

• Selecting the Inbound check box configures Antigen for SMTP Gateways to scan all inbound SMTP e-mail messages. Messages are designated as inbound if the message originated from or was relayed through an external server.

• Selecting the Outbound check box configures Antigen for SMTP Gateways to scan all outgoing SMTP e-mail messages. Messages are designated as outbound if at least one recipient has an external address.

• Selecting the Internal check box configures Antigen for SMTP Gateways to scan all mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain.

4. Optionally, if the Antigen Spam Manager is installed on a server running Exchange 2003, you can set the Store Action Threshold. The Store Action Threshold designates when Exchange 2003 will divert a suspected spam e-mail message to a Junk Mail folder based on the SCL rating of the message.

For this feature to function properly, administrators must use the Action setting Identify: Tag Message to configure the Antigen Spam Manager to include the SCL rating. (For more information, see Chapter 13 - Antigen Spam Manager overview.) By default, the Store Action Threshold is set to 8 so that any message with an SCL rating higher than 8 will be diverted to the Junk Mail folder. When Antigen identifies a message as spam, it sets the SCL rating to 9.

5. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This box is used by Antigen for SMTP Gateways when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note:

Antigen for SMTP Gateways provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

6. Optionally, if the Advanced Spam Manager is installed, you can specify Tag Text. When you click the Tag Text button, a text box appears. This text is used by Antigen for SMTP Gateways to tag the subject line or MIME header of a message when the Action setting for a filter is set to Identify: Tag Message. (For more information about this Action setting, see Chapter 14 - Using e-mail notifications.) A custom message can be used by modifying this text box.

7. Optionally, if you would like to append a disclaimer to all outbound messages, select the Add Outbound Disclaimer check box. For more information about this feature, see Adding outbound disclaimers.

8. Click Save.

Adding outbound disclaimers

The add disclaimer feature of Antigen for SMTP Gateways enables administrators to append a disclaimer to outbound messages flowing through the SMTP stack. If the Add Outbound Disclaimer button is selected during configuration of the SMTP Scan Job, the Disclaimer Text button is enabled.

Click the Disclaimer Text button to display a text input dialog box. The default disclaimer text appears.

You may customize the disclaimer text by entering the message you would like to include in all outgoing messages. After being enabled, the disclaimer text will be appended to the message body of all outbound messages.

The disclaimer text may also be entered using HTML tags to format the text. For example, you can create a disclaimer like this: "This is a test disclaimer"

If the e-mail message is sent in HTML form, the HTML formatted disclaimer is appended and displayed properly provided the recipient is using an e-mail client that supports HTML formatted messages. If the recipient's e-mail client only supports plain text, the recipient will see the entire HTML formatted disclaimer text, which includes the HTML tags. This is also the case if the sender is sending the message in plain text.

The disclaimer setting, along with the disclaimer text, is saved in the SMTP Scan Job, and is disabled by default.

When upgrading from previous versions of Antigen for SMTP Gateways, the SMTP Scan Job is updated to include this setting.

To avoid having disclaimers appended to mail destined for addresses within your internal domain, you must enter your e-mail domains into the General Options setting Internal Address. Enter your local domain name (). You may also enter multiple domain names by separating each name with a semicolon (;)—no space is required. For more information about the Internal Address option, see Chapter 4 - Antigen Administrator.
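The Internal Address suffix rule from Chapter 4 and the inbound/outbound/internal definitions from the SMTP Scan Job procedure, combined in an added Python example that decides which messages receive the outbound disclaimer. It is illustration code written for this guide, not Antigen's logic: the domains and addresses are constructed (the SMTP External Hosts value reuses the guide's example addresses), and the fallback used when no SMTP External Hosts entry matches (an external sender means inbound) is an assumption, since the guide only says Antigen uses its internal logic.

```python
"""Message direction and outbound-disclaimer decision built from the
Internal Address and SMTP External Hosts settings. Example code, not
Antigen's implementation."""
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipients: list
    connecting_ip: str  # the SMTP peer that handed the message to the gateway


def parse_setting_list(setting: str):
    """Split a semicolon-delimited General Options value ('a;b;c', no
    spaces) into lower-cased entries, ignoring empty items."""
    return [item.strip().lower() for item in setting.split(";") if item.strip()]


def is_internal_address(address: str, internal_domains) -> bool:
    """Match the end of the address, as the guide describes: 'example.test'
    covers someone@example.test and someone@sub.example.test. Read
    literally, an end-of-string match also covers someone@notexample.test,
    which is why entries should be the most specific domains you own."""
    addr = address.strip().lower()
    return any(addr.endswith(domain) for domain in internal_domains)


def classify(msg: Message, internal_address: str, smtp_external_hosts: str = "") -> str:
    """Return 'inbound', 'outbound' or 'internal' for a message."""
    internal = parse_setting_list(internal_address)
    external_hosts = parse_setting_list(smtp_external_hosts)
    # Mail handed over by a listed gateway IP is always treated as inbound.
    if msg.connecting_ip in external_hosts:
        return "inbound"
    # Assumption (the guide only says "internal logic"): an external sender
    # means the message originated outside, so it is inbound.
    if not is_internal_address(msg.sender, internal):
        return "inbound"
    # Outbound if at least one recipient has an external address.
    if any(not is_internal_address(r, internal) for r in msg.recipients):
        return "outbound"
    return "internal"


def apply_outbound_disclaimer(msg: Message, body: str, disclaimer: str,
                              internal_address: str, smtp_external_hosts: str = "") -> str:
    """Append the disclaimer text to outbound messages only."""
    if classify(msg, internal_address, smtp_external_hosts) == "outbound":
        return body + "\r\n" + disclaimer
    return body


# Constructed configuration values.
INTERNAL_ADDRESS = "example.test;example-corp.test"
EXTERNAL_HOSTS = "123.45.6.78;8.76.54.32"  # addresses from the guide's SMTP External Hosts example

if __name__ == "__main__":
    msg = Message("alice@example.test", ["bob@example.test", "carol@partner.test"], "10.0.0.5")
    print(classify(msg, INTERNAL_ADDRESS, EXTERNAL_HOSTS))  # outbound: one recipient is external
    print(apply_outbound_disclaimer(msg, "See attached.", "Company disclaimer.", INTERNAL_ADDRESS))
```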

Note:

Antigen for SMTP Gateways supports multiple SMTP disclaimers for outgoing e-mail messages. For more information about this feature, see Appendix F - Using multiple SMTP disclaimers.

Configuring the antivirus scanners and job action

After you configure the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings

1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens to the right.

2. Select the SMTP Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.

3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the SMTP Scan Job.

4. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Implementing multiple scan engines and setting bias modes.

5. Select the Action that you want Antigen for SMTP Gateways to perform when a virus is detected:

• Skip: detect only—Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

• Clean: repair document—Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the deletion text.

• Delete: remove infection—Delete the attachment without attempting to clean. The infected file is removed from the attachment and a text file is inserted in its place. By default, the text file contains the following string when viewed: "Microsoft Antigen for SMTP removed %File% since it was found to be infected with %Virus% virus."

6. Enable or disable e-mail notifications by using the Send Notifications box. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications. (For more information about configuring notifications, see Chapter 14 - Using e-mail notifications.) Notifications are disabled by default.

7. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, allowing you to recover them. However, worm-purged messages are not recoverable.

8. Click Save.

Controlling the SMTP Scan Job

After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the SMTP Scan Job.

To control the SMTP Scan Job

1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears to the right.

The top portion of the Run Job work pane contains a list of scan jobs. The list shows the current state of each scan job, and whether they are performing scanning or filtering operations.

2. Select the SMTP Scan Job.

3. If the State for the scan job is not set to Enabled, click the Enable button to enable the scan job.

4. Select or clear the check boxes that determine whether the scan job performs Virus Scanning, File Filtering, Content Filtering, Keyword Filtering, and Mailhost Filtering. If the Antigen Spam Manager is installed, you can also select or clear Spam Scanning. Any change to these settings is applied immediately, even if the scan job is currently running.

Checking results and status

The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

Note:

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text format.

About SMTP scan recovery

If the SMTP Scan Job takes longer than a specified amount of time to scan a message (by default 5 minutes, or 300,000 milliseconds), the process is terminated and Antigen for SMTP Gateways attempts to restart the service. If the restart succeeds, SMTP scanning resumes and a notification is sent to the administrator stating that the SMTP Scan Job stopped and recovered.

When the new Internet scan process starts, the message that caused it to terminate is reprocessed according to the Action set in the General Options setting Internet Scan Timeout Action. For example, if it is set to Delete, Antigen deletes the file, replaces its contents with the Deletion Text for the SMTP Scan Job, logs the information, and quarantines and archives the file. (For more information about General Options settings, see Chapter 4 - Antigen Administrator.)

If the process cannot be restarted, a notification is sent to the administrator stating that the SMTP Scan Job stopped. In this event, SMTP scanning does not function and the mail stream is not scanned.

If you continue to have time-out problems, you may try increasing the time specified in the InternetTimeout registry value. Because this is a hidden registry value, you will have to create a new DWORD registry value called InternetTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the SMTP and Antigen services for the change to take effect. For more information about registry values, see Appendix B - Setting registry keys.

Scanning nested compressed files

Deeply nested compressed files can slow the performance of Antigen for SMTP Gateways and the SMTP server. Deep nesting is also a known denial-of-service technique against antivirus products. To minimize the potential impact on server performance and guard against denial-of-service attacks, the General Options setting Max Nested Compressed Files is set to five (5) by default. This setting allows Antigen for SMTP Gateways to descend into five levels of nested compressed attachments to scan for viruses. Attachments nested more than five levels deep are marked for deletion.

You may change this setting as needed for your environments in the General Options work pane. For more information, see Chapter 4 - Antigen Administrator.
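The following is an added example, not Antigen code, showing the behaviour the Max Nested Compressed Files setting describes: an archive walker that descends through nested archives only up to a fixed depth and marks anything nested more deeply for deletion rather than unpacking it, so an attacker-supplied chain of archives cannot consume unbounded CPU and memory. The constant name, the function names and the sample archives are this example's own; the guide does not document how Antigen implements the check internally.

```python
"""Bounded-depth inspection of nested compressed attachments (added example, not Antigen code)."""
import io
import zipfile

# The guide's default for Max Nested Compressed Files; the constant name is this example's own.
MAX_NESTED_COMPRESSED_FILES = 5


def build_nested_zip(depth: int, payload: bytes = b"hello") -> bytes:
    """Construct test data: a zip nested `depth` levels deep around a small text payload."""
    data, name = payload, "payload.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level + 1}.zip"
    return data


def is_zip(data: bytes) -> bool:
    """Decide by the file header (PK\\x03\\x04), not by the file extension."""
    return data[:4] == b"PK\x03\x04"


def inspect(data: bytes, max_depth: int = MAX_NESTED_COMPRESSED_FILES, depth: int = 0) -> dict:
    """Walk nested archives and report what to do with the attachment.

    Returns {"action": "scan", "max_depth_reached": n} when every archive level could be
    opened within the limit (the content can then go to the virus scanners), or
    {"action": "delete", ...} when the nesting exceeds max_depth or an archive is
    corrupted, so the caller never unpacks an unbounded chain of archives.
    """
    if not is_zip(data):
        # Not an archive: nothing further to unpack at this level.
        return {"action": "scan", "max_depth_reached": depth}
    if depth >= max_depth:
        # This would be archive number max_depth + 1: refuse to open it and mark for deletion.
        return {"action": "delete", "max_depth_reached": depth, "reason": "nesting exceeds limit"}
    deepest = depth
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                result = inspect(zf.read(info), max_depth, depth + 1)
                if result["action"] == "delete":
                    return result
                deepest = max(deepest, result["max_depth_reached"])
    except zipfile.BadZipFile:
        # Mirrors the "Delete Corrupted Compressed" General Options choice mentioned later.
        return {"action": "delete", "max_depth_reached": depth, "reason": "corrupted archive"}
    return {"action": "scan", "max_depth_reached": deepest}


if __name__ == "__main__":
    print(inspect(build_nested_zip(5)))   # five levels: allowed
    print(inspect(build_nested_zip(6)))   # six levels: marked for deletion
```

Five nested archives are opened and the innermost payload is handed on for scanning; a sixth level is never opened and the attachment is marked for deletion, which is the trade-off the default of five makes between reaching hidden content and bounding the work an attachment can cause.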

Scanning files by type

By default, Antigen for SMTP Gateways is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Antigen for SMTP Gateways can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Antigen for SMTP Gateways performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Antigen for SMTP Gateways to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)

Chapter 7 - Using templates

When Antigen for SMTP Gateways is installed, it creates default templates for the various scan jobs, scan engines, and notifications. The scan jobs are configured to use the values in the default templates. Administrators can also create templates for file filter and content filter settings and additional scan job templates as needed. (These are called named templates.) Templates are useful for controlling the configuration of Antigen for SMTP Gateways on multiple servers from a central location, controlling the configuration of scan jobs and other functions at installation, and defining configuration settings for newly mounted storage groups.

The Template.adb file contains the following default templates:

• An Internet Scan Job template

• Notification templates for each of the default notifications

• Scanner update templates for each scan engine that is installed on the current system

To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates.

To view templates in the Antigen Administrator, click File, click Templates, and then click View Templates. This will cause the default and named templates to be displayed in the various work panes.

Note:

The settings for the scan jobs are contained in the file Scanjobs.adb. If the Scanjobs.adb file is not present when AntigenService starts, a new file is created based on the values in the Template.adb file. If the Template.adb file does not exist, a new file is created based on the values in the Scanjobs.adb file. If they both do not exist, new files are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.

Template uses

Templates are used for the following purposes:

• Controlling configuration settings of all Antigen for SMTP Gateways servers from a single location—After a Template.adb file is created, the Antigen Enterprise Manager can be used to copy and activate the template settings on multiple Antigen for SMTP Gateways servers throughout an organization. Templates can be deployed simultaneously to multiple Antigen for SMTP Gateways servers and the settings can be applied to currently running scan jobs without the need to stop or restart any services. (For more information about using the Antigen Enterprise Manager to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.)

• Controlling the configuration of scan jobs during remote installations—Use templates to configure your remote servers at the time Antigen for SMTP Gateways is installed.

Creating a named template

To use named templates, you must create them and associate them with scan jobs.

To create a named template

|1. Click File, click Templates, and then click New. The New Template dialog box appears. |

|2. Select the Type of template you would like to create (Internet or Filter Set). For more information about filter set |

|templates, see "Using filter set templates" in Chapter 9 - Using content filtering. For more information about the |

|different types, see Using named templates. |

|3. Give the template a Name, and then click OK. The new template is created and becomes a choice in the Job List in the |

|top pane and in the Template list in the bottom pane of the Template Settings work pane. |

|4. Select your new template in the Job List. If the templates are not visible, you can display them by clicking File, |

|selecting Templates, and then clicking View Templates. |

|Note: |

|If you have many templates, you may want to normally hide them to simplify the display. |

|5. Click the appropriate work pane to configure the template. For example, if you have created an SMTP template, select |

|Antivirus in the SETTINGS area of the Shuttle Navigator and configure the template as you would an SMTP Scan Job. Click |

|Save when you are done. |

|6. For a scan job to use a template, the template must be associated with that scan job: |

|a. Select Templates in the SETTINGS area of the Shuttle Navigator. |

|b. In the list in the top pane, select the scan job to associate with the template you have just created. For example, select the SMTP Scan Job. |

|c. In the lower work pane, select the desired template from the Template list. |

|d. Click Load From Template. |

|e. Click Save. The selected scan job’s settings will be reconfigured to those in the selected template. |

Note:

The new template can be distributed to remote servers using the Antigen Enterprise Manager. For more information about using the Antigen Enterprise Manager to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

Renaming or deleting a named template

You can rename or delete a named template. You cannot rename or delete a default template.

To rename or delete a named template

|1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates. |

|2. Select the template in the Job List. |

|3. Click File. |

|4. Select Templates. |

|5. Select Rename or Delete. If you choose Delete, you will be asked to confirm your choice. |

Modifying templates

There are times when you may want to make changes to a default template or a named template.

To modify a template

|1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates. |

|2. Select a work pane with the template to be modified (for example, Scan Job on the SETTINGS shuttle). |

|3. Select the template to be modified in the Job List. |

|4. Configure the template as desired, using the various work panes, clicking Save on each. |

Note:

If you make changes directly to a specific scan job (for example, the SMTP Scan Job), the templates associated with that scan job are not changed. It is important to remember that any custom filter updates must be made to the template to keep your settings in a consistent location. This is necessary in case you need to deploy the same template settings to another server.

Modifying default file scanner update templates

You can change the primary and secondary update path, change the updating schedule, and enable or disable automatic updates by using the scanner update templates.

To configure default file scanner update templates

|1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.|

|2. Select Scanner Updates from the SETTINGS shuttle. The Scanner Update Settings work pane appears. |

|3. Select the file scanner template that you want to update from the Job List. There should be one template for every |

|installed engine. |

|4. Change the primary and secondary Network Update Path, as desired. |

|5. Change the date, time, frequency, and repeat interval if desired. Enable or disable updating as needed. |

|6. Click Save. |

Note:

New templates can be deployed locally using AntigenStarter (for more information, see Deploying named templates) or to remote servers using the Antigen Enterprise Manager. For more information about using the Antigen Enterprise Manager to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. If you are using the Antigen Enterprise Manager to update Antigen for SMTP Gateways scan engines, you should disable scheduled updates in Antigen for SMTP Gateways.

Modifying notification templates

Default notification templates can be used to deploy notification settings to remote servers.

To configure notification templates

|1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.|

|2. Select Notification in the REPORT area of the Shuttle Navigator. |

|3. Select the notification template you would like to modify from the Job List. |

|4. Edit the template in the lower work pane or use the Enable and Disable buttons to change the state of the template. |

|5. Click Save. |

Note   You cannot create new notification templates. You must modify the default notification template to update notification settings.

Using named templates

Named templates can be used to create and manage multiple configurations in an Exchange environment. If you run different configurations on the servers in your environment, it is recommended that you configure each server to use a named template as the default for its configuration settings.

Named templates are created as described in Creating a named template. At the time of installation or upgrade, you can configure all of the named templates that you need for your environment. For example, if you have twenty servers divided into four groups of five, you can create named templates for each server group. These templates contain all of the configuration information for scan jobs, filtering, notifications, and scanner update paths. Each template will have the name of the group:

• SMTPTemplate1

• SMTPTemplate2

• SMTPTemplate3

• SMTPTemplate4

These names are similar for each scan job and filter set template.

Deploying templates during a remote installation

To have the Template.adb file distributed to all servers during a remote installation or upgrade, you must run the self-extracting file used to run the installation. You will be prompted for the path where the extracted files will be placed.

Copy the Template.adb file to the directory containing the extracted files. Finally, execute the Setup.exe file that was extracted to that directory. (For more information about remote installations, see "Manage Jobs" in the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. When you enter the location of the Setup.exe file for the deployment job in the Enterprise Manager, specify the directory containing the extracted file.)

The first time a named template is deployed to a server, it must be associated with a scan job on that server, otherwise, the default template is used. You can use the Antigen Administrator to connect to the computer and make the association. (For more information, see "Connecting to a remote server" in Chapter 4 - Antigen Administrator.)

After you are connected to the remote server, you can associate the template with the appropriate scan job by following the steps in Creating a named template.

After you have associated a named template with a scan job, the assigned template continues to be used when there are configuration changes. It is not necessary to associate the scan job again unless you want to switch the template being used.

Deploying named templates

Named templates can be deployed locally using AntigenStarter or to remote servers using the Antigen Enterprise Manager.

Individual templates can be associated with current scan jobs in the Antigen Administrator using the Load From Template button. The exception is filter list templates, which must be associated with a scan job using AntigenStarter. AntigenStarter.exe can be run from a command prompt directly on the server to activate any or all template settings on that server; its t parameter performs the activation.

The syntax of AntigenStarter is:

AntigenStarter t[c][f][l][n][p][s]

The t parameter instructs AntigenStarter to read all of the settings in the Template.adb file and apply them on the current server. All filter settings, notification settings, and scanner update paths can be updated. You must insert a space between AntigenStarter and the t parameter. However, there is no space between the t parameter and the options.

You can also deploy a subset of the filters by using one of the switches listed in the following table. The switches must be used in conjunction with the t parameter. Any combination of the following options allows a subset of the template settings to be applied:

|Switch |Description |
|c |Update the content filter settings for each scan job. |
|f |Update the file filter settings for each scan job. The file filter settings of each scan job on the server are updated with the file filter settings found in the associated template type. For example, the file filter settings for all SMTP Scan Jobs are updated with the file filter settings found in the SMTP Scan Job template. |
|l |Update the filter lists for each scan job. |
|n |Update the notification settings with the data in the associated templates. |
|p |Update the file scanner update path, proxy server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file scanner is updated from the file scanner template that matches the vendor of the file scanner. |
|s |Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all SMTP Scan Jobs are updated with the settings found in the SMTP Scan Job template. This includes all filters. |

Note:

Multiple switches should be listed without punctuation or spacing (for example, AntigenStarter tsfn).

Chapter 8 - Using file filtering

The Antigen for SMTP Gateways file filter feature provides the ability to search for attachments with a specific name, type, and size within an e-mail message. If the file filter finds a match, the file filter can be configured to perform actions on the attachment, such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within e-mail messages and other Outlook items, including Tasks and Schedules (such as meetings and appointments).

Mechanics of file filtering

File filtering can be configured to assess several aspects of an attached file: actual file type, file extension and name, and file size. By using these criteria, you can filter files in a variety of ways.

Filtering by file type

If you want to filter certain file types, you can create the filter * and set the File Types selection to the exact file type you want to filter.

For example: Create the filter * and set the File Types to MP3. This will ensure that all MP3 files are filtered, regardless of their file name or extension.

One advantage of setting a generic * filter and associating it with a certain file type (for example, EXEFILE) is that users cannot bypass the filter simply by changing the extension of a file, because the type is determined from the file header.

Notes:

If you want to filter Microsoft Office Excel® files, you will need to enter *.xls or * in the File Names box and then select both WINEXCEL1 and DOCFILE in the File Types list. Excel 1.x files are WINEXCEL1 file types but newer versions of Excel are DOCFILE file types.

For Microsoft Office 2007 documents (Word, Excel, and PowerPoint®), you should use the proper file extension in the File Names box, and then select OPENXML in the File Types list.
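The following is an added example, not Antigen code, illustrating the point made in this section and in "Scanning files by type": identifying an attachment by its header rather than its extension. A renamed executable still begins with the MZ signature, so a * filter tied to the EXEFILE type catches it where a *.exe* name filter would not. The type labels follow the names the guide uses (EXEFILE, DOCFILE, OPENXML, MP3); the signature table, the helper names and the sample bytes are constructed for this example and cover only a handful of formats, so they are not a description of Antigen's own type detection.

```python
"""Header-based attachment type identification (added example, not Antigen code)."""
import fnmatch
import io
import zipfile

# Constructed signature table: (offset, magic bytes, type label as the guide names it).
SIGNATURES = [
    (0, b"MZ", "EXEFILE"),                                  # DOS/Windows executable
    (0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "DOCFILE"),    # OLE2 structured storage (.doc/.xls/.ppt)
    (0, b"ID3", "MP3"),                                     # MP3 carrying an ID3v2 tag
    (0, b"PK\x03\x04", "ZIP"),                              # zip container; Open XML is zip-based
]


def _is_open_xml(data: bytes) -> bool:
    """An Open XML document is a zip that carries the mandatory [Content_Types].xml part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def identify(data: bytes) -> str:
    """Return a type label derived from the file header; 'UNKNOWN' if nothing matches."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if label == "ZIP" and _is_open_xml(data):
                return "OPENXML"
            return label
    # MPEG audio frame sync (11 set bits) for MP3 files that have no ID3 tag.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "MP3"
    return "UNKNOWN"


def matches_filter(filename: str, data: bytes, name_pattern: str, file_types) -> bool:
    """Apply a file filter the way the guide describes: the File Names pattern must match
    (case-insensitively) and, unless File Types is "All Types", the header-derived type
    must be one of the selected types."""
    if not fnmatch.fnmatchcase(filename.lower(), name_pattern.lower()):
        return False
    if file_types == "All Types":
        return True
    return identify(data) in file_types


# Constructed sample attachments: only the leading bytes matter for identification.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
SAMPLE_MP3 = b"ID3\x04\x00" + b"\x00" * 27


def sample_open_xml() -> bytes:
    """Constructed minimal Open XML container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # An executable renamed to .txt: the extension filter misses it, the type filter does not.
    print(matches_filter("report.txt", SAMPLE_EXE, "*.exe*", "All Types"))   # False
    print(matches_filter("report.txt", SAMPLE_EXE, "*", {"EXEFILE"}))        # True
```

The last two lines are the whole argument for the * plus EXEFILE pattern the guide recommends: the name-only filter is defeated by a rename, while the header check is not.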

Filtering by extension

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and then set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and then set the File Types selection to All Types. This will ensure that all files with an .exe extension are filtered.

Important:

When creating generic file filters to stop all of a certain type of file (for example, .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) prevents files with extra characters appended after the file extension from bypassing the filter.

Filtering by name

If you want to filter all files with a certain name, you can create a filter by using the file name and setting the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This will ensure that any file named payload.doc is filtered, regardless of the file type.

Detecting file attachments by name is also useful when there is a new virus outbreak and the administrator knows the name of the file where the virus resides before the virus scanners are updated to detect it. A perfect example of this is the Melissa worm. The worm resided in a file named List.doc and could have been detected if the administrator had used file filtering before the virus scanners could detect it.

Configuring the file filter

You can configure the file filter by file names, file types, or file sizes.

To configure the file filter

|1. Click FILTERING in the Shuttle Navigator. |

|2. Select the File icon. The File Filtering pane appears on the right. |

|3. In the upper work pane, select the scan job for which you would like to create the file filter. |

|4. To detect file attachments with a particular file name, add the file name to the File Names section of the work pane by clicking Add, typing the file name that you want to detect, and pressing ENTER. |
|Optionally, you can configure Antigen to filter files based on their size. To detect files by size, when typing the file name, append a comparison operator (=, >, <, >=, <=) followed by a size with a unit (KB, MB, or GB). For example: |
|*.bmp>=1.2MB all .bmp files larger than or equal to 1.2 megabytes |
|*.com>150KB all .com files larger than 150 kilobytes |
|*>5GB all files larger than 5 gigabytes |
|Note: |
|For additional buttons you can use when configuring file names, see About file names buttons. |

|5. Specify the list of File Types that can be associated with the selected File Name. You can select one or more File |

|Types from the list, or select All Types located below the list. If the File Type that you want to associate with the |

|selected File Name is not available in the list, then select All Types. (For a description of the file types listed in the|

|selection box, see Appendix E - File types overview.) |

|The All Types selection configures Antigen to filter based only on the file name and file extension. By selecting All |

|Types, Antigen will be configured to detect the selected file name regardless of the file type. This prevents users from |

|bypassing the filter simply by changing the extension of a file. |

|If you know the file type that you are searching for, Antigen will work more efficiently if you select the appropriate |

|file type rather than All Types. For example, if you want to filter all EXE files, you can create the filter * and then |

|set File Types to EXEFILE. |

|6. Ensure that the File Filter is set to Enabled. It is enabled by default. |

|7. Indicate the Action to take if there is a filter match. |

|8. Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Virus |

|Incidents log. In addition, you must also configure the notifications (see Chapter 14 - Using e-mail notifications). It is|

|disabled by default. |

|9. Indicate whether to Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes |

|deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged |

|messages are not recoverable. |

|10. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete |

|operation. The default deletion text informs you that an infected file was removed, along with the name of the file and |

|the name of the filter. To create your own custom message, click Deletion Text. |

|Note: |

|Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the |

|infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros. |

|11. Click Save. |

You can also create a filter list that contains multiple file filters. After you have created the list, the steps for configuring the filter list are the same as in the preceding procedure, except you must select the filter list rather than a filter name.

To create a file filter list

|1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator. |

|2. In the List Types section, select Files. |

|3. In the List Names section, click Add. |

|4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section. |

|5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use the dialog box to add file |

|filters to the list. |

|6. In the Include In Filter section, click Add. |

|7. Type the file names to be included in the filter list. Press ENTER when you have finished typing. You can have as many |

|file names as you want, but each must be entered separately. |

|The Exclude from Filter field is used to enter file names that should never be included on the relevant list. This |

|prevents these entries from accidentally being added when importing a list from a text file. For more information on |

|importing files, see "Importing new items into a filter list" and "Exporting sender-domains filters, file filters, and |

|subject line filters" in Chapter 9 - Using content filtering. |

|8. When you are finished adding items, click OK. The file names you just entered appear, alphabetically, in the pane next |

|to List Names. |

|9. Click Save. |

Note:

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Action

Choose the action that you want Antigen for SMTP Gateways to perform when a file filter is matched.

Note:

You must set the action for each file filter that you configure. The Action setting is not global.

|Action |Description |
|Skip: Detect Only |Records the number of messages that meet the filter criteria, but allows messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions causes the item to be deleted. |
|Delete: Remove Contents |Deletes the file attachment. The detected file attachment is removed from the message and a text file is inserted in its place. The text file contains the string that was configured using the Deletion Text button. Delete: Remove Contents is the default value. |
|Purge: Eliminate Message |Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue. |
| |Note   If the Quarantine Files box is selected, however, purged messages are quarantined and can then be recovered from the quarantine database. |
|Identify: Tag message |The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking the Tag Text button on the Scan Job Settings work pane and then modifying the text. The same tag, however, will be used for all filters associated with the particular scan job. |

About file names buttons

The following buttons below the File Names section let you edit or delete a file name from the list. You can also change the order in which file names are filtered.

|Button |Description |
|Edit |Enables you to edit an existing file name in the File Names section. Select the file name that you want to edit, and then click Edit. A dialog box appears that enables you to edit the selected file name. After you have completed making the necessary edits, click Save to submit or Cancel to undo. |
|Delete |Enables you to remove a file name from the File Names section. Select the file name that you want to delete, click Delete, and then click Save. |
|[Up Arrow], [Down Arrow] |Enables you to change the order in which file names are filtered. In the lower pane, select the file name that you want to reorder, and then click the UP ARROW or DOWN ARROW buttons (on the same line with File Names) to change the ranking to your preference. |

Matching patterns in the file name with wildcard characters

Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following to refine your filters.

|Wildcard character |Description |
|* |Matches any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage: |
| |• Single—Any of these single wildcard character patterns detects veryevil.doc: veryevil.*, very*.doc, very*, *il.doc |
| |• Multiple—Any of these multiple wildcard character patterns detects eicar.com: e*c*r*om, ei*.*, *car.* |
| |Note   Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.* matches multiple extensions. |
|? |Matches any single character in a name where a single character may change. For example: virus?.exe finds virusa.exe, virus1.exe, or virus$.exe. However, this filter does not catch virus.exe. |
|[set] |A list of characters and ranges enclosed in square brackets, for example [abcdef]. Any single character in the specified set is matched. For example: klez[a-h].exe finds kleza.exe through klezh.exe. |
|[^set] |Excludes characters that you know are not used in the file name. For example: klez[^m-z].exe does not find klezm.exe through klezz.exe. |
|[range] |Indicates several possible values in a set. A range is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp].exe matches kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe. |
|\char |Indicates that a special character is used literally. (The special characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character should be taken literally, as a text character. For example: If you enter *hello*, you would typically expect to match hello anywhere in the file name. If you enter *\*hello\**, you match *hello*. If you enter *\*hello\?\**, you match *hello?*. |
| |Note   You must use a backslash before each special character. |
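The following is an added example, not Antigen code, that implements the wildcard rules in the table above (*, ?, [set], [^set], [range], \char escapes, case-insensitive matching) together with the size suffixes described in step 4 of "Configuring the file filter" (for example *.bmp>=1.2MB), and uses them to show why the Important note under "Filtering by extension" recommends *.exe* over *.exe. The class and function names are this example's own, and how Antigen tokenizes a filter entry internally is not documented on the page; the semantics coded here are only those the guide states.

```python
"""File filter entries: wildcard name pattern plus optional size clause (added example, not Antigen code)."""
import operator
import re

# Characters the guide lists as reserved; a backslash before any of them makes it literal.
SPECIALS = set("*?[]-^<>")

UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}
# A size clause sits at the very end of the entry: operator, number, unit.
# The lookbehind keeps an escaped "\<" or "\>" from being read as an operator.
SIZE_CLAUSE = re.compile(r"(?<!\\)(>=|<=|=|>|<)(\d+(?:\.\d+)?)(KB|MB|GB)\Z", re.IGNORECASE)


def glob_to_regex(pattern: str) -> str:
    """Translate the guide's wildcard syntax into a regular expression fragment."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n and pattern[i + 1] in SPECIALS:
            out.append(re.escape(pattern[i + 1]))       # \char: the special character, literally
            i += 2
            continue
        if c == "*":
            out.append(".*")                            # any number of characters
        elif c == "?":
            out.append(".")                             # exactly one character
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError(f"unterminated character set in {pattern!r}")
            body = pattern[i + 1:j]
            negate = body.startswith("^")               # [^set] excludes the listed characters
            if negate:
                body = body[1:]
            # Keep "-" unescaped so a-h style ranges survive; escape everything else.
            body_re = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            out.append("[" + ("^" if negate else "") + body_re + "]")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))                    # ordinary character
        i += 1
    return "".join(out)


class FileFilter:
    """One File Names entry: a name pattern and, optionally, a size comparison."""

    def __init__(self, spec: str):
        m = SIZE_CLAUSE.search(spec)
        if m:
            self.size_op = OPS[m.group(1)]
            self.size_bytes = int(float(m.group(2)) * UNITS[m.group(3).upper()])
            spec = spec[:m.start()]
        else:
            self.size_op, self.size_bytes = None, None
        self.pattern = spec
        # Anchor both ends and ignore case, as the guide says filter matching does.
        self.regex = re.compile(glob_to_regex(spec) + r"\Z", re.IGNORECASE)

    def matches(self, filename: str, size: int = 0) -> bool:
        """True when the whole name matches and any size clause holds for `size` bytes."""
        if not self.regex.match(filename):
            return False
        if self.size_op is None:
            return True
        return self.size_op(size, self.size_bytes)


def first_match(filters, filename: str, size: int = 0):
    """Return the pattern of the first matching entry in list order, or None.
    Entries are ordered (see the Up/Down arrow buttons), so order decides which action applies."""
    for f in filters:
        if f.matches(filename, size):
            return f.pattern
    return None


if __name__ == "__main__":
    print(FileFilter("*.exe").matches("setup.exe.txt"))    # False: trailing characters slip past
    print(FileFilter("*.exe*").matches("setup.exe.txt"))   # True: the second asterisk closes the gap
```

Everything the matcher does is anchored: *.exe must match the whole name, which is exactly why setup.exe.txt escapes it and why the guide's *.exe* form is the safer default for blocking a whole class of file by extension.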

Using directional file filters

When using the file filter in conjunction with the SMTP Scan Job, it is possible to configure a filter so that it checks only inbound or outbound messages. This is accomplished by adding a prefix to the file name when you enter it in the File Names work pane.

(For information about the inbound, outbound, and internal designations, see Chapter 6 - Configuring SMTP Scan Jobs.)

Note:

There are no spaces between the prefix and the file name.

The options are:

• Inbound Filtering—Adding the <in> directive as a prefix to the file name instructs Antigen for SMTP Gateways to apply this filter only to inbound messages. For example: <in>filename

• Outbound Filtering—Adding the <out> directive as a prefix to the file name instructs Antigen for SMTP Gateways to apply this filter only to outbound messages. For example: <out>filename

• Inbound, Outbound, and Internal Filtering—If no prefix is added to the file name, the filter is applied to all messages, regardless of direction. For example: filename

About filtering container files

Container files can be broadly described as complex files that can be divided into various parts. Antigen for SMTP Gateways can scan the following container files for filter matches:

• PKZip (.zip)

• GNU Zip (.gzip)

• Self-extracting .zip archives (.exe)

• Zip files (.zip)

• Java archive (.jar)

• TNEF (Winmail.dat)

• Structured storage (for example, .doc, .xls, or .ppt)

• Open XML (for example, .docx, .xlsx, or .pptx)

• MIME (.eml)

• SMIME (.eml)

• UUEncode (.uue)

• UNIX tape archive (.tar)

• RAR archive (.rar)

• MACBinary (.bin)

Antigen for SMTP Gateways scans all parts of the container file and repacks the file as necessary. For example, if you configure a file filter to delete all .exe files, Antigen for SMTP Gateways deletes .exe files inside container files (replacing them with the deletion text) but leaves all other files in the container intact.

Note:

Antigen for SMTP Gateways cannot scan password-protected or encrypted files. It does not decrypt such files, but it still passes them, in their entirety and in encrypted form, to the antivirus scanners. Because the file filter cannot see inside an encrypted archive, a blocked file type hidden in one is not matched by name or type; if you need to stop such attachments, use the Delete Encrypted Compressed Files setting in General Options (see the description of the Skip: Detect Only action in Chapter 9 - Using content filtering).
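The walk-and-repack behaviour described above, as an added example that is not the product's code or anything from this guide: a Python routine that descends into a zip (including nested zips), replaces members whose name matches a blocked pattern with deletion text, repacks everything else unchanged, and returns an encrypted archive untouched because its members cannot be inspected. The deletion text, the .txt renaming of a removed member, fnmatch standing in for the product's wildcard matcher, the nesting-depth guard and the sample archive are all constructed for this example.

```python
import fnmatch
import io
import zipfile

# Constructed for this example: text written in place of a removed member.
# The real deletion text is configured in the product.
DELETION_TEXT = b"File removed by file filter."


def name_matches(name: str, blocked) -> bool:
    """Case-insensitive match of a member's base name against patterns such as
    *.exe. fnmatch stands in for the product's own wildcard matcher."""
    base = name.rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(base, p.lower()) for p in blocked)


def is_encrypted(zf: zipfile.ZipFile) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted member."""
    return any(info.flag_bits & 0x1 for info in zf.infolist())


def filter_zip(data: bytes, blocked, prefix: str = "", depth: int = 0, max_depth: int = 8):
    """Walk a zip, recurse into nested zips, replace blocked members with the
    deletion text and repack everything else unchanged.

    Returns (repacked_bytes, removed_member_paths, passed_through_encrypted).
    An encrypted archive cannot be inspected, so it is returned as received,
    which is what the guide says happens before the antivirus scan.
    """
    removed = []
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        if is_encrypted(src):
            return data, removed, True
        if depth >= max_depth:
            # Depth guard (example choice) against deeply nested archives.
            return data, removed, False
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.is_dir():
                    dst.writestr(info, b"")
                    continue
                payload = src.read(info)
                path = prefix + info.filename
                if name_matches(info.filename, blocked):
                    removed.append(path)
                    # Replace the member with the deletion text; the .txt
                    # rename is this example's choice, not the product's.
                    dst.writestr(info.filename + ".txt", DELETION_TEXT)
                elif zipfile.is_zipfile(io.BytesIO(payload)):
                    inner, inner_removed, _ = filter_zip(
                        payload, blocked, path + "/", depth + 1, max_depth)
                    removed.extend(inner_removed)
                    dst.writestr(info.filename, inner)
                else:
                    dst.writestr(info, payload)
    return out.getvalue(), removed, False


def build_sample() -> bytes:
    """Constructed sample: an outer zip holding a document placeholder, an
    executable and a nested zip that itself holds an executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tool.exe", b"MZ not a real program, just sample bytes")
        z.writestr("notes.txt", b"plain text notes for the tool")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.docx", b"document placeholder bytes")
        z.writestr("payload.exe", b"MZ not a real program, just sample bytes")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def list_members(data: bytes) -> dict:
    """Flatten a (possibly nested) zip into {path: bytes} for inspection."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            payload = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                for sub, blob in list_members(payload).items():
                    result[info.filename + "/" + sub] = blob
            else:
                result[info.filename] = payload
    return result


if __name__ == "__main__":
    repacked, removed, encrypted = filter_zip(build_sample(), ["*.exe"])
    print("removed:", removed, "encrypted:", encrypted)
    for path, blob in list_members(repacked).items():
        print(f"{path}: {blob[:32]!r}")
```

The sample deliberately uses a non-zip placeholder for the .docx: a real Open XML document is itself a zip, and the guide notes that the product treats OPENXML files separately from its ZIP container settings, which this generic walker does not.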

Excluding the contents of a container file from file filtering

To exclude the contents of a .zip (container) file from being scanned for filter matches, add the name of the .zip file to the file filter list and set its action to Skip. The position of the filter in the list does not matter: if the name of the .zip file is in the file filter list with its action set to Skip, file filters are not applied to the contents of that container. The file is still scanned for viruses. To skip all .zip files, create the filter *.zip and set its action to Skip.

Notes:

By default, this behaviour applies only to .zip and .jar files. To extend it to other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and self-extracting .zip archives), create the SkipFileFilterWithinCompressedInternet DWORD registry value and set it to 1, which disables file filtering within those archive types. (For the location of this registry key, see Appendix B - Setting registry keys.)

OPENXML files (for example, Office 2007 files) are ZIP container files, but they are not affected by the ZIP container settings.

Using file filtering to block most file types

You can use file filters to block some file types and permit others. In this example, the only files permitted through are Microsoft Office files: together, the filters block every file attachment on messages entering your organization from the Internet, with the exception of Office documents. Two file filters are required for this to work properly.

Note:

Create the file filter that permits Office documents first, because the filters are applied in order, from top to bottom. If the block-all filter comes first, it matches every attachment and the Office filter is never reached.

To create a file filter that permits Office documents

1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right.

2. Create a new filter by following these steps:

a. Click Add.

b. Type * as the file name, prefixed with the inbound directive described in Using directional file filters so that the filter applies only to inbound messages, and then press ENTER.

c. Clear All Types in the File Types section, and then click Yes to confirm.

d. Select the DOCFILE, OPENXML, and TNEFFILE file types. (TNEFFILE is required because it is the wrapper around file attachments for internal mail.)

e. Set the Action parameter to Skip: detect only.

f. Clear the Quarantine Files check box.

g. Click Save.

To create a file filter that blocks all types of files

1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right.

2. Create a new filter by following these steps:

a. Click Add.

b. Type * as the file name, with the same inbound directive prefix, and then press ENTER.

c. Ensure that All Types is selected in the File Types section.

d. Set the action to Block or Purge, as desired.

e. Select Quarantine Files.

f. Select Send Notifications.

g. Click Save.

Notes:

The Skip: detect only action in the first filter generates an Incident log entry for almost every attachment that is received.

If you want these filters to apply to all e-mail messages and not solely to inbound messages, remove the inbound directive prefix from the file name in each of the filters.
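The ordering rule in the note above, as an added example that is not part of the original guide or the product: a Python model of how a top-to-bottom file-filter list with type restrictions and a direction prefix decides each attachment. The data types, the "first matching filter wins" rule (drawn from the guide's ordering note), the direction values and the use of fnmatch as a stand-in for the product's wildcard matcher are assumptions made for the illustration; the attachments are constructed.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class FileFilter:
    """One row of the File Filtering work pane (example model, not the
    product's data structure)."""
    name: str                         # file-name pattern typed in File Names
    action: str                       # "skip", "block" or "purge"
    types: frozenset = frozenset()    # empty means All Types
    direction: str = "any"            # "in", "out" or "any" (directional prefix)


@dataclass(frozen=True)
class Attachment:
    name: str
    file_type: str    # as the type detector reports it, e.g. "OPENXML"
    direction: str    # "in" or "out", from the scan job


def matches(flt: FileFilter, att: Attachment) -> bool:
    if flt.direction != "any" and flt.direction != att.direction:
        return False
    if flt.types and att.file_type not in flt.types:
        return False
    # fnmatch is a stand-in for the product's wildcard syntax; the patterns
    # in this policy only use "*", on which the two agree.
    return fnmatch.fnmatchcase(att.name.lower(), flt.name.lower())


def decide(filters, att: Attachment) -> str:
    """Evaluate filters top to bottom; the first match decides (assumption
    drawn from the guide's ordering note). Skip delivers the attachment but
    still counts as an incident."""
    for flt in filters:
        if matches(flt, att):
            return "deliver" if flt.action == "skip" else flt.action
    return "deliver"


def office_only_policy():
    """The two inbound filters from the procedure, in the required order."""
    allow_office = FileFilter("*", "skip", frozenset({"DOCFILE", "OPENXML", "TNEFFILE"}), "in")
    block_rest = FileFilter("*", "block", frozenset(), "in")
    return [allow_office, block_rest]


def evaluate(filters, attachments):
    """Map (name, direction) to the verdict for each attachment."""
    return {(a.name, a.direction): decide(filters, a) for a in attachments}


# Constructed attachments covering the permitted types, a blocked type and
# an outbound message that the inbound-only filters must leave alone.
SAMPLE = [
    Attachment("report.docx", "OPENXML", "in"),
    Attachment("budget.xls", "DOCFILE", "in"),
    Attachment("winmail.dat", "TNEFFILE", "in"),
    Attachment("setup.exe", "EXE", "in"),
    Attachment("photo.jpg", "JPEG", "in"),
    Attachment("setup.exe", "EXE", "out"),
]

if __name__ == "__main__":
    for key, verdict in evaluate(office_only_policy(), SAMPLE).items():
        print(key, "->", verdict)
    print("reversed order:", evaluate(list(reversed(office_only_policy())), SAMPLE))
```

Running the policy in reverse order shows the failure the note warns about: the block-all filter matches the .docx first and the Office filter never gets a chance to pass it.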

Using filter set templates

Filter set templates can be created for use with any scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs. For information about creating and configuring filter set templates, see "Using filter set templates" in Chapter 9 - Using content filtering.

About international character sets

Support for file filtering by name in Antigen for SMTP Gateways extends beyond the English character set. For example, messages with an attachment that includes Japanese characters, words, or phrases are handled in the same manner as are messages with attachments that have only English character sets.

About statistics logging

The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and therefore cause the messages to which they are attached to be purged. These counters can also be found in the Performance Monitor utility.

Chapter 9 - Using content filtering

Content filtering provides another tool to help manage the flow of messages entering and exiting your enterprise mail stream. Content filtering enables you to filter messages using a variety of filtering tools. These include:

• Sender-domains filtering.

• Subject line filtering.

• Filter set templates, which simplify the creation and management of file and content filters on all scan jobs.

You can disable inbound or outbound content filtering for the Internet Scan Job with these registry values:

• DisableOutboundContentFiltering

• DisableInboundContentFiltering

Both values are 0 by default, meaning that neither key is enabled and content filtering runs in both directions. To enable a key, set its value to 1; content filtering is then turned off for that direction. After changing these settings, the SMTP and Antigen services must be restarted (recycled) for the changes to take effect. (For more information about Antigen registry settings, see Appendix B - Setting registry keys.)

Configuring sender-domains filtering

Sender-domains filtering lets you filter messages from particular senders or domains. Wildcard characters can be used, so that a filter of the form *@ followed by a domain name matches all mail from that domain.

Note:

Sender-domains filtering applies only to the From field in a message. It cannot be used for the To field.

To configure sender-domains filtering

1. Click FILTERING in the Shuttle Navigator.

2. Select the Content icon. The Content Filtering work pane appears to the right.

3. In the upper work pane, select the scan job for which you would like to create a content filter.

4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane.

5. A text box appears. Type the sender or domain that you would like to filter. For a generic domain filter, you must put an * (wildcard character) before the domain name. For example:

• Generic domain: *@ followed by the domain name

• Specific sender: someone@ followed by the domain name

6. Press ENTER after you have typed the sender or domain. You can add as many entries as you want, but each must be entered separately.

7. Enable the filter with the Filter field.

8. Indicate the Action to take if there is a filter match.

9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (under REPORT in the Shuttle Navigator) are sent a notification that a message was filtered. You must also configure the notifications themselves. (For details, see Chapter 14 - Using e-mail notifications.)

10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, allowing you to recover them. However, worm-purged messages are not recoverable.

11. Click Save.

Notes:

The SMTP Scan Job matches sender-domains filters against the display name of the sender. Only if there is no display name in the header does it fall back to matching the e-mail address. Bear this in mind when writing entries: an entry in address form (*@ followed by a domain) is compared against the display name whenever the From header carries one, and a sender chooses its own display name, so add entries covering the display names you expect and do not treat this filter as your only control for a sender you need to block.

You can also create a filter list that contains multiple sender-domains. For more information, see Creating content filter lists.

You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.

Configuring subject line filtering

Subject line filtering lets you filter messages based on the content of the subject line of the message. Wildcard characters can be used.

To configure subject line filtering

1. Click FILTERING in the Shuttle Navigator.

2. Select the Content icon. The Content Filtering work pane appears to the right.

3. In the upper work pane, select the scan job for which you would like to create a content filter.

4. Select Subject Lines in the Content Fields pane in the lower-left corner, and then click the Add button in the Content Filters pane.

5. A text box appears. Type the content that you would like to filter.

6. Press ENTER after you have typed the content. You can add as many entries as you want, but each must be entered separately.

7. Enable the filter with the Filter field.

8. Indicate the Action to take if there is a filter match.

9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (under REPORT in the Shuttle Navigator) are sent a notification that a message was filtered. You must also configure the notifications themselves. (For details, see Chapter 14 - Using e-mail notifications.)

10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, allowing you to recover them. However, worm-purged messages are not recoverable.

11. Click Save.

Notes:

You can also create a filter list that contains multiple subject lines. For more information, see Creating content filter lists.

If you are entering a partial subject line as a filter, use asterisk wildcard characters (*) at the beginning and the end of the phrase to ensure proper detection. For example:

• The filter "get rich quick" matches only messages whose subject line consists solely of the target phrase.

• The filter "* get rich quick" matches messages whose subject line ends with the target phrase.

• The filter "* get rich quick *" matches messages that contain the target phrase anywhere in the subject line.

You can use the following syntax to refine your filters.

|Syntax |Description |

|* |Matches any number of characters in a subject line (or file name). You can use multiple asterisks. Examples of its usage: Single: any of these single-wildcard patterns detects veryevil: veryevil*, very*, *il. Multiple: any of these multiple-wildcard patterns detects veryevil: V*r*v*l, *very*, *evil* |

|? |Matches any single character. This is useful because many spammers insert extra characters between letters to evade filters. For example, you can catch C-O-N-T-E-S-T with the filter: C?O?N?T?E?S?T |

|[set] |A list of characters and ranges, enclosed in square brackets, for example [abcdef]. Any single character in the specified set is matched. For example, the set is useful for creating a single rule to match when the number zero (0) is used instead of the letter o: Ozone and oz0ne can both be filtered using oz[o0]ne |

|[^set] |Matches any single character that is not in the set. Use it to exclude characters that you know are not used. |

|range |Indicates several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example, klez[ad-gp] matches kleza, klezd, kleze, klezf, klezg, and klezp but not klezb or klezr. |

|\char |Indicates that a special character is to be matched literally (the special characters are: * ? [ ] - ^ < >). The backslash is called an escape character, and indicates that a reserved control character should be taken literally, as a text character. For example, if you enter *hello*, you normally expect to match hello anywhere in the subject line. If you enter *\*hello\**, you match *hello*. If you enter *\*hello\?\**, you match *hello?*. |

Note:

You must use a backslash before each special character that you want matched literally.
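The wildcard syntax in the table above, together with the display-name rule in the sender-domains note earlier in this chapter, as an added example (not code from the guide or from the product): a Python compiler for the documented pattern syntax, applied to subject lines and to the value a sender-domains filter is compared against. Case-insensitive matching is an assumption drawn from the table's own examples (V*r*v*l detecting veryevil, oz[o0]ne detecting Ozone); treating spaces and unescaped < and > as ordinary literal characters in subject patterns is likewise an assumption. The subjects and From headers are constructed.

```python
import re
from email.utils import parseaddr


def pattern_to_regex(pattern: str) -> re.Pattern:
    r"""Compile the guide's wildcard syntax into a regular expression.

    * matches any run of characters, ? one character, [set] / [^set] a
    character class with a-z style ranges, and \char the character itself.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:          # \char: next character is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                raise ValueError(f"unterminated [set] in pattern {pattern!r}")
            body = pattern[i + 1:j]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            parts, k = [], 0
            while k < len(body):
                if k + 2 < len(body) and body[k + 1] == "-":   # a-z style range
                    parts.append(re.escape(body[k]) + "-" + re.escape(body[k + 2]))
                    k += 3
                else:
                    parts.append(re.escape(body[k]))
                    k += 1
            out.append("[" + ("^" if negate else "") + "".join(parts) + "]")
            i = j + 1
        else:                                 # everything else, spaces included, is literal
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def filter_matches(pattern: str, text: str) -> bool:
    """A filter matches when the pattern covers the whole text, which is why
    a partial phrase needs * at both ends to be found mid-subject."""
    return pattern_to_regex(pattern).fullmatch(text) is not None


def sender_key(from_header: str) -> str:
    """The value a sender-domains filter is compared against, following the
    guide's note: the display name when present, otherwise the address."""
    display, address = parseaddr(from_header)
    return display or address


def sender_filtered(entries, from_header: str) -> bool:
    key = sender_key(from_header)
    return any(filter_matches(e, key) for e in entries)


if __name__ == "__main__":
    for pat in ("get rich quick", "* get rich quick", "* get rich quick *", "*get rich quick*"):
        hits = [s for s in ("get rich quick", "How to get rich quick", "How to get rich quick now")
                if filter_matches(pat, s)]
        print(f"{pat!r:24} -> {hits}")
    for hdr in ("alice@example.com", "Alice Smith <alice@example.com>"):
        print(hdr, "->", sender_filtered(["*@example.com"], hdr))
```

Two results worth noticing: with literal spaces, "* get rich quick *" does not match a subject that is exactly the phrase, whereas "*get rich quick*" matches every variant; and an address-form sender entry misses a From header that carries a display name, exactly as the sender-domains note implies.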

Action

You also need to select the action that Antigen for SMTP Gateways should take upon detecting a match to your filter criteria.

Note:

You must set the action for each filter you configure. The action setting is not global.

|Action |Description |

|Skip: Detect Only |Records the number of messages that meet the filter criteria, but allows the messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted. |

|Purge: Eliminate Message |Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue. |

|Identify: Tag message |The subject line or message header of the detected message is tagged with a customizable word or phrase. The tag can be changed for each scan job by clicking Tag Text on the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with that scan job. |

Creating content filter lists

You can create a content filter list that contains multiple content filters (sender-domains or subject lines). After you have created the list, the steps for configuring the filter are the same as in the preceding procedures, except that you select the filter list rather than an individual filter entry.

To create a content filter list

1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator.

2. In the List Types section, select Subject Lines or Sender-Domains.

3. In the List Names section, click Add.

4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to add items to the list.

6. In the Include In Filter section, click Add.

7. Type the data to be included in the filter list. The type of data that you add depends on the type of filter list that you selected: for Subject Lines, add text that might appear in the subject line of a message; for Sender-Domains, add specific senders or generalized domains. Press ENTER when you have finished typing. You can have as many words or phrases as you want, but each must be entered separately.

The Exclude from Filter field is used to enter data that should never be included on the relevant list. This prevents these entries from being accidentally added when importing a list from a text file. For more information on importing files, see Importing new items into a filter list.

8. When you are finished adding items, click OK. The information that you just entered appears, alphabetically, in the pane next to List Names.

9. Click Save.

Note:

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Importing new items into a filter list

Filter lists can be created offline in Notepad or in a similar text editor, and then imported into the appropriate filter list by using the Antigen Administrator.

To create and import entries into a filter list

1. Create a list and save it as a text file. Place each filter on its own line in the file.

2. Open the Antigen Administrator and click Filter Lists in the FILTERING area of the Shuttle Navigator.

3. Select the filter list into which you will be importing data.

4. Click the Edit button. The Edit Filter List dialog box appears.

5. Click the Import button. A File Explorer window opens so that you can navigate to the text file that you created in step 1.

6. Select the file and click Open.

7. The file is imported into the middle pane of the Import List editor so that you can select the entries that you would like to include in your filter list.
