
Symantec Mail Security for Microsoft Exchange Implementation Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 5.0.3

Legal Notice
Copyright © 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec Logo, and Symantec AntiVirus Corporate Edition are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Windows is a trademark of Microsoft Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
USA
www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: http://www.symantec.com/techsupp/enterprise/ Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you use.

Contacting Technical Support


Customers with a current maintenance agreement may access Technical Support information at the following URL: http://www.symantec.com/techsupp/enterprise/ Select your region or language under Global Support. Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: http://www.symantec.com/techsupp/enterprise/ Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service
Customer service information is available at the following URL: http://www.symantec.com/techsupp/enterprise/ Select your country or language under Global Support. Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources


If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional enterprise services


Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Additional services that are available include the following:

- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: These services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise Services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.

Symantec Software License Agreement
Symantec Mail Security for Microsoft Exchange

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE "I DO NOT AGREE", "NO" BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License:
The software which accompanies this license (collectively the "Software") is the property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, you will have certain rights to use the Software after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to you. Except as may be modified by a Symantec license certificate, license coupon, or license key (each a "License Module") which accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this Software are as follows:

You may:
A. use that number of copies of the Software as have been licensed to you by Symantec under a License Module, provided that if the Software is part of a suite of Symantec software licensed to you, the number of copies you may use of all titles of the software in the suite, including the Software, may not exceed the total number of copies so indicated in the License Module in the aggregate, as calculated by any combination of licensed suite products. Your License Module shall constitute proof of your right to make such copies. If no License Module accompanies, precedes, or follows this license, you may make one copy of the Software you are authorized to use on a single computer.
B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of your computer and retain the original for archival purposes;
C. use the Software on a network, provided that you have a licensed copy of the Software for each computer that can access the Software over that network; and
D. after written notice to Symantec, transfer the Software on a permanent basis to another person or entity, provided that you retain no copies of the Software and the transferee agrees to the terms of this license.

You may not:
A. copy the printed documentation which accompanies the Software;
B. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;
C. use a previous version or copy of the Software after you have received a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed;
D. use a later version of the Software than is provided herewith unless you have purchased upgrade insurance or have otherwise separately acquired the right to use such later version;
E. use, if you received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which you have not received a permission in a License Module; or
F. use the Software in any manner not authorized by this license.

2. Content Updates:
Certain Symantec software products utilize content that is updated from time to time (antivirus products utilize updated virus definitions; content filtering products utilize updated URL lists; firewall products utilize updated firewall rules; vulnerability assessment products utilize updated vulnerability data, etc.; collectively, these are referred to as "Content Updates"). You may obtain Content Updates for any period for which you have purchased upgrade insurance for the product, entered into a maintenance agreement that includes Content Updates, or otherwise separately acquired the right to obtain Content Updates. This license does not otherwise permit you to obtain and use Content Updates.

3. Limited Warranty:
Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to you. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Software. Symantec does not warrant that the Software will meet your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.

4. Disclaimer of Damages:
REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether you accept the Software.

5. U.S. Government Restricted Rights:
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items", as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation", as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

6. General:
This Agreement will be governed by the laws of the State of California. This Agreement may only be modified by a License Module which accompanies this license or by a written document which has been signed by both you and Symantec. Should you have any questions concerning this Agreement, or if you desire to contact Symantec for any reason, please write: Symantec Customer Service, 555 International Way, Springfield, OR 97477.

Contents

Technical Support

Chapter 1  Introducing Symantec Mail Security for Microsoft Exchange
  About Symantec Mail Security for Microsoft Exchange ..... 15
  What's new in Symantec Mail Security ..... 16
  Components of Symantec Mail Security ..... 18
  How Symantec Mail Security works ..... 20
  What you can do with Symantec Mail Security ..... 20
    Manage your Exchange environment using policies ..... 21
    Scan your Exchange server for risks and violations ..... 22
    Protect against threats ..... 22
    Keep your protection up-to-date ..... 22
    Identify spam email ..... 23
    Filter undesirable message content ..... 24
    Save messages to a folder for archiving ..... 24
    Manage outbreaks ..... 25
    Quarantine infected message bodies and attachments ..... 25
    Monitor Symantec Mail Security events ..... 26
    Generate reports ..... 26
    Send notifications when a threat or violation is detected ..... 27
    Manage single and multiple Exchange servers ..... 27
  Where to get more information about Symantec Mail Security ..... 27

Chapter 2  Installing Symantec Mail Security for Microsoft Exchange
  Before you install ..... 29
    Software component locations ..... 30
    About security and access permissions ..... 32
  System requirements ..... 33
    Server system requirements ..... 33
    Console only system requirements ..... 34
  About installing Symantec Mail Security ..... 34
    Installing Symantec Mail Security on a local server ..... 35
    About installing Symantec Mail Security on remote servers ..... 40
    Installing the Symantec Mail Security console only ..... 43
    About installing Symantec Mail Security in a Microsoft Cluster ..... 45
  Post-installation tasks ..... 50
    About setting up impersonation privileges on the IWAM account ..... 51
    Restarting the IIS ..... 51
    Implementing SSL communications ..... 51
    Accessing the Symantec Mail Security console ..... 52
    About using Symantec Mail Security with other antivirus products ..... 57
    Setting scanning threads and number of scan processes ..... 58
  Migrating to version 5.0.3 ..... 59
  Uninstalling Symantec Mail Security ..... 60

Chapter 3  Activating licenses
  About licensing ..... 63
  How to activate a license ..... 64
    If you do not have a serial number ..... 65
    Obtaining a license file ..... 65
    About the Symantec Premium AntiSpam license file ..... 67
    Installing license files ..... 68
    Checking the license status of a server ..... 69
  If you want to renew a license ..... 69

Chapter 4  Managing your Exchange servers
  About managing your Exchange servers ..... 71
  Deploying settings to a server or group ..... 72
  How to manage servers and server groups ..... 74
    Modifying or viewing server or server group settings ..... 74
    Viewing the status of a server ..... 75
    Creating a server group ..... 76
    Adding servers to a group ..... 77
    Moving a server to another group ..... 78
    Synchronizing group settings to a server ..... 80
    Restoring default settings to a server or group ..... 80
    Removing a server from group management ..... 81
    Removing a server group ..... 81
    Importing and exporting settings ..... 82
    Modifying the port and communication properties of a server ..... 83

Chapter 5  Quarantining messages and attachments
  About the quarantine ..... 85
  Forwarding quarantined items to the Quarantine Server ..... 86
  Establishing local quarantine thresholds ..... 87
  Viewing the contents of the local quarantine ..... 88
  Release messages from the quarantine ..... 90
    Releasing messages from the quarantine by email ..... 90
    Releasing messages from the quarantine to a file ..... 92
  Deleting an item from the quarantine ..... 93

Chapter 6  Protecting your server from risks
  About protecting your server from risks ..... 95
    How Symantec Mail Security detects risks ..... 97
  Configuring threat detection ..... 98
  Configuring security risk detection ..... 100
  Configuring file scanning limits ..... 102
  Configuring rules to address unscannable container files ..... 104

Chapter 7  Identifying spam
  About spam detection ..... 107
    How Symantec Mail Security detects and processes spam ..... 109
    About spam confidence level (SCL) values ..... 110
  Blocking spam using real-time blacklists ..... 112
  Configuring whitelists ..... 113
  How to detect spam using Symantec Premium AntiSpam ..... 114
    How the Symantec Premium AntiSpam service works ..... 115
    About spam foldering ..... 117
    About registering Symantec Premium AntiSpam through an ISA server ..... 117
    Configuring your proxy server to download spam definition updates ..... 118
    About the Symantec Spam Folder Agent for Exchange ..... 119
    About the Symantec Spam Plug-in for Outlook ..... 124
    Configuring Symantec Premium AntiSpam to identify spam ..... 130
    What you can do with spam and suspected spam messages ..... 132
  Configuring heuristic antispam protection ..... 141

Chapter 8  Filtering content using content filtering rules
  About filtering content ..... 145
    About default content filtering rules ..... 147
    About content evaluation ..... 147
    Elements of a content filtering rule ..... 149
  Working with match lists ..... 154
  Working with content filtering rules ..... 157
    Specifying inbound SMTP domains ..... 157
    Enabling or disabling content filtering for auto-protect scanning ..... 158
    Creating a new rule ..... 159
    Editing an existing rule ..... 159
    About configuring a content filtering rule ..... 160
    Prioritizing content filtering rules ..... 168
    Deleting a content filtering rule ..... 169
    Refreshing the Active Directory groups cache ..... 169
  How to enforce email attachment policies ..... 170
    Blocking attachments by file name ..... 170
    Configuring multimedia file detection ..... 172
    Configuring executable file detection ..... 175

Chapter 9  Scanning your Exchange servers for threats and violations
  About the scanning process ..... 178
  Configuring auto-protect scanning ..... 179
  About manual scans ..... 180
    Configuring the manual scan parameters ..... 180
    Running a manual scan ..... 182
    Viewing manual scan results ..... 183
  About scheduling a scan ..... 183
    Creating a scheduled scan ..... 183
    Editing a scheduled scan ..... 184
    Configuring scheduled scan options ..... 184
    Enabling a scheduled scan ..... 187
    Deleting a scheduled scan ..... 187
  Configuring notification settings for scan violations ..... 188

Chapter 10  Managing outbreaks
  About outbreak management ..... 189
    What defines an outbreak ..... 190
    About outbreak triggers ..... 191
  Enabling outbreak management ..... 192
  Configuring outbreak triggers ..... 193
  Configuring outbreak notifications ..... 194
  Clearing outbreak notifications ..... 195

Chapter 11  Logging events and generating reports
  About logging events ..... 197
    Viewing the Symantec Mail Security Event log ..... 198
    Specifying the duration for storing data in the Reports database ..... 200
    Purging the Reports database ..... 201
  About report templates ..... 201
    About report output formats ..... 202
    Creating or modifying a Summary report template ..... 203
    Creating or modifying a Detailed report template ..... 208
    Deleting a report template ..... 211
  What you can do with reports ..... 211
    Generating a report on demand ..... 211
    Accessing a report ..... 212
    Printing a report ..... 214
    Saving report data ..... 214
    Deleting a report ..... 215
    Resetting statistics ..... 216

Chapter 12  Updating your protection
  About keeping your server protected ..... 217
    Configuring a proxy server to permit LiveUpdate definitions ..... 218
    About setting up your own LiveUpdate server ..... 220
  How to update definitions ..... 220
    Updating definitions on demand ..... 220
    Scheduling definition updates ..... 221
  Distributing definitions to multiple servers ..... 222

Appendix A  Using variables to customize alerts and notifications
  About alert and notification variables ..... 225

Appendix B  Integrating Symantec Mail Security with SESA
  About SESA ..... 227
  Interpreting Symantec Mail Security events in SESA ..... 229
  Configuring logging to SESA ..... 230
    Configuring SESA 2.1 to recognize Symantec Mail Security ..... 231
    Configuring SESA 2.5 to recognize Symantec Mail Security ..... 232
    Installing the local SESA Agent ..... 235
    Updating the Windows hosts file to log events to SESA 2.5 ..... 235
    Configuring Symantec Mail Security to log events to SESA ..... 236
  About uninstalling SESA ..... 236
    About uninstalling the SIP ..... 236
    About uninstalling the SESA Agent ..... 237

Index

Chapter 1

Introducing Symantec Mail Security for Microsoft Exchange


This chapter includes the following topics:

About Symantec Mail Security for Microsoft Exchange
What's new in Symantec Mail Security
Components of Symantec Mail Security
How Symantec Mail Security works
What you can do with Symantec Mail Security
Where to get more information about Symantec Mail Security

About Symantec Mail Security for Microsoft Exchange


Symantec Mail Security for Microsoft Exchange is a complete, customizable, and scalable solution that scans email messages that pass through the Microsoft Exchange server. Symantec Mail Security protects your Exchange server from the following:

Threats (such as viruses, Trojan horses, worms, and denial-of-service attacks)
Security risks (such as adware and spyware)
Unwanted content
Unsolicited email messages (spam)

Symantec Mail Security also lets you manage the protection of one or multiple Exchange servers from a single console. See What you can do with Symantec Mail Security on page 20. The Exchange environment is only one avenue by which a threat can penetrate a network. For complete protection, ensure that every computer and workstation is protected by an antivirus solution. See About using Symantec Mail Security with other antivirus products on page 57.

What's new in Symantec Mail Security


Table 1-1 lists the new and enhanced features in Symantec Mail Security 5.0.3 for Microsoft Exchange.

Table 1-1 New and enhanced features

Protection from mail-based security risks
  Symantec Mail Security protects your mail environment from security risks, such as spyware and adware. See Configuring security risk detection on page 100.

Redesigned console
  You can manage a single mail server or a group of servers from the same console. The new console lets you view summary information about the activities on an individual mail server or a group of servers. See Accessing the Symantec Mail Security console on page 52.

Improved support for cluster environments
  Symantec Mail Security is Microsoft cluster-aware. In a clustering environment, multiple nodes on the network operate like a single system to ensure high availability. Symantec Mail Security is installed as a cluster resource on an active/passive cluster. It is designed to interact with and detect the nodes that are within the cluster environment. See About installing Symantec Mail Security in a Microsoft Cluster on page 45.

Automatic server discovery
  Symantec Mail Security can automatically detect the Exchange servers that are within your organization using Active Directory.

User-based and group-based policies
  You can select the users or groups to which a content filtering policy applies. You can configure the rule to apply to all Active Directory groups or to only the users or Active Directory groups that you select. You can also specify users or groups who are exceptions to the rule. See About configuring a content filtering rule on page 160.

File attachment content scanning
  You can scan for content violations within file attachments. Symantec Mail Security supports over 300 file attachment types and common file types, such as Microsoft Office documents, Adobe Acrobat PDF files, text files, RTF files, and database files. See About configuring a content filtering rule on page 160.

Multimedia and executable file detection based on true file type
  Symantec Mail Security can detect multimedia and executable files based on an analysis of their true file type instead of relying on their file extensions. See Configuring multimedia file detection on page 172. See Configuring executable file detection on page 175.

Summary and Detailed reports
  You can generate a report that contains statistics about the scanning activities that occurred on one or more mail servers. You can configure Symantec Mail Security to send the report to the email addresses that you specify. See What you can do with reports on page 211.

Automatically save messages to a folder
  You can save messages that are identified as spam or suspected spam, or messages that trigger content filtering violations, to a specified folder. This lets you use an archiving program to automatically archive messages in the folder. See Save messages to a folder for archiving on page 24.


Components of Symantec Mail Security


Table 1-2 lists the components of Symantec Mail Security.

Table 1-2 Product components

Symantec Mail Security for Microsoft Exchange
  Location on the product CD: \SMSMSE\Install\
  This is the software that you install to protect your Exchange servers. It protects your servers from threats (such as viruses and denial-of-service attacks) and security risks (such as adware and spyware). It also detects spam email messages and unwanted content.

LiveUpdate Administration Utility
  Location on the product CD: \ADMTOOLS\LUA\
  This is the utility that lets you configure one or more intranet FTP, HTTP, or LAN servers to act as internal LiveUpdate servers. LiveUpdate lets Symantec products download program and definition file updates directly from Symantec or from a LiveUpdate server. For more information, see the LiveUpdate Administrator's Guide on the Symantec Mail Security product CD in the following location: \DOCS\LUA\Luadmin.pdf

Symantec Spam Folder Agent for Exchange
  Location on the product CD: \ADMTOOLS\SPA\BSFA\
  This is the program that lets you install a spam foldering agent. The foldering agent works with the Symantec Premium AntiSpam service. It lets you automatically route spam and suspected spam messages to a spam folder in each user's inbox. The Symantec Spam Folder Agent is recommended for Exchange 2000 servers only.

Outlook Plug-in
  Location on the product CD: \ADMTOOLS\SPA\BMOP\
  This is the software that lets you submit missed spam and false positives to Symantec. It also lets users administer allowed senders and blocked senders lists and block email messages based on language identification. The Outlook Plug-in is used with the Symantec Premium AntiSpam service. The Outlook Plug-in can be used on Exchange 2000 and Exchange 2003 servers.

Symantec Enterprise Security Administration (SESA) Integration Package (SIP)
  Location on the product CD: \ADMTOOLS\SIPI\
  This is the software configuration package that you must install on each computer that runs a SESA Manager. The SIP extends SESA functionality to include Symantec Mail Security event data.

Adobe Acrobat Reader 6.0
  Location on the product CD: \DOCS\ar60enu.exe
  This is the software that makes it possible to read electronic documentation in Portable Document Format (PDF).

Symantec Central Quarantine
  Location on the product CD: \ADMTOOLS\DIS
  Symantec Mail Security can forward infected messages and messages that contain violations from the local quarantine to the Central Quarantine, which acts as a central repository. For more information, see the Symantec Central Quarantine Administrator's Guide on the Symantec Mail Security product CD in the following location: \DOCS\DIS\CentQuar.pdf


How Symantec Mail Security works


In a typical configuration, Symantec Mail Security scans items (message headers, bodies, and attachments) that are sent to Exchange servers by SMTP or directly to the store (mailboxes and public folders) by MAPI. Symantec Mail Security can scan messages and their attachments to detect the following:

Risks, such as viruses, worms, Trojan horses, adware, and spyware. See About protecting your server from risks on page 95.
Spam. See About spam detection on page 107.
Content filtering rule violations. See About filtering content on page 145.

See About the scanning process on page 178. When spam, a risk, or a content filtering rule violation is detected, Symantec Mail Security takes the actions that you specify in the respective policies. See Manage your Exchange environment using policies on page 21. Symantec Mail Security contains a decomposer that extracts container files so that they can be scanned for risks and content filtering violations. The decomposer continues to extract container files until it reaches the base file. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to the Unscannable File Rule. See Configuring rules to address unscannable container files on page 104.
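To make the decomposer behaviour described above concrete, the following Python is an added example written for this guide; it is not the product's code. It unpacks nested zip containers until it reaches the base files and stops, reporting the item as unscannable, when a nesting-depth or cumulative-size limit is exceeded or when a container is corrupt. The nested archives are constructed in memory, and the limit values, the `decompose` name and the `("unscannable", reason)` result shape are assumptions for illustration rather than the product's settings.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that starts a zip archive


def make_nested_zip(payload: bytes, depth: int) -> bytes:
    """Build a zip nested `depth` levels deep around payload (constructed sample input)."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.txt" if level == 0 else f"inner{level}.zip", data)
        data = buf.getvalue()
    return data


def decompose(data: bytes, max_depth: int = 3, max_bytes: int = 10_000_000):
    """Extract containers recursively until base files are reached.

    Returns ("ok", [base file contents]) when every base file was reached within
    the limits, or ("unscannable", reason) when a limit is hit or a container is
    corrupt. Stopping and flagging the item, instead of scanning only what was
    extracted so far, mirrors the handling described for the Unscannable File Rule.
    """
    extracted = 0  # cumulative uncompressed bytes pulled out of all containers

    def walk(blob: bytes, depth: int):
        nonlocal extracted
        if not blob.startswith(ZIP_MAGIC):
            return "ok", [blob]  # base file: nothing further to unpack
        if depth >= max_depth:
            return "unscannable", f"container nesting exceeds {max_depth} levels"
        base_files = []
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    # Check the declared uncompressed size before inflating so a
                    # highly compressed archive cannot exhaust memory or disk.
                    extracted += info.file_size
                    if extracted > max_bytes:
                        return "unscannable", f"extracted size exceeds {max_bytes} bytes"
                    status, result = walk(zf.read(info), depth + 1)
                    if status != "ok":
                        return status, result
                    base_files.extend(result)
        except zipfile.BadZipFile as exc:
            return "unscannable", f"corrupt container: {exc}"
        return "ok", base_files

    return walk(data, 0)


if __name__ == "__main__":
    print(decompose(make_nested_zip(b"hello", 2), max_depth=3))
    print(decompose(make_nested_zip(b"hello", 5), max_depth=3))
    print(decompose(make_nested_zip(b"x" * 5000, 1), max_depth=3, max_bytes=1000))
```

The size check uses the size recorded in the archive directory rather than the bytes actually inflated, so the limit is enforced before any work is done on an entry; a scanner that only measured after extraction would already have paid the cost it was trying to avoid.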

What you can do with Symantec Mail Security


You can use Symantec Mail Security to do the following:

Manage your Exchange environment using policies
Scan your Exchange server for risks and violations
Protect against threats
Keep your protection up-to-date
Identify spam email
Filter undesirable message content
Save messages to a folder for archiving
Manage outbreaks
Quarantine infected message bodies and attachments
Monitor Symantec Mail Security events
Generate reports
Send notifications when a threat or violation is detected
Manage single and multiple Exchange servers

Manage your Exchange environment using policies


Symantec Mail Security scans email messages and their attachments for violations of policies. A policy is a set of rules designed to detect potential risks to your Microsoft Exchange mail system or content policy violations. Symantec Mail Security contains the following policies:

General
  Contains rules controlling scanning limits, exceptions, and outbreak management

Antivirus
  Contains rules for detecting threats in messages and attachments with viruses, virus-like characteristics, or security risks, such as adware or spyware

Antispam
  Contains rules for the following:
    Allowed senders
    Recipients whose email messages are not scanned for spam
    Real-time blacklist domains
  Also lets you enable and configure the heuristic antispam engine or the Symantec Premium AntiSpam service

Content Enforcement
  Contains rules for filtering inappropriate content in message bodies and attachments


Scan your Exchange server for risks and violations


You can keep your server protected by performing any of the following types of scans:

Auto-protect scanning
  Auto-protect scanning detects risks, spam, and content filtering rule violations in real-time as email messages are routed through the Exchange server to the information store.

Manual scans
  Manual scans are on-demand scans of local mailbox and public folder items.

Scheduled scans
  Scheduled scans run according to the schedule that you specify.

See About the scanning process on page 178.

Protect against threats


Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, and worms) to identify new risks. After a threat is identified, information about the threat (a signature) is stored in a definition file. This file contains information to detect and eliminate the threat. When Symantec Mail Security scans for threats, it searches for these signatures. Symantec Mail Security also uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. See Configuring threat detection on page 98.

Keep your protection up-to-date


Symantec Mail Security relies on up-to-date information to detect and eliminate risks. One of the most common reasons computers are vulnerable to attacks is that definition files are out-of-date. Symantec regularly supplies updated definition files. Using LiveUpdate, Symantec Mail Security connects to a Symantec server over the Internet and automatically determines if definitions need to be updated. If they do, the definition files are downloaded to the proper location and installed. If you need a quicker response for emerging threats, you can use Rapid Release to get the most current definitions that are available.


If your organization has both front-end and back-end Exchange servers, you might want to consider using Rapid Release definitions on the front-end servers for the fastest response to new threats and certified LiveUpdate definitions on the back-end mailbox servers. See About keeping your server protected on page 217. See About using Symantec Mail Security with other antivirus products on page 57.

Note: To update definitions, you must have a valid content license. See About licensing on page 63.

Identify spam email


Spam is unsolicited bulk email, most often advertising messages for a product or service. It wastes productivity, time, and network bandwidth. You can use one of the following features to identify spam:

Symantec Premium AntiSpam
  Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available. You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium AntiSpam. See How to detect spam using Symantec Premium AntiSpam on page 114. See About the Symantec Premium AntiSpam license file on page 67.

Heuristic antispam
  The heuristic antispam feature uses a pattern-matching, heuristics engine to compare the contents of email messages to a list of spam characteristics. You can select the antispam engine sensitivity level. See Configuring heuristic antispam protection on page 141.

You can enhance heuristic or premium antispam detection by specifying domains that are allowed to bypass antispam scanning or that are automatically blocked. You can also specify email addresses to which inbound emails are permitted to bypass real-time blacklist blocking and antispam scanning. See Blocking spam using real-time blacklists on page 112. See Configuring whitelists on page 113.


Filter undesirable message content


Symantec Mail Security lets you filter undesirable content using the following features:

Match lists
  To filter content that applies to a specific situation, you can create a match list that includes words and phrases that are standard for or particular to your company or industry and for which you want to filter content. After you create a match list, you can define a content filtering rule that uses the match list. A content filtering rule can refer to one or more match lists. Match lists can consist of literal strings, regular expressions, or DOS wildcard expressions. See Working with match lists on page 154.

Content filtering rules
  You can create content filtering rules that apply to SMTP inbound and SMTP outbound mail and the Exchange information store. Content filtering rules let you filter messages for attachment names, attachment content, specific words, phrases, subject lines, and senders. Symantec Mail Security takes the action that you specify in the rule when it detects a violation. Symantec Mail Security also provides File Filtering Rules. File Filtering Rules let you filter email messages based on attached file names or file types, such as multimedia or executable files. See Working with content filtering rules on page 157.
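As an added illustration of the match list and content filtering rule concepts above (example code written for this guide, not the product's own implementation), the following Python evaluates rules whose match lists contain the three entry types the guide names: literal strings, regular expressions, and DOS wildcard expressions. The rule layout, field names and sample messages are constructed for this example. The guide does not document how the product tokenises text or anchors wildcards, so searching literals and regular expressions anywhere in a field while matching wildcards against whole attachment names is an assumption.

```python
import re
from dataclasses import dataclass


def dos_wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a DOS wildcard ('*' = any run of characters, '?' = one character)
    into an anchored, case-insensitive regular expression."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


@dataclass
class MatchEntry:
    kind: str      # "literal", "regex" or "wildcard" (assumed entry types)
    pattern: str

    def to_regex(self) -> "re.Pattern":
        if self.kind == "literal":
            return re.compile(re.escape(self.pattern), re.IGNORECASE)
        if self.kind == "regex":
            return re.compile(self.pattern, re.IGNORECASE)
        if self.kind == "wildcard":
            return dos_wildcard_to_regex(self.pattern)
        raise ValueError(f"unknown match entry kind: {self.kind}")


@dataclass
class ContentRule:
    name: str
    match_list: list                       # MatchEntry objects
    fields: tuple = ("subject", "body")    # message fields the rule inspects
    action: str = "quarantine"             # action taken on a violation

    def evaluate(self, message: dict) -> list:
        """Return (field, pattern) pairs that violate the rule; empty means clean."""
        hits = []
        for entry in self.match_list:
            rx = entry.to_regex()
            for name in self.fields:
                values = message.get(name, [])
                if isinstance(values, str):
                    values = [values]
                for value in values:
                    if rx.search(value):
                        hits.append((name, entry.pattern))
        return hits


def apply_rules(messages, rules) -> dict:
    """Map message id -> list of (rule name, action, hits) for each violated rule."""
    violations = {}
    for msg in messages:
        for rule in rules:
            hits = rule.evaluate(msg)
            if hits:
                violations.setdefault(msg["id"], []).append((rule.name, rule.action, hits))
    return violations


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Q3 forecast - CONFIDENTIAL", "body": "Numbers attached.",
     "attachments": ["forecast.xlsx"]},
    {"id": 2, "subject": "Re: lunch", "body": "Try the new tool",
     "attachments": ["setup.exe"]},
    {"id": 3, "subject": "Payroll", "body": "Employee SSN 123-45-6789 needs updating",
     "attachments": []},
    {"id": 4, "subject": "Hello", "body": "nothing here", "attachments": ["notes.txt"]},
]

CONFIDENTIAL_RULE = ContentRule(
    "Confidential markings",
    [MatchEntry("literal", "confidential"),
     MatchEntry("regex", r"\b\d{3}-\d{2}-\d{4}\b")],
    fields=("subject", "body"),
    action="quarantine",
)

EXECUTABLE_RULE = ContentRule(
    "Executable attachments",
    [MatchEntry("wildcard", "*.exe"), MatchEntry("wildcard", "*.scr")],
    fields=("attachments",),
    action="delete attachment",
)

if __name__ == "__main__":
    for msg_id, found in apply_rules(SAMPLE_MESSAGES, [CONFIDENTIAL_RULE, EXECUTABLE_RULE]).items():
        print(msg_id, found)
```

One design note: a match list that accepts arbitrary regular expressions should be maintained by administrators only, because a pathological pattern applied to a large attachment can make scanning very slow. Anchoring the wildcard translation with `^` and `$` is what keeps `*.exe` from matching `setup.exe.txt`.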

Save messages to a folder for archiving


You can configure Symantec Mail Security to automatically save email messages that trigger violations (such as spam and content filtering violations) to a folder location that you specify. This lets you configure your mail archiving solution to archive the messages in this folder. Maintaining archives of files can help your organization comply with regulatory requirements, such as the Sarbanes-Oxley Act of 2002 (SOX). See Configuring heuristic antispam protection on page 141. See Processing spam messages on page 133. See About configuring a content filtering rule on page 160.


If you specify an absolute path (with ':'; for example, C:\Program Files\Archive), Symantec Mail Security creates the folder, if one does not already exist. If you specify a relative path (without ':'; for example, Archive), Symantec Mail Security creates a subfolder underneath the SavedMessages folder in the server installation directory, if one does not already exist. The mail foldering option is only available for inbound and outbound SMTP traffic.

Manage outbreaks
An outbreak occurs when the number of threats to the Microsoft Exchange system that are detected over a period of time exceeds a specified limit. Symantec Mail Security lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications when an outbreak is detected. You can also select an action to take when an outbreak is detected, such as deleting the entire message, deleting the attachment or message body, quarantining the attachment or message body, or logging the event. You can set rules to define an outbreak based on events; for example, the same threat occurs a specified number of times within a specified time period. You can also configure Symantec Mail Security to send notifications and alerts in the case of an outbreak. See About outbreak management on page 189.
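The following Python is an added example (not the product's code) of the event-based outbreak rule this section describes: the same threat detected a specified number of times within a specified time period. It also evaluates a second rule on the total number of detections regardless of threat name, which goes beyond the single instance the text gives. The log format, threat names, recipients and timestamps are constructed for the example, and the alert wording is illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample detection log: timestamp, event type, threat name, recipient.
SAMPLE_LOG = """\
2006-03-01T10:00:00 THREAT W32.Sample user1@example.com
2006-03-01T10:00:10 THREAT W32.Sample user2@example.com
2006-03-01T10:00:20 THREAT Trojan.Other user3@example.com
2006-03-01T10:00:30 THREAT W32.Sample user4@example.com
2006-03-01T10:00:40 THREAT W32.Sample user5@example.com
2006-03-01T10:06:40 THREAT W32.Sample user6@example.com
2006-03-01T10:06:50 THREAT W32.Sample user7@example.com
2006-03-01T10:07:00 THREAT W32.Sample user8@example.com
2006-03-01T10:07:10 THREAT W32.Sample user9@example.com
2006-03-01T10:07:20 THREAT W32.Sample user10@example.com
"""


def parse_events(text: str) -> list:
    """Parse THREAT lines into (timestamp, threat name) pairs, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, threat, _recipient = line.split(maxsplit=3)
        if kind == "THREAT":
            events.append((datetime.fromisoformat(ts), threat))
    return sorted(events)


def detect_outbreaks(events, threshold: int, window_seconds: int, per_threat: bool = True) -> list:
    """Sliding-window outbreak rule.

    An outbreak fires when `threshold` detections of the same threat (or of any
    threat when per_threat is False) fall within `window_seconds`. The window is
    reset after firing so that one outbreak is reported once, not on every
    further detection. Returns (threat name or "*", time of the triggering event).
    """
    windows = defaultdict(deque)
    outbreaks = []
    for ts, threat in events:
        key = threat if per_threat else "*"
        q = windows[key]
        q.append(ts)
        # Drop detections older than the window relative to the current event.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            outbreaks.append((key, ts))
            q.clear()
    return outbreaks


def format_alert(threat: str, when: datetime, threshold: int, window_seconds: int,
                 action: str = "quarantine") -> str:
    """Render the notification text an administrator would receive (illustrative wording)."""
    return (f"Outbreak rule triggered: '{threat}' detected {threshold} times within "
            f"{window_seconds} s (last at {when.isoformat()}); action: {action}")


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for threat, when in detect_outbreaks(events, threshold=5, window_seconds=300):
        print(format_alert(threat, when, 5, 300))
```

Two rules are worth comparing on the same log: with a threshold of 5 in a 5-minute window, the per-threat rule fires only once, at 10:07:20, because the first burst of four W32.Sample detections never reaches five before the window slides past it; the any-threat rule fires at 10:00:40 as well, since the Trojan.Other detection counts toward the total.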

Quarantine infected message bodies and attachments


Symantec Mail Security for Microsoft Exchange includes a local quarantine that can store infected message bodies and attachments that are detected during scans. You can configure Symantec Mail Security to quarantine threats, security risks, content filtering violations, and file filtering violations in the local quarantine. Quarantined items that contain threats can be forwarded to the Symantec Central Quarantine, if it is installed. The Symantec Central Quarantine program is available on the Symantec Mail Security product CD. See About the quarantine on page 85.


Monitor Symantec Mail Security events


Symantec Mail Security logs events to the Windows Application Event Log. You can view events that are logged to the Windows Application Event Log from the console. See Viewing the Symantec Mail Security Event log on page 198. Symantec Mail Security logs extensive report data on threats, security risks, content violations, spam, and server information to a reports database. You can use this data to generate summary or detailed reports based on different subsets of the data. See About logging events on page 197. You can also configure Symantec Mail Security to post events to Symantec Enterprise Security Architecture (SESA). SESA is an event management system that compiles data for events that Symantec and supported third-party products generate. Symantec Mail Security sends a subset of security and application events to SESA. The events that Symantec Mail Security generates include failed definition updates, threat detections, unscannable files, and spam events. See Configuring Symantec Mail Security to log events to SESA on page 236.

Generate reports
Symantec Mail Security collects and saves scan data on your Exchange servers. You can create reports from the data, which gives you a history of risk detection activity and rule violations. Report templates let you define a subset of the raw report data that is collected by Symantec Mail Security for a single server. Report templates can include different categories or combinations of security-related statistics. You can create different report templates to describe different subsets of the raw report data. Once you create a report template, you use it to generate reports. Symantec Mail Security provides two pre-configured report templates that you can modify. You can also create your own report templates. When you create or modify a report template, Symantec Mail Security provides a wizard to guide you through the configuration process.


The types of report templates that you can create are as follows:

Summary
  See Creating or modifying a Summary report template on page 203.

Detailed
  See Creating or modifying a Detailed report template on page 208.

Send notifications when a threat or violation is detected


Symantec Mail Security provides several options for notifying administrators and email recipients of risks and violations. You define the conditions in which to send an alert. You can also customize the alert message text for each alert condition that you define. See Configuring notification settings for scan violations on page 188.

Manage single and multiple Exchange servers


Symantec Mail Security can protect one or more Exchange servers. If your organization has multiple Exchange servers, you can manage all of the servers from the same console that you use to manage a single server. By switching between server view and group view, you can manage the configuration settings for individual servers, a logical grouping of servers (such as all front-end servers), or all servers in a specific location. See About managing your Exchange servers on page 71.

Where to get more information about Symantec Mail Security


Symantec Mail Security includes a comprehensive help system that contains conceptual, procedural, and context-sensitive information. Press F1 to access information about the page in which you are working. If you want more information about features that are associated with the page, select a More Information link in the Help page, or use the Table of Contents, Index, or Search tabs in the Help viewer to locate a topic. The About folder in the Help page provides information about the feature or topic. If there are procedures that are associated with a feature or topic, a How to folder for the Help topic is enabled. Click that folder to display the procedures.


You can visit the Symantec Web site for more information about your product. The following online resources are available:

www.symantec.com/techsupp/ent/enterprise.html
  Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions

www.symantec.com/licensing/els/help/en/help.html
  Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration

www.enterprisesecurity.symantec.com
  Provides product news and updates

www.securityresponse.symantec.com
  Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats

Chapter 2

Installing Symantec Mail Security for Microsoft Exchange


This chapter includes the following topics:

Before you install
System requirements
About installing Symantec Mail Security
Post-installation tasks
Migrating to version 5.0.3
Uninstalling Symantec Mail Security

Before you install


Before you install Symantec Mail Security, ensure that all pre-installation and system requirements are met. You also should ensure that you have an installation plan that best matches your organization's needs. See System requirements on page 33. Symantec Mail Security supports upgrades from Symantec Mail Security 4.x. If you are upgrading from a prior version, you should review the migration information. See Migrating to version 5.0.3 on page 59.


Before you install the product, you should do the following:

If you are running Symantec Brightmail AntiSpam on the same server on which you want to install Symantec Mail Security, you must uninstall Symantec Brightmail AntiSpam before you install Symantec Mail Security.

The email tools feature of Symantec AntiVirus Corporate Edition is not compatible with Microsoft Exchange or Symantec Mail Security for Microsoft Exchange. You must uninstall the feature before you install Symantec Mail Security.

You must disable any antivirus software that is on the server on which you want to install Symantec Mail Security. After installation, you should re-enable the antivirus protection. See About using Symantec Mail Security with other antivirus products on page 57.

To install Symantec Mail Security components correctly, log on as a Windows domain administrator. See Software component locations on page 30.

For optimal visibility, modify your screen resolution to 1024 x 768.

Software component locations


Table 2-1 lists the default locations in which Symantec Mail Security installs software components.

Table 2-1 Software component locations

Symantec Mail Security program files
  C:\Program Files\Symantec\SMSMSE\5.0\Server

Quarantined items in encrypted format
  C:\Program Files\Symantec\SMSMSE\5.0\Server\Quarantine
  Note: You should configure all antivirus file system scanners to exclude the quarantine directory from scanning. The system scanners might try to scan and delete Symantec Mail Security files that are placed in the quarantine directory.

Reporting data
  C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports

Data files for reports that are generated
  C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports\<report name>
  File type can be .csv, .html, .xml, or an image file

Report templates
  C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports\Templates

Match list files
  C:\Program Files\Symantec\SMSMSE\5.0\Server\MatchLists

Heuristic antispam configuration files, allowed senders files, and Symantec Premium AntiSpam configuration files
  C:\Program Files\Symantec\SMSMSE\5.0\Server\SpamPrevention

Location where Symantec Mail Security scans items
  C:\Program Files\Symantec\SMSMSE\5.0\Server\Temp
  Note: You should configure all antivirus products that scan files to exclude the Temp directory from scanning. The system scanners might try to scan and delete Symantec Mail Security files that are placed in the Temp directory during the scanning process.

Dynamic-link libraries for Symantec Premium AntiSpam
  C:\Program Files\Symantec\SMSMSE\5.0\Server\bin

Manual scan configuration data
  C:\Program Files\Symantec\SMSMSE\5.0\Server\Config

Configuration files for allowed and blocked senders for Symantec Premium AntiSpam
  C:\Program Files\Symantec\SMSMSE\5.0\Server\etc

Component logs for Symantec Premium AntiSpam
  C:\Program Files\Symantec\SMSMSE\5.0\Server\logs

Statistical information on the effectiveness of Symantec Premium AntiSpam rules
  C:\Program Files\Symantec\SMSMSE\5.0\Server\stats

Console files
  C:\Program Files\Symantec\SMSMSE\5.0\UI

Component to update virus definitions
  C:\Program Files\Symantec\LiveUpdate

Definitions
  C:\Program Files\Common Files\SymantecShared\VirusDefs

License files
  C:\Program Files\Common Files\SymantecShared\Licenses

Verity content extraction component
  C:\Program Files\Symantec\SMSMSE\5.0\Server\Verity\bin

Symantec Mail Security Web service components
  C:\Program Files\Symantec\SMSMSE\5.0\Server\DExLService\bin

.NET Framework 1.1 service pack 1.1
  C:\Windows\Microsoft.NET\Framework

SESA agent installation files
  C:\Program Files\Server\AgtInst

Symantec rulesets
  C:\Program Files\Server\

About security and access permissions


Users must have System Administrator privileges to configure or modify Symantec Mail Security settings. When you install the product, Symantec Mail Security automatically creates the SMSMSE viewers group in Active Directory and assigns the group read-only access to Symantec Mail Security components and features. Users in this group cannot change settings for Symantec Mail Security. Users can run reports, view event logs, and view settings through the console. The SMSMSE viewers group is domain-wide for Active Directory. You can use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to change membership in this group. During the security set-up process, security is also set for the Symantec Mail Security registry key and file folders. You must have administrator access to the local servers and domain administrator rights for the security set-up to proceed.


System requirements
Ensure that you meet the appropriate system requirements for the type of installation that you are performing. See About installing Symantec Mail Security on page 34.

Server system requirements


You must have domain administrator-level privileges to install Symantec Mail Security. The server system requirements are as follows:

Operating system
  Windows 2000 Server/Advanced Server/Data Center SP4
  Windows Server 2003 Standard/Enterprise/Data Center SP1

Exchange platform
  Exchange 2000 Server SP3/Enterprise Server
  Exchange Server 2003/Enterprise Server

Minimum system requirements
  Intel Server class 32-bit processor
  1 GB RAM
  775 MB available disk space (required for Symantec Mail Security and required third-party components; this does not include the space required for items such as quarantined messages and attachments, reports, and log data)
  .NET Framework version 1.1 SP1 (automatically installed if not detected)
  MDAC 2.6 or higher (automatically installed if not detected)
  DirectX 8.01 or higher (DirectX 9 is automatically installed if not detected)

See Installing Symantec Mail Security on a local server on page 35.
See About installing Symantec Mail Security on remote servers on page 40.
See About installing Symantec Mail Security in a Microsoft Cluster on page 45.


If you install Symantec Mail Security on a Windows 2000 Server Domain Controller that does not allow impersonation, you might have difficulty changing settings in a group view or from a remote console. You should run Microsoft Exchange on a computer that is not a Domain Controller. If this is not feasible, set the computer to allow impersonation by configuring the Impersonate a client after authentication policy for the IWAM account. See About setting up impersonation privileges on the IWAM account on page 51.

Console only system requirements


You can install the Symantec Mail Security console only. The console only system requirements are as follows:

Operating system
  Windows 2000 Server SP4
  Windows Server 2003 SP1
  Windows XP SP1

Minimum system requirements
  Intel Server class 32-bit processor
  512 MB RAM
  162 MB available disk space (this does not include the space required for items such as quarantined messages and attachments, reports, and log data)
  .NET Framework version 1.1 SP1 (automatically installed if not detected)

See Installing the Symantec Mail Security console only on page 43.

About installing Symantec Mail Security


Use any of the following installation procedures, depending on the type of installation that you want to perform:
Local server installation
  You can install or upgrade Symantec Mail Security on a local computer that is running Microsoft Exchange Server.
  See Installing Symantec Mail Security on a local server on page 35.

Remote server installation
  If you have multiple servers on which you want to install or upgrade Symantec Mail Security, after you install Symantec Mail Security on a local server, you can use the Asset Management tool in the console to install the product on remote servers.
  See About installing Symantec Mail Security on remote servers on page 40.

Console only installation
  You can install the product console on a computer that is not running Symantec Mail Security. This lets you manage your servers from any computer that has access to your Exchange servers.
  See Installing the Symantec Mail Security console only on page 43.

Microsoft Clustering service installation
  If you are installing Symantec Mail Security with the Microsoft Clustering service, follow the instructions for clustering service installation.
  See About installing Symantec Mail Security in a Microsoft Cluster on page 45.

See Migrating to version 5.0.3 on page 59.

Installing Symantec Mail Security on a local server


You can install Symantec Mail Security on a local Microsoft Exchange Server. You must install the product on a local server before you can perform the remote server or console installations.

Before you begin the installation process, ensure that you have met the system requirements. See System requirements on page 33.

You must be logged on as a member of the Administrators group on the local computer and have domain administrator privileges on the computer on which you want to install Symantec Mail Security.

If you do not have .NET Framework version 1.1 SP1, MDAC 2.6 or higher, or DirectX 8.01 or higher installed, Symantec Mail Security automatically installs these components during installation. If Symantec Mail Security installs any of these components, you are prompted to restart your computer after installation is complete.

When installation is complete, a Symantec Mail Security icon is placed on the computer desktop.


To install Symantec Mail Security on a local server, do the following:


Begin the installation process
  The installation wizard guides you through the installation process of selecting upgrade configurations (if applicable), the product installation folder location, and the type of installation that you want to perform.

Configure additional setup options and confirm settings
  You can specify whether to stop IIS during installation, specify the Web service setup values, designate an email notification address, install the SESA agent, and review your setup configuration. See Installing the local SESA Agent on page 235.

Install licenses
  You can install your licenses during installation. See About licensing on page 63. If you install a valid content license, Symantec Mail Security lets you perform a LiveUpdate to obtain the most current definitions. See About keeping your server protected on page 217.

To begin the installation process
1 Insert the Symantec Mail Security product CD in the CD-ROM drive.
  The installation program launches automatically. If it does not, run cdstart.exe from the product CD.
2 Click Install Symantec Mail Security for Microsoft Exchange.
3 In the InstallShield welcome panel, click Next.
4 Click Next until you reach the Software License Agreement panel.
5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.
  You must accept the terms of the license agreement for the installation to continue.
6 In the Existing Settings panel, select one of the following, and then click Next:
  Restore default settings   Applies the default settings of the version that you are installing.
  Retain existing settings   Retains your existing settings.
  This panel only appears if you are upgrading.
7 In the Destination Folder panel, do one of the following:
  - To install the product in the default location, click Next. The default directory is as follows: C:\Program Files\Symantec\SMSMSE\5.0\Server
  - To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.
  Symantec Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam service, you cannot install the product to a directory that contains high ASCII characters.
8 In the Setup Type panel, click Complete, and then click Next.
9 In the Setup Preview panel, click Next.
  This panel only appears if Symantec Mail Security must install a third-party component (such as .NET Framework). See Server system requirements on page 33.
10 In the information dialog box, click OK.


To configure additional setup options
1 In the IIS Reset Options panel, select whether to stop IIS during installation, and then click Next.
2 In the Web Service Setup panel, do one of the following:
  - Click Next to accept the default values.
  - Modify the following settings, and then click Next:
    IP/Name   By default, the computer name resolves to the primary external network interface card (NIC). You can also use an IP address. The IP address is used to validate the availability of the port.
    Port #    Port 8081 is the default port number for the Web service that Symantec Mail Security uses. If port 8081 is in use by another application, a different default port number appears. If you change the port number, use a port that no other application uses. Do not use port 80, which is used by the default Web site that Microsoft Internet Information Services (IIS) hosts.
3 In the Notification Email Address panel, do one of the following to specify the administrator to notify of violations and outbreaks:
  - Click Next to accept the default value.
  - Modify the originator email address, and then click Next.
4 In the Symantec Enterprise Security Architecture panel, select one of the following:
  No    Select this option if you do not have a SESA server or do not want to install the SESA agent at this time.
  Yes   Select this option if you have a SESA server and want to install the SESA agent. In the IP Address of SESA Server box, type the IP address of the SESA server.
  See Integrating Symantec Mail Security with SESA on page 227.
5 Click Next.
6 In the Setup Summary panel, review the information, and then click Next. If you need to make any modifications, click Back to return to the appropriate panel.
7 In the Ready to Install the Program panel, click Install.

To install a license and update definitions
1 In the Install Content License File panel, do one of the following:
  To install a license file now: Click Browse, locate the license file, and then click Open. Click Install, and in the confirmation dialog box, click OK. Repeat this process for each license that you have to install. Click Next.
  To install a license file later through the console: Click Skip, and then click Next. See About licensing on page 63.
2 In the LiveUpdate panel, do one of the following:
  To perform a LiveUpdate now: Click Yes, and then click Next. In the LiveUpdate Options window, click Start. When LiveUpdate is complete, click Close.
  To perform a LiveUpdate at a later time: Click No, and then click Next. See About keeping your server protected on page 217.
  This panel only appears if you installed a valid license.
3 Click Finish.
  The option Show the readme file is checked by default. The Readme file contains information that is not available in the product documentation.
4 Click Yes to restart your computer.
  This option only appears if Symantec Mail Security installed .NET Framework, MDAC, or DirectX during the installation process. You must restart your computer for the necessary changes to take effect.

See Post-installation tasks on page 50.


About installing Symantec Mail Security on remote servers


After you install Symantec Mail Security on a local server or install the console, you can install the Symantec Mail Security server component on remote servers. You can also upgrade from versions 4.x. See Migrating to version 5.0.3 on page 59.

Before you install the product on remote servers, you should review the preinstallation information and system requirements.
See Before you install on page 29.
See System requirements on page 33.

If you do not have .NET Framework version 1.1 SP1, MDAC 2.6 or higher, or DirectX 8.01 or higher installed, Symantec Mail Security automatically installs these components during installation. If Symantec Mail Security installs any of these components, the remote computer is restarted automatically after installation is complete. Because that restart is not prompted, schedule remote installations on Exchange servers for a maintenance window.

To install Symantec Mail Security on remote servers, do the following:
- Customize installation settings, if needed. Remote servers are installed with default installation settings. If you want to customize the installation settings and apply them to a remote server, you can add the custom properties to the vpremote.dat file. See Customizing remote server installation settings on page 40.
- Install Symantec Mail Security on remote servers. See Installing the product on a remote server on page 42.

Customizing remote server installation settings


There may be cases in which you want to customize the installation of Symantec Mail Security on a remote Exchange server. For example, you might want to change the following settings:
- Installation location
- Default email address for notifications
- Stop/start of IIS


Table 2-2 lists the remote customization options that you can modify.

Table 2-2 Remote customization options

EMAILADDRESS=
  Description: Address of the domain administrator, used for the Address of sender and the Administrator and others to notify fields in the Notification/Alert settings
  Default value: N/A
  Optional value: Email address of the domain administrator

EXISTINGSETTINGGROUP=
  Description: Controls whether to retain a previous version's settings or apply the default settings of the new version
  Default value: Retain
  Optional value: Restore

IIS_RESET=
  Description: Controls whether to stop and restart IIS
  Default value: Yes
  Optional value: No

INSTALL_SESA=
  Description: Determines whether to install SESA
  Default value: No
  Optional value: Yes

INSTALLDIR=
  Description: The product installation directory
  Default value: [drive]:\Program Files\Symantec\SMSMSE\5.0\
  Optional value: Any valid path

PORTNUMBER=
  Description: The port that is used by the product for Web services
  Default value: 8081
  Optional value: Any valid port

REMOTEINSTALL=
  Description: Controls whether the console appears during installation
  Default value: Not set (the console appears)
  Optional value: 1 to hide the console. Set to 1 if you are performing a silent installation.

SESAIP=
  Description: The IP address of the SESA server
  Default value: N/A
  Optional value: A valid SESA server IP address


Warning: Do not change the following entry: {setup.exe /s /v"/qn NOT_FROM_ARP=1}. You can only append properties to it. For example: {setup.exe /s /v"/qn NOT_FROM_ARP=1 REMOTEINSTALL=1}

To customize remote server installation settings
1 Locate the folder that contains the Symantec Mail Security console files. The default location is as follows: \Program Files\Symantec\SMSMSE\5.0\UI\
2 Using WordPad or a similar tool, open the following file: vpremote.dat
3 Insert one or more properties by doing the following:
  - Type a space after the previous or existing entry inside the quotation marks.
  - Type the new property. The property portion of each entry is case sensitive.
  - Type the value immediately after the = sign with no space. The values are not case sensitive.
  For example, to specify a silent installation, the entry would appear as follows:
  {setup.exe /s /v"/qn NOT_FROM_ARP=1 REMOTEINSTALL=1}
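The Web Service Setup rules earlier in this chapter (use a port that no other application uses, never port 80) and the vpremote.dat rules above both describe values that end up on a silent setup.exe command line, so it is worth validating them before the Asset Management tool pushes them to a remote server. The following Python helper is an added example for this guide, not code from Symantec or from the product. It assumes the entry format printed above, {setup.exe /s /v"/qn NOT_FROM_ARP=1}, with or without a closing quote before the brace; the property names and values of Table 2-2; and a hypothetical vpremote.dat path supplied by the caller. It leaves the fixed prefix untouched, rejects unknown or miscased property names and any value containing a quote, a brace or whitespace (which could otherwise end the /v"..." string early and append extra switches), refuses port 80 and out-of-range ports, and refuses an INSTALLDIR containing multi-byte or high-ASCII characters. Because the guide does not document how to quote a value that contains spaces, the helper rejects such values (for example an INSTALLDIR under Program Files) rather than guessing.

```python
import re
from ipaddress import IPv4Address

# The fixed part of the vpremote.dat entry that the guide says must not be changed.
FIXED_PREFIX = '{setup.exe /s /v"/qn NOT_FROM_ARP=1'

# Property names from Table 2-2 (case sensitive) and their permitted values.
# None means the value is free-form and is checked by a dedicated function below.
ALLOWED = {"EMAILADDRESS": None, "INSTALLDIR": None, "PORTNUMBER": None, "SESAIP": None,
           "EXISTINGSETTINGGROUP": {"retain", "restore"}, "IIS_RESET": {"yes", "no"},
           "INSTALL_SESA": {"yes", "no"}, "REMOTEINSTALL": {"1"}}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PROP_RE = re.compile(r"^([A-Za-z_]+)=(.*)$")


def validate_port(value):
    """PORTNUMBER: a TCP port other than 80, which the IIS default Web site uses."""
    if not value.isdigit() or not 1 <= int(value) <= 65535 or int(value) == 80:
        raise ValueError("PORTNUMBER must be 1-65535 and not 80: %r" % value)
    return int(value)


def validate_installdir(value):
    """INSTALLDIR: an absolute [drive]:\\ path of printable ASCII (no multi-byte/high-ASCII)."""
    if not re.match(r"^[A-Za-z]:\\", value) or any(not 0x20 <= ord(c) <= 0x7E for c in value):
        raise ValueError("INSTALLDIR must be a [drive]:\\ path of printable ASCII: %r" % value)
    return value


def validate_property(name, value):
    """Check one property against Table 2-2; names are case sensitive, values are not."""
    if name not in ALLOWED:
        raise ValueError("unknown or miscased property: %r" % name)
    if not value or any(c.isspace() for c in value) or '"' in value or "}" in value:
        # Whitespace, a quote or a brace would split the entry or end the /v"..." string
        # early, letting a value smuggle extra switches onto the setup.exe command line.
        raise ValueError("value for %s is empty or contains whitespace, a quote or a brace" % name)
    if name == "PORTNUMBER":
        validate_port(value)
    elif name == "INSTALLDIR":
        validate_installdir(value)
    elif name == "EMAILADDRESS":
        if not EMAIL_RE.match(value):
            raise ValueError("EMAILADDRESS is not a valid address: %r" % value)
    elif name == "SESAIP":
        IPv4Address(value)  # raises ValueError for anything but a dotted-quad address
    elif value.lower() not in ALLOWED[name]:
        raise ValueError("value %r is not permitted for %s" % (value, name))


def is_valid_property(name, value):
    """Boolean form of validate_property, convenient for checking a batch up front."""
    try:
        validate_property(name, value)
    except ValueError:
        return False
    return True


def parse_entry(entry):
    """Split an entry into its custom properties and the characters that close it.
    Accepts the form printed in the guide, {setup.exe /s /v"/qn NOT_FROM_ARP=1},
    and the same entry with a closing quote before the brace."""
    entry = entry.strip()
    if not entry.startswith(FIXED_PREFIX):
        raise ValueError("entry does not start with the fixed prefix; refusing to edit it")
    body, closing = entry[len(FIXED_PREFIX):], ""
    while body and body[-1] in '"}':
        body, closing = body[:-1], body[-1] + closing
    props = {}
    for token in body.split():
        match = PROP_RE.match(token)
        if not match:
            raise ValueError("unexpected token in entry: %r" % token)
        props[match.group(1)] = match.group(2)
    return props, closing


def build_entry(entry, new_properties):
    """Return the entry with the validated properties merged in and the prefix intact."""
    props, closing = parse_entry(entry)
    for name, value in new_properties.items():
        validate_property(name, value)
        props[name] = value  # a property given again replaces its earlier value
    return FIXED_PREFIX + "".join(" %s=%s" % item for item in props.items()) + closing


def customize_vpremote(path, new_properties):
    """Rewrite the one-line vpremote.dat at path (a hypothetical location) in place."""
    with open(path, "r", encoding="ascii") as handle:
        updated = build_entry(handle.read(), new_properties)
    with open(path, "w", encoding="ascii") as handle:
        handle.write(updated + "\n")
    return updated


if __name__ == "__main__":
    # Constructed sample: the guide's own entry, extended for a silent install that
    # keeps existing settings and leaves IIS running.
    print(build_entry('{setup.exe /s /v"/qn NOT_FROM_ARP=1}', {"REMOTEINSTALL": "1",
          "EXISTINGSETTINGGROUP": "Retain", "IIS_RESET": "No", "PORTNUMBER": "8081"}))
```

build_entry returns the new entry without touching disk, so you can review it before customize_vpremote writes it back; a property that already exists in the entry is replaced rather than duplicated, and NOT_FROM_ARP is deliberately absent from the allowed list so it cannot be re-added or overridden.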

Installing the product on a remote server


You must be logged on as a member of the Administrators group on the local computer and have domain administrator privileges on all remote computers on which you want to install Symantec Mail Security. When installation is complete, a Symantec Mail Security icon is placed on the computer desktop.

Note: Do not use the remote installation procedures if you are installing the product on cluster server nodes. See About installing Symantec Mail Security in a Microsoft Cluster on page 45.


To install the product on a remote server
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Install/Upgrade server(s).
3 In the Select Server(s) window, in the Servers and server groups list, highlight one or more servers and click the >> command icon.
4 Under Server options, check Keep installation files on server(s) to keep the installation files on the server.
5 Check Send group settings to apply group settings. If unchecked, existing server settings are retained. Future changes that are made to the server group are applied to the server.
6 Click OK, and then click Close.

See Post-installation tasks on page 50.

Installing the Symantec Mail Security console only


The Symantec Mail Security console is a Windows application. The console lets you manage local and remote installations of Symantec Mail Security from a single computer. You can install and use the console on a computer on which Symantec Mail Security is not installed. This lets you manage Symantec Mail Security from a convenient location.

Before you install the console, you must first install Symantec Mail Security on a local Exchange server. You should also review the console installation system requirements.
See Installing Symantec Mail Security on a local server on page 35.
See Console only system requirements on page 34.

Symantec Mail Security automatically installs .NET Framework version 1.1 SP1 if it is not detected during installation. If Symantec Mail Security installs .NET Framework, after installation is complete, you are prompted to restart the computer.

When installation is complete, a Symantec Mail Security icon is placed on the computer desktop.


To install the Symantec Mail Security console only
1 Insert the Symantec Mail Security product CD in the CD-ROM drive.
  The installation program launches automatically. If it does not, run cdstart.exe from the Symantec Mail Security product CD.
2 Click Install Multiserver Console.
  If the installation program detects that you have Windows XP or that no version of Exchange Server is installed, the installation program defaults to console-only installation options.
3 Click Next until you reach the Software License Agreement panel.
4 In the License Agreement panel, check I accept the terms in the license agreement, and then click Next.
5 In the Destination Folder panel, do one of the following:
  - To install the product in the default location, click Next. The default destination directory is as follows: C:\Program Files\Symantec\SMSMSE\5.0\Server
  - To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.
  Symantec Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam service, you cannot install the product to a directory that contains high ASCII characters.
6 Click Next until you reach the Ready to Install the Program panel.
7 In the Ready to Install the Program panel, click Install.
  The installation may take several minutes.
8 Click Finish.
9 Click Yes to restart your computer.
  This option only appears if Symantec Mail Security installed .NET Framework during the installation process. You must restart your computer for the necessary changes to take effect.

See Post-installation tasks on page 50.


About installing Symantec Mail Security in a Microsoft Cluster


You can install Symantec Mail Security in a Microsoft Cluster. Symantec Mail Security supports active/active configurations, but recommends configurations with one or more passive nodes. The two configuration types have different installation considerations. When you install Symantec Mail Security in a cluster environment, you should install the product individually on each node of the cluster. The remote installation feature should not be used. To install Symantec Mail Security in a cluster environment, do the following:

- Ensure that your environment meets the pre-installation requirements. See Considerations before you install on a Microsoft Exchange cluster on page 46.
- Install Symantec Mail Security using the procedures for your cluster configuration. See About installing Symantec Mail Security on a cluster with one or more passive nodes on page 47. See About installing Symantec Mail Security on a Veritas cluster server on page 50.
- Configure the cluster resource if you are using an active/passive configuration only. See Configuring the cluster resource on page 48.


Considerations before you install on a Microsoft Exchange cluster


Table 2-3 describes the items that you should consider before you install Symantec Mail Security in a cluster environment.

Table 2-3 Cluster installation considerations

One or more passive nodes
  Symantec Mail Security must be installed on all active and passive nodes of a cluster. Only one Exchange Virtual Server (EVS) can run on any cluster node at any time. If two EVSs try to run on the same node, the results are undefined.
  Before you install Symantec Mail Security on an Exchange cluster with one or more passive nodes, ensure that the following requirements are met:
  - There must be an available passive node to fail over to. Multiple failovers are supported only if multiple passive nodes are available.
  - Symantec Mail Security must be installed with the same configuration and in the same locations on all nodes of the cluster.
  During installation, Symantec Mail Security checks for the presence of a cluster environment. If the installation is running in a cluster environment, you are prompted to register a cluster resource DLL (SMSMSEClusterResource.dll). This DLL must be registered on only one of the cluster nodes.
  Symantec Mail Security runs on all nodes (even passive nodes) immediately after installation. After the first instance of the cluster resource is configured, the service runs only on the active node or nodes.

Active/active
  Before you install Symantec Mail Security on an active/active Exchange 2000 or 2003 cluster, ensure that the following requirements are met:
  - The cluster is a group of identical servers containing two nodes. An active/active cluster can contain only two nodes.
  - At least two Exchange Virtual Servers exist and are capable of running on either node in the cluster.


About installing Symantec Mail Security on a cluster with one or more passive nodes
You can install Symantec Mail Security on Exchange servers that are running Microsoft Clustering Service with one or more passive nodes.

Symantec Mail Security settings are stored in the registry and on the local hard drive of each individual server. Each time settings are changed, the settings are duplicated on the shared storage that is used as a dependency for the Symantec Mail Security resource. Any time the active node goes down and control transfers to the passive node, the passive node checks for settings on the shared storage. The settings are then downloaded to the passive node (which is now active) and applied.

Symantec Mail Security is Microsoft cluster aware and does not require any specific settings prior to installing the product on a cluster with one or more passive nodes. Symantec Mail Security requires its own cluster resource.

You must use the IP addresses or names of the Exchange Virtual Servers instead of the actual server IP addresses or names for managing Symantec Mail Security through the console.

When the EVS group and Symantec Mail Security cluster resource move from one node to another, the following items are not transferred:
- Quarantine contents
- Virus definitions and spam rules
- Report database and generated reports
- Spam statistics
- Mailbox and public folder lists

Because definitions and spam rules stay on the node where they were downloaded, keep definitions current on every node (active and passive) so that a failover does not bring an out-of-date scanner into service.

In a cluster environment, you should manage Symantec Mail Security with a console that is installed on a computer that is not a part of the cluster rather than from one of the cluster nodes. This lets you maintain independent Symantec Mail Security settings for each Exchange Virtual Server.
See Configuring the cluster resource on page 48.
See Post-installation tasks on page 50.


Configuring the cluster resource


After Symantec Mail Security is installed on each node of the cluster, you must create a new resource. This resource provides high availability by monitoring and controlling Symantec Mail Security. You should create the resource in each Exchange Virtual Server group.

As the Symantec Mail Security resource is created, the Symantec Mail Security service on all nodes is stopped and the service startup type is changed to Manual. This occurs because the service then runs under the control of the Symantec Mail Security cluster resource.

The Symantec Mail Security cluster resource is responsible for all of the following tasks:
- Handling cluster events
- Saving Symantec Mail Security settings for each Exchange Virtual Server to shared storage
- Retrieving settings from shared storage and making them active on a given cluster node
- Managing the Symantec Mail Security service

To configure the cluster resource
1 On the Windows taskbar, click Start > Programs > Administrative Tools > Cluster Administrator.
2 Select an EVS group and launch the New Resource Wizard.
3 Name the resource. You must assign a unique name to each resource.
4 Select Symantec Mail Security for Microsoft Exchange as the resource type, and then click Next.
5 Choose the nodes for which the resource is being created, and then click Next. The nodes should be the same as those on which the EVS can run.
6 Choose the dependencies for this resource. The required dependencies are as follows:
  - Physical Disk resource (the disk on which the settings are saved)
  - EVS Network Name resource
7 Repeat steps 2 through 6 for each EVS group.

Installing Symantec Mail Security on an active/active cluster


You can install Symantec Mail Security on an active/active Microsoft Exchange cluster.

To install Symantec Mail Security on an active/active cluster
1 Log on to a node using an Administrator account that is a member of the Domain Admins group and of the local Administrators group.
2 Insert the Symantec Mail Security product CD into the CD-ROM drive.
3 Run the following file to install the Symantec Mail Security product on the cluster node:
  \SMSMSE\Install\setup.exe
  The installation directory should be on a local (non-shared) drive of the node.
4 In the Web Service wizard, type the IP address of the externally accessible network card of the current node (if not already present). The Virtual Server IP address, the cluster IP address, and the name of the node are invalid entries.
5 Repeat steps 3 and 4 to install Symantec Mail Security on the remaining node.

See Configuring the cluster resource on page 48. See Post-installation tasks on page 50.


About installing Symantec Mail Security on a Veritas cluster server


Before you install Symantec Mail Security on a Veritas cluster server, you should consider the following:

- Symantec Mail Security should be installed on all nodes of the cluster.
- The name of the server is usually used when installing to a cluster, but you can use an IP address to specify the computer. If you use IP addresses, use the IP address of the computer, not the IP address of the cluster or virtual server.
- You should use the Symantec Mail Security console to schedule definition updates and scans for each server in the cluster.

For more information, see An Introduction to Symantec Mail Security and Availability for Microsoft Exchange. To view this document, on the Internet, go to the following URL: http://enterprisesecurity.symantec.com/content.cfm?articleid=6302&rnav=0

Post-installation tasks
After you install Symantec Mail Security, you can perform the following post-installation tasks:
- If you are using Windows 2000, set up the appropriate impersonation privileges on the IWAM account. See About setting up impersonation privileges on the IWAM account on page 51.
- Restart Internet Information Services (IIS). See Restarting the IIS on page 51.
- Implement SSL communications. See Implementing SSL communications on page 51.
- Install the license file if it was not installed during setup. See About licensing on page 63.
- Update definitions if a LiveUpdate was not performed during setup. See About keeping your server protected on page 217.
- Access the Symantec Mail Security console. See Accessing the Symantec Mail Security console on page 52.
- Configure other antivirus products that are on the same computer as Symantec Mail Security. See About using Symantec Mail Security with other antivirus products on page 57.
- Configure the number of scanning threads and scan processes, if necessary. See Setting scanning threads and number of scan processes on page 58.

About setting up impersonation privileges on the IWAM account


If you are using Windows 2000, the IWAM account is not granted Impersonate privileges for ASP.NET 1.1 on a Domain Controller. You must manually assign Impersonate a client after authentication to the IWAM account. For more information, on the Internet, go to the following URL: http://support.microsoft.com/?id=824308

Restarting the IIS


If you are upgrading from a prior version of Symantec Mail Security, after installation is complete, you must restart Internet Information Services (IIS) to ensure that Symantec Mail Security functions properly. If you are installing the product for the first time, Symantec Mail Security restarts IIS automatically after installation. To restart the IIS

Do any of the following:
- At the command prompt, type the following:
  IISRESET
- Restart your server.
- In the Windows Services window, right-click IIS Admin Service and select Restart.

Implementing SSL communications


You can configure Symantec Mail Security to use Secure Sockets Layer (SSL) communications, which requires a server certificate. You can create your own server certificate using Microsoft Certificate Services 2.0 or request one from a certificate authority. Until you do this, the console's Web service traffic to the server on the port that you chose during setup (8081 by default) is sent without encryption. After you implement SSL, you must enable SSL from the console and specify the SSL port for each server. See Modifying the port and communication properties of a server on page 83.


To implement SSL communications
1 On the computer on which Symantec Mail Security is installed, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2 In the server list, expand the folder for the server that is hosting Symantec Mail Security.
3 In the Web Sites folder, right-click Symantec Mail Security for Exchange, and then click Properties.
4 On the Directory Security tab, under Secure communications, click Server Certificate.
5 Follow the instructions in the Web Server Certificate Wizard to install the certificate.
6 On the Directory Security tab, under Secure communications, click Edit.
7 In the Secure Communications dialog box, check Require secure channel (SSL), and then click OK.
  With this setting on, IIS rejects plain HTTP requests to the Symantec Mail Security site, so every console that manages this server must be switched to SSL and to the SSL port as well.
8 On the Web Site tab, under Web site identification, in the IP Address box, type the IP address of the Symantec Mail Security server.
9 In the SSL Port box, type the port to use for SSL communications. The default port for SSL communications is 636.
  Make sure that no other service on the server is already listening on the port that you choose, and use the same port when you enable SSL for the server in the console.
10 Click OK to close the Symantec Mail Security for Exchange Properties window.

Accessing the Symantec Mail Security console


You can access the Symantec Mail Security console from the Windows Start menu or from your desktop. You must have the appropriate administrator or viewer rights to open the console. If you do not, you are prompted to provide proper authentication. See About security and access permissions on page 32.

To access the Symantec Mail Security console
Do one of the following:
- On the desktop, click the Symantec Mail Security icon.
- On the Windows menu, click Start > Programs > Symantec Mail Security for Microsoft Exchange > Server Management Console.

See About the Symantec Mail Security console on page 53.

About the Symantec Mail Security console


Figure 2-1 shows the Symantec Mail Security console.

Figure 2-1 Symantec Mail Security Home page server view (callouts: Menu bar, Toolbar, Primary navigation bar, Content area)


Figure 2-2 shows additional console elements.

Figure 2-2 Additional console elements (callouts: List pane, Sidebar, Preview pane, Resizing bars)

About the primary navigation bar


Management operations are grouped into the following categories on the primary navigation bar:
Home      Lets you view server status, recent activities, and violation statistics. See About the Home page on page 55.
Policies  Lets you create and configure sets of rules that are implemented by specific scans.
Monitors  Lets you configure notification addresses and quarantine settings and monitor quarantine data and events.
Scans     Lets you create, configure, schedule, and run scans.
Reports   Lets you view and print data collected by Symantec Mail Security.
Admin     Lets you update definitions, configure system settings, and install licenses.


About the Home page


Table 2-4 provides a summary of the information that is displayed on the Home page for the server or group that is selected. The information is categorized in content panes.

Table 2-4 Home page content panes

Status
  If you are in a group view, the Status pane provides the following information about the status of the servers in the group:
  - Name: Provides the names of the servers.
  - SMSMSE Service State: Indicates whether the services are started or stopped. If the services have been started, indicates when and for how long.
  - Exchange State: Indicates whether the Exchange stores are enabled or disabled.
  - Auto-Protect State: Indicates whether auto-protect scanning is enabled or disabled.
  - Virus Definitions Date: Indicates the date of the definitions that are being used to scan messages.
  - SPA license status: Indicates whether the Symantec Premium AntiSpam license is valid.
  If you are in a server view, the Status pane provides the following information about the selected server:
  - Server name: Provides the name of the server.
  - SMSMSE service state: Indicates whether the service is started or stopped. If the service has been started, indicates when and for how long.
  - Exchange store state: Indicates whether the Exchange store is enabled or disabled.
  - Auto-Protect state: Indicates whether auto-protect scanning is enabled or disabled.
  - Virus definitions date: Indicates the date of the definitions that are being used to scan messages.
  - SPA license status: Indicates whether the Symantec Premium AntiSpam license is valid.

56 Installing Symantec Mail Security for Microsoft Exchange Post-installation tasks

Table 2-4 Pane


Recent Activity

Home page content panes (Continued) Description


The Recent Activity pane provides the following information:

Top Ten Threats/Security Risks This list shows the ten threats and security risks that were detected. The list also provides the number of incidents for each threat or security risk. Top Ten Spam Domains This list shows the top ten domains from which spam was most frequently received. It also provides the total number of messages from the domain, the number of messages that were classified as spam, and the percentage of spam messages that were received from the domain.

Total Violations

This pie chart illustrates the percentages of the violations in the time specified in Report Settings. If Store no data is selected, the chart is blank. Violations are shown in following categories: Threats and risks, spam, and content violations. The categories are color coded as follows:

Gold: Threats (such as viruses, Trojan horses, and worms) and security risks (such as spyware and adware) Orange: Spam Blue: Content filtering violations

Installing Symantec Mail Security for Microsoft Exchange Post-installation tasks

57

Table 2-4 Pane


Activity Summary

Home page content panes (Continued) Description


This pane provides a summary of the scanning activity in the time specified in Report Settings. If Store no data is selected, the quantities are blank. The information provided is as follows:

Files scanned via VSAPI: Total number of files scanned through Microsoft Virus Scanning API (VSAPI) Files scanned via SMTP: Total number of files scanned through Simple Mail Transfer Protocol (SMTP) Messages scanned via SMTP: Total number of messages scanned through SMTP Virus infections: Total number of virus infections detected Content enforcement violations: Total number of content enforcement violations that were detected

If Symantec Premium AntiSpam is enabled, the following information appears:


Spam: Number of spam messages that were detected since last reset Suspected spam: Number of suspected spam messages detected since last reset Suspected spam and SCL: Number of suspected spam messages with Spam Confidence Level (SCL) that were detected since last reset Not spam: Number of messages scanned since last reset that are not spam

About using Symantec Mail Security with other antivirus products


If you have Symantec AntiVirus Corporate Edition installed on the same computer as Symantec Mail Security, you can configure Symantec AntiVirus to perform definition updates. When Symantec AntiVirus Corporate Edition is installed on a Microsoft Exchange server, you must configure Symantec AntiVirus Corporate Edition following the guidelines that are described in a Knowledge Base article. To view the Knowledge Base article, on the Internet, go to the following URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2000110108382454?Open&src=w


The Knowledge Base article also provides instructions for how you can configure Symantec AntiVirus Corporate Edition (or any other antivirus program that is running on the same computer as Symantec Mail Security) to exclude certain folders from scanning. If another antivirus program scans the Exchange directory structure or the Symantec Mail Security processing folder, it can cause false-positive threat detection, unexpected behavior on the Exchange Server, or damage to the Exchange databases.

Setting scanning threads and number of scan processes


To control scanning speed and performance, Symantec Mail Security lets you set the number of VSAPI scanning threads and the number of scan processes. The default number of scan processes is configured using the following formula: (number of processors) x 2 + 1. Accept the default unless you have a compelling reason to do otherwise.

Symantec Mail Security counts a hyper-threaded processor as more than one processor. For example, if you have a dual hyper-threaded processor on your computer, Symantec Mail Security calculates the number of scan processes as follows:

Number of processors (4) x 2 + 1 = 9

When the load is heavy, all nine scan processes are scanning messages. This can consume a lot of memory, which can severely affect the performance of your Exchange server. If you have a hyper-threaded processor on your computer, configure the number of scan processes based on the actual number of physical processors. For example, if you have a dual hyper-threaded processor, configure the number of scan processes as follows:

Number of physical processors (1) x 2 + 1 = 3

Note: If you are using Intel Xeon processors, you must set this value using the formula based on the number of physical processors, instead of the number reported by the operating system.

To set scanning threads and number of scan processes

1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click System Settings.
3 In the Number of VSAPI scanning threads box, type the number of threads to use for VSAPI scanning. The default value is 3.
4 In the Number of scan processes box, type the number of scan processes. The default is configured during installation using the formula 2 times the number of processors plus 1.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
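The hyper-threading caveat above is easy to miss on a server that somebody else built, because the installer simply applies the formula to the processor count the operating system reports. The following PowerShell is an added example, not part of the Symantec guide or product: it reads the socket count and the logical-processor count through WMI and compares the installer's default with the value the guide's physical-processor formula gives. The function name Get-ScanProcessRecommendation is an assumption, as is the expectation that Win32_Processor exposes NumberOfLogicalProcessors (true on Windows Server 2008 and later).

```powershell
# Added example, not from the Symantec guide: compare the scan-process count
# the installer derives from the OS-reported processor count with the count
# the guide recommends on hyper-threaded hardware (physical processors x 2 + 1).
function Get-ScanProcessRecommendation {
    param(
        [int]$PhysicalProcessors,   # sockets, e.g. 1 for a dual-core hyper-threaded CPU
        [int]$LogicalProcessors     # what the OS reports, e.g. 4 for that same CPU
    )
    $installerDefault = ($LogicalProcessors  * 2) + 1   # formula on the OS-reported count
    $recommended      = ($PhysicalProcessors * 2) + 1   # formula on physical processors
    if ($installerDefault -gt $recommended) {
        $action = "Lower 'Number of scan processes' from $installerDefault to $recommended"
    } else {
        $action = "Keep the default of $installerDefault"
    }
    [pscustomobject]@{
        PhysicalProcessors = $PhysicalProcessors
        LogicalProcessors  = $LogicalProcessors
        InstallerDefault   = $installerDefault
        Recommended        = $recommended
        HyperThreaded      = ($LogicalProcessors -gt $PhysicalProcessors)
        Action             = $action
    }
}

# Read the counts from the local server. Each Win32_Processor instance is one
# socket (physical processor); NumberOfLogicalProcessors includes hyper-threads.
# Assumption: Windows Server 2008 or later, where this property exists.
$cpus     = @(Get-WmiObject -Class Win32_Processor)
$physical = $cpus.Count
$logical  = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum

Get-ScanProcessRecommendation -PhysicalProcessors $physical -LogicalProcessors $logical |
    Format-List

# The guide's own worked case: one dual-core hyper-threaded processor reports
# four processors, so the installer picks 9 where the guide recommends 3.
Get-ScanProcessRecommendation -PhysicalProcessors 1 -LogicalProcessors 4 | Format-List
```

Run it on the Exchange server before accepting the installer's default; if the Action line says to lower the value, set the Number of scan processes box to the Recommended figure and deploy the change as described in the procedure above.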

Migrating to version 5.0.3


Symantec Mail Security supports upgrades from Symantec Mail Security 4.x. If you are upgrading from a previous version, the policy settings that you configured on the previous installation are incorporated into the applicable policy on the new installation. If you are upgrading from version 5.0x, all user settings are retained.

Symantec Mail Security 5.x for Exchange does not contain a separate multiserver console. Single and multiple servers are administered from the same console. Multiserver console settings do not migrate to the new version. You must add any existing servers to be upgraded to an asset group (for example, Global). You can use the Install/Upgrade servers feature to upgrade the selected server. Once all of the servers are upgraded, you can uninstall the console from the prior version using the Add/Remove Programs feature in the Control Panel.

Custom policies, content filtering rules, and report templates do not migrate to the new version.

Table 2-5 lists the data and settings that migrate from version 4.x to the new version.

Table 2-5 Version 4.x migration settings

Auto-protect: Migrates to the new version as the standard policy
Auto-protect statistics: Migrates as is
Mass-Mailer Rule: Only the enable/disable setting migrates
Basic Virus Rule: Migrates as is
Virus subpolicy: Only the enable/disable setting migrates
Filtering subpolicy: Migrates to the new version as the standard policy; the enable/disable setting migrates
Exception subpolicy: All existing exception rules and settings migrate
Certificate, license files, and registry keys: Migrate as is
Quarantine files: Migrate as is
Quarantine settings: Migrate as is
Spam settings: Migrate as is
Clear outbreak settings: Migrate as is
Alerting/Notification settings: All settings migrate except the AMS and Messenger settings
LiveUpdate/Rapid Release settings: All settings migrate
Match lists: Migrate as is
Spam XML file: Migrates as is

Uninstalling Symantec Mail Security


When you uninstall Symantec Mail Security in a clustered environment, you are prompted to unregister the Symantec Mail Security resource DLL that was configured during installation. This needs to be done only once and can be done on any of the cluster nodes. You must delete all instances of the Symantec Mail Security resource from every EVS group before unregistering the cluster resource. See Considerations before you install on a Microsoft Exchange cluster on page 46.

Stop Microsoft Internet Information Services (IIS) before you uninstall the product. This ensures that all of the files that are installed with the product are removed.

To stop Microsoft IIS

1 On the Windows menu, click Start > Administrative Tools > Services.
2 In the Services window, right-click IIS Admin Service and select Stop.
3 Close the Services window.


To uninstall Symantec Mail Security

1 On the server on which Symantec Mail Security is installed, on the Windows menu, click Start > Control Panel.
2 In the Windows Control Panel, click Add or Remove Programs.
3 Click Symantec Mail Security 5.0 for Exchange, and then click Remove.
4 In the confirmation dialog box, click Yes.
5 In the Information dialog box, click OK to confirm that you have stopped IIS.
6 When the uninstallation is complete, click OK.


Chapter 3

Activating licenses

This chapter includes the following topics:

About licensing
How to activate a license
If you want to renew a license

About licensing
Key features for Symantec Mail Security, which include definition updates and Symantec Premium AntiSpam, are activated by a license. When a license expires or no license is installed, limited functionality is available. To regain product functionality when your license expires, you must renew and reactivate your license subscription.

Table 3-1 describes the licenses that are required.

Table 3-1 Symantec Mail Security licenses

Content license: A content license is required to update Symantec software with the latest associated content (such as new definitions) through LiveUpdate and Rapid Release. A valid content license enables your servers to stay protected. When the content license is missing or invalid, you cannot download definition updates to keep protection current. See About keeping your server protected on page 217.

Symantec Premium AntiSpam license: This license is required to enable Symantec Premium AntiSpam. Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available. When the Symantec Premium AntiSpam license is missing or invalid, the premium antispam service does not function, but the heuristic antispam feature is available. See How to detect spam using Symantec Premium AntiSpam on page 114.

Definition updates and updates to Symantec Premium AntiSpam are limited to the period of time that is specified by the license. The start and end dates of the license period depend on the terms of your license agreement. See If you want to renew a license on page 69.

You must install one license file on each server that is running Symantec Mail Security or on each member of an Exchange cluster. You cannot replicate license files.

Note: If you are upgrading from version 4.x, existing licenses are automatically recognized and do not need to be reinstalled.

How to activate a license


Symantec issues a serial number for each type of license that you purchase. Each serial number must be registered (individually or at the same time) to receive a license key for the associated license. License keys are delivered in a Symantec license file (.slf). The serial number is provided on a license certificate, which is mailed separately and arrives in the same time frame as your software. For security reasons, the license certificate is not included in the Symantec Mail Security software distribution. If you are upgrading from a previous version of the product and you have an active maintenance contract, you might receive the serial number certificate with an upgrade insurance letter. See If you want to renew a license on page 69.


License activation involves the following process:


Obtain a license file from Symantec. To request a license file, you must have the license serial number for each license that you want to activate. After you complete the registration process, Symantec sends you the appropriate license file by email. See Obtaining a license file on page 65.

Install the license file. You must install the product licenses on each server on which you run Symantec Mail Security or on each member of an Exchange cluster. If you purchased a subscription for Symantec Premium AntiSpam, you must install the Symantec Premium AntiSpam license on the servers on which you intend to use the premium antispam service. See Installing license files on page 68.

If you do not have a serial number


Your license certificate, which contains the serial numbers for the licenses that you have purchased, should arrive within three to five business days of when you receive your software or subscribe to Symantec Premium AntiSpam. If you do not receive the license certificate, contact Symantec Customer Service at 800-721-3934 or your reseller to check the status of your order. If you have lost your license certificate, contact Symantec License Administration. See Where to get more information about Symantec Mail Security on page 27.

Obtaining a license file


To request a license file, you must have the serial number that is required for activation. (Each license has a separate serial number.) The serial number is used to request a license file and to register for support. The serial number is printed on the license certificate that was mailed to you. The format of a serial number is a letter followed by 10 digits, for example, F2430482013. See If you do not have a serial number on page 65.

If you purchased multiple types of licenses but registered them separately, Symantec sends you a separate license file for each license. You must install each license file separately. If you registered multiple licenses at the same time, Symantec sends you a single license file that contains all of your licenses.


The license file that Symantec sends to you is contained within a .zip file. The .slf file that is contained within the .zip file is the actual license file. Ensure that your inbound email environment permits .zip email message attachments.

Warning: License files are digitally signed. If you try to edit a license file, you will corrupt the file and render it invalid.

To obtain a license file

1 In a Web browser, type the following address: https://licensing.symantec.com
Your Web browser must use 128-bit encryption to view the site.
2 If a Security Alert dialog box appears, click OK.
3 In the Serial Number box, type the 11-digit serial number that is provided on the license certificate, and then click Next. If you are registering multiple types of licenses, type one of the serial numbers.
4 If you have an additional license that you want to register, in the Number 2 box, type the serial number.
5 Click Enter another serial number to add additional serial numbers, and in the serial number box, type the serial number. Repeat this step until you have added the serial numbers for all of the licenses that you want to register.
6 Click Next.
7 In the Email Address box, type the email address where you want Symantec to send the license file.
8 In the Confirm Email Address box, type the email address again, and then click Next.
9 Provide your contact information in the boxes available, and then click Next. First name, last name, work phone, and email address fields must be completed to continue the registration process.
10 Confirm that the license registration information is accurate, and then click Complete this registration.
Symantec sends you an email message that contains the license file in an attachment. If the email message does not arrive within two hours, an error might have occurred, such as an invalid email address entry. Try again to obtain the license file through the Symantec Web site. If the problem continues, contact Symantec Technical Support. See Where to get more information about Symantec Mail Security on page 27.

About the Symantec Premium AntiSpam license file


To enable Symantec Premium AntiSpam, you must activate the Symantec Premium AntiSpam license. You must install the license file before you enable the premium antispam service. You only need to install the Symantec Premium AntiSpam license on the servers that receive email and on which you intend to use Symantec Premium AntiSpam. When you install the Symantec Premium AntiSpam license, the heuristic spam detection feature is disabled. See Installing license files on page 68.

If you register the Symantec Premium AntiSpam service license separately from the content license, you receive a separate license file. You must install this license file separately. If you register all of the licenses simultaneously, you receive one license file. You must install this license file on all servers that require any of the licenses that are contained in the license file. See Obtaining a license file on page 65.

Internet access for the server is required to activate the license and to receive updated spam detection filters. Updates to the premium antispam service are handled through Symantec Premium AntiSpam and not through LiveUpdate. Symantec Premium AntiSpam does not support the installation of license files from path names that contain high ASCII or double-byte characters.

Note: When you install the Symantec Premium AntiSpam license, the heuristic spam detection settings are disabled.


Installing license files


You must install the license file on each server on which Symantec Mail Security is installed. If you are running in a cluster configuration, you must install the license file on each cluster node. You can install a license file on one or more servers within a server group at one time. You can install your licenses during product installation or from the console. Symantec Mail Security issues periodic messages in the Event Log to notify you that your license is invalid or expired until a valid license is properly installed. See About installing Symantec Mail Security on page 34.

To install license files to a local server

1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click Licensing.
3 In the content area, do one of the following:
In Step 3, under Enter path to the license file, type the fully qualified path to the license file. If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.
Click Browse, select the license file, and then click Open. If the license file does not reside on the same computer, you can locate the file using My Network Places.
4 Click Install.
5 Repeat steps 3 and 4 for each license that you have to install.

To install license files to a remote server or server group

1 In the console on the toolbar, click Change.
2 In the Select Asset window, select Global Group or a specific server or server group from the menu.
3 Click Select.
4 On the primary navigation bar, click Admin.
5 In the sidebar under Views, click Licensing.
6 In the content area, do one of the following:
In Step 3, under Enter path to the license file, type the fully qualified path to the license file. If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.
Click Browse, select the license file, and then click Open. If the license file does not reside on the same computer, you can locate the file using My Network Places.
7 Click Install. If a server within a server group is already licensed, the license file is reapplied. The license file with the latest expiration date is applied.
8 Repeat steps 6 and 7 for each license that you have to install.

Checking the license status of a server


You can check the status of your content and Symantec Premium AntiSpam licenses in the server view. You can use this information to verify that your licenses are current and that your product is protecting your computers.

To check the license status of a server

1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click Licensing.
The licensing information appears in the content area.

If you want to renew a license


When a server has an expired Symantec Premium AntiSpam license or when the Symantec Premium AntiSpam license is missing or invalid, Symantec Premium AntiSpam is disabled. When a server has an expired content license or when the content license is missing or invalid, content updates are not applied to your product, which can leave your server vulnerable to attacks. When a content license expires, you must renew your Maintenance Agreement to receive content updates.


The process for license renewal depends on how you purchased your software, as follows:

If you purchased Symantec Mail Security through the Symantec Value or Elite Enterprise Licensing programs: To determine whether your Maintenance Agreement has been renewed and if new licenses are available, contact your administrator, reseller, or Symantec account manager. After your Maintenance Agreement is renewed, you receive new serial numbers that you can register to obtain your new license files.

If you purchased Symantec Mail Security Small Business Edition: For more information about license renewal, on the Internet, go to the following URL: www.symantecstore.com/renew

Chapter 4

Managing your Exchange servers

This chapter includes the following topics:

About managing your Exchange servers
Deploying settings to a server or group
How to manage servers and server groups

About managing your Exchange servers


Symantec Mail Security can simplify the management of one or more Microsoft Exchange servers across your organization. You can create server groups that have a common purpose and, therefore, require the same protection. By grouping servers, you can apply a common set of protection settings once, rather than repeatedly to each server. In a large network with multiple servers that perform similar roles, the reduction in configuration time and maintenance costs can be considerable.


You can configure settings for each server individually. To configure and manage multiple servers, you can use the following groups:

Global Group: All of the servers that you manage through the Symantec Mail Security console are part of the Global server group. This group includes servers that are added to user-defined groups as well as servers that are added to multi-server management control but are not assigned to a specific server group. When you configure and apply Global Group settings, the changes are propagated to all servers in all groups. Changes that are made at the Global Group level overwrite all individual server and user-defined server group settings.

User-defined server groups: A user-defined server group is a grouping of servers that have common roles and, therefore, require similar configurations. Configuring settings for a group simplifies server management. For example, a server group might be all of the mail servers that are used by a department (for example, marketing) or the physical location of a group of mail servers (for example, third floor servers in Building A). A managed server can only belong to one user-defined group. All servers belong to the Global Group. See Moving a server to another group on page 78.

See Viewing the status of a server on page 75.

Settings for an individual server are stored by the server. Symantec Mail Security saves the settings for groups in the following default file location:

\Documents and Settings\All Users\Application Data\Symantec\SMSMSE\5.0

When you delete a group, the associated files are automatically deleted.

Deploying settings to a server or group


Symantec Mail Security lets you make changes to multiple pages before you apply those settings. When the Deploy changes icon on the toolbar is active, it indicates that you have made changes that you need to apply.


You can manage change deployment using the following toolbar icons:

Deploy changes: Lets you deploy your changes. If you are in the server view, deploys your changes to the server. If you are in the group view, deploys your changes to each server in the group.

Discard changes: Lets you cancel pending changes. When you cancel pending changes, settings are returned to their configuration as of the last time changes were successfully deployed.

Deploy all settings: If changes are pending, applies the pending changes to the group settings, and then pushes out the group settings to all of the servers in the group. If no changes are pending, pushes out the group settings to all of the servers in the group. This option is only available in group view. Note: Any configuration settings that were made to an individual server within the group are overwritten.

After you deploy your changes, the Operation Status window indicates which changes were successfully applied.

To deploy pending changes to a server or group

1 In the console on the toolbar, click Deploy changes.
2 In the Pending changes window, click Deploy changes.
3 In the Operation Status window, click Close when the operation is complete.

To apply pending changes (if any) and deploy group settings to each server in the group

1 In the console on the toolbar, click Deploy all settings. The Deploy all settings icon is only enabled in group view.
2 In the confirmation dialog box, click OK.
3 In the Operation Status window, click Close when the operation is complete.

To cancel pending changes

1 In the console on the toolbar, click Discard changes.
2 In the confirmation dialog box, click OK.


How to manage servers and server groups


You can manage servers and server groups by doing any of the following:

Modifying or viewing server or server group settings
Viewing the status of a server
Creating a server group
Adding servers to a group
Moving a server to another group
Synchronizing group settings to a server
Restoring default settings to a server or group
Removing a server from group management
Removing a server group
Importing and exporting settings
Modifying the port and communication properties of a server

Modifying or viewing server or server group settings


Symantec Mail Security lets you manage one or more servers from a single console. The Server/group box on the toolbar indicates the server or group that is currently selected. The settings that you make and deploy are applied to that server or group. You can view and modify the settings of a different server or group by selecting the server or group in the Select Asset window.

To modify or view server or server group settings

1 In the console on the toolbar, click Change.
2 In the Select Asset window, select the server or group whose settings you want to modify or view.
3 Click Select.


Viewing the status of a server


Symantec Mail Security provides server status information on the Home page. You can view more detailed information about the status of a server on the Monitors > Server Status page. The server status details appear in the Server Status preview pane. If you are in a group view, the Server Status list contains all of the servers in the group. (The first time that you access the Server Status in a group view, you must refresh the page for the list of servers to appear.) If you are in a single server view, the Server Status list contains just the server that you selected.

Table 4-1 provides a description of the information that is provided in the Server Status preview pane.

Table 4-1 Server Status preview pane information

Auto-Protect state: Whether auto-protect scanning is started or stopped
Auto-Protect status: Whether auto-protect scanning is enabled or disabled
Installed version: The version of Symantec Mail Security that is installed on the server
Latest update for installed version: The latest available update, if any, for the version of Symantec Mail Security that is installed
Sunset date for installed version: The date after which no further updates are available for the version of Symantec Mail Security that is installed
Currently available version: The version of Symantec Mail Security that is currently available, if different from the version that is installed
Virus definition date: The date of the definition files that are on the server
Virus definition revision: The revision number of the definition files on the server
Virus definitions count: The number of definitions in the definition file
Latest virus definitions update attempt: The date of the most recent attempt to update definitions
Exchange store state: Whether the Exchange store is started or stopped
SMSMSE service state: Whether the Symantec Mail Security service is started or stopped
SMSMSE service start time: If the service is started, indicates the date and time Symantec Mail Security was last started. If the service is not started, indicates that the service is not started.
Symantec Premium AntiSpam: Whether Symantec Premium AntiSpam is enabled or disabled
Virus definition license status: Whether the content license is valid or invalid
Symantec Premium AntiSpam license status: Whether the Symantec Premium AntiSpam license is valid or invalid
Number of items in quarantine: The number of items in the local quarantine

To view the status of a server

1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Server Status.
3 In the Server Status list pane, select the server whose status you want to view. If you are in a server view, the server is already selected. Press F5 to refresh the list. Refreshing the list might take several minutes for a large group.
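The Status pane on the Home page (Table 2-4) and the Server Status preview pane (Table 4-1) expose the values that decide whether a server is actually protected: service and Auto-Protect state, definition date, license validity, and sunset date. Reading them one server at a time in the console does not scale to a group, so the following PowerShell is an added example, not from the Symantec guide or product: it walks a set of constructed status records whose property names follow the Table 4-1 labels and reports every server that has a protection gap. The function Test-SmsmseServerStatus, its definition-age and quarantine-backlog thresholds, and the sample records are all assumptions; in practice you would populate the records from the console or from your monitoring system.

```powershell
# Added example, not from the Symantec guide: flag servers whose Server Status
# values (Table 4-1 labels) indicate a protection gap. The records below are
# constructed sample data, not output captured from a real console.
$servers = @(
    [pscustomobject]@{
        Name = 'EXCH01'; SmsmseServiceState = 'Started'; AutoProtectState = 'Started'
        AutoProtectStatus = 'Enabled'; ExchangeStoreState = 'Started'
        VirusDefinitionDate = (Get-Date).AddDays(-1); SunsetDate = (Get-Date).AddYears(1)
        VirusDefinitionLicenseStatus = 'Valid'; SpaLicenseStatus = 'Valid'
        ItemsInQuarantine = 12
    },
    [pscustomobject]@{
        Name = 'EXCH02'; SmsmseServiceState = 'Started'; AutoProtectState = 'Stopped'
        AutoProtectStatus = 'Disabled'; ExchangeStoreState = 'Started'
        VirusDefinitionDate = (Get-Date).AddDays(-21); SunsetDate = (Get-Date).AddYears(1)
        VirusDefinitionLicenseStatus = 'Invalid'; SpaLicenseStatus = 'Valid'
        ItemsInQuarantine = 0
    },
    [pscustomobject]@{
        Name = 'EXCH03'; SmsmseServiceState = 'Stopped'; AutoProtectState = 'Stopped'
        AutoProtectStatus = 'Enabled'; ExchangeStoreState = 'Started'
        VirusDefinitionDate = (Get-Date).AddDays(-3); SunsetDate = (Get-Date).AddDays(-10)
        VirusDefinitionLicenseStatus = 'Valid'; SpaLicenseStatus = 'Invalid'
        ItemsInQuarantine = 340
    }
)

function Test-SmsmseServerStatus {
    param(
        [Parameter(ValueFromPipeline)] $Server,
        [int]$MaxDefinitionAgeDays = 7,     # assumption: your own staleness threshold
        [int]$MaxQuarantineItems  = 250     # assumption: your own backlog threshold
    )
    process {
        $findings = @()
        if ($Server.SmsmseServiceState -ne 'Started') {
            $findings += 'SMSMSE service not started: no scanning at all'
        }
        if ($Server.AutoProtectStatus -ne 'Enabled' -or $Server.AutoProtectState -ne 'Started') {
            $findings += 'Auto-Protect not running: the store is not scanned in real time'
        }
        $defAge = ((Get-Date) - $Server.VirusDefinitionDate).Days
        if ($defAge -gt $MaxDefinitionAgeDays) {
            $findings += "Virus definitions are $defAge days old"
        }
        if ($Server.VirusDefinitionLicenseStatus -ne 'Valid') {
            $findings += 'Content license invalid or expired: definition updates stop'
        }
        if ($Server.SpaLicenseStatus -ne 'Valid') {
            $findings += 'Premium AntiSpam license invalid or expired: premium antispam is disabled'
        }
        if ($Server.SunsetDate -lt (Get-Date)) {
            $findings += 'Installed version is past its sunset date: no further updates'
        }
        if ($Server.ItemsInQuarantine -gt $MaxQuarantineItems) {
            $findings += "Quarantine backlog: $($Server.ItemsInQuarantine) items"
        }
        [pscustomobject]@{
            Server   = $Server.Name
            Healthy  = ($findings.Count -eq 0)
            Findings = $findings
        }
    }
}

# Report only the servers that need attention, one line per server.
$servers | Test-SmsmseServerStatus | Where-Object { -not $_.Healthy } |
    ForEach-Object { '{0}: {1}' -f $_.Server, ($_.Findings -join '; ') }
```

With the sample records, EXCH01 is reported healthy, EXCH02 is flagged for Auto-Protect, stale definitions and an invalid content license, and EXCH03 for a stopped service, a sunset version, an invalid Premium AntiSpam license and a quarantine backlog. The checks map directly onto the consequences the guide describes: a missing content license stops definition updates, a missing Premium AntiSpam license disables premium antispam, and a stopped service or Auto-Protect means mail is not being scanned.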

Creating a server group


There are two general categories of server groups: the Global Group and user-defined groups. The Global Group is the default server group. You can keep all of your Microsoft Exchange servers that run Symantec Mail Security in the Global Group. If your network contains a large number of Exchange servers, you can create server groups in addition to the Global Group, add servers to these groups, and administer all of your servers that run Symantec Mail Security on a group basis.


To create a server group
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Add group.
3 In the Add New Management Group window, type a name for the server group, and then click OK.
4 Click Close.

Adding servers to a group


You can add servers to a server group that have a common purpose and, therefore, require the same protection. By adding a server to a group, you can apply a common set of protection settings once, rather than repeatedly to each server. In a large network with multiple servers that perform similar roles, the reduction in configuration time and maintenance costs can be considerable.

All servers are added to the Global Group. However, a server can only reside in one user-defined server group at a time. You can create a new server group dynamically when you add a server to a group.

You can install or upgrade Symantec Mail Security on servers that you are adding to a server group. All servers must be running Symantec Mail Security 5.0x to be managed from the console. See About installing Symantec Mail Security on page 34.

To add servers to a group
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Add servers.
3 In the Add Server(s) window, under Management group, do one of the following:
  To select an existing group: Click Select group, select the existing group to which you want to add the server, and then click OK.
  To create a new group: In the Group box, type the name of the new server group that you want to create.
4 Under Servers to add, do one of the following:
  In the Available servers list, select one or more servers, and then click the >> command icon.
  In the Server name or IP box, type the server name or IP address of the server that you want to add, and then click the >> command icon.
5 Under Server options, in the TCP port number box, type the TCP port number for the server or group of servers that you want to add. The default port number is 8081. The port number must be the same for all servers that you want to add. The port number and SSL setting must be identical for the console to communicate with the server. See Modifying the port and communication properties of a server on page 83.
6 Check Send group settings to apply group settings to the newly added server. If unchecked, existing server settings are retained. Future changes that are made to the server group are applied to the server.
7 Check Install SMSMSE to install Symantec Mail Security on the newly added server.
8 Check Keep installation files on server(s) to maintain the installation files on the server.
9 Click OK, and then click Close.

Moving a server to another group


You can move a server from one group to another group. You can choose to retain the server's settings or apply the settings of the new group.

Move a server to another group


If you have already created the group to which you want to move the server and you do not want to apply the group's settings, you can move the server by dragging it to the group. If you need to create a new group, if you are moving multiple servers, or if you want to apply group settings to the newly added server, you can use the Move Server window.


To drag a server to another group
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.
3 Select the server that you want to move and drag it into the new server group.
4 In the confirmation dialog box, click OK.
5 Click Close.

To move a server to another group using the Move Server window
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.
3 Do one of the following:
  Select the server that you want to move, and then under Tasks, click Move server.
  Right-click the server that you want to move, and then click Move server.
4 In the Move Server window, do one of the following:
  Select the server group to which you want to add the server.
  In the Select a group or add a new group box, type the name of a new server group.
5 Click Send group settings to server to apply the settings of the targeted server group to the server.
6 Click OK, and then click Close.


Synchronizing group settings to a server


Settings on a particular server might not be synchronized with its server group settings. This can occur, for example, if a server is configured in the server view.

To synchronize group settings to a server
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, under Assets, select the server to which you want to apply group settings.
3 In the sidebar under Tasks, click Send group settings to server. This applies the settings of the server group to the selected server.
4 In the Operation Status window, click Close when the operation is complete.
5 In the Asset Management window, click Close.

Restoring default settings to a server or group


You can restore all of the settings for a server or group to their initial, default settings. Restoring default settings also deletes any custom content filtering rules, match lists, report templates, and scheduled scans that you have created. It does not delete existing reports.

When you restore default settings, the Symantec Mail Security service is restarted. The process could take several minutes to complete. While the service is restarting, the console might not accurately reflect the correct settings. You should log off and log back into the console.

To restore default settings to a server or group
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, under Assets, select the server that you want to restore to the default settings.
3 In the sidebar under Tasks, click Reset to factory defaults.
4 In the confirmation dialog box, click OK.
5 In the Operation Status window, click Close when the operation is complete.
6 In the Asset Management window, click Close.
7 In the console on the menu bar, click File > Exit to close the console.


Removing a server from group management


When you remove a server from the Global Group, you can no longer manage the server through the Symantec Mail Security console. Removing a server does not uninstall Symantec Mail Security from the server. Symantec Mail Security continues to provide protection. However, you cannot modify server settings or view the server status from the Symantec Mail Security console.

To remove a server from group management
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, under Assets, in the Global Group list, select one or more servers that you want to remove.
3 In the sidebar under Tasks, click Remove servers.
4 In the confirmation dialog box, click OK.
5 Click Close.

Removing a server group


If a user-defined server group is no longer needed, you can remove it. The server group settings are retained on the servers that are in the group until new settings are applied. If you remove a user-defined server group, the servers that belong to the group can be managed through the Global Group.

Note: You cannot remove the Global Group.

To remove a server group
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, under Assets, select the group that you want to remove. The Global Group cannot be removed.
3 In the sidebar under Tasks, click Remove group.
4 In the confirmation dialog box, click OK.
5 Click Close.


Importing and exporting settings


Symantec Mail Security provides a feature that lets you export the settings for a server or group to an .xml file. This lets you save the settings as a backup file or import the settings to another computer.

When you import settings, you can view the setting configurations in the console. However, the settings are not applied until you deploy them. You can only deploy settings for Symantec Premium AntiSpam if the computer on which you are importing the settings has a valid Symantec Premium AntiSpam license.

You can only export setting configurations, not data such as items in the Event Log. Before you export settings, ensure that you deploy all pending changes.

To export settings
1 In the console on the menu bar, click File > Export.
2 In the confirmation dialog box, click OK.
3 In the Select the file to save exported settings window, choose the location where you want to save the file.
4 In the File name box, type the file name.
5 Click Save.
6 In the Operation Status window, click Close when the operation is complete.

To import settings
1 In the console on the menu bar, click File > Import.
2 In the confirmation dialog box, click OK.
3 In the Select the file to save exported settings window, locate the file that you want to import.
4 Click Open.
5 In the console on the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Modifying the port and communication properties of a server


After a server is added to management control, you can change the Transmission Control Protocol (TCP) port and specify whether to use Secure Sockets Layer (SSL) for communication between the console and a server. See Implementing SSL communications on page 51.

To modify the port and communication properties of a server
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, under Assets, select a server.
3 In the sidebar under Tasks, click Server properties.
4 In the Properties window, in the Port number box, type the new port number. The default port number is 8081.
5 Check Use SSL to use SSL for communication between the console and server.
6 Click OK, and then click Close.


Chapter

Quarantining messages and attachments


This chapter includes the following topics:

About the quarantine
Forwarding quarantined items to the Quarantine Server
Establishing local quarantine thresholds
Viewing the contents of the local quarantine
Release messages from the quarantine
Deleting an item from the quarantine

About the quarantine


Symantec Mail Security provides the following options for quarantining messages:

Local quarantine: When you configure Symantec Mail Security policies, you can choose to send infected messages and attachments to the local quarantine. You can also configure policies to quarantine messages that trigger violations. See Establishing local quarantine thresholds on page 87. See Viewing the contents of the local quarantine on page 88. See Deleting an item from the quarantine on page 93.

Quarantine Server: You can forward infected files that are in the local quarantine to the Quarantine Server, if one has been set up on your network. When you send quarantined files to the Quarantine Server, the files are forwarded to Symantec for analysis in real time using HTTPS communications. Symantec automatically distributes updated definitions to the Quarantine Server when they are available. The Quarantine Server is a component of Symantec AntiVirus Central Quarantine. Symantec Mail Security supports version 3.3 or later of the Symantec AntiVirus Central Quarantine Server. Version 3.3 is provided on the Symantec Mail Security CD in the following location and must be installed separately:
\ADMTOOLS\DIS
For more information about the Symantec AntiVirus Central Quarantine, see the Symantec Central Quarantine Administrator's Guide, which is located on the product CD in the following location:
\DOCS\DIS\CentQuar.pdf

Note: Files that contain non-viral threats, are unscannable, or violate content filtering rules are not forwarded to the Quarantine Server.

Forwarding quarantined items to the Quarantine Server


If you have installed the Quarantine Server, you can configure Symantec Mail Security to forward local quarantine events to the Quarantine Server.

To forward quarantined items to the Quarantine Server
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 In the content area, under Quarantine Server, check Send quarantined items to Quarantine Server.
4 Check Delete local quarantined items after forwarding to Quarantine Server to remove items from the local quarantine.
5 In the Server Address box, type the IP address of the Quarantine Server.
6 In the Server Port box, type the port number for the Quarantine Server.
7 In the Network Protocol list, click the drop-down menu and select the appropriate network protocol.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Establishing local quarantine thresholds


You can specify the thresholds for the local quarantine and how you want Symantec Mail Security to respond when a threshold is met. When you establish the quarantine thresholds for the local quarantine, you can specify the following limits:

Maximum number of items: The maximum number of messages or attachments
Maximum size of quarantine: The maximum file size (in megabytes or gigabytes) of the quarantine
Retain items in quarantine: The maximum number of days to retain a message or attachment in the quarantine

You can also specify the actions that you want Symantec Mail Security to take when a threshold is met.

To establish local quarantine thresholds
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 In the content area, under Quarantine Thresholds, check Maximum number of items to limit the number of quarantined items, and then type the maximum number of messages or attachments to retain in the quarantine. This item is checked by default. The default value is 1000.
4 To limit the maximum size of the quarantine, do the following:
  Check Maximum size of quarantine. This item is checked by default.
  Type the maximum size of the quarantine. The default value is 500.
  Click the drop-down menu and select MB or GB. The default value is MB.
5 Check Retain items in quarantine to limit how long an item is quarantined, and then type the number of days. The default value is 90.

To specify an action to take when a quarantine threshold is met
1 Under When a threshold is met, check Notify Administrator to send notification messages to an administrator list. See Configuring notification settings for scan violations on page 188.
2 Check Notify others to send notification messages to additional people. In the Notify others box, type the email addresses of the people to whom you want notifications sent. Separate email addresses with commas.
3 Check Delete oldest items to remove items that meet a threshold. This option is not enabled by default. If Delete oldest items is not checked and a quarantine size threshold is reached, the event is logged. Symantec Mail Security sends a notification to the recipients that are specified on the Quarantine Settings page.
4 Under Administrator Notification, in the Subject Line box, type your subject line text.
5 In the Message Body box, type the administrator notification message body. You can use variables in the message body. See About alert and notification variables on page 225.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
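The threshold behaviour described in the two procedures above, as an added example that is not code from this guide or from Symantec. The class and field names (LocalQuarantine, QuarantineThresholds, QuarantineItem), the constructed NOW timestamp and the sample addresses are assumptions; the defaults (1000 items, 500 MB, 90 days, Delete oldest items off) and the two outcomes (remove the oldest items, or only log the event and notify) follow the page. The page does not say how Retain items in quarantine interacts with Delete oldest items, so the example assumes every threshold is handled the same way: the oldest items go first until no threshold is exceeded.

```python
"""Threshold handling for a local quarantine, modelled on the settings above.

Added example, not code from the guide or from Symantec. Names, the NOW
timestamp and the addresses are assumptions; defaults follow the page.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

MB = 1024 * 1024
GB = 1024 * MB

# Constructed "current time" so the demo and its checks are reproducible.
NOW = datetime(2006, 6, 1, 12, 0)


def days_before(days: int) -> datetime:
    return NOW - timedelta(days=days)


@dataclass
class QuarantineItem:
    quarantine_id: str          # shown as "Quarantine Id" in the list pane
    time_encrypted: datetime    # when the file was intercepted and encrypted
    size_bytes: int


@dataclass
class QuarantineThresholds:
    max_items: int = 1000           # "Maximum number of items" default
    max_size_bytes: int = 500 * MB  # "Maximum size of quarantine" default (500 MB)
    retain_days: int = 90           # "Retain items in quarantine" default
    delete_oldest: bool = False     # "Delete oldest items" is off by default
    notify: List[str] = field(default_factory=list)  # administrator plus "Notify others"


def parse_notify_others(text: str) -> List[str]:
    """Split the comma-separated "Notify others" box into addresses."""
    return [a.strip() for a in text.split(",") if a.strip()]


class LocalQuarantine:
    def __init__(self, thresholds: QuarantineThresholds) -> None:
        self.thresholds = thresholds
        self.items: List[QuarantineItem] = []
        self.events: List[str] = []                      # stands in for the logging destinations
        self.notifications: List[Tuple[str, str]] = []   # (recipient, subject) pairs "sent"

    def add(self, item: QuarantineItem, now: datetime) -> List[str]:
        """Quarantine an item, then enforce thresholds; returns the IDs removed."""
        self.items.append(item)
        return self.enforce(now)

    def total_size(self) -> int:
        return sum(i.size_bytes for i in self.items)

    def threshold_met(self, now: datetime) -> bool:
        t = self.thresholds
        cutoff = now - timedelta(days=t.retain_days)
        return (len(self.items) > t.max_items
                or self.total_size() > t.max_size_bytes
                or any(i.time_encrypted < cutoff for i in self.items))

    def enforce(self, now: datetime) -> List[str]:
        """Apply the configured response once a threshold is met."""
        if not self.threshold_met(now):
            return []
        # The event is always logged and the configured recipients notified.
        self.events.append(f"{now.isoformat()} quarantine threshold met "
                           f"({len(self.items)} items, {self.total_size() // MB} MB)")
        for addr in self.thresholds.notify:
            self.notifications.append((addr, "Quarantine threshold reached"))
        if not self.thresholds.delete_oldest:
            return []   # nothing is removed; the quarantine keeps growing
        # Remove the oldest items (by time encrypted) until no threshold is met.
        self.items.sort(key=lambda i: i.time_encrypted)
        removed: List[str] = []
        while self.items and self.threshold_met(now):
            removed.append(self.items.pop(0).quarantine_id)
        return removed


if __name__ == "__main__":
    limits = QuarantineThresholds(max_items=3, delete_oldest=True,
                                  notify=parse_notify_others("admin@example.com, ops@example.com"))
    q = LocalQuarantine(limits)
    for n in range(4):
        print("removed:", q.add(QuarantineItem(f"q{n}", days_before(n), 1 * MB), NOW))
    print("events:", q.events)
    print("notifications:", q.notifications)
```

With Delete oldest items off, the model only records the event and the notifications, which is why the page recommends watching those notifications: the quarantine itself keeps growing until an administrator intervenes.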

Viewing the contents of the local quarantine


You can view the contents of the local quarantine for a server. You must be in the server view. See Modifying or viewing server or server group settings on page 74.


Table 5-1 lists the information that is found in the Quarantine list pane.

Table 5-1 Quarantined file summary information

Item: Description
Time encrypted: Date and time when Symantec Mail Security intercepted and encrypted the file
Recipient: Intended recipient(s) of the message
Sender: Address of the sender of the message
Message part: The part of the message that triggered the violation
Location: Location in the system where the file was intercepted
Rule violated: Policy or rule that was violated
Quarantine Id: Alphanumeric identifier that Symantec Mail Security assigns to the quarantined file
Sent to QServer: Whether the file was sent to the Quarantine Server

When you select an item in the Quarantine, details about the message (and attachments, if any) appear in the preview pane. Table 5-2 lists the detailed information that is shown in the preview pane.

Table 5-2 Quarantined file detailed information

Item: Description
Time encrypted: Date and time when Symantec Mail Security intercepted and encrypted the file
Attachment Name: The name of the attachment that triggered the violation. If the message body triggered the violation, this entry is: Message Body.
Rule violated: Policy or rule that was violated
Location: Location in the system where the file was intercepted
Sender: Address of the sender of the message
Recipient(s): Intended recipient(s) of the message
Sent to QServer: Whether the file was sent to the Quarantine Server
Virus Name: If a virus was detected, the name of the virus


To view the contents of the local quarantine
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine. This option is not available in group view.
3 In the list pane, click an item to view the item's details. The data appears in the preview pane.
4 Press F5 to refresh the display.

Release messages from the quarantine


You can release messages from the local quarantine by doing the following:

Releasing messages from the quarantine by email
Releasing messages from the quarantine to a file

Messages that are released from the quarantine are rescanned for threats. Remove or repair the threat before you release the message from the local quarantine. Otherwise, if your virus policy is to quarantine threats, Symantec Mail Security returns the message to the quarantine. Messages released from the quarantine are not filtered for spam, content filtering, or file filtering rules.

Releasing messages from the quarantine by email


You can send quarantined files to specified destinations by email. When you release a file from the quarantine by email, you remove it from the quarantine.

To release messages from the quarantine by email
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine. This option is not available in group view.
3 Do one of the following:
  In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
  In the list pane under Quarantine, select the items that you want to release. To select multiple items, press CTRL and select the items that you want to release. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release by mail.
5 In the Releasing by mail window, select one of the following:
  Send to original intended recipient(s): Sends the message to the intended recipient. The names of the original recipients are listed in the Original recipient(s) list. This list cannot be modified. This option is enabled by default.
  Send to administrators: Sends the selected file to the administrator whose address appears in the Administrators list. The administrator address cannot be modified in the Releasing by mail window. You can modify the address on the Monitors > Notification/Alerts Settings page. See Configuring notification settings for scan violations on page 188.
  Send to the following: Sends the selected file to the addresses that appear in the Alternate recipients list. In the Alternate recipients list, type the email address to which you want to email the selected quarantined item. Type each entry on a separate line.
6 Click OK.
7 In the Operation Status window, click Close when the operation is complete.


Releasing messages from the quarantine to a file


You can move quarantined messages to a folder for review or analysis. The folder is in the following location:
\Program Files\Symantec\SMSMSE\5.0\Server\Quarantine\Release
The file location cannot be modified.

To release messages from the quarantine to a file
1 In the console on the primary navigation bar, click Monitors.
2 Under Views, click Quarantine. This option is not available in group view.
3 Do one of the following:
  In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
  In the list pane under Quarantine, select the items that you want to release. To select multiple items, press CTRL and select the items that you want to release. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release to file (Save).
5 In the Releasing to file and delete dialog box, select one of the following:
  Yes: Removes the item from the quarantine after it has been saved to the Release folder.
  No: The item remains in the quarantine after it has been saved to the Release folder.
  Cancel: Cancels the file release operation.
6 In the confirmation dialog box, click OK.
7 In the Operation Status window, click Close when the operation is complete.


Deleting an item from the quarantine


You can delete one or more items from the quarantine at a time.

To delete an item from the quarantine
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine.
3 Do one of the following:
  In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
  In the list pane under Quarantine, select the items that you want to remove. To select multiple items, press CTRL and select the items that you want to delete. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Delete.


Chapter

Protecting your server from risks


This chapter includes the following topics:

About protecting your server from risks
Configuring threat detection
Configuring security risk detection
Configuring file scanning limits
Configuring rules to address unscannable container files

About protecting your server from risks


Symantec Mail Security can detect risks in all major file types (for example, Windows, DOS, Microsoft Word, and Microsoft Excel files). See About the scanning process on page 178.

Table 6-1 describes the risks that Symantec Mail Security protects your Exchange server against.

Table 6-1 Risks that can threaten your Exchange server

Risk: Description
Threats: Symantec Mail Security detects viruses, worms, and Trojan horses in all major file types. See Configuring threat detection on page 98.
Mass-mailer worms: Symantec Mail Security detects that an email message is a mass-mailer worm or virus. It automatically deletes the infected email message and any attachments. See Configuring threat detection on page 98.
Denial-of-service attacks: Symantec Mail Security protects your network from file attachments that can overload the system and cause denial-of-service attacks. This includes container files that are overly large, that contain large numbers of embedded, compressed files, or that are designed to maliciously use resources and degrade performance. To reduce your exposure to denial-of-service threats, you can impose limits to control how Symantec Mail Security handles container files. See Configuring file scanning limits on page 102.
Security risks: Symantec Mail Security detects security risks, such as adware, dialers, hack tools, joke programs, remote access programs, spyware, and trackware. See Configuring security risk detection on page 100.

Symantec Mail Security also helps you detect and block potential risks from entering your network, such as unscannable and encrypted container files. See Configuring rules to address unscannable container files on page 104.

When a risk is detected, the incident is logged to the locations that you specify. You can also configure Symantec Mail Security to issue alerts when risks are detected or when an outbreak occurs. See About outbreak management on page 189. See How Symantec Mail Security detects risks on page 97.


How Symantec Mail Security detects risks


Symantec Mail Security uses the following tools to detect risks:

Definitions: Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, and worms) to identify new threats. After a threat is identified, information about the threat (a signature) is stored in a definition file. This file contains information to detect and eliminate the threat. When Symantec Mail Security scans for threats, it searches for these signatures.

Heuristics: Symantec Mail Security uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. Bloodhound technology is capable of detecting upwards of 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead since it examines only message bodies and attachments that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a message or attachment is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.

Container file decomposer: Symantec Mail Security contains a decomposer that extracts container files so that they can be scanned for risks. The decomposer continues to extract container files until it reaches the base file. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to the Unscannable File Rule.
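The decomposer walk just described, together with the container-file limits that the Denial-of-service attacks row of Table 6-1 refers to, as an added example that is not Symantec's decomposer or any code from this guide. The limit names (max_depth, max_files, max_total_bytes), the DecomposeResult type and the default limit values are assumptions; the page states only that extraction continues until the base file is reached and stops when a set limit is hit, after which the file falls under the Unscannable File Rule. Zip is used as the container format because the standard library can read it; the same walk applies to any container the decomposer understands. The nested archives built by make_zip are constructed test fixtures.

```python
"""Container decomposition with scanning limits.

Added example, not Symantec's decomposer. Limit names, default values and
the result type are assumptions; the stop-at-limit behaviour follows the page.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScanLimits:
    max_depth: int = 3                         # container nesting levels
    max_files: int = 100                       # entries seen across all levels
    max_total_bytes: int = 10 * 1024 * 1024    # sum of declared uncompressed sizes


@dataclass
class DecomposeResult:
    base_files: List[str] = field(default_factory=list)   # non-container files reached
    files_seen: int = 0
    bytes_declared: int = 0
    unscannable_reason: Optional[str] = None   # set when a limit stops the scan


class LimitExceeded(Exception):
    pass


def decompose(data: bytes, limits: ScanLimits, name: str = "attachment") -> DecomposeResult:
    """Walk nested containers in `data`; stop at the first limit violation."""
    result = DecomposeResult()
    try:
        _walk(data, name, 0, limits, result)
    except LimitExceeded as exc:
        result.unscannable_reason = str(exc)
    except zipfile.BadZipFile as exc:
        # A corrupt or truncated container cannot be fully scanned either.
        result.unscannable_reason = f"malformed container: {exc}"
    return result


def _walk(data: bytes, name: str, depth: int, limits: ScanLimits, result: DecomposeResult) -> None:
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result.base_files.append(name)       # base file: hand it to the scanner
        return
    if depth >= limits.max_depth:
        raise LimitExceeded(f"nesting depth limit {limits.max_depth} reached at {name}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted entry: the content cannot be inspected at all.
                raise LimitExceeded(f"encrypted entry {info.filename} in {name}")
            # Account for the declared size *before* expanding the entry, so a
            # small archive that declares huge contents is never inflated.
            result.files_seen += 1
            result.bytes_declared += info.file_size
            if result.files_seen > limits.max_files:
                raise LimitExceeded(f"file count limit {limits.max_files} exceeded in {name}")
            if result.bytes_declared > limits.max_total_bytes:
                raise LimitExceeded(f"size limit {limits.max_total_bytes} bytes exceeded at {name}/{info.filename}")
            _walk(zf.read(info), f"{name}/{info.filename}", depth + 1, limits, result)


def make_zip(entries: dict) -> bytes:
    """Constructed test fixture: an in-memory zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    inner = make_zip({"a.txt": b"hello", "b.txt": b"world"})
    nested = make_zip({"two.zip": make_zip({"inner.zip": inner})})
    print(decompose(nested, ScanLimits(max_depth=3)))                      # three levels: scanned
    print(decompose(make_zip({"three.zip": nested}), ScanLimits(max_depth=3)))  # four levels: unscannable
```

The order of the checks is the point: the count and declared-size limits are applied to the central-directory metadata before an entry is expanded, so the resource cost of an oversized or deeply nested container is bounded by the limits rather than by whatever the archive claims to contain. Anything that trips a limit, including an encrypted entry, is reported as unscannable rather than silently passed.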


Configuring threat detection


To configure threat detection, do the following:

Enable threat detection scanning: Symantec Mail Security detects viruses, worms, and Trojan horses in all major file types. Antivirus scanning must be enabled for Symantec Mail Security to detect threats. When you enable threat detection scanning, it applies to all types of scans. See About the scanning process on page 178.

Set the Bloodhound detection level: To supplement the detection of threats by signature, Symantec Mail Security uses Bloodhound technology. You can customize your level of protection against new threats, from zero protection to a high level of protection. A high level of protection increases protection of your network; however, server performance might be affected. At lower levels of protection, an unknown threat might escape detection, but the impact on server performance decreases. In most cases, the default (Medium) setting is appropriate. See How Symantec Mail Security detects risks on page 97.

Enable mass-mailer worm-infected message detection: When it is enabled and Symantec Mail Security detects that an email message is a mass-mailer worm or virus, Symantec Mail Security deletes the infected email message and any attachments. When the mass-mailer detection feature is not enabled, an infected mass-mailer email message is treated the same as any other infected message.

Modify default threat detection rules, as needed: Symantec Mail Security provides default antivirus rules, which are always enabled. You can modify these rules.

To configure threat detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content pane under Antivirus Settings, check Enable virus scanning. Virus scanning is enabled by default.


4 In the Bloodhound detection list, select one of the following:
  Off: Disables Bloodhound detection.
  Low: Optimizes server performance, but might not detect potential threats.
  Medium: Provides a balance between threat detection and server performance. The default setting is Medium.
  High: Increases the detection of threats, but might impact server performance.
5 Check Delete mass-mailer worm-infected messages (no notifications) to automatically delete mass-mailer messages. This feature is enabled by default.
6 In the Rules table, select any of the following rules to view or modify:
  Basic Virus Rule: Applies to messages or attachments that contain threats that can be repaired. This option is always enabled.
  Unrepairable Virus Rule: Applies to messages or attachments that contain threats that cannot be repaired. This option is always enabled.
  The settings for the rule that you select appear in the preview pane.
7 In the preview pane, in the Action to take list, select the action to take when a threat is detected.
8 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. You can use variables in your customized text. See About alert and notification variables on page 225.
9 Check one or more of the following to send email notifications about the detection:
  Notify administrators
  Notify internal sender
  Notify external sender
10 Next to each of the items that you selected, click the down arrow and do the following:
  In the Subject line box, type your customized text.
  In the Message body box, type your customized text. You can use variables in your customized text. See About alert and notification variables on page 225.
11 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Configuring security risk detection


Symantec Mail Security can detect security risks. Security risks are programs that do any of the following:

Provide unauthorized access to computer systems
Compromise data integrity, privacy, confidentiality, or security
Present some type of disruption or nuisance

These programs can put your employees and your organization at risk for identity theft or fraud by logging keystrokes, capturing email and instant messaging traffic, or harvesting personal information, such as passwords and login identifications. Security risks can be introduced into your system unknowingly when users visit a Web site, download shareware or freeware software programs, click links or attachments in email messages, or through instant messaging clients. They can also be installed after or as a by-product of accepting an end user license agreement from another software program related to or linked in some way to the security risk. You must enable the Security Risk Rule for Symantec Mail Security to detect security risks.


Table 6-2 lists the categories of security risks that Symantec Mail Security detects.

Table 6-2 Security risk categories

Adware
Stand-alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user's knowledge. Adware might monitor browsing habits for advertising purposes. It can also deliver advertising content.

Hack tools
Programs used to gain unauthorized access to a user's computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. The remote user can perform port scans or vulnerability scans. Hack tools might also be used to create viruses.

Dialers
Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

Joke programs
Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycling Bin away from the mouse when the user tries to click on it.

Remote access programs
Programs that let a remote user gain access to a computer over the Internet to gather information, attack, or alter the host computer.

Spyware
Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and then relay the information back to a remote computer.

Trackware
Stand-alone or appended applications that trace a user's path on the Internet and relay the information to a remote computer.

To configure security risk detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content area, in the Rules table, on the Security Risk Rule row, click the field under the Enabled column, and then click Enabled. This rule is disabled by default.


4 In the preview pane, in the Action to take list, select the action to take when a security risk is detected.
5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. You can use variables in your customized text. See About alert and notification variables on page 225.
6 Check one or more of the following to send email notifications about the detection:
Notify administrators
Notify internal sender
Notify external sender
7 Next to each of the items that you selected, click the down arrow and do the following:
In the Subject line box, type your customized text.
In the Message body box, type your customized text. You can use variables in your customized text. See About alert and notification variables on page 225.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Configuring file scanning limits


Symantec Mail Security imposes limits on file extraction. These limits protect against denial-of-service attacks that use overly large or complex container files that take a long time to decompose. These limits also enhance scanning performance. Symantec Mail Security contains a decomposer that extracts container files so that they can be scanned for risks. The decomposer continues to extract container files until it reaches the base file. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to the Unscannable File Rule. See Configuring rules to address unscannable container files on page 104.


To configure file scanning limits
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Scanning Limits.
3 In the content area, in the Maximum scan time (in seconds) box, type the maximum time that Symantec Mail Security can spend extracting a single container file. You can enter a value from 10 to 500000. The default value is 300.
4 In the Maximum archive scan depth (number of levels) box, type the maximum number of nested levels of files that are decomposed within a container file. You can enter a value from 1 to 50. The default value is 10.
5 In the Maximum size of one extracted file (in MB) box, type the maximum file size, in megabytes, for individual files in a container file. You can enter a value from 1 to 1024. The default value is 100.
6 In the Maximum total size of all extracted files (in MB) box, type the maximum size, in megabytes, of all extracted files. You can enter a value from 1 to 1024. The default value is 200.
7 In the Maximum number of files extracted box, type the maximum allowable number of files to be extracted. You can enter a value from 1 to 1000000. The default value is 5000.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
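As an added example (not Symantec's code), the Python below is a container decomposer that enforces the five Scanning Limits above with the product's default values, stops at the first violation, and marks the file unscannable so it can be handed to the Unscannable File Rule. Only ZIP containers are handled, and the nested sample archives, path naming and the capped two-stage read of each entry are assumptions of this example.

```python
"""Container decomposer with extraction limits (added example, not the product's code)."""
import io
import time
import zipfile
from dataclasses import dataclass, field


@dataclass
class ScanLimits:
    """The five limits under Policies > General > Scanning Limits, with product defaults."""
    max_scan_time_s: float = 300   # 10 to 500000 seconds per container file
    max_depth: int = 10            # 1 to 50 nested levels
    max_file_mb: int = 100         # 1 to 1024 MB for one extracted file
    max_total_mb: int = 200        # 1 to 1024 MB for all extracted files together
    max_files: int = 5000          # 1 to 1000000 extracted files


@dataclass
class ScanResult:
    files_extracted: int = 0
    bytes_extracted: int = 0
    unscannable: bool = False      # True: stop, log, and apply the Unscannable File Rule
    reason: str = ""
    leaves: list = field(default_factory=list)   # (path, size) of base files reached


class LimitExceeded(Exception):
    pass


def _decompose(data: bytes, path: str, depth: int, limits: ScanLimits,
               result: ScanResult, deadline: float) -> None:
    """Extract `data` recursively until a base (non-container) file is reached."""
    if time.monotonic() > deadline:
        raise LimitExceeded("maximum scan time exceeded")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result.leaves.append((path, len(data)))   # base file: this is what gets scanned
        return
    if depth > limits.max_depth:
        raise LimitExceeded(f"archive depth {depth} exceeds {limits.max_depth}")
    per_file_cap = limits.max_file_mb * 1024 * 1024
    total_cap = limits.max_total_mb * 1024 * 1024
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Inflate at most cap + 1 bytes: the declared size in the central
            # directory is attacker-controlled, so it is never trusted for the check.
            with zf.open(info) as fh:
                blob = fh.read(per_file_cap + 1)
            if len(blob) > per_file_cap:
                raise LimitExceeded(f"{path}/{info.filename}: extracted size exceeds "
                                    f"{limits.max_file_mb} MB")
            result.files_extracted += 1
            if result.files_extracted > limits.max_files:
                raise LimitExceeded(f"file count exceeds {limits.max_files}")
            result.bytes_extracted += len(blob)
            if result.bytes_extracted > total_cap:
                raise LimitExceeded(f"total extracted size exceeds {limits.max_total_mb} MB")
            _decompose(blob, f"{path}/{info.filename}", depth + 1, limits, result, deadline)


def decompose(data: bytes, limits: ScanLimits = ScanLimits()) -> ScanResult:
    """Decompose one attachment; result.unscannable tells whether a limit was hit."""
    result = ScanResult()
    deadline = time.monotonic() + limits.max_scan_time_s
    try:
        _decompose(data, "attachment", 1, limits, result, deadline)
    except LimitExceeded as exc:
        result.unscannable, result.reason = True, str(exc)
    return result


# --- constructed sample input (not real mail traffic) ---
def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_zip(levels: int) -> bytes:
    """A ZIP nested `levels` deep with one small text file at the bottom."""
    data = make_zip({"notes.txt": b"plain text at the bottom"})
    for _ in range(levels - 1):
        data = make_zip({"inner.zip": data})
    return data


if __name__ == "__main__":
    print(decompose(nested_zip(3)))                            # within limits
    print(decompose(nested_zip(3), ScanLimits(max_depth=2)))   # unscannable: depth
```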


Configuring rules to address unscannable container files


A container file that cannot be scanned can put your network at risk if it contains a threat. Symantec Mail Security provides the following default rules to address unscannable container files:

Unscannable File Rule
Symantec Mail Security must be able to decompose and scan a container file to detect risks. An unscannable container file that contains a threat could pose a risk to your network. Unscannable files are those that meet a scanning limit, are a partial container file, or generate a scanning error. You can specify how you want Symantec Mail Security to process container files that cannot be scanned. The default setting for the Unscannable File Rule is to quarantine the file and replace it with a text description.
Note: Objects inserted in email messages as links are unscannable and trigger the Symantec Mail Security Unscannable File Rule.

Encrypted File Rule
Infected files can be intentionally encrypted. Encrypted files cannot be decrypted and scanned without the appropriate decryption tool. You can configure how you want Symantec Mail Security to process encrypted container files to protect your network from threats. The default setting for the Encrypted File Rule is to quarantine the file and replace it with a text description.

These rules are always enabled.

To configure rules to address unscannable container files
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Exceptions.
3 In the list pane, select the rule that you want to view or modify.
4 In the preview pane, in the Action to take list, select the action to take when an unscannable file is detected.
5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. You can use variables in your customized text. See About alert and notification variables on page 225.


6 Check one or more of the following to send email notifications about the detection:
Notify administrators
Notify internal sender
Notify external sender
7 Next to each of the items that you selected, click the down arrow and do the following:
In the Subject line box, type your customized text.
In the Message body box, type your customized text. You can use variables in your customized text. See About alert and notification variables on page 225.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Chapter

Identifying spam
This chapter includes the following topics:

About spam detection
Blocking spam using real-time blacklists
Configuring whitelists
How to detect spam using Symantec Premium AntiSpam
Configuring heuristic antispam protection

About spam detection


Symantec Mail Security protects your servers from unwanted email messages, such as spam. Spam is usually defined as junk or unsolicited email from a third party. The spam message sender has no discernible relationship with all or some of the message recipients. Often, the message headers are forged or altered to conceal the origination point of the sender. Spam is not only an annoyance to users and administrators, it is also a serious security concern. Spam can be used to deliver viruses and Trojan horses and in phishing attempts. In addition, high volumes of spam can create denial-of-service conditions in which email systems are so overloaded that legitimate email and network traffic are unable to get through. Symantec Mail Security can detect whether an incoming email message is spam with a high level of accuracy.


You can use one of the following features to identify spam:


Symantec Premium AntiSpam
Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available. See How to detect spam using Symantec Premium AntiSpam on page 114. You must have a valid Symantec Premium AntiSpam license to enable the Symantec Premium AntiSpam service. See About the Symantec Premium AntiSpam license file on page 67.

Heuristic antispam
Heuristic antispam uses a pattern-matching heuristics engine to compare the contents of incoming email messages to a list of spam characteristics. You can select the antispam engine sensitivity level. See Configuring heuristic antispam protection on page 141.

You can adjust heuristic or premium antispam detection by specifying domains that are automatically permitted to bypass antispam scanning. You can also specify email addresses to which inbound emails are permitted to bypass realtime blacklist (RBL) blocking and antispam scanning. See Blocking spam using real-time blacklists on page 112. See Configuring whitelists on page 113.


How Symantec Mail Security detects and processes spam


When antispam detection is enabled, Symantec Mail Security analyzes incoming SMTP email messages for key characteristics of spam. It weighs its findings against characteristics of legitimate email messages and does the following based on the version of Microsoft Exchange Server that you are using:

Exchange Server 2000
Symantec Mail Security addresses spam based on the detection tool that you use as follows:

Heuristic antispam
When you use heuristic spam detection, Symantec Mail Security computes a spam confidence level (SCL) that the message is spam. You can create antispam policies to specify how you want Symantec Mail Security to process messages that are detected by the heuristic antispam engine based on the computed SCL values.

Symantec Premium AntiSpam
When you use Symantec Premium AntiSpam, Symantec Mail Security calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, the message is defined as spam. You can define a suspected spam threshold between 25 and 89. You can also specify the actions for handling spam and suspected spam separately. You can take advantage of the Symantec Spam Folder Agent for Exchange to automatically route spam messages to a spam folder in the recipient's mailbox. The spam folder agent works with the Symantec Spam Plug-in for Outlook, which lets users submit missed spam to Symantec Security Response for analysis. The Outlook plug-in also gives users the option to administer their own Blocked Senders and Allowed Senders lists and to specify languages in which they do or do not want to receive email. The Symantec Spam Folder Agent for Exchange and the Symantec Spam Plug-in for Outlook are on the product CD.

See About the Symantec Spam Folder Agent for Exchange on page 119. See About the Symantec Spam Plug-in for Outlook on page 124.


Exchange Server 2003

When you enable antispam detection (heuristic or premium), Symantec Mail Security stamps messages with an SCL value. The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on an email message to determine the destination of the message. When the SAT value is not set, Exchange sends all messages with an SCL value to the user's Junk E-mail folder. If the SAT value is set and a message has an SCL value that is higher than the SAT threshold, Exchange sends the message to the user's Junk E-mail folder. If the SCL value is lower than or equal to the SAT value, the message goes into the user's Inbox. See Configuring the Store Action Threshold (SAT) setting on page 111.

See About spam confidence level (SCL) values on page 110.

About spam confidence level (SCL) values


Spam confidence level values range from -1 to 9. Microsoft Exchange reserves the value of -1. Symantec Mail Security assigns a value of 0 to messages that are not spam. Messages that are determined to be spam are assigned a SCL value of 1 (extremely low likelihood that the message is spam) to 9 (extremely high likelihood that the message is spam). Some messages are exceptions to the rule and fall into the N/A category. A message is classified in the N/A category under the following circumstances:

The message is an internal Microsoft Exchange message that has already been assigned the SCL value of -1.
The message was whitelisted by Symantec Mail Security on the server.
The message was whitelisted by another entity (either another antispam product or Symantec Mail Security running on a different server).
The message was delivered by an authenticated SMTP session, and the DoAntiSpamOnAuthSessionsBool registry key is either missing or set to non-zero.
An internal error occurred. This can happen if the SPAM.NET or SPAM.DAT files are missing or corrupt.


About comparing Symantec Mail Security SCL values to other screening tools
If you are using Microsoft Exchange 2003 and are using heuristic antispam detection, you can configure Symantec Mail Security to compare the Symantec SCL to the SCL that is provided by another mail screening tool. To have Symantec Mail Security compare its SCL to that of another screening tool, the other tool must be configured not to take action based on its SCL. For example, if the other mail-screening tool is Microsoft Intelligent Message Filter (IMF), IMF must be set to No Action for the SCL comparison to take place. You can specify one of the following options to use when either or both SCL values do not exceed the threshold:

Highest SCL
Lowest SCL
Average SCL
Symantec's SCL
Existing SCL (the SCL that is provided by another mail screening tool)

See Configuring heuristic antispam protection on page 141.

Configuring the Store Action Threshold (SAT) setting


The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on an email message to determine the destination of the message. By default, the SAT value is not set. You must configure the SAT value. You can change and view the SAT setting from the Windows command prompt.

To change the SAT setting
1 Open the command prompt window.
2 At the command prompt, type the following:
cd <server folder>
where <server folder> is the path to the server folder. The default location is: \Program Files\Symantec\SMSMSE\5.0\Server
3 Press Enter.


4 At the command prompt, type the following:
SMSMSESAT <value> symantec.com
where <value> is the value that you want to set for the SAT. The domain name is optional.
5 Press Enter.

To view the current SAT setting
1 At the command prompt, type the following:
cd <server folder>
where <server folder> is the path to the server folder. The default location is: \Program Files\Symantec\SMSMSE\5.0\Server
2 Press Enter.
3 In the Command Prompt window, type the following:
SMSMSESAT
4 Press Enter. The current SAT appears.

Blocking spam using real-time blacklists


One way to prevent spam is to reject connections that come from mail servers known or believed to send spam. To limit potential spam, Symantec Mail Security supports real-time blacklist (RBL) blocking. RBL blocking works by denying mail servers access to your system if those servers are identified as permitting spam to originate or relay through them. Symantec Mail Security refuses the connection attempt of mail servers that are identified on RBLs. You must subscribe to a third-party real-time blacklist provider before configuring Symantec Mail Security to perform RBL blocking. Symantec does not provide a list of RBL providers. Symantec Mail Security queries RBL providers in the order in which you list them. When Symantec Mail Security identifies a match, it stops any further processing and takes the actions that you specify.

To block spam using real-time blacklists
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Blacklist and Whitelist.


3 Under Real-time Blacklist, in the real-time blacklist domains box, type the domains of the RBL providers. List each entry on a separate line.
4 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Configuring whitelists
To minimize false positives, you can enable and populate the following whitelists:

Allowed Senders
Lets you list the sender domains that are permitted to bypass RBL blocking and antispam scanning.

Unfiltered Recipients
Lets you list the email addresses to which inbound emails are permitted to bypass RBL blocking and antispam scanning.

If the Allowed Senders and Unfiltered Recipients lists are both enabled, Symantec Mail Security processes the Allowed Senders list first. Email messages that are permitted to bypass antispam scanning and RBL blocking are still scanned for risks and content violations.

To configure whitelists
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Blacklist and Whitelist.
3 In the content area, under Allowed Senders, check Bypass real-time blacklist and spam detection for messages sent from the following.
4 In the Email and domain addresses box, type the domains and email addresses (one per line) that are permitted to bypass spam processing. Domain names must begin with either @ (at symbol) or an asterisk before the at symbol (for example, @mail.com or *@mail.com). You can use DOS wildcard characters. See About DOS wildcard style expressions on page 154.
5 Under Unfiltered Recipients List, check Bypass real-time blacklist and spam detection for messages sent to the following.


6 In the Email and domain addresses box, type the fully qualified email addresses (one per line) to which email messages are permitted to bypass spam processing and RBL blocking. You can list up to 50 email addresses.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
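As an added example (not Symantec's code), the Python below simulates the processing order this chapter describes: the Allowed Senders list first, then the Unfiltered Recipients list, then each RBL provider in listed order until the first match. Entry validation follows the rules in the two procedures above; treating "@domain" as "*@domain", the domain names, addresses, IP addresses and the injected DNS lookup are all constructed so that it runs offline.

```python
"""Whitelist-then-RBL evaluation order (added example, not the product's code)."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

MAX_UNFILTERED_RECIPIENTS = 50   # cap stated in the Unfiltered Recipients step


def normalize_allowed_sender(entry: str) -> str:
    """Allowed Senders entry: a full address, or a domain beginning with '@' or '*@'.
    DOS wildcards (* and ?) are permitted. '@dom' is treated as '*@dom' (assumption)."""
    e = entry.strip().lower()
    if e.startswith("@"):
        e = "*" + e
    if e.count("@") != 1 or e.endswith("@"):
        raise ValueError(f"invalid Allowed Senders entry: {entry!r}")
    return e


def normalize_unfiltered_recipient(entry: str) -> str:
    """Unfiltered Recipients entries must be fully qualified addresses, no wildcards."""
    e = entry.strip().lower()
    local, sep, domain = e.partition("@")
    if not sep or not local or "." not in domain or any(c in e for c in "*?"):
        raise ValueError(f"invalid Unfiltered Recipients entry: {entry!r}")
    return e


@dataclass
class AntispamPolicy:
    allowed_senders: list = field(default_factory=list)
    unfiltered_recipients: list = field(default_factory=list)
    rbl_providers: list = field(default_factory=list)   # queried in this order


def build_policy(allowed, unfiltered, rbls) -> AntispamPolicy:
    """Validate the console entries and assemble the policy."""
    if len(unfiltered) > MAX_UNFILTERED_RECIPIENTS:
        raise ValueError(f"at most {MAX_UNFILTERED_RECIPIENTS} unfiltered recipients")
    return AntispamPolicy([normalize_allowed_sender(a) for a in allowed],
                          [normalize_unfiltered_recipient(u) for u in unfiltered],
                          list(rbls))


def rbl_query_name(client_ip: str, provider: str) -> str:
    """DNSBL convention: reversed IPv4 octets under the provider's zone."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + provider


def evaluate(policy: AntispamPolicy, sender: str, recipient: str, client_ip: str,
             resolve: Callable[[str], bool]) -> dict:
    """Disposition for one inbound message. 'bypass' skips only RBL blocking and
    antispam scanning; the message is still scanned for risks and content violations."""
    sender, recipient = sender.lower(), recipient.lower()
    for pattern in policy.allowed_senders:            # Allowed Senders is processed first
        if fnmatch.fnmatchcase(sender, pattern):      # note: fnmatch also honours [...]
            return {"decision": "bypass", "reason": f"sender matches {pattern}"}
    if recipient in policy.unfiltered_recipients:     # then Unfiltered Recipients
        return {"decision": "bypass", "reason": f"recipient {recipient} is unfiltered"}
    for provider in policy.rbl_providers:             # then RBLs, stop at the first match
        if resolve(rbl_query_name(client_ip, provider)):
            return {"decision": "reject", "reason": f"connecting host listed on {provider}"}
    return {"decision": "scan", "reason": "no whitelist match and not on any RBL"}


# --- constructed sample data (documentation-range IPs, example domains) ---
SAMPLE_POLICY = build_policy(
    allowed=["@partner.example", "*@corp.example", "news?@lists.example"],
    unfiltered=["abuse@corp.example"],
    rbls=["rbl-one.example", "rbl-two.example"])
LISTED_NAMES = {"4.113.0.203.rbl-one.example", "4.113.0.203.rbl-two.example"}
QUERY_LOG: list = []


def fake_resolve(name: str) -> bool:
    """Stand-in for a DNS lookup: records each query; 'listed' only if in LISTED_NAMES."""
    QUERY_LOG.append(name)
    return name in LISTED_NAMES


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, "spam@evil.example", "bob@corp.example",
                   "203.0.113.4", fake_resolve))
    print(QUERY_LOG)   # only the first provider was asked
```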

How to detect spam using Symantec Premium AntiSpam


Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available. Updates to the premium antispam service are handled automatically through the Symantec Premium AntiSpam service and not through LiveUpdate. You must have an active Internet connection and permit outbound secure HTTP traffic through your firewall (port 443). If your connection uses an HTTP proxy, you must manually register the service. Once Symantec Premium AntiSpam is registered and enabled, spam rules are continually downloaded from Symantec. To keep your antispam service current, Symantec Mail Security checks for updates every minute and receives new rule sets every 10 - 15 minutes. See About registering Symantec Premium AntiSpam through an ISA server on page 117. See Configuring your proxy server to download spam definition updates on page 118.


How the Symantec Premium AntiSpam service works


Symantec Premium AntiSpam uses the Symantec Probe Network, which is a global network of decoy email addresses that attracts and collects the latest spam. When spam is received, the email security unit within Symantec Security Response issues filters that isolate similar spam messages. Table 7-1 lists the methods that Symantec Premium AntiSpam uses to identify spam.

Table 7-1 Symantec Premium AntiSpam detection methods

URL filters
Symantec builds its known-spammer list based on the URLs that appear in spam messages that are collected by the Symantec Probe Network. Symantec downloads a list of MIME filters developed by the Symantec Security Response email security unit and treats any message as spam if any MIME attachment in the message matches a Symantec MIME filter. Symantec Premium AntiSpam also examines embedded email links.

Header filters
Header filters consist of regular expression-based filtering rules that exploit commonalities or trends that are present in spam messages. Examples of spam characteristics that the header filters identify include the following:
Watermarks of spammer tools: traces of information left in messages by some spammer tools, such as the name of the program used to send the message.
Modified time zones: time zones that are off by more than 12 hours.
Spoofed received lines: messages that purport to be from a mail transfer agent at an organization that Symantec Security Response knows does not send outbound email.

Heuristics
Heuristic filters analyze the header, body, and envelope of an incoming message and check the message for the presence of distinct spam characteristics.

BrightSig2 technology
Spam signatures work by distilling a specific spam attack down to a unique string of bits, or a signature. This is the fingerprint of a spam attack and can be used to identify variants of an attack. BrightSig2 technology characterizes spam attacks using proprietary algorithms, which are added to a database of known spam. BrightSig2 also has defenses against HTML spam, identifying HTML noise (such as comments) that spammers use to evade filters.

Attachment signatures
Attachment signatures target specific MIME attachments (for example, a specific pornographic image that is used in a real-time spam attack) and stop that attachment from reaching users. Attachment signatures make it unnecessary to block entire categories of certain attachments.

Sender reputation service
Symantec monitors email sources to determine how much of the email that is sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. Symantec uses the following lists to filter your messages:
Open Proxy list: IP addresses that are either open proxies that are used by spammers or "zombie" computers that are co-opted by spammers.
Safe list: IP addresses from which virtually no outgoing email is spam.
Suspect list: IP addresses from which virtually all of the outgoing email is spam.


About spam foldering


You configure Symantec Mail Security to route spam and suspected spam messages directly to users' spam folders based on the version of Microsoft Exchange Server that you are using, as follows:

Exchange Server 2000
You can use the Symantec Spam Folder Agent for Exchange to folder messages that are identified as spam or suspected spam. The spam folder agent creates a spam subfolder and a server-side filter in each user's mailbox. This filter is applied to messages that Symantec Premium AntiSpam identifies as spam or suspected spam, routing spam into each user's spam folder. The spam folder agent relieves users and administrators of the burden of using their mail clients to create filters. See About the Symantec Spam Folder Agent for Exchange on page 119.

Exchange Server 2003
You can use the Store Action Threshold (SAT) settings to determine the destination of the message. See Configuring the Store Action Threshold (SAT) setting on page 111.

The Symantec Spam Plug-in for Outlook makes it easy for Outlook users to submit missed spam and false positives to Symantec. You can also configure the plug-in to send user submissions automatically to a local system administrator. The Symantec Spam Plug-in for Outlook also gives users the option to administer their own Blocked Senders and Allowed Senders lists and to specify languages in which they do or do not want to receive email. See About the Symantec Spam Plug-in for Outlook on page 124.

About registering Symantec Premium AntiSpam through an ISA server


Symantec Premium AntiSpam requires the ability to communicate by HTTPS (Port 443). If your connection uses an HTTP proxy, you must manually register the service so that spam rules can be automatically downloaded from Symantec. To register Symantec Premium AntiSpam through an ISA server that is filtering traffic for your Exchange server, do one of the following:

If the ISA server is installed on the same computer as the Exchange server, create a Host Based protocol rule to allow Any Request for the HTTPS and HTTPS server protocols.
If the ISA server is installed on a different computer from the Exchange server, create a Host Based protocol rule that specifically allows traffic for the IP Address of the Exchange server for the HTTPS and HTTPS server protocols.

Configuring your proxy server to download spam definition updates


To keep your antispam service current, Symantec Mail Security checks for updates every minute and receives new rule sets every 10 - 15 minutes. You must configure your proxy to permit updates.

To configure your proxy server to download spam definition updates
1 At the command prompt, change directories to the Symantec Mail Security installation directory. The default directory is: \Program Files\Symantec\SMSMSE\5.0\Server
2 Type the following:
register -c SpamPrevention/bmiconfig.xml -l Spam Prevention\SPAlicense.slf -p <proxyserver:proxyport>
where <proxyserver:proxyport> is the IP address of your proxy server and the port. Symantec Premium AntiSpam licenses are placed in the SpamPrevention folder.
3 On the Windows Start menu, click Start > Run.
4 In the Run dialog box, type the following: regedit
5 Click OK.
6 In the Registry Editor window, in the left pane, browse to and locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\5.0\Licensing\


7 Do one of the following:
If the SPARunRegister value does not exist: in the right pane, right-click on any blank space, and select New > DWORD Value. In the name field, type: SPARunRegister
If the SPARunRegister value exists: in the right pane, right-click on the value, and select Modify. In the Edit DWORD Value dialog box, in the Value data field, change the value to 0, and then click OK.
8 Save the change and close the Registry Editor window.

About the Symantec Spam Folder Agent for Exchange


If you are using Symantec Premium AntiSpam on Exchange Server 2000, you can take advantage of the Symantec Spam Folder Agent for Exchange. The agent creates a spam subfolder and a server-side filter in each user's mailbox. This filter is applied to messages that Symantec Premium AntiSpam identifies as spam and routes the spam into each user's spam folder. The spam folder agent relieves users and administrators of the burden of using their mail clients to create filters. See How spam foldering works on page 120. The Symantec Spam Folder Agent for Exchange can only be used when Symantec Premium AntiSpam is licensed and enabled. See About the Symantec Premium AntiSpam license file on page 67. See Configuring Symantec Premium AntiSpam to identify spam on page 130. Install the agent on the Exchange mail servers on which your mailboxes reside. This includes the server on which Symantec Mail Security is installed. The Symantec Spam Folder Agent should only be installed on Exchange 2000 servers. If you are using Exchange Server 2003, setting the SCL and SAT is the best method for routing spam messages to a spam folder. See About spam confidence level (SCL) values on page 110. Before you install the Symantec Spam Folder Agent, you must set up a service account on the Exchange server. See Creating a service account for the Symantec Spam Folder Agent on page 120.


How spam foldering works


When you enable the option to send spam messages to the recipient's spam folder in Symantec Mail Security (Deliver the message to the recipient's Spam folder), Symantec Premium AntiSpam adds a special X-header (x-bmiFolder: 1) to messages that are identified as spam or suspected spam. Once installed and configured on the mail server, the Symantec Spam Folder Agent for Exchange creates a server-side rule that searches for the X-header. It also creates a spam subfolder in each user's mailbox. During its hourly maintenance schedule, the agent sends the messages that are identified as spam or suspected spam to the recipient's spam folder. If the agent detects that the spam folder for the recipient has been deleted or moved, it recreates the subfolder. The rule runs with a high sequence number (1001), which ensures that it executes after rules with lower sequence numbers or client-side rules that your users may have created. If you have an MTA configuration that is not supported, you can create your own rule or application to take action based on this header.
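For an MTA configuration that the agent does not support, the routine below is an added example (not the Symantec Spam Folder Agent) of acting on the x-bmiFolder header: a maintenance pass files flagged messages into a spam subfolder and recreates the subfolder if the user has deleted it. The folder name, the in-memory mailbox and the sample messages are constructed for this example.

```python
"""Filing messages on the x-bmiFolder header (added example, not the agent's code)."""
from dataclasses import dataclass, field
from email import message_from_bytes
from email.message import Message

SPAM_HEADER = "x-bmiFolder"   # header the product adds; value 1 flags spam / suspected spam
SPAM_FOLDER = "Spam"          # folder name is an assumption of this example
RULE_SEQUENCE = 1001          # the agent's rule runs after lower-numbered and client rules


@dataclass
class Mailbox:
    """One user's mailbox: folder name -> list of parsed messages (constructed)."""
    owner: str
    folders: dict = field(default_factory=lambda: {"Inbox": []})


def is_flagged_spam(msg: Message) -> bool:
    """Header names are case-insensitive; only the value 1 is treated as the flag."""
    return any(v.strip() == "1" for v in (msg.get_all(SPAM_HEADER) or []))


def deliver(mailbox: Mailbox, raw: bytes) -> None:
    """Delivery step: every message lands in the Inbox; the sweep files it later."""
    mailbox.folders.setdefault("Inbox", []).append(message_from_bytes(raw))


def sweep(mailbox: Mailbox) -> int:
    """The agent's maintenance pass: move flagged messages to the spam subfolder,
    recreating it if the user deleted or moved it. Returns the number moved.
    Run this only on mail that has passed through the antispam scanner, because
    the header is trusted as-is and is not re-verified here."""
    inbox = mailbox.folders.setdefault("Inbox", [])
    spam = mailbox.folders.setdefault(SPAM_FOLDER, [])   # recreate if missing
    keep, moved = [], 0
    for msg in inbox:
        if is_flagged_spam(msg):
            spam.append(msg)
            moved += 1
        else:
            keep.append(msg)
    mailbox.folders["Inbox"] = keep
    return moved


def subjects(mailbox: Mailbox, folder: str) -> list:
    """Subjects in a folder, in order (empty list if the folder does not exist)."""
    return [m["Subject"] for m in mailbox.folders.get(folder, [])]


# --- constructed sample messages ---
def sample_message(subject: str, extra_header: str = None) -> bytes:
    lines = ["From: sender@example.net", "To: user@corp.example", f"Subject: {subject}"]
    if extra_header is not None:
        lines.append(extra_header)
    return ("\r\n".join(lines) + "\r\n\r\nbody\r\n").encode()


SAMPLES = [
    sample_message("flagged", "x-bmiFolder: 1"),
    sample_message("flagged upper", "X-BMIFOLDER: 1"),   # header names are case-insensitive
    sample_message("not flagged"),
    sample_message("flag zero", "x-bmiFolder: 0"),
]


def demo() -> Mailbox:
    """Deliver the samples to one mailbox and run a single maintenance pass."""
    mb = Mailbox("user@corp.example")
    for raw in SAMPLES:
        deliver(mb, raw)
    sweep(mb)
    return mb


if __name__ == "__main__":
    mb = demo()
    print("Spam:", subjects(mb, SPAM_FOLDER))
    print("Inbox:", subjects(mb, "Inbox"))
```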

Creating a service account for the Symantec Spam Folder Agent


The Symantec Spam Folder Agent requires a service account. You can use an existing account or you can create one specifically for the agent (recommended). The service account cannot be hidden from the Exchange address list. The service account that you create must include the following:

Exchange Administrator rights on the mail server on which you are installing the agent
Full access to a mailbox on the local server
Local system rights to act as part of the operating system and to run as a service

To create the service account for the Symantec Spam Folder Agent, you must do the following:

Create a user name
Add a folder agent
Delegate control of the account

To create a user name 1 2 On the taskbar, click Start > All Programs > Administrative Tools, and then click Active Directory Users and Computers. If it is not already selected, select the Users folder.

Identifying spam How to detect spam using Symantec Premium AntiSpam

121

3 4

On the toolbar, click the Create a new user in the current container icon. In the New Object User wizard, enter the following:

First name Initials Last name User logon name

5 6 7 8

Click Next. Type a password for the service account, configure the password options, and then click Next. Click Next until the Finish icon appears. Click Finish.

To add a folder agent
1 In the Users folder, right-click the user that you just created.
2 Click Properties.
3 In the Properties dialog box, on the Member Of tab, click Add.
4 In the text field, type domain admins, and then click OK.
5 Click OK to close the Properties dialog box.
6 On the Windows Start menu, click All Programs > Microsoft Exchange > System Manager.
7 In the Exchange System Manager window, in the left pane, right-click the top node in the tree.
8 Click Delegate control.
9 On the Exchange Administration Delegation Wizard welcome panel, click Next.
10 On the Users or Groups panel, click Add.

To delegate control of the account
1 In the Delegate Control window, click Browse.
2 In the Select Users, Computers, or Groups window, under Enter the object name to select, type the name of the service account that you created, and then click OK.
3 In the Delegate Control window, ensure that the Role drop-down box is set to Exchange Administrator, and then click OK.


4 Click Next, and then click Finish.
5 Close the Exchange System Manager window.

Installing the Symantec Spam Folder Agent for Exchange


The Symantec Spam Folder Agent for Exchange is configured to run as a Windows service. It is recommended that you install the Symantec Spam Folder Agent on each back-end Exchange mail server. Before you install the Symantec Spam Folder Agent for Exchange, ensure that the computer meets the following software and configuration requirements:

- Your operating system is Windows 2000 (SP 2) or higher or Windows 2003.
- You are installing the agent on Microsoft Exchange 2000.
  You can install the agent on Microsoft Exchange 2003, but using the Exchange SAT is the recommended method. See Configuring the Store Action Threshold (SAT) setting on page 111.
- You have full access to a mailbox on the local Exchange server.
  The Symantec Spam Folder Agent does not send email to or from this mailbox.
- You have Exchange Administrator permission on the local server.
- You have a proper service account.
  See Creating a service account for the Symantec Spam Folder Agent on page 120.
- You have activated the Symantec Premium AntiSpam license.
  See How to activate a license on page 64.

To install the Symantec Spam Folder Agent for Exchange, you must first start the agent installation wizard. During installation, you can configure the spam folder agent settings. If a previous version of Symantec Spam Folder Agent for Exchange is installed, the install wizard automatically uninstalls it before installing the current version.


To start the installation wizard
1 Insert the Symantec Mail Security product CD in the CD-ROM drive.
  The installation program launches automatically. If it does not, run cdstart.exe from the product CD.
2 Click Install Spam Folder Agent.
3 In the welcome panel, click Next.
4 In the License Agreement panel, click I accept the terms of this license agreement, and then click Next.

To configure administrative settings
1 In the Setup Type panel, select one of the following, and then click Next:
  Complete: Installs the agent in a predefined set of folders and files
  Custom: Lets you tailor installation options
2 Under Service Account, type the Active Directory or NT Domain, user name, and password to be used by the Symantec Spam Folder Agent for Exchange.
3 In the Mailbox box, type the mailbox alias of a valid mailbox for the Symantec Spam Folder Agent to use.
4 In the Spam folder name box, type the name of the folder in each user's mailbox where spam will be stored.
5 In the Spam expiration box, type the number of days to retain spam messages.
  The default period is 30 days. You might need to adjust this setting based on the volume of spam that your organization receives.
6 Click Next, and then click OK.
  If the installation process is unable to verify the existence of the spam folder because you have insufficient user rights, a dialog box appears with the message that the Act as part of the Operating System user right is required to verify these settings.


  Click No, and then add the administrator account that you want the agent to use to the following security policy settings:
  - Act as part of the operating system
  - Log on as a service
  For more information, see the Microsoft Exchange 2000 Server documentation.
7 Click Install, and then click Finish.

About the Symantec Spam Plug-in for Outlook


The Symantec Spam Plug-in for Outlook makes it easy for Outlook users to submit missed spam and false positives to Symantec. You can also configure the plug-in to send user submissions automatically to a local system administrator. The Symantec Spam Plug-in gives users the option to administer their own Blocked Senders and Allowed Senders Lists and to specify languages in which they do or do not want to receive email. If you are using Symantec Spam Folder Agent for Exchange, the plug-in retrieves the name of the spam folder from the Spam Folder Agent Inbox Rule. If you are not using the Symantec Spam Folder Agent for Exchange, the plug-in retrieves the Spam Folder Name value from the Windows registry. If there is no Spam Folder Name value in the Windows registry, it creates a Spam folder during installation. You can install the Symantec Spam Plug-in using any of the following methods:

- Email users a link to the setup.exe file with instructions for running the file.
- Use remote distribution software to install the setup.exe file on your users' computers.
- Silently install the plug-in.

If you plan to install the plug-in on multiple computers, you can modify the system-wide variables before you initiate installation. See Modifying Symantec Spam Plug-in for Outlook variables on page 125.


After the plug-in is installed, users have a new toolbar in their Outlook window. The toolbar contains the following elements:

This is Spam: Users click this option to submit the message to the email security unit within Symantec Security Response and move it from their Inbox to their Spam folder.
This is Not Spam: Users click this option to submit the message to Symantec Security Response and move it from their Spam folder to their Inbox.
Empty Spam Folder: Users click this option to empty their Spam folder (if configured).
Symantec: By choosing an item from this pull-down menu, users can get information on using the plug-in, view a report (if configured), and administer their personal Blocked Senders and Allowed Senders Lists. The following options are available from the Symantec pull-down menu:
  Symantec Help: Launches a help page for the Symantec Spam Plug-in using your default Web browser
  Spam Report: Lets users view spam statistics (if configured)
  Options: Sets plug-in properties, administers the user's Blocked Senders and Allowed Senders lists, and lets users specify the languages in which they do or do not want to receive email
  About Symantec: Provides information on the current version of the software

Note: For more information on using the Symantec Spam Plug-in, see the online help that is included in the plug-in.

Modifying Symantec Spam Plug-in for Outlook variables


You can modify the setup variables before you initiate installation. These settings are used during each installation of the Symantec Spam Plug-in to modify the Windows registry on each user's computer.


Table 7-2 describes the plug-in variables that you can modify.

Table 7-2 Symantec Spam Plug-in Setup Variables

ADMIN_FALSE_ADDRESS: The email address of the administrator to receive a copy of the false-positive submission. The default for this is an empty string. If this value is empty, then the message is not sent to the administrator.
ADMIN_JUNK_ADDRESS: The email address of the administrator to receive a copy of the missed spam submission. The default for this is an empty string. If this value is empty, then the message is not sent to the administrator.
ALLOWED_CONTACTS: If set to 1 (the default) or any non-zero value, treats all entries of the Outlook Contacts folder as members of the Allowed Senders List. If set to 0, does not treat any members of the Outlook Contacts folder as members of the Allowed Senders List.
AUTO_ADD_BLOCKED: If set to 1 (the default), adds the sender of the message to the Blocked Senders list when submitting a spam message to the email security unit within Symantec Security Response.
AUTO_ADD_ALLOWED: If set to 1 (the default) or any non-zero value, automatically generates the Allowed Senders list. If set to 0, does not automatically generate the Allowed Senders list.
CHECK_ALLOWED: If set to 1 (the default) or any non-zero value, moves messages directly to the Spam folder. If a message is in the user's Allowed Senders List or (optionally) Outlook Contacts list, or if any of the message's recipients are in the user's Allowed Recipients List, the message is moved to the Inbox. Otherwise, the message remains in the Spam folder. If set to 0, messages are delivered normally (to the Inbox).
CHECK_BLOCKED: If set to 1 (the default) or any non-zero value, does not process the message. If a message sender is in the user's Blocked Senders List or (optionally) Outlook Contacts list, or if any of the message's recipients are in the user's Blocked Senders list, the message is not processed. Otherwise, the message remains in the Spam folder. If set to 0, messages are delivered normally (to the Inbox).


Table 7-2 Symantec Spam Plug-in Setup Variables (Continued)

DELETE_SPAM: If set to 1 or any non-zero value, spam messages are deleted. If set to 0 (the default value), spam messages are moved to the Spam folder.
DELETE_X_DAYS: Deletes messages in the Spam folder that are more than x days old. The default is 7 days. Set this value to 0 to disable this feature.
DISPLAY_ARE_YOU_SURE_MSGS: Specifies whether the confirmation dialog for deleting spam appears after a message is submitted. If this variable is set to 1 (the default value), the confirmation message appears. If this variable is set to any other value or left empty, the message does not appear.
DISPLAY_CONFIRMATION_MSG: Specifies whether the submission complete dialog appears after a message is submitted. If this variable is set to 1 (the default value), the submission complete message appears. If this variable is set to any other value or left empty, the message does not appear.
EMPTY_SPAM_FOLDER: If set to 0 (the default), the Empty Spam Folder option does not appear. If set to 1 or any non-zero value, the Empty Spam Folder option appears. This option lets users delete the contents of their Spam folders.
HIDE_NOT_SPAM: Specifies whether the This is Not Spam option is hidden. The default is 0 (appears). Any non-zero value, including an empty value, hides the option.
HIDE_SPAM: Specifies whether the This is Spam option appears. The default is 0 (appears). Any non-zero value, including an empty value, hides the option.
MANUAL_ALLOWED: If set to 1 (the default) or any non-zero value, lets users add entries to the Allowed Recipients list. If set to 0, does not let users add entries.
MANUAL_BLOCKED: If set to 1 (the default) or any non-zero value, lets users add entries to the Blocked Senders list. If set to 0, does not let users add entries.
MARK_AS_READ: If set to 1 (the default) or any non-zero value, messages are marked as Read when moved to the Spam folder. If set to 0, messages are not marked as Read when moved to the Spam folder.


Table 7-2 Symantec Spam Plug-in Setup Variables (Continued)

MODIFY_OPTIONS: If set to 1 (the default) or any non-zero value, lets users view or edit the Submissions and Preferences tabs. If set to 0, does not let users view or edit the Submissions and Preferences tabs.
MULTI_CONFIRM_MSG: This option lets you edit the confirmation message for multiple successful submissions. The default value for this string is: Thank you for submitting messages to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.
SENDER_NOT_IN_ALLOWED: Specifies the action to take if the message sender is not in the Allowed Senders List. Normal (default): Moves the message to the Inbox. Delete: Deletes the message. Spam Folder: Moves the message to the Spam folder.
SINGLE_CONFIRM_MSG: The confirmation message for a single successful submission. The default value for this string is: Thank you for submitting a message to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.
SPAM_FOLDER: The name of the Spam folder. The default is Spam.
SPAM_QUARANTINE_URL: If specified, this setting causes the Spam Quarantine option to appear in the toolbar. Clicking the option displays the Spam Quarantine login page in a Web browser. If unspecified (the default), the Spam Quarantine option does not appear in the toolbar.
REPORT_URL: If specified, the Spam Report option appears in the toolbar. Clicking the option displays the Spam Report application. If unspecified (the default), the Spam Report option does not appear in the toolbar.


To modify Symantec Spam Plug-in for Outlook variables
1 In WordPad or a similar text editing tool, open the following file on the Symantec Mail Security product CD:
  \ADMTOOLS\SPA\BMOP\Setup.ini
  This file contains the initial settings for launching the Outlook Plug-in installation package. All of the required settings can be set on the CmdLine attribute in the [Startup] section at the beginning of the setup.ini file.
2 Change the settings in Outlook Plug-in Setup Variables. For example:
  CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="admin-false@my.company.com"
3 See Table 7-2, Symantec Spam Plug-in Setup Variables, on page 126.
4 Save your changes to the setup.ini file and close the file.

Installing the Symantec Spam Plug-in for Outlook


To use the Symantec Spam Plug-in, ensure that the computer meets the following requirements:

- Outlook 2000/2002/2003
- Windows 2000/XP/2003

You can install the Symantec Spam Plug-in using any of the following methods:

- Install the plug-in using the installation wizard.
- Perform a silent installation.

To install the Symantec Spam Plug-in for Outlook using the installation wizard
1 Close Outlook by clicking File > Exit.
  If you close Outlook in any other way, Outlook may continue to run in memory and return an error.
2 Insert the Symantec Mail Security product CD in the CD-ROM drive.
  The installation program launches automatically. If it does not, run cdstart.exe from the product CD.
3 Click Install Outlook Plug-in.
4 In the welcome panel, click Next.
5 In the License Agreement panel, click I accept the terms of this license agreement, and then click Next.


6 In the Setup Type panel, select one of the following, and then click Next:
  Complete: Installs the plug-in in a predefined set of folders and files
  Custom: Lets you tailor installation options
7 Click Install.
8 Click Finish.

To perform a silent installation
1 On the computer on which you want to install the plug-in, insert the Symantec Mail Security product CD into the computer's CD-ROM drive.
2 Open the Windows command prompt.
3 At the command prompt, type the following:
  cd <CD-ROM drive>:\ADMTOOLS\SPA\BMOP
4 At the command prompt, type the following to run setup.exe with the following switches:
  setup.exe /s /v"/qn"
  If you run setup.exe with the command /s /v"/qn", the silent installation option ignores the changes made to setup.ini. To preserve your changes, add /qn to the end of the CmdLine attribute in setup.ini, and then run the silent install using the following:
  setup.exe /s
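The following is an added example of a [Startup] section that combines the variable changes described under Modifying Symantec Spam Plug-in for Outlook variables with the silent-install note above. It is not the Setup.ini shipped on the product CD: only the CmdLine attribute is shown, the installer's other keys in that section are not reproduced, the variable names and defaults come from Table 7-2, and the addresses and values are constructed for this example.

```ini
; Added example of the [Startup] section of \ADMTOOLS\SPA\BMOP\Setup.ini.
; Not the file shipped with the product; only CmdLine is shown, and the
; addresses and values below are constructed for this example.
[Startup]
CmdLine=SPAM_FOLDER="Spam" ADMIN_JUNK_ADDRESS="spam-admin@example.com" ADMIN_FALSE_ADDRESS="false-positives@example.com" AUTO_ADD_BLOCKED=1 DELETE_X_DAYS=14 EMPTY_SPAM_FOLDER=1 MARK_AS_READ=1 MODIFY_OPTIONS=0 /qn
```

With /qn at the end of CmdLine, run the install as setup.exe /s from the BMOP folder; passing /v"/qn" on the command line as well would make the installer ignore setup.ini and drop every setting shown here. MODIFY_OPTIONS=0 keeps the Submissions and Preferences tabs read-only, so the administrator-chosen copy addresses and list behaviour stay in force on each user's computer.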

Configuring Symantec Premium AntiSpam to identify spam


Before you configure Symantec Premium AntiSpam, ensure that you have done the following:

- If you have an ISA server, register Symantec Premium AntiSpam through the ISA server.
  See About registering Symantec Premium AntiSpam through an ISA server on page 117.
- Configure your proxy server to permit downloads for Symantec Premium AntiSpam.
  See Configuring your proxy server to download spam definition updates on page 118.
- Install the Symantec Premium AntiSpam license.
  See About the Symantec Premium AntiSpam license file on page 67.


When you enable Symantec Premium AntiSpam, you can configure the following settings to identify and handle spam:

Reputation service: Symantec monitors email sources to determine how much of the email that is sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. Symantec uses the following lists to filter your messages:
  - Open Proxy list: IP addresses that are either open proxies that are used by spammers or 'zombie' computers that are co-opted by spammers.
  - Safe list: Contains IP addresses from which virtually no outgoing email is spam.
  - Suspect list: A list of IP addresses from which virtually all of the outgoing email is spam.
  These lists work like antispam rules but do not create delays like those that can occur with third-party lists. Nor do these lists require any special setup.
Suspected spam threshold: Symantec calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, it is defined as spam. You can define a suspected spam threshold between 25 and 89. You can also specify the actions for handling spam and suspected spam separately.
Language identification: Symantec can determine the language in which a message is written. If you use Microsoft Outlook, you can use the Symantec Plug-in for Outlook to specify that email that is written in certain languages be treated as spam.

To configure Symantec Premium AntiSpam to identify spam
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Settings.
3 In the content area, under Symantec Premium AntiSpam Settings, check Enable Symantec Premium AntiSpam.
4 Under Reputation Services, check any of the following lists that you want to use:
  - Open proxy list
  - Safe list
  The Suspect List is enabled by default and cannot be disabled.


5 Under Spam Scoring, select whether you want messages flagged as suspected spam.
6 Under Spam Threshold, in the Lower spam threshold box, type the suspected spam threshold level if you choose to identify suspected spam.
  You can enter a value between 25 and 89. The default value is 72.
7 Under Language ID, select whether or not you want to enable language identification.
8 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings to a server or group on page 72.

What you can do with spam and suspected spam messages


After you configure Symantec Premium AntiSpam settings, you can configure the actions that you want Symantec Mail Security to take for spam and suspected spam messages. You can configure Symantec Mail Security to process spam messages based on the following criteria:

Spam Messages: You can specify how to dispose of messages that are identified as spam by the Symantec Premium AntiSpam service. See Processing spam messages on page 133.
Suspected Spam and SCL: Configure the Suspected Spam and SCL settings if you meet all of the following conditions:
  - You are using Exchange Server 2003
  - You use a mail screening tool that stamps messages with SCL values
  If the premium antispam service identifies the message as suspected spam, Symantec Mail Security examines the SCL value. If the SCL value exceeds the threshold that you specify, the message is handled according to the settings that you configure. See Processing suspected spam messages that exceed a SCL threshold on page 135.


Suspected Spam: Configure the Suspected Spam settings if you meet any of the following conditions:
  - You are using Exchange Server 2000.
  - You are using Exchange Server 2003, and you do not use a mail screening tool.
  - You are using Exchange Server 2003 with a mail screening tool, and you want to configure settings for suspected spam messages that fall below the threshold that you configured for Suspected Spam and SCL.
  If the premium antispam service identifies the message as suspected spam, the message is handled according to the settings that you configure. See Processing suspected spam messages on page 138.
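The three action groups above, together with the scoring rules given under Configuring Symantec Premium AntiSpam to identify spam, form one decision. The following is an added example that models that decision; it is not code from the Symantec guide or product. A score of 90 to 100 is spam, a score at or above the configured suspected spam threshold (25 to 89, default 72) is suspected spam, and on Exchange Server 2003 with a mail screening tool that stamps SCL values a suspected spam message whose SCL exceeds the configured threshold (>0 to >8, default >5) falls under Suspected Spam and SCL rather than Suspected Spam. The PolicyConfig class, its field names and the reading that a score equal to the lower threshold counts as suspected spam are this example's assumptions.

```python
"""Which Premium AntiSpam Actions group governs a message.

Added example; not part of the Symantec guide or product. PolicyConfig,
its field names and the 'at or above' reading of the lower threshold are
assumptions made here; the numeric ranges and defaults are the guide's.
"""
from dataclasses import dataclass
from typing import Optional

SPAM_MIN = 90                            # scores 90..100 are spam
SUSPECTED_MIN, SUSPECTED_MAX = 25, 89    # allowed range for the lower threshold


@dataclass(frozen=True)
class PolicyConfig:
    """Assumed representation of the relevant console settings."""
    flag_suspected: bool = True       # Spam Scoring: flag suspected spam
    suspected_threshold: int = 72     # Lower spam threshold, default 72
    exchange_2003: bool = False       # Exchange Server 2003 (SCL available)
    scl_stamped: bool = False         # a mail screening tool stamps SCL values
    scl_threshold: int = 5            # "SCL is > N", default >5

    def __post_init__(self) -> None:
        if not SUSPECTED_MIN <= self.suspected_threshold <= SUSPECTED_MAX:
            raise ValueError("suspected spam threshold must be between 25 and 89")
        if not 0 <= self.scl_threshold <= 8:
            raise ValueError("SCL threshold must be between >0 and >8")


def score_verdict(score: int, cfg: PolicyConfig) -> str:
    """Map a spam score (1..100) to 'spam', 'suspected spam' or 'clean'."""
    if not 1 <= score <= 100:
        raise ValueError("spam score must be between 1 and 100")
    if score >= SPAM_MIN:
        return "spam"
    # Assumption: a score equal to the threshold counts as suspected spam.
    if cfg.flag_suspected and score >= cfg.suspected_threshold:
        return "suspected spam"
    return "clean"


def action_group(score: int, scl: Optional[int], cfg: PolicyConfig) -> str:
    """Name the Premium AntiSpam Actions group that handles the message.

    scl is the Spam Confidence Level stamped by a screening tool, or None
    when nothing stamped one (Exchange 2000, or no screening tool).
    """
    verdict = score_verdict(score, cfg)
    if verdict == "spam":
        return "Spam Messages"
    if verdict == "clean":
        return "none"
    # Suspected spam: the SCL branch applies only when every condition
    # holds and the stamped SCL exceeds (not merely reaches) the threshold.
    if (cfg.exchange_2003 and cfg.scl_stamped
            and scl is not None and scl > cfg.scl_threshold):
        return "Suspected Spam and SCL"
    return "Suspected Spam"


if __name__ == "__main__":
    e2000 = PolicyConfig()
    e2003 = PolicyConfig(exchange_2003=True, scl_stamped=True)
    for score, scl, cfg in [(95, None, e2000), (80, None, e2000),
                            (80, 7, e2003), (80, 5, e2003), (40, 9, e2003)]:
        print(score, scl, action_group(score, scl, cfg))
```

The boundary case worth noticing is an SCL equal to the threshold: with the default of >5, a suspected spam message stamped SCL 5 is handled by the Suspected Spam settings, not by Suspected Spam and SCL, which is why the procedures for both groups need to be configured on an Exchange 2003 server that uses a screening tool.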

Processing spam messages


You can configure Symantec Mail Security to block spam messages or permit them. You can log all spam events to the specified logging destinations. See About logging events on page 197. If you choose to reject spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. If you permit spam messages, you can configure the following message delivery options:

- Prevent the messages from being sent to the intended recipient
- Save the spam message to the folder location that you specify
  See Save messages to a folder for archiving on page 24.
- Deliver the spam message to an alternate recipient
- Add your customized subject line text to the message
- Add your customized X-header to the message
- Tag the message as spam for the Spam Folder Agent
  Use this option if you have installed the Spam Folder Agent. See About the Symantec Spam Folder Agent for Exchange on page 119.
- Assign a SCL value to the message
  Use this option if you are using Exchange 2003 and are using Exchange's SAT values to route spam messages.


To reject spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Reject the message.
4 Check Log to log spam messages to the specified logging destinations.
5 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings to a server or group on page 72.

To accept spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Accept the message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving spam messages.
5 To save spam messages to a folder, do all of the following:
  - Check Save to folder.
  - In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list.
  This option is only available if Prevent delivery to original recipient(s) is checked. See Save messages to a folder for archiving on page 24.
6 To add an X-header to messages sent to a folder, do all of the following:
  - Check Add X-header.
  - In the X-header name box, type the name for the X-header. The default name is X-Bulk.
  - In the X-header value box, type the X-header value. The default value is Spam.
  This option is only available if Save to folder is checked.
7 Check Deliver to alternate recipient to send spam messages to a different recipient, and type the address to which spam messages are delivered. You can only enter one address.
  This option is not available if Prevent delivery to original recipient(s) is checked.


8 Check Add to subject line to prepend the subject line of spam messages, and in the subject line box, type your customized text. The default text is Spam.
9 To add an X-header to spam messages, do all of the following:
  - Check Add X-header.
  - In the X-header name box, type the name of the X-header. The default text is X-Bulk.
  - In the X-header value box, type the value for the X-header. The default value is Spam.
10 Check Tag for Spam Folder Agent Delivery to send spam messages to the Symantec Spam Folder Agent.
  You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.
11 Check Assign SCL value to message to assign a SCL value to spam messages, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 9.
  This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.
12 Check Log to log spam messages to the specified logging destinations.
13 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings to a server or group on page 72.

Processing suspected spam messages that exceed a SCL threshold


If you are using Exchange Server 2003 with a mail screening tool, you can configure Symantec Mail Security to block or permit suspected spam messages that exceed a SCL threshold. You must assign the SCL threshold for which the Suspected Spam and SCL settings apply. You can log all spam events to the specified logging destinations. See About logging events on page 197.

Note: These settings do not apply for Exchange Server 2000.

You can specify how you want Symantec Mail Security to process messages that are identified as suspected spam and that exceed the SCL threshold that you specify.


If you reject suspected spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. If you permit suspected spam messages that exceed the threshold, you can configure the following message delivery options:

- Prevent the messages from being sent to the intended recipient
- Save the spam message to the folder location that you specify
  See Save messages to a folder for archiving on page 24.
- Deliver the spam message to an alternate recipient
- Add your customized subject line text to the message
- Add your customized X-header to the message
- Tag the message as spam for the Spam Folder Agent
  Use this option if you have installed the Spam Folder Agent. See About the Symantec Spam Folder Agent for Exchange on page 119.
- Reassign the SCL value of the message
  Use this option if you are using Exchange 2003 and are using Exchange's SAT values to route spam messages.

To reject suspected spam messages that exceed a SCL threshold
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam and SCL, in the If message is Suspected Spam and SCL is list, select the SCL value threshold.
  You can choose a value from >0 to >8. The default value is >5.
4 Check Reject the message.
5 Check Log to log suspected spam messages to the specified logging destinations.
6 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings to a server or group on page 72.

To accept suspected spam messages that exceed a SCL threshold
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam and SCL, in the If message is Suspected Spam and SCL is list, select the SCL value threshold.
  You can choose a value from >0 to >8. The default value is >5.


4 Check Accept the message.
5 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.
6 To save suspected spam messages to a folder, do all of the following:
  - Check Save to folder.
  - In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list.
  This option is only available if Prevent delivery to original recipient(s) is checked. See Save messages to a folder for archiving on page 24.
7 To add an X-header to messages sent to a folder, do all of the following:
  - Check Add X-header.
  - In the X-header name box, type the name for the X-header. The default text is X-Bulk.
  - In the X-header value box, type the X-header value. The default value is Suspected Spam.
  This option is only available if Save to folder is checked.
8 Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered. You can only specify one recipient.
9 Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text. The default text is Spam.
10 To add an X-header to suspected spam messages, do all of the following:
  - Check Add X-header.
  - In the X-header name box, type the name of the X-header. The default text is X-Bulk.
  - In the X-header value box, type the value for the X-header. The default value is Suspected Spam.
11 Check Tag for Spam Folder Agent Delivery to send suspected spam messages to the Symantec Spam Folder Agent.
  You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.


12 Check Assign SCL value to message to assign a SCL value to suspected spam messages, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 8.
  This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.
13 Check Log to log suspected spam messages to the specified logging destinations.
14 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings to a server or group on page 72.

Processing suspected spam messages


You can configure Symantec Mail Security to block or permit suspected spam messages. You can log all spam events to the specified logging destinations. See About logging events on page 197. Configure the Suspect Spam options if you meet any of the following conditions:

- You are using Exchange Server 2000.
- You are using Exchange Server 2003, and you do not use a mail screening tool.
- You are using Exchange Server 2003 with a mail screening tool, and you want to configure settings for suspected spam messages that fall below the threshold that you configured for Suspected Spam and SCL.

If you reject suspected spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. If you choose to reject the message, the message delivery options are disabled. If you permit suspected spam messages, you can use the following message delivery options:

- Prevent the messages from being sent to the intended recipient
- Save the spam message to the folder location that you specify
- Deliver the spam message to an alternate recipient
- Add your customized subject line text to the message
- Add your customized X-header to the message
- Tag the message as spam for the Spam Folder Agent
  Use this option if you have installed the Spam Folder Agent. See About the Symantec Spam Folder Agent for Exchange on page 119.


- Reassign the SCL value of the message
  Use this option if you are using Exchange 2003 and are using Exchange's SAT values to route spam messages. See About spam confidence level (SCL) values on page 110.

To reject suspected spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Reject the message.
4 Check Log to log spam messages to the specified logging destinations.
5 On the toolbar, click Deploy changes to apply your changes.
  See Deploying settings to a server or group on page 72.

To accept suspected spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Accept the message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.
5 To save suspected spam messages to a folder, do all of the following:
   - Check Save to folder.
   - In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list. This option is only available if Prevent delivery to original recipient(s) is checked. See Save messages to a folder for archiving on page 24.
6 To add an X-header to messages sent to a folder, do all of the following:
   - Check Add X-header.
   - In the X-header name box, type the name for the X-header. The default text is X-Bulk.
   - In the X-header value box, type the X-header value. The default value is Suspected Spam. This option is only available if Save to folder is checked.
7 Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered. You can only specify one recipient.
8 Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text. The default text is Spam.
9 To add an X-header to suspected spam messages, do all of the following:
   - Check Add X-header.
   - In the X-header name box, type the name of the X-header. The default text is X-Bulk.
   - In the X-header value box, type the value for the X-header. The default value is Suspected Spam.
10 Check Tag for Spam Folder Agent Delivery to send suspected spam messages to the Symantec Spam Folder Agent. You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.
11 Check Assign SCL value to message to reassign the SCL value, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 6. This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.
12 Check Log to log suspected spam messages to the specified logging destinations.
13 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Configuring heuristic antispam protection


You can enable the heuristic antispam engine to detect spam. You can use the SCL values that Symantec Mail Security assigns to each message to specify how you want Symantec Mail Security to process the message. To configure heuristic antispam protection, do the following:

Enable heuristic antispam detection.
You must enable heuristic spam detection. This option is disabled by default. If you are using Exchange Server 2003, you can also specify how you want Symantec Mail Security to address multiple SCL values. See About comparing Symantec Mail Security SCL values to other screening tools on page 111.

Configure options for messages to reject.
You can reject messages based on their SCL values. For example, if Symantec Mail Security assigns a message a SCL value of 9, there is a high likelihood that the message is spam. You can configure Symantec Mail Security to reject messages that have a SCL value greater than 8. Rejecting messages that have a high likelihood of being spam can help you conserve scanning resources. If you are using Exchange 2000, configure the option: Reject message if SCL is. If you are using Exchange 2003, configure the following options:
   - Reject message if Symantec's SCL and existing SCL are
   - Reject message if SCL is. This provides a backup configuration in the event your other mail screening tool fails to assign a SCL value.
See About comparing Symantec Mail Security SCL values to other screening tools on page 111. You can also specify whether you want to log spam messages that are rejected.

Configure options for messages to accept.
You can configure which messages to accept and how you want Symantec Mail Security to process the messages. For example, if Symantec Mail Security assigns a message a SCL value of 7, there is a medium likelihood that the message is spam. You can configure Symantec Mail Security to accept messages that fall below a specified SCL value. You can specify to whom the message should be delivered, or you can save the message to a file location. You can prepend the subject text and add an X-header. You can also log messages that are accepted.

To enable heuristic antispam detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Heuristic Detection.
3 In the content area, under Heuristic Anti-Spam Settings, check Enable heuristic spam detection.
4 In the Use list, select one of the following:
   - Highest SCL (this is the default option)
   - Lowest SCL
   - Average SCL
   - Symantec's SCL
   - Existing SCL (this option is only available for Exchange Server 2003)

To configure actions to take for rejected messages
1 Under Rejected Messages, check Reject message if Symantec's SCL and existing SCL are to reject messages that receive a SCL value from Symantec and another mail screening tool, and in the drop-down list, select the threshold value. You can choose a value from >5 to >8. The default value is >8. This option is only available for Exchange Server 2003.
2 Check Reject message if SCL is to reject messages based on SCL value, and in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8. Configure this option if you use Exchange 2000 (which does not support mail screening tools). Configure this option if you use Exchange 2003 to provide a backup configuration in the event your other mail screening tool fails to assign a SCL value.
3 Check Log rejected messages to log rejected messages to the specified logging destinations. See About logging events on page 197.

To configure actions to take for accepted messages
1 Under Accepted Messages, check Prevent delivery to original recipient if SCL is to prevent the original recipient from receiving messages with a given SCL, and in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8.
2 To save messages to a folder, do all of the following:
   - Check Save to folder.
   - Type a folder name in the Folder name box or click the browse [...] command icon and select a folder name from the list. This option is only available if Prevent delivery to original recipient if SCL is is checked. See Save messages to a folder for archiving on page 24.
3 To add an X-header to messages sent to a folder, do all of the following:
   - Check Add X-header.
   - In the X-header value box, type the X-header value. The default value is X-SMSMSE-SCL. This option is only available if Save to folder is checked.
4 To send messages with a given SCL to a different recipient, do all of the following:
   - Check Deliver to alternative recipient if SCL is.
   - Click the drop-down list and select the threshold value. You can choose a value from >0 to >8. The default value is >8.
   - In the Alternative recipient box, type the address to which messages that meet the SCL criterion are delivered. You can only specify one recipient. This option is only available if Deliver to alternative recipient if SCL is is checked. This option is not available if the Save to folder option is checked.
5 To prepend the subject line of messages with a given SCL, do all of the following:
   - Check Add subject tag if SCL is.
   - In the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8.
   - In the Prepend subject text box, type your customized text. The default value is Spam.
6 Check Add X-header, containing SCL value, if SCL is to add an X-header to messages with a given SCL, and then in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8.
7 Check Log if SCL is to log messages with a given SCL to the specified logging destinations, and in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8. See About logging events on page 197.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Chapter

Filtering content using content filtering rules


This chapter includes the following topics:

- About filtering content
- Working with match lists
- Working with content filtering rules
- How to enforce email attachment policies

About filtering content


Symantec Mail Security enhances mail security protection by filtering email messages and attachments. Symantec Mail Security can scan email messages and their attachments for offensive language, confidential information, and content with potential legal consequences. Symantec Mail Security can also block file types that could potentially contain threats. Content filtering rules let you filter messages for specific words, phrases, subject lines, senders, attachment names, attachment size, and attachment content, and take action when the specified content is found. You can apply content filtering scanning when you perform auto-protect scans, manual scans, and scheduled scans. The rules provide a front-end defense against spam email messages and new or unidentified threats. See About the scanning process on page 178.


You can also use content filtering rules with outbreak management. You can configure Symantec Mail Security to automatically add the names of outbreak triggered attachments and outbreak triggered subject text to match lists. Symantec Mail Security uses these match lists in pre-configured content filtering rules that automatically block suspicious file attachments or subjects. You can also use these match lists to create your own content filtering rules. See About outbreak management on page 189.

You can create as many content filtering rules as needed. Each rule specifies the email message part to search (for example, message body, subject, sender, attachment name, or attachment content), and defines the condition that should trigger a content violation. You can enable or disable filtering for each rule. See Working with content filtering rules on page 157. See About configuring a content filtering rule on page 160.

Note: The content filtering engine does not evaluate any file extension names that are inside the outer-most attachment, for example, the compressed files in a .zip file.

Symantec Mail Security handles content violations according to the action that you configure for the rule. Symantec Mail Security can notify administrators and senders (internal and external) of content filtering violations. You can customize the notification message.

Note: A message can trigger a single content filtering rule violation multiple times. This occurs if the mail client from which the message originated used RTF or HTML encoding. In that case, both the plain text and formatted versions of the message body are sent by the mail client to the Exchange server. Symantec Mail Security scans the plain text and formatted versions of the message body as separate message bodies.


About default content filtering rules


Table 8-1 describes the pre-configured content filter rules that Symantec Mail Security provides.

Table 8-1 Default content enforcement rules

Rule                                    Description
Allow-Only Attachment Rule              Detects and filters files with attachment types that are not on a list of permitted attachment types
Blank Subject and Sender                Detects and filters messages with blank subject line and blank sender line
Quarantine Triggered Attachment Names   Detects and filters files if the attachment name matches a list of outbreak-triggered attachment names
Quarantine Triggered Subjects           Detects and filters messages whose subject matches a list of outbreak-triggered subjects
Sample Executable File                  Detects and filters executable files based on the Sample Attachment Name match list

You must enable the default content filtering rules that you want to use. You can modify the rules as needed.

About content evaluation


Email messages or their attachments that match an expression in a filtering rule might violate that rule, depending on whether the rule contains AND expressions or OR expressions. Specifically, if the rule contains AND expressions, then all expressions must evaluate to true to trigger a content violation for the entire rule. However, if the rule contains OR expressions, only one expression must evaluate to true to trigger a content violation for the rule. See Elements of a content filtering rule on page 149.

You can specify a filtering rule to apply to SMTP inbound messages, SMTP outbound messages, and/or internal (store) messages. See Specifying inbound SMTP domains on page 157.

A content filtering rule consists of one or more conditions that you define. For example, a condition might be that an email subject line contains one or more words from a subject line match list. A rule can optionally contain one or more exceptions. For example, UNLESS the subject line contains the word Rochester. The filtering rule triggers a violation if the subject line contains words from the selected subject line match list, such as cellular, credit, debt, diploma, or phrases like feel younger. If the subject line contains Rochester, however, the message does not trigger a violation.

Symantec Mail Security evaluates a rule logically as either an OR or AND rule. By default, the entries in the Content box are OR (Match any term), which means that if any of the entries are present, the rule applies. If you check Match all terms, it becomes an AND, which means that the rule only applies if all the items in the list are present. Checking the Attachment size is box makes the attachment size threshold another condition for the rule.

For example, assume that you are filtering subject line content. You add "top secret" in the Content list. You check Attachment size is, and you select a value of >2 MB. If you check Match any term, Symantec Mail Security triggers a violation if it detects either top OR secret in the subject line OR if the message exceeds 2 MB. If you check Match all terms, Symantec Mail Security triggers a violation if it detects the words top AND secret in the subject line AND the message exceeds 2 MB.

Any rule can only test one part of a message. If you want to test all the parts of a message, you have to create separate rules. However, if a rule tests an attachment, you can add an additional if/unless condition related to the attachment size.
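To make the Match any term / Match all terms and UNLESS semantics above concrete, the following Python model of a single-part rule is an added example for this page, not code from the guide or the product. The Message and Rule classes, measuring the ">2 MB" threshold in bytes, and treating the exception as a Contains test on the same message part are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

MB = 1024 * 1024  # assumption: the ">2 MB" threshold is compared in bytes


@dataclass
class Message:
    """Hypothetical stand-in for the message parts a rule can test."""
    subject: str = ""
    body: str = ""
    attachment_name: str = ""
    attachment_size: int = 0  # bytes


@dataclass
class Rule:
    """One content filtering rule; a rule tests exactly one message part."""
    part: str                        # "subject", "body" or "attachment_name"
    terms: List[str]                 # entries in the Content box
    match_all: bool = False          # False = Match any term (OR), True = Match all terms (AND)
    comparison: str = "contains"     # "contains" or "equals"
    whole_term: bool = False         # Match: Whole term
    case_sensitive: bool = False     # Match: Case
    size_over: Optional[int] = None  # "Attachment size is >" threshold in bytes, if checked
    unless: List[str] = field(default_factory=list)  # UNLESS exception terms


def term_hit(text: str, term: str, comparison: str = "contains",
             whole_term: bool = False, case_sensitive: bool = False) -> bool:
    """Compare one literal term against the text of the tested message part."""
    flags = 0 if case_sensitive else re.IGNORECASE
    pattern = re.escape(term)
    if comparison == "equals":
        # Equals: the whole part must be the term, with no surrounding text
        return re.fullmatch(pattern, text, flags) is not None
    if whole_term:
        # Whole term: "Free" must not match inside "Freedom"
        pattern = r"\b" + pattern + r"\b"
    return re.search(pattern, text, flags) is not None


def violates(rule: Rule, msg: Message) -> bool:
    """Return True when the message triggers a content violation for the rule."""
    text = getattr(msg, rule.part)
    checks = [term_hit(text, t, rule.comparison, rule.whole_term, rule.case_sensitive)
              for t in rule.terms]
    if rule.size_over is not None:
        # The attachment size box is one more condition, combined like the terms
        checks.append(msg.attachment_size > rule.size_over)
    triggered = all(checks) if rule.match_all else any(checks)
    if not triggered:
        return False
    # UNLESS: an exception term found in the same part suppresses the violation
    # (modelled as a Contains test that follows the rule's case setting)
    return not any(term_hit(text, ex, "contains", False, rule.case_sensitive)
                   for ex in rule.unless)


def demo() -> dict:
    """Walk through the guide's 'top secret' and 'Rochester' examples (constructed input)."""
    big = Message(subject="top secret plans", attachment_size=3 * MB)
    small = Message(subject="top plans", attachment_size=1 * MB)
    any_rule = Rule("subject", ["top", "secret"], match_all=False, size_over=2 * MB)
    all_rule = Rule("subject", ["top", "secret"], match_all=True, size_over=2 * MB)
    subject_rule = Rule("subject", ["cellular", "credit", "debt", "diploma", "feel younger"],
                        unless=["Rochester"])
    return {
        "any/big": violates(any_rule, big),        # True
        "any/small": violates(any_rule, small),    # True: "top" alone is enough
        "all/big": violates(all_rule, big),        # True: top AND secret AND > 2 MB
        "all/small": violates(all_rule, small),    # False: no "secret", not over 2 MB
        "rochester": violates(subject_rule, Message(subject="Credit offers in Rochester")),  # False
        "credit": violates(subject_rule, Message(subject="Credit offers")),                  # True
    }
```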


Elements of a content filtering rule


A rule consists of the following elements:

Message part   You can specify the part of the email message that you want to scrutinize for violations.
Message flow   You can select whether to apply the rule to any combination of inbound, outbound, or internal messages. You must select at least one.
Match          Whole term: Applies the rule only if the exact term in the Content box or match list is found.
               Case: Applies the rule only if the exact term in the same case in the Content box or match list is found. For example, if you type ACME in the Content box list, a message that contains the word Acme would not trigger a violation.
Type           Literal string: Matches the exact text in the box.
               Regular expression: Symbols and syntactic elements used to match patterns of text. See About regular expressions on page 150.
               Wildcards: Wildcard-style expressions provide a convenient way to specify file names. See About DOS wildcard style expressions on page 154.
Comparison     Type the comparison that you want to make between the message part and the value that, when matched to the message part, constitutes a content violation. For example, Equals, Does Not Equal, Contains, or Does Not Contain.
Exception      You can add an UNLESS condition to a rule to make exceptions to the overall requirement.
Value          Type the numeric value or alphanumeric text string as the criteria to match. The Attachment Size is value is a numeric value. The rest of the values are alphanumeric text strings.
Action         You can specify the action that you want Symantec Mail Security to take when the rule is violated.

When you create or modify a rule, you can also specify the sender or recipients for whom the rule applies and who to notify if the rule is violated. The message part that you select determines which comparisons you can use.


The Message body, Subject, and Attachment Name parts interpret their value boxes according to the user's choice. If you choose regular expressions, even if you type a number in the value box, Symantec Mail Security considers it text, not a number. Text strings, because they allow for regular expressions, give you flexibility in extending your text searches to find more than just a direct match. Regular expressions include metacharacters to help you broaden the search capabilities of a given rule. See About regular expressions on page 150. See About metacharacters on page 151.

About regular expressions


A regular expression is a set of symbols and syntactic elements that is used to match patterns of text. Symantec Mail Security performs matching on a line-by-line basis. It does not evaluate the line feed (newline) character at the end of each input expression phrase. You can build regular expressions using a combination of normal alphanumeric characters and metacharacters.

Regular expressions let you perform pattern matching in text. For example, many email messages contain a trailing number at the end of the subject line text, as in the following sample subject line:

Here's a hot stock pick!43234

To write a rule to match email subject lines that have trailing numbers, compare the subject against the following regular expression:

^.+![0-9]+$

This regular expression contains the normal alphanumeric characters 0-9 and the metacharacters ^, ., +, and []. By using the subject attribute, the = operator, and the regular expression as the value, you can build a content filtering rule to catch any email messages whose subject lines end with a trailing number. This is a possible sign that the message is spam.


About metacharacters
Table 8-2 lists the metacharacters that you can use in regular expressions to build filtering rules. Some characters are not considered special unless you use them in combination with other characters.

Note: You can use metacharacters in regular expressions to search for both single-byte and multi-byte character patterns.

Table 8-2 Metacharacter descriptions

Metacharacter          Description
.                      Period: Matches any single character of the input sequence.
^                      Circumflex: Represents the beginning of the input line. For example, ^A is a regular expression that matches the letter A at the beginning of a line. The ^ character is only special at the beginning of a regular expression or after the ( or | characters.
$                      Dollar sign: Represents the end of the input line. For example, A$ is a regular expression that matches the letter A at the end of a line. The $ character is only special at the end of a regular expression or before the ) or | characters.
*                      Asterisk: Matches zero or more instances of the string to the immediate left of the asterisk. For example, A* matches A, AA, AAA, and so on. It also matches the null string (zero occurrences of A).
?                      Question mark: Matches zero or one instance of the string to the immediate left of the question mark.
+                      Plus sign: Matches one or more instances of the string to the immediate left of the plus sign.
\                      Escape: Turns on or off the special meaning of metacharacters. For example, \. only matches a dot character. \$ matches a literal dollar sign character. Note that \\ matches a literal \ character.
|                      Pipe: Matches either expression on either side of the pipe. For example, exe|com|zip matches exe, com, or zip.
[string]               Brackets: Inside the brackets, matches a single character or collating element, as in a list. The string inside the brackets is evaluated literally, as if an escape character (\) were placed before each character in the string. If the initial character in the bracket is a circumflex (^), then the expression matches any character or collating element except those inside the bracket expression. If the first character after any potential circumflex (^) is a dash (-) or a closing bracket (]), then that character matches only a literal dash or closing bracket.
(string) or \(string\) Parentheses: Groups parts of regular expressions, which gives the string inside the parentheses precedence over the rest.

The order of metacharacters, from highest to lowest precedence, is as follows:

()   Precedence override
|    OR
[]   List
\    Escape
^    Start with

You can link several regular expressions to form a larger one to match certain content in email.


Table 8-3 lists examples of regular expressions that show how pattern matching is accomplished with the use of metacharacters and alphanumeric characters.

Table 8-3 Regular expressions

Regular expression                   Description
abc                                  Matches any line of text that contains the three letters abc in that order. Your results may differ depending on the comparison that you use to create the filtering rule. For example, if you build a rule to match the word Free and use the Contains comparison, then the filtering engine detects all words that contain the word Free instead of an exact match (for example, Freedom). However, if you use the Equal comparison, then the filtering engine detects only exact matches of the word Free with no other surrounding text. If you use the Contains comparison with Whole words only, then the filtering engine detects Free as a stand-alone word, even if there are other words present in the text that is being searched.
a.c                                  Matches any string that begins with the letter a, followed by any character, followed by the letter c.
^.$                                  Matches any line that contains exactly one character. (The newline character is not counted.)
a(b*|c*)d                            Matches any string beginning with the letter a, followed by either zero or more instances of the letter b, or zero or more instances of the letter c, followed by the letter d.
.+\....\....                         Matches any file name that has two three-letter extensions (for example, Filename.gif.exe). This regular expression is helpful in blocking email attachments with double extensions. For example: If Attachment Name = .+\....\....
[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+    Matches an embedded comment in the middle of meaningful HTML text. Embedding comments within HTML text is a trick that spam senders use to bypass some pattern-matching software.
\s*                                  Matches a white space character zero or more times.


About DOS wildcard style expressions


DOS wildcard style expressions (*, ., and ?) provide a convenient way to specify file names, similar to the way in which DOS wildcard characters are used. For example, match lists of type DOS wildcard are typically used with the Attachment Name attribute to specify file names such as *.exe. In addition, a DOS wildcard expression lets you easily specify files without extensions. Table 8-4 describes the DOS wildcard style expressions.

Table 8-4 DOS wildcard expressions

DOS wildcard expression   Equivalent regular expression   Description
*                         .*                              Zero or more of any character
?                         [^\.]                           Any one character except the period (.)
.                         \.                              Literal period character
*.                        [^\.]+\.?                       Does not contain a period, but can end with one
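The following Python is an added example, not code from the guide or the product: it exercises the regular expressions from Table 8-3 against constructed subject lines, attachment names and HTML fragments, and translates DOS wildcard expressions into the equivalent regular expressions from Table 8-4. Matching attachment names case-insensitively and treating *. as a special case only when it is the whole pattern are assumptions of this example.

```python
import re

# Patterns copied from Table 8-3
TRAILING_NUMBER = re.compile(r"^.+![0-9]+$")          # subject ends in "!" plus digits
DOUBLE_EXTENSION = re.compile(r".+\....\....")        # two three-letter extensions
HTML_COMMENT_SPLIT = re.compile(r"[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+")
ALT_GROUP = re.compile(r"a(b*|c*)d")


def subject_has_trailing_number(subject: str) -> bool:
    # Subject = ^.+![0-9]+$ : matching is per line, so search is enough here
    return TRAILING_NUMBER.search(subject) is not None


def is_double_extension(attachment_name: str) -> bool:
    # Attachment Name = .+\....\.... : the Equals comparison means the whole name must match
    return DOUBLE_EXTENSION.fullmatch(attachment_name) is not None


def has_split_html_comment(body: str) -> bool:
    # Contains comparison: a comment wedged between two runs of letters or digits
    return HTML_COMMENT_SPLIT.search(body) is not None


def alt_group_matches(text: str) -> bool:
    # a(b*|c*)d : note that "abcd" does NOT match, because the group is b's OR c's
    return ALT_GROUP.fullmatch(text) is not None


# Table 8-4: DOS wildcard form -> equivalent regular expression
WILDCARD_TABLE = {"*": r".*", "?": r"[^\.]", ".": r"\."}
NO_EXTENSION = r"[^\.]+\.?"  # the "*." form: no period in the name, but it may end with one


def wildcard_to_regex(pattern: str) -> str:
    """Translate a DOS wildcard expression using the Table 8-4 equivalences.

    "*." on its own is treated as the files-without-extension form (assumption);
    inside a longer pattern such as "*.exe" each character is translated on its
    own. Any other regex metacharacter in the pattern is escaped.
    """
    if pattern == "*.":
        return NO_EXTENSION
    return "".join(WILDCARD_TABLE.get(ch, re.escape(ch)) for ch in pattern)


def wildcard_match(attachment_name: str, pattern: str) -> bool:
    """Whole-name, case-insensitive match (assumed, as for DOS file names)."""
    regex = wildcard_to_regex(pattern)
    return re.fullmatch(regex, attachment_name, re.IGNORECASE) is not None
```

Note that *.exe does not match setup.exe.txt, which is why the guide's double-extension expression from Table 8-3 is the better test for that case.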

Working with match lists


You can create a match list that includes words, email addresses, or domains that you want to filter. Match lists provide a way to filter content that applies to a specific situation. Match lists support literal strings, DOS wildcard-style expressions, or regular expressions. See About regular expressions on page 150. See About DOS wildcard style expressions on page 154.


Table 8-5 lists the pre-configured match lists that are provided.

Table 8-5 Pre-configured match lists

Match list name                        Description
Outbreak Triggered Attachment Names    When you enable outbreak management, Symantec Mail Security adds the names of outbreak triggered attachments to the Outbreak Triggered Attachment Names match list. You can use this match list with the Quarantine Triggered Attachment Names content filtering rule. This rule lets you automatically quarantine files with attachment names that are found in the Outbreak Triggered Attachment Names match list. You can edit the rule description and the text in the Filter list. Leave the match type as wild cards. See Configuring outbreak triggers on page 193.
Outbreak Triggered Subject Lines       When you enable outbreak management, Symantec Mail Security adds the names of outbreak triggered subject lines to the Outbreak Triggered Subject Lines match list. You can use this match list with the Quarantine Triggered Subjects content filtering rule. This rule lets you automatically quarantine files with subject line text that is found in the Outbreak Triggered Subject Lines match list. You can edit the rule description and the text in the Filter list. Leave the match type as literal. See Configuring outbreak triggers on page 193.
Sample Attachment Name                 This contains a list of attachment file names or extensions that might contain malicious code. You can edit the rule description and add or remove file extensions in the Filter list. Leave the match type as wild cards.
Sample Executable File Names           This list contains file names or extensions that can potentially execute malicious code. Leave the match type as wild cards.
Sample Message Body Words              This list contains key words and phrases typically found in the bodies of spam email messages. You can edit the rule description, add or remove key words and phrases in the Filter list, and modify the match type. The default match type is literal.
Sample Multimedia File Names           This list contains file names or extensions of multimedia files. Leave the match type as wild cards.
Sample Subject Line                    This list contains key words and phrases typically found in spam email message subject lines. You can edit the rule description, add or remove key words and phrases in the Filter list, and modify the match type. The default match type is literal.

You can create new match lists and delete or edit words in a match list. After you create a match list, you can define a content filtering rule that refers to the match list.

To create or edit a match list
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Match Lists.
3 Do one of the following:
   - Create a match list: In the sidebar under Tasks, click Add match list.
   - Edit an existing match list: In the content area under Match Lists, select the list that you want to edit, and then in the sidebar under Tasks, click Edit match list.
4 In the Add new match list window, in the Title box, type a name for the match list. You can only configure the title when you are creating a new match list.
5 In the Description box, type a description for the match list.
6 In the Type box, select one of the following:
   - Literal string
   - Regular expression. See About regular expressions on page 150.
   - Wild cards. See About DOS wildcard style expressions on page 154.
7 In the Filter box, type a literal string, regular expression, or DOS wildcard-style expression. Enter one expression per line. You can link several regular expressions to form a larger one to match certain content in email.
8 Click OK.
9 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

To delete a match list
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Match Lists.
3 In the content area, under Match Lists, select the match list that you want to delete.
4 In the sidebar under Tasks, click Delete match list.
5 In the confirmation dialog box, click OK.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Working with content filtering rules


The following list describes what you can do with content filtering rules:

- Specifying inbound SMTP domains
- Enabling or disabling content filtering for auto-protect scanning
- Creating a new rule
- Editing an existing rule
- About configuring a content filtering rule
- Prioritizing content filtering rules
- Deleting a content filtering rule
- Refreshing the Active Directory groups cache

Specifying inbound SMTP domains


By default, inbound SMTP rules apply to messages that have at least one recipient who has a mailbox in the Exchange organization. Outbound SMTP rules apply to messages that have at least one recipient that does not have a mailbox in the Exchange organization.


You can modify these settings by specifying the domains that your organization considers local. By adding a domain to the domain list, email messages with recipients in that domain are considered local, even if the recipients do not have a mailbox locally.

Note: A single message can be considered both inbound and outbound. In this case, both inbound and outbound rules are applied to the message.

To specify inbound SMTP domains
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click System Settings.
3 In the content area, under System Settings, check Use list below to specify inbound SMTP domains.
4 In the List of internal domains box, type the domain or domains that define which email domains are inbound. Type only one domain per line.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Enabling or disabling content filtering for auto-protect scanning


You can enable or disable content filtering for auto-protect scanning. You enable content filtering scanning for manual and scheduled scans when you configure those scanning options. See About manual scans on page 180. See About scheduling a scan on page 183.

To enable or disable content filtering for auto-protect scanning
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the content area under Content Filtering Rules, do one of the following:
   - Check Enable content filtering to enable content filtering for auto-protect scanning.
   - Uncheck Enable content filtering to disable content filtering for auto-protect scanning.
4 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Creating a new rule


You can create as many content filtering rules as you need.

To create a new rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the sidebar under Tasks, click Add new rule.
4 Configure the rule. See About configuring a content filtering rule on page 160.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Editing an existing rule


You can modify existing rules as needed.

To edit an existing rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the content area, do one of the following:
  - Click the rule that you want to edit, and in the sidebar under Tasks, click Edit rule.
  - Double-click the rule that you want to edit.
4 Modify the rule as needed. See About configuring a content filtering rule on page 160.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


About configuring a content filtering rule


You can create and modify content filtering rules as needed. To create a content filtering rule, do the following:
  - Specify the rule name and provide a description. See Specifying a rule name and description on page 160.
  - Specify the conditions of the rule. See Configuring rule conditions on page 161.
  - Specify any exceptions to the rule. See Configuring exceptions to the rule on page 163.
  - Configure the actions that you want Symantec Mail Security to take if the rule is violated. See Configuring rule actions on page 164.
  - Specify the users and groups to whom the rule applies. See Specifying the users and groups in which the rule applies on page 166.
  - Specify who to notify if the rule is violated. See Specifying who to notify if the rule is violated on page 167.

Specifying a rule name and description


You should provide a meaningful name for your content filtering rule so that you can easily identify the rule in the Content filtering rules table and in reports. Symantec Mail Security also lets you provide a detailed description of the rule.

To specify a rule name and description
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:
  - To create a rule: In the sidebar under Tasks, click Add new rule.
  - To modify an existing rule: In the content area, double-click the rule that you want to edit.
4 In the Name box, type the name of the rule. This is a required entry.
5 In the Description box, type a brief description of the rule.


Configuring rule conditions


You must configure the conditions in which the rule applies. Rule conditions specify what content triggers the violation. Enabling the Attachment size is box makes the attachment size threshold another condition for the rule. See About content evaluation on page 147.

To configure rule conditions
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:
  - To create a rule: In the sidebar under Tasks, click Add new rule.
  - To modify an existing rule: In the content area, double-click the rule that you want to edit.
4 On the Rule tab, in the Message part to scan box, select one of the following:
  - Message Body
  - Subject
  - Sender
  - Attachment Name
  - Attachment Content
5 Under Apply rule to, check one or more of the following:
  - Inbound messages
  - Outbound messages
  - Internal messages (store)
  At least one of these boxes must be checked.
6 Under Rule Content, in the Match type box, select one of the following:
  - Literal string
  - Regular expression
  - Wild cards
7 Check one or more of the following options:
  - Whole term. This option is not available when you select the Regular expression match type.
  - Case. This option is not available when you select the Sender or Attachment Name message part options.
8 Under Content, select one of the following:
  - Equals
  - Does Not Equal
  - Contains
  - Does Not Contain
9 Select one of the following:
  - Match any term: Triggers a violation if any term in the list (including any term in selected match lists) is found.
  - Match all terms: Triggers a violation if all of the terms in the list (including all of the terms in the selected match lists) are found.
10 In the Content list, do one of the following:
  - Type words or phrases to be filtered. Type each entry on a separate line.
  - Click Add match list if you want to select a match list for the rule, and then select a match list from the menu. See Working with match lists on page 154.
11 Check Attachment size is to add the attachment size as a condition of the rule, and then configure the comparison value and attachment size.


Configuring exceptions to the rule


You can add an UNLESS condition to a rule to make exceptions to the overall requirement. You can also make file attachment size an exception to the rule. See About content evaluation on page 147.

To configure exceptions to the rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:
  - To create a rule: In the sidebar under Tasks, click Add new rule.
  - To modify an existing rule: In the content area, double-click the rule that you want to edit.
4 Configure the rule conditions. See Configuring rule conditions on page 161.
5 On the Rule tab, under Unless, select one of the following:
  - Equals
  - Does Not Equal
  - Contains. This is the default option.
  - Does Not Contain
6 In the Match any term list, do any of the following:
  - Type words or phrases that override the filtering of the entries in the Content list. Type each entry on a separate line.
  - Click Add match list if you want to select a match list for the rule, and then select a match list from the menu. See Working with match lists on page 154.
7 Check Or attachment size is to add the attachment size as a condition of the Unless conditions, and then configure the comparison value and attachment size.
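As an added illustration (not code from the product or from this guide), the following Python models how a rule built from the conditions and exceptions described above is evaluated against one message part: match type, Whole term and Case options, Match any/all terms, an Unless list, and the attachment size condition. The sample rules and messages are constructed, and the treatment of the Does Not operators and of Unless entries as literal Contains matches are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ContentRule:
    """One content filtering rule as set up on the Rule tab (a constructed model)."""
    name: str
    match_type: str = "literal"        # "literal", "regex" or "wildcard"
    operator: str = "contains"         # "equals", "does_not_equal", "contains", "does_not_contain"
    whole_term: bool = False           # the console does not offer this for regex; ignored there
    case_sensitive: bool = False
    match_all: bool = False            # False = Match any term, True = Match all terms
    content: List[str] = field(default_factory=list)   # entries of the Content list
    unless: List[str] = field(default_factory=list)    # entries of the Unless list (Contains)
    attachment_larger_than: Optional[int] = None       # "Attachment size is greater than" N bytes


def _regex_for(term: str, rule: ContentRule) -> str:
    """Turn one Content-list entry into a regular expression for the rule's match type."""
    if rule.match_type == "regex":
        return term
    pat = re.escape(term)
    if rule.match_type == "wildcard":
        # DOS-style wild cards: * is any run of characters, ? is any single character
        pat = pat.replace(r"\*", ".*").replace(r"\?", ".")
    if rule.whole_term:
        pat = r"(?<!\w)" + pat + r"(?!\w)"   # no word character directly on either side
    return pat


def _term_hit(term: str, text: str, rule: ContentRule) -> bool:
    flags = 0 if rule.case_sensitive else re.IGNORECASE
    pat = _regex_for(term, rule)
    if rule.operator in ("equals", "does_not_equal"):
        found = re.fullmatch(pat, text, flags) is not None
    else:
        found = re.search(pat, text, flags) is not None
    # Assumed semantics: the "Does Not ..." operators invert each term's own test
    return not found if rule.operator.startswith("does_not") else found


def rule_violated(rule: ContentRule, text: str, attachment_size: int = 0) -> bool:
    """True when the message part `text` triggers the rule after Unless exceptions apply."""
    if not rule.content:
        return False
    hits = [_term_hit(term, text, rule) for term in rule.content]
    triggered = all(hits) if rule.match_all else any(hits)
    if rule.attachment_larger_than is not None:
        # When checked, the attachment size box is an extra AND condition
        triggered = triggered and attachment_size > rule.attachment_larger_than
    if triggered:
        # Any Unless entry found in the text overrides the match (literal Contains assumed)
        flags = 0 if rule.case_sensitive else re.IGNORECASE
        if any(re.search(re.escape(u), text, flags) for u in rule.unless):
            return False
    return triggered


# Constructed sample rules for illustration
CONFIDENTIAL = ContentRule("Confidential marking", whole_term=True,
                           content=["confidential", "internal only"],
                           unless=["approved for release"])
SSN_LIKE = ContentRule("SSN-like number in body", match_type="regex",
                       content=[r"\b\d{3}-\d{2}-\d{4}\b"])
EXE_NAME = ContentRule("Executable attachment name", match_type="wildcard",
                       operator="equals", content=["*.exe", "*.bat"])
LARGE_INVOICE = ContentRule("Large invoice attachment", content=["invoice"],
                            attachment_larger_than=10_000_000)

if __name__ == "__main__":
    for rule, part in ((CONFIDENTIAL, "This draft is CONFIDENTIAL"),
                       (CONFIDENTIAL, "Nonconfidential notes"),
                       (CONFIDENTIAL, "Confidential, but approved for release"),
                       (EXE_NAME, "setup.exe")):
        print(f"{rule.name!r} on {part!r}: {rule_violated(rule, part)}")
```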


Configuring rule actions


Rule actions let you specify the actions that you want Symantec Mail Security to take if a violation occurs.

Configure rule actions


Symantec Mail Security provides the following options for processing messages that trigger content filtering rule violations:
  - Delete entire message
  - Delete attachment/message body and replace with text. You can customize the replacement text.
  - Quarantine attachment/message body and replace with text. You can customize the replacement text.
  - Add tag to beginning of subject line. You can customize the text that you want to prepend to the subject line. This rule action is not available if you apply the rule to the internal messages (store).
  - Save to folder. You can specify the folder in which you want to save the email message. You can also add an X-header to the message and customize the X-header name and value. This rule action is not available if you apply the rule to the internal messages (store). See Save messages to a folder for archiving on page 24.
  - Log only. Logs the event to the specified logging destinations. See About logging events on page 197.

To configure rule actions to delete the message
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:
  - To create a rule: In the sidebar under Tasks, click Add new rule.
  - To modify an existing rule: In the content area, double-click the rule that you want to edit.
4 On the Rule tab, under Rule Action, in the When a violation occurs box, select Delete entire message.

To configure rule actions to delete the attachment and message body and replace with text
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Delete attachment/message body and replace with text.
2 In the Replacement text box, type your customized text. See About alert and notification variables on page 225.

To configure rule actions to quarantine the attachment and message body and replace with text
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Quarantine attachment/message body and replace with text.
2 In the Replacement text box, type your customized text.

To configure rule actions to prepend the subject line
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Add tag to beginning of subject line. This rule action is not available if you apply the rule to the internal messages (store).
2 In the Subject line tag box, type the customized text that you want to prepend to the subject line.

To configure rule actions to save the message to a folder
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Save to folder. This rule action is not available if you apply the rule to the internal messages (store).
2 In the Folder name box, type the name of the folder or click the browse [...] command icon and select a folder name from the list.
3 To add an X-header to messages sent to a folder, do all of the following:
  - Check Add X-header.
  - In the X-header name box, type the name for the X-header.
  - In the X-header value box, type the X-header value.

To configure rule actions to only log the event
  On the Rule tab, under Rule Action, in the When a violation occurs box, select Log only.


Specifying the users and groups in which the rule applies


Symantec Mail Security lets you specify the users and groups in which the rule applies. You can also specify who is an exception to the rule. You can add users based on SMTP addresses, or you can select groups from Active Directory. If you do not specify users, the rule applies to all senders and recipients.

Note: You can select any Active Directory group except the Users group. Adding the Users group to the Active Directory Groups list results in unintended behavior.

To specify the users and groups in which the rule applies
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:
  - To create a rule: In the sidebar under Tasks, click Add new rule.
  - To modify an existing rule: In the content area, double-click the rule that you want to edit.
4 Click the Users tab.
5 Under Sender/recipient Selection, do one of the following:
  - To apply the rule based on the sender: Click Sender, and then select one of the following:
    - Apply if the sender of the message is in the list
    - Apply if the sender of the message is NOT in the list
  - To apply the rule based on the recipient: Click Recipient, and then select one of the following:
    - Apply if ANY of the recipients of the message are in the list
    - Apply if ANY of the recipients of the message are NOT in the list
    - Apply if ALL of the recipients of the message are in the list
    - Apply if ALL of the recipients of the message are NOT in the list
6 Under List of Users or Groups, in the SMTP addresses box, do one of the following:
  - Type the addresses of the users that you want to include or exclude. Type one address per line.
  - To add a pre-configured match list that contains user addresses, click Add Match List and select a match list. You can only insert one match list. You can combine a match list with typed addresses. See Working with match lists on page 154.
7 Under the Active Directory groups list, to select groups from Active Directory, click Add.
8 In the Active Directory domains and groups window, under Available groups, select the group that you want to add and click the >> command icon. The group that you select appears in the Selected groups list. To deselect a group in the Selected groups list, click the group entry, and then click the << command icon. Click OK.

Specifying who to notify if the rule is violated


Symantec Mail Security lets you specify who you want to notify when a rule is violated.

To specify who to notify if the rule is violated
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:
  - To create a rule: In the sidebar under Tasks, click Add new rule.
  - To modify an existing rule: In the content area, double-click the rule that you want to edit.
4 Click the Notifications tab.
5 Check any of the following:
  - Notify administrators
  - Notify internal sender
  - Notify external sender
6 Next to each of the items that you selected, click the down arrow and do the following:
  - In the Subject line box, type the subject line text.
  - In the Message body box, type the message body text. See About alert and notification variables on page 225.
7 Click OK.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Prioritizing content filtering rules


Symantec Mail Security evaluates all of the content filtering rules that you enable. If a message violates more than one rule, Symantec Mail Security applies the most severe disposition of all of the rules. For example, assume that you have two content filtering rules enabled: Rule A and Rule B. Rule A is the highest priority, and the rule action is Log only. Rule B is the lowest priority, and the rule action is Delete entire message. A message that violates both rules is deleted.

If the message violates more than one rule and all of the rules have the same disposition, Symantec Mail Security uses the rule prioritization to determine which rule to apply. For example, assume that you have two content filtering rules enabled: Rule C and Rule D. Rule C is the highest priority, the rule action is Add tag to the beginning of subject line, and your customized text is Spam. Rule D is the lowest priority, the rule action is Add tag to the beginning of subject line, and your customized text is Prohibited content. A message that violates both rules will have the subject line prepended with Spam.

The rule order does not change in the Content filtering rules table. You can only view and modify rule prioritization in the Rule prioritization window.

To prioritize content filtering rules
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the sidebar under Tasks, click Prioritize rules. More than one rule must be enabled to prioritize rules.
4 In the Rule prioritization window, click a rule to select it.
5 Click Move up or Move down until the rule is at the priority that you want. Rules are prioritized from top to bottom, with the top being the highest priority.
6 Click OK.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
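The two selection rules just described (most severe action wins; among equal actions the higher-priority rule wins), worked through in Python as an added example rather than the product's own logic. The guide only states that Delete entire message outranks Log only, so the full severity ranking in SEVERITY, the separator used when a tag is prepended, and the sample rules are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed severity ranking of rule actions (higher number = more severe).
# The guide fixes only that Delete entire message is more severe than Log only.
SEVERITY = {
    "Log only": 0,
    "Save to folder": 1,
    "Add tag to beginning of subject line": 2,
    "Quarantine attachment/message body and replace with text": 3,
    "Delete attachment/message body and replace with text": 4,
    "Delete entire message": 5,
}


@dataclass
class Rule:
    name: str
    action: str
    text: str = ""          # subject tag or replacement text, where the action uses one
    enabled: bool = True    # only enabled rules are evaluated


def resolve_disposition(prioritized: List[Rule], violated: Set[str]) -> Optional[Rule]:
    """Pick the rule whose action is applied to a message that violated `violated`.

    `prioritized` lists rules top to bottom as in the Rule prioritization window,
    so index 0 is the highest priority.
    """
    candidates = [(idx, rule) for idx, rule in enumerate(prioritized)
                  if rule.enabled and rule.name in violated]
    if not candidates:
        return None
    # Most severe action first; among equal severity the rule listed highest wins
    _, winner = min(candidates, key=lambda c: (-SEVERITY[c[1].action], c[0]))
    return winner


def apply_subject_tag(subject: str, rule: Optional[Rule]) -> str:
    """Prepend the winning rule's tag (a single space as separator is assumed)."""
    if rule is not None and rule.action == "Add tag to beginning of subject line":
        return rule.text + " " + subject
    return subject


# The guide's own examples, as constructed Rule objects
RULE_A = Rule("Rule A", "Log only")
RULE_B = Rule("Rule B", "Delete entire message")
RULE_C = Rule("Rule C", "Add tag to beginning of subject line", "Spam")
RULE_D = Rule("Rule D", "Add tag to beginning of subject line", "Prohibited content")

if __name__ == "__main__":
    print(resolve_disposition([RULE_A, RULE_B], {"Rule A", "Rule B"}).name)   # Rule B
    winner = resolve_disposition([RULE_C, RULE_D], {"Rule C", "Rule D"})
    print(apply_subject_tag("Quarterly report", winner))                       # Spam Quarterly report
```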

Deleting a content filtering rule


You can delete a content filtering rule when it is no longer needed.

To delete a content filtering rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the content area, in the Content filtering rules table, select the rule that you want to delete.
4 In the sidebar under Tasks, click Delete rule.
5 In the confirmation dialog box, click OK.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Refreshing the Active Directory groups cache


Symantec Mail Security refreshes the Active Directory group cache when you create or edit a content filtering rule. You should manually update the cache if you modify the users in an Active Directory group that is used in a content filtering rule. For example, you create a content filtering rule that applies to the Active Directory group Executives. After you deploy your changes, Symantec Mail Security updates the groups cache. Then you add a person to the Executives group. You must update the Active Directory groups cache so that the rule applies to the person that you just added to the group.

To update the Active Directory group cache, you must have access to Active Directory or be logged onto a client in the Active Directory domain.

To refresh the Active Directory groups cache
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 In the sidebar under Tasks, click Update Active Directory groups cache now.
4 In the Operation Status window, click Close when the operation is complete.


How to enforce email attachment policies


Symantec Mail Security contains the following default rules that let you enforce email attachment policies:
  - File Name Rule: Lets you filter attachments by file name. See Blocking attachments by file name on page 170.
  - Multimedia File Rule: Lets you block certain multimedia files, such as video and music files. See Configuring multimedia file detection on page 172.
  - Executable File Rule: Lets you block executable files. See Configuring executable file detection on page 175.

Blocking attachments by file name


You can filter files by file name to protect your network during an outbreak. For example, in the case of a new email-borne threat, if you know the file name of the infected attachment, you can use this information to block any infected email messages.

You can configure Symantec Mail Security to match words and phrases that are in a match list against the names of files. Names of both noncontainer files (individual files without embedded files) and container files (files with embedded files) are examined. If a match is found, the prohibited file is blocked. If the prohibited file is within a container file, the entire container file is blocked. For example, if an incoming .zip file named sample.zip contains three executable files (a.exe, b.doc, and c.bat), sample.zip would be blocked if any of the following occurs:
  - The match list contains one of the literal strings: sample.zip, a.exe, b.doc, or c.bat
  - The match list contains one of the DOS wildcard expressions: *.zip, *.exe, *.doc, or *.bat
  - The match list contains one of the regular expressions: sample\.\w{3}, a\.\w{3}, b\.\w{3}, or c\.\w{3}

See Working with match lists on page 154.
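The sample.zip case above, carried through in Python as an added example (not the product's code): every name in the container, including nested containers, is checked against literal, DOS wildcard and regular expression match-list entries, and a single hit blocks the whole container. The nesting and member-size limits, the case-insensitive matching and the sample archive are constructed for the example.

```python
import io
import re
import zipfile
from fnmatch import fnmatchcase
from typing import Iterator, List, Tuple

# A match-list entry is (kind, pattern) with kind "literal", "wildcard" or "regex"
MatchEntry = Tuple[str, str]
MAX_NESTING = 3                 # constructed limit: stop descending into zips within zips
MAX_MEMBER_BYTES = 50_000_000   # constructed limit: do not inflate members larger than this


def name_matches(name: str, entry: MatchEntry) -> bool:
    """Match one file name against one match-list entry (case-insensitive, assumed)."""
    kind, pattern = entry
    if kind == "literal":
        return name.lower() == pattern.lower()
    if kind == "wildcard":      # DOS-style *.ext
        return fnmatchcase(name.lower(), pattern.lower())
    return re.fullmatch(pattern, name, re.IGNORECASE) is not None


def attachment_names(filename: str, data: bytes, depth: int = 0) -> Iterator[str]:
    """Yield the attachment's own name and, for a zip container, every member name.

    Nested containers are walked up to MAX_NESTING levels deep; oversized members
    still have their names checked but are not inflated.
    """
    yield filename
    if depth >= MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename.rsplit("/", 1)[-1]    # match on the base name
            if info.file_size > MAX_MEMBER_BYTES:
                yield member
                continue
            yield from attachment_names(member, zf.read(info), depth + 1)


def is_blocked(filename: str, data: bytes, match_list: List[MatchEntry]) -> bool:
    """One hit anywhere in the container blocks the whole attachment."""
    return any(name_matches(n, e)
               for n in attachment_names(filename, data)
               for e in match_list)


def build_sample_zip() -> bytes:
    """Constructed sample.zip holding a.exe, b.doc and c.bat (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in ("a.exe", "b.doc", "c.bat"):
            zf.writestr(member, b"constructed sample content")
    return buf.getvalue()


def build_nested_zip() -> bytes:
    """Constructed outer.zip that carries sample.zip inside a folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/sample.zip", build_sample_zip())
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry in (("literal", "c.bat"), ("wildcard", "*.doc"), ("regex", r"b\.\w{3}"),
                  ("wildcard", "*.pdf")):
        print(entry, "->", is_blocked("sample.zip", sample, [entry]))
```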


To block attachments by file name, do the following:
  - Enable the File Name Rule.
  - Select the match list that contains the file name attachments that you want detected. You can create or modify match lists when you modify the File Name Rule. You can only select one match list.
  - Specify the action to take if a violation is detected, who to notify of the violation, and the notification message text.

To enable the File Name Rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the content area, in the File Filtering Rules table, on the File Name Rule row, click the field under the Enabled column, and then click Enabled. This rule is disabled by default.

To select an existing match list that does not need to be modified
1 In the File Filtering Rules preview pane, click Select.
2 In the Select a match list window, in the Name table, select the match list, and then click Select.

To create a match list or modify an existing match list
1 In the File Filtering Rules preview pane, click Select.
2 In the Select a match list window, do one of the following:
  - To modify an existing match list, select the match list, and on the toolbar, click Edit match list.
  - To create a new match list, on the toolbar, click Add match list. See Working with match lists on page 154.
3 Under Filter, type the file attachment names that you want to add to the match list.
4 Click OK.
5 In the Select a match list window, click Select to select the match list that you just created or modified.


To specify the action to take if a violation is detected
1 In the File Filtering Rules preview pane, in the Action to take list, select one of the following:
  - Delete entire message
  - Delete attachment/message body and replace with text
  - Quarantine attachment/message body and replace with text
  - Log only
2 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. See About alert and notification variables on page 225.
3 Check one or more of the following to send email notifications about the detection:
  - Notify administrators
  - Notify internal sender
  - Notify external sender
4 Next to each of the items that you selected, click the down arrow and do the following:
  - In the Subject line box, type your customized text.
  - In the Message body box, type your customized text. See About alert and notification variables on page 225.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Configuring multimedia file detection


Your organization might want to prohibit users from receiving email messages that contain multimedia file attachments, such as music and video files. When you enable the Multimedia File Rule, Symantec Mail Security detects the supported file extensions and types and takes the actions that you specify. Blocking multimedia file attachments not only helps your organization enforce content policies, it also conserves scanning and file storage resources.


Symantec Mail Security can determine if a file is a true multimedia file by analyzing the file contents, rather than just looking at the file name extension. If the file is a multimedia file, Symantec Mail Security takes the actions that you specify when you enable the Multimedia File Rule.

Note: Symantec Mail Security can determine the true file type of a well-formed binary file. The true file type of a binary file variant cannot always be accurately determined.

If you want to enhance multimedia file detection, you can create a content filtering rule that uses the Sample Multimedia File Names match list. When you enable the rule, Symantec Mail Security detects messages with the attachment extensions that are listed in the Sample Multimedia File Names match list and takes the actions that you specify. It does not perform an analysis to determine true file type. See About configuring a content filtering rule on page 160.

Table 8-6 lists the multimedia file types that Symantec Mail Security supports (this list cannot be modified).

Table 8-6 Supported multimedia file types
File type: File extension
Amiga MED/OctaMED Tracker Module Sound File: *.MED
AU Audio File: *.AU
Audacity Audio Block: *.AU
Audio Interchange File: *.AIFF, *.AIFC
Audio Video Interleave File: *.AVI
Impulse Tracker Music Module: *.IT
Microsoft Windows Media File: *.WMV
MPEG AlbumWrap Wrapped Music File Archive: *.MP3
MPEG Movie Clip: *.MPEG
MultiTracker Music Module: *.MTM
Musical Instrument Digital Interface: *.MIDI
Postscript File: *.PS
QuickTime Video Clip: *.QT, *.MOV
RealMedia File: *.RA
Scream Tracker Music Interface Kit Song/Module: *.STX
ScreamTracker v3 Sound File: *.S3M
Shorten Audio Compression File: *.SHN
Waveform Audio: *.WAV

To configure multimedia file detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the content area, in the File Filtering Rules table, click Multimedia File Rule.
4 In the content area, in the Content Filtering Rules table, on the Multimedia File Rule row, click the field under the Enabled column, and then click Enabled.
5 In the information dialog box, click OK.
6 In the preview pane, in the Action to take list, select one of the following to specify the action to take when a multimedia file is detected:
  - Delete entire message
  - Delete attachment/message body and replace with text
  - Quarantine attachment/message body and replace with text. This is the default option.
  - Log only
7 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. See About alert and notification variables on page 225.
8 Check one or more of the following to send email notifications about the detection:
  - Notify administrators
  - Notify internal sender
  - Notify external sender
9 Next to each of the items that you selected, click the down arrow and do the following:
  - In the Subject line box, type your customized text.
  - In the Message body box, type your customized text. See About alert and notification variables on page 225.
10 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Configuring executable file detection


Risks are only found in file types that contain executable code. You can enhance threat detection by identifying executable files. When you enable the Executable File Rule, Symantec Mail Security detects executable files and takes the actions that you specify.

Symantec Mail Security can determine if a file is a true executable file by analyzing the file contents, rather than just looking at the file name extension. If the file is an executable file, Symantec Mail Security takes the actions that you specify when you enable the Executable File Rule.

Note: Symantec Mail Security can determine the true file type of a well-formed binary file. The true file type of a binary file variant cannot always be accurately determined.

If you want to enhance executable file detection, you can create a content filtering rule that uses the Sample Executable File Names match list. When you enable the rule, Symantec Mail Security detects messages with the attachment extensions that are listed in the Sample Executable File Names match list and takes the actions that you specify. It does not perform an analysis to determine true file type. See About configuring a content filtering rule on page 160.

The Executable File Rule recognizes X86 32-bit Windows/DOS *.EXE executables.

To configure executable file detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the content area, in the File Filtering Rules table, on the Executable File Rule row, click the field under the Enabled column, and then click Enabled. This rule is disabled by default.
4 In the information dialog box, click OK.
5 In the preview pane, in the Action to take list, select one of the following to specify the action to take when an executable file is detected:
  - Delete entire message
  - Delete attachment/message body and replace with text
  - Quarantine attachment/message body and replace with text. This is the default option.
  - Log only
6 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. See About alert and notification variables on page 225.
7 To send email notifications about the detection, check one or more of the following:
  - Notify administrators
  - Notify internal sender
  - Notify external sender
8 Next to each of the items that you selected, click the down arrow and do the following:
  - In the Subject line box, type your customized text.
  - In the Message body box, type your customized text. See About alert and notification variables on page 225.
9 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
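The distinction the Executable File Rule section draws, true file type from content versus the extension-only check of a file-name match list, shown in Python as an added example (not the product's detection engine). It reads the MZ header and the PE signature and COFF Machine field of a Windows/DOS executable, reports a 32-bit x86 PE, a plain DOS MZ file, or a truncated header whose true type cannot be determined, and compares that with an extension check. The header bytes and the extension list are constructed for the example.

```python
import struct
from typing import Optional

IMAGE_FILE_MACHINE_I386 = 0x014C    # COFF Machine value for 32-bit x86 (PE format)


def classify_executable(data: bytes) -> Optional[str]:
    """Classify by content: None (not an MZ executable), "dos", "pe32_x86",
    "pe_other" or "truncated" (header points past the bytes we have)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]    # offset of the PE signature
    if e_lfanew < 0x40:
        return "dos"                  # no room for a PE header after the DOS header
    if e_lfanew + 6 > len(data):
        return "truncated"            # variant or cut-off file: true type undetermined
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "dos"                  # MZ header only: plain DOS executable
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]   # first COFF field
    return "pe32_x86" if machine == IMAGE_FILE_MACHINE_I386 else "pe_other"


def blocked_by_content(data: bytes) -> bool:
    """What a true-file-type rule sees: Windows/DOS executables regardless of name."""
    return classify_executable(data) in ("dos", "pe32_x86")


def blocked_by_extension(filename: str, extensions=(".exe", ".com")) -> bool:
    """What an extension-based match list sees (constructed list, not the
    product's Sample Executable File Names match list)."""
    return filename.lower().endswith(extensions)


def build_minimal_pe32(machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed header-only bytes for testing; not a runnable program."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)         # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)      # COFF Machine
    return bytes(buf)


if __name__ == "__main__":
    pe = build_minimal_pe32()
    # A renamed executable is caught by content but missed by the extension list
    print("invoice.txt:", blocked_by_content(pe), blocked_by_extension("invoice.txt"))
    # Plain text named .exe is flagged by the extension list only
    print("readme.exe:", blocked_by_content(b"hello"), blocked_by_extension("readme.exe"))
```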

Chapter

Scanning your Exchange servers for threats and violations


This chapter includes the following topics:

  - About the scanning process
  - Configuring auto-protect scanning
  - About manual scans
  - About scheduling a scan
  - Configuring notification settings for scan violations


About the scanning process


To detect risks, spam, and content filtering rule violations, you can perform the following types of scans:
  - Auto-protect scans: When enabled, auto-protect scanning runs constantly. In this mode, Symantec Mail Security scans and detects threats and violations in real time. Auto-protect scans apply to everything on the Exchange server (that is, items in all public folders and mailboxes and messages that are processed by the Microsoft Exchange SMTP service). Auto-protect scanning applies to all policies. See Configuring auto-protect scanning on page 179.
  - Manual scans: A manual scan is an on-demand scan of public folders and mailboxes. Manual scanning applies to all policies, except antispam. You can specify which file folders and mailboxes to scan during a manual scan. You can also specify the content filtering rules that you want enabled for the manual scan. See About manual scans on page 180.
  - Scheduled scans: Scheduled scans run unattended, usually at off-peak periods. Scheduled scanning applies to all policies, except antispam. You can specify which file folders and mailboxes to scan during a scheduled scan. You can also specify the content filtering rules that you want enabled for the scheduled scan. See About scheduling a scan on page 183.

When Symantec Mail Security detects a security risk or a violation during a scan, it takes the action that you specify for that policy. For example, when a threat is detected, Symantec Mail Security takes the action that you specify in the Antivirus Settings policy.


Configuring auto-protect scanning


Auto-protect scanning provides continuous risk, spam, and content filtering rule violation detection. When you enable auto-protect scanning, Symantec Mail Security scans email messages as they pass through the Exchange server. Infected message bodies and attachments, spam messages, and content filtering rule violations are detected in real time, based on the settings that you enable and configure.

When background scanning is enabled, Microsoft Exchange creates a background thread for each message database in the Exchange store. These threads run at a lower priority to minimize the impact on other Exchange server actions. As each thread reads through the messages in the database, it detects the messages that have not been scanned by the latest definitions and scans them with Symantec Mail Security. This is useful if you have updated your definitions and need to re-scan the entire store with these new definitions.

When you select the On virus definition update, force rescan before allowing access to information store setting for auto-protect scanning, Microsoft Exchange does not allow access to any messages in the store until Symantec Mail Security re-scans them.

Warning: The Scan message bodies option is enabled by default to provide the greatest level of protection. If you disable this option, Symantec Mail Security cannot detect risks in inbound message bodies or scan message bodies for content filtering rules as they pass through the Exchange server.

To configure auto-protect scanning
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Auto-Protect.
3 In the content area, check any of the following auto-protect options that you want to enable:
  - Enable Auto-protect
  - Enable background scanning
  - On virus definition update, force rescan before allowing access to information store
  - Scan message bodies
  - Virus scan messages during SMTP transport
4 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


About manual scans


You can perform manual scans when you want to scan messages for specific purposes. For example, you can create a content filtering rule to detect a particular category of subject-line violations that are associated with a new threat, and then run the scan immediately. To perform a manual scan, do the following:

Configure the manual scan parameters. You can configure basic scanning options and specify the mailboxes and public folders that you want to scan. You can also enable content filtering scanning and enable the content filtering rules that you want to apply to the scan. See Configuring the manual scan parameters on page 180.
Run the manual scan. See Running a manual scan on page 182.
View the manual scan results. See Viewing manual scan results on page 183.

Configuring the manual scan parameters


Before you run a manual scan, you must configure the parameters for the scan. When you deploy your changes, the parameters remain the same until you change them.

Configure the manual scan parameters


Symantec Mail Security lets you specify the following parameters for a manual scan:

Basic scanning options
Basic scanning options include the following:
  The number of minutes that the scan should run. When the next scan is performed, it starts where the prior scan left off.
  Whether to scan only items that have been modified since the last scan. Scanning only items that have been modified decreases overall scanning time.
  Whether to scan message bodies. Scanning message bodies increases the overall scanning time.

Scan location

You can specify the mailboxes and public folders that you want included or excluded from the scan. This option is not available if you are in a group view.


Content filtering

Content filtering scanning is enabled by default, but you can disable the feature. If content filtering is enabled, you must also enable the rules that you want to apply to the scan.

To configure basic scanning options
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Manual Scan.
3 Under Tasks, click Edit manual scan.
4 In the Manual scan wizard, under Scan Options, check one or more of the following:
  Stop scanning after __ minutes. If you select this option, type the number of minutes you want the scan to run. The default value is 120.
  Only scan items modified since last scan.
  Scan message bodies.
5 Click Next.

To configure the scan location
1 Under Scan Location, to specify mailboxes to scan, select one of the following:
  All mailboxes: Scans all mailboxes. This option is enabled by default.
  Exclude mailboxes: No mailboxes are scanned.
  Specific mailboxes: Only the mailboxes that you select in the Mailboxes list are scanned.
2 To specify public folders to scan, select one of the following:
  All public folders: Scans all public folders. This option is enabled by default.
  Exclude public folders: No public folders are scanned.
  Specific public folders: Only the public folders that you select in the Public Folders list are scanned.
3 Click Next.

To disable content filtering scanning
1 Uncheck Enable content filtering. This option is enabled by default.
2 Click Finish.
3 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

To enable content filtering scanning
1 Check Enable content filtering. This option is enabled by default.
2 Do any of the following:
  To add a new content filtering rule, on the toolbar, click Add new rule.
  To modify an existing content filtering rule, on the toolbar, click Edit rule.
  To delete an existing content filtering rule, click Delete rule.
  See About configuring a content filtering rule on page 160.
3 Click the field under the Enable column and select Enable to enable the rules that you want to apply to the scan.
4 Click Finish.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Running a manual scan


After you configure the manual scan parameters, you can perform the manual scan. See Viewing manual scan results on page 183.

To run a manual scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Manual Scan.
3 Under Tasks, click Run now. To stop the scan before it finishes, in the sidebar under Tasks, click Stop.
4 In the Operation Status window, click Close when the operation is complete.


Viewing manual scan results


The Manual Scan page shows the results of the most recent manual scan.

To view scan results
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Manual Scan.
3 Press F5 to refresh the page. This process might take several minutes for large server groups.

About scheduling a scan


In addition to auto-protect scanning and manual scanning, you can schedule scans to look for different types of policy violations.
See Creating a scheduled scan on page 183.
See Editing a scheduled scan on page 184.
See Configuring scheduled scan options on page 184.
See Enabling a scheduled scan on page 187.
See Deleting a scheduled scan on page 187.

Creating a scheduled scan


You can create as many scheduled scans as you need. When you create a scheduled scan, it is disabled by default. You must enable the scan so that it runs according to the schedule that you specify. See Enabling a scheduled scan on page 187.

To create a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
3 Under Tasks, click Add new scan.
4 Configure the scheduled scan options. See Configuring scheduled scan options on page 184.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Editing a scheduled scan


You can modify an existing scheduled scan as needed. You must enable the scan so that it runs according to the schedule that you specify. See Enabling a scheduled scan on page 187.

To edit a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
3 In the content pane, do one of the following:
  Select the scheduled scan that you want to modify, and in the sidebar under Tasks, click Edit scan.
  Under the Name column, double-click the scheduled scan that you want to modify.
4 Modify the scheduled scan options as needed. See Configuring scheduled scan options on page 184.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Configuring scheduled scan options


Symantec Mail Security provides a wizard that guides you through the process of configuring a scheduled scan. After you configure the scheduled scan options, you must enable the scan so that it runs according to the schedule that you specify. See Enabling a scheduled scan on page 187.

You can configure the following scheduled scan options:
  Name of the scan and the basic scan options
  Mailboxes and public folders that you want to scan
  Content filtering rules that you want to apply to the scan
  Scan schedule

To configure basic scanning options
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
3 Do one of the following:
  To create a new scan, in the sidebar under Tasks, click Add new scan.
  To modify an existing scan, in the content area, under the Name column, double-click the scan that you want to modify.
4 In the Scan name box, type the name for the scan. This option is only available if you are creating a new scheduled scan.
5 Under Scan Options, check Stop after scanning ___ minutes to limit the amount of time for the scan, and then type the maximum scanning time in minutes. If Symantec Mail Security reaches this limit, it stops scanning. The next scheduled scan starts where the previous scan stopped.
6 Check Only scan items modified since last scan to exclude items that have not changed since the last scan.
7 Check Scan message bodies to scan message bodies.
8 Click Next.

To select what to scan
1 Under Scan Location, to specify mailboxes to scan, select one of the following:
  All mailboxes: Scans all mailboxes. This option is enabled by default.
  Exclude mailboxes: No mailboxes are scanned.
  Specific mailboxes: Only the mailboxes that you select in the Mailboxes list are scanned.
2 To specify public folders to scan, select one of the following:
  All public folders: Scans all public folders. This option is enabled by default.
  Exclude public folders: No public folders are scanned.
  Specific public folders: Only the public folders that you select in the Public Folders list are scanned.
3 Click Next.

To scan for content filtering rules
1 Click Enable content filtering to enable content filtering rule scanning for the scheduled scan.
2 Do any of the following:
  To add a new content filtering rule, on the toolbar, click Add new rule.
  To modify an existing content filtering rule, on the toolbar, click Edit rule.
  To delete an existing content filtering rule, click Delete rule.
  See About configuring a content filtering rule on page 160.
3 Click the field under the Enable column and select Enable to enable the rules that you want to apply to the scan.
4 Click Next.

To specify the scanning schedule
1 In the Time of day to run box, select the time of day that you want Symantec Mail Security to perform the scan (in 24-hour format).
2 Under Days to run on, check the days of the week that you want the scan to run.
3 Under Dates of the month to run on, select any of the following:
  1st: The scan runs on the first day of each month.
  15th: The scan runs on the 15th day of each month.
  End of the month: The scan runs on the last day of each month.
4 Check Run scan at service start to perform a scan when the service starts. Do not enable the Run scan at service start option in a cluster environment.
5 Check Run scan when virus definitions change to perform a scan when new definitions are received. Leave this feature disabled if you update definitions at hourly intervals. If this option is enabled, the scheduled scan runs each time definitions are updated. Because definitions are delivered hourly, the scan might not complete before new definitions are available. This can impact overall mail throughput. See Scheduling definition updates on page 221.
6 Click Finish.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
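The schedule options above (a time of day, days of the week, the 1st, the 15th and the end of the month, and the fact that a new scan stays disabled until you enable it) are easy to get wrong at month boundaries. The following Python model is an added example written for this edit; it is not part of the guide or of the product. The ScheduledScan class, its field names and the sample schedules are constructed, and it treats the day-of-week and date-of-month selections as OR-ed together (any matching day runs the scan), which is an assumption about how the wizard combines them. Run scan at service start and Run scan when virus definitions change are event-driven and are not modelled.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, FrozenSet, Optional

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class ScheduledScan:
    """Constructed model of the wizard's schedule page (not the product's own type)."""
    name: str
    time_of_day: time                           # Time of day to run, 24-hour format
    days_of_week: FrozenSet[int] = frozenset()  # Days to run on
    first: bool = False                         # 1st
    fifteenth: bool = False                     # 15th
    end_of_month: bool = False                  # End of the month
    enabled: bool = False                       # disabled by default, as in the guide

    def runs_on(self, day: date) -> bool:
        """True if any of the day-of-week or date-of-month selections match (assumption: OR)."""
        last_day = calendar.monthrange(day.year, day.month)[1]   # 28, 29, 30 or 31
        return (day.weekday() in self.days_of_week
                or (self.first and day.day == 1)
                or (self.fifteenth and day.day == 15)
                or (self.end_of_month and day.day == last_day))

    def next_run(self, after: datetime, horizon_days: int = 366) -> Optional[datetime]:
        """First scheduled start strictly after `after`; None if the scan is
        disabled or no selected day falls within the horizon."""
        if not self.enabled:
            return None
        day = after.date()
        for _ in range(horizon_days):
            candidate = datetime.combine(day, self.time_of_day)
            if candidate > after and self.runs_on(day):
                return candidate
            day += timedelta(days=1)
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed schedules and reference times; returns ISO timestamps."""
    weekend_and_month = ScheduledScan(
        "Weekend full scan", time(2, 0),
        days_of_week=frozenset({SAT, SUN}), fifteenth=True, end_of_month=True,
        enabled=True)
    month_end_only = ScheduledScan("Month-end scan", time(2, 0),
                                   end_of_month=True, enabled=True)
    not_yet_enabled = ScheduledScan("Draft scan", time(2, 0),
                                    days_of_week=frozenset({MON}))

    def iso(d: Optional[datetime]) -> Optional[str]:
        return None if d is None else d.isoformat()

    return {
        # Mon 27 Feb 2006 03:00 -> Tue 28 Feb 02:00 (last day of a non-leap February)
        "feb_end": iso(weekend_and_month.next_run(datetime(2006, 2, 27, 3, 0))),
        # from that run -> Sat 4 Mar 2006 (1st is not selected, 15th is later)
        "after_feb_end": iso(weekend_and_month.next_run(datetime(2006, 2, 28, 2, 0))),
        # leap year: 29 Feb 2008 is the last day of the month
        "leap": iso(month_end_only.next_run(datetime(2008, 2, 28, 12, 0))),
        # a start at exactly 02:00 on the 15th is not "after" 02:00 on the 15th
        "same_minute": iso(weekend_and_month.next_run(datetime(2006, 3, 15, 2, 0))),
        # scheduled scans are disabled until you enable them
        "disabled": iso(not_yet_enabled.next_run(datetime(2006, 3, 1, 0, 0))),
    }
```

The end-of-month case is the one to check in any scheduler that mirrors this page: a scan configured for the last day must land on the 28th, 29th, 30th or 31st depending on the month, and a scan left at its default state never runs at all.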

Enabling a scheduled scan


After you create or modify a scheduled scan, you must enable the scan so that it runs according to the schedule that you specify. Scheduled scans are disabled by default.

To enable a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
3 In the content pane, select the scheduled scan that you want to enable.
4 Click the field under the Enabled column, and then click Enabled.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Deleting a scheduled scan


You can delete a scheduled scan when it is no longer needed.

To delete a scheduled scan
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Scheduled Scans.
3 Select the scan that you want to delete.
4 In the sidebar under Tasks, click Delete scan.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Configuring notification settings for scan violations


When you configure notification and alert settings, you specify the administrators, users, or computers that should receive email notifications. Restrict the issuing of alerts to a small list of interested administrators to avoid unnecessary interruptions. Email notifications can be issued when a Symantec Mail Security scan detects a policy violation or an outbreak. An alert can also be sent to notify an administrator when a server experiences a critical service failure.

Note: Email notifications are sent only to names and addresses that can be resolved against Active Directory objects.

You specify the subject line and message text for each type of notification message when you configure policies and rules.

To configure notification settings for scan violations
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Notification/Alerts Settings.
3 In the content area, under Email notifications, in the Address of sender to use in email notification box, type the email address of the sender that you want to use for email notifications.
4 In the Administrators or others to notify box, type the email addresses of administrators and users to notify. Separate each entry by commas. If you are including an email address that is not within your domain, type the fully qualified email address (for example, user@mycompany.com).
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Chapter 10

Managing outbreaks
This chapter includes the following topics:

About outbreak management
Enabling outbreak management
Configuring outbreak triggers
Configuring outbreak notifications
Clearing outbreak notifications

About outbreak management


An outbreak situation occurs when an excessive number of threats or events that exhibit virus-like behavior occur on a network. When an outbreak occurs, prompt identification of the situation and notification of administrative staff is critical. Symantec Mail Security lets you manage outbreaks by doing the following:

Enable Outbreak Management. See Enabling outbreak management on page 192.
Specify the criteria for an outbreak. The criteria consist of the number of times that an event must occur during a specified time interval. See What defines an outbreak on page 190. See About outbreak triggers on page 191. See Configuring outbreak triggers on page 193.
Define the email notifications to send to the administrator when an outbreak is detected. See Configuring outbreak notifications on page 194.
End the outbreak event after the situation is managed. See Clearing outbreak notifications on page 195.

What defines an outbreak


When defining an outbreak, you must specify the number of occurrences of an event that must occur within a specified time frame. Although there are no standard numbers to use when specifying frequencies, take into consideration the following:

Threat potential of the event category that is being monitored
Size of your mail system
Amount of mail that is typically processed
Stringency with which you want to define an outbreak

Symantec Mail Security monitors your server at regular intervals to detect outbreaks (the default setting is every 2 minutes). When Symantec Mail Security checks your server for outbreaks, it checks the events that occurred within the specified period of time (the default setting is 20 minutes). If Symantec Mail Security detects an outbreak, it issues an outbreak notification. For example, assume that you enable outbreak management, configure Symantec Mail Security to monitor for outbreaks every 2 minutes, and enable the Same virus outbreak trigger using the default configuration. Figure 10-1 provides an explanation of the events that would occur if Symantec Mail Security detects 50 messages that contain the Eicar virus at 1:05 P.M. and 50 messages that contain the Eicar virus at 1:19 P.M.

Figure 10-1 Example of an outbreak event

About outbreak triggers


The set of defining criteria for an outbreak is called an outbreak trigger. Each outbreak trigger only monitors one type of event and defines an outbreak as the frequency of the specified event within a given time period. For example, one outbreak trigger could be defined as the occurrence of 50 or more unscannable files within one hour. Another outbreak trigger could be defined as 30 or more filtering rule violations within 15 minutes.


If you enable multiple outbreak triggers and a message is received that violates more than one, Symantec Mail Security goes into outbreak mode and stops looking for additional outbreaks. Only one outbreak rule is triggered. Outbreak triggers apply to auto-protect scans only. See Configuring outbreak triggers on page 193.
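The two passages above, What defines an outbreak and About outbreak triggers, describe a polling, sliding-window count: every few minutes the server counts the events of one kind that fell inside the trigger's window, and the first trigger to reach its threshold puts the product into outbreak mode until the administrator clears it. The following Python model is an added example written for this edit; it is not Symantec code and does not reproduce the product's internal logic. It assumes the window is half-open at its start and inclusive of the check time, that "Same ..." triggers count per distinct value (virus name, attachment name or subject), and that triggers are evaluated in table order. The Eicar timings are the guide's; the second trigger (Total viruses, 60 in one hour) is a constructed setting chosen to show what clearing an outbreak does.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumption: the Units column maps to these durations.
UNIT = {"Minutes": timedelta(minutes=1),
        "Hours": timedelta(hours=1),
        "Days": timedelta(days=1)}

Outbreak = Tuple[str, str, datetime]   # (trigger name, key, detected at)


@dataclass(frozen=True)
class Trigger:
    """One outbreak trigger: N occurrences of one event kind within a window."""
    name: str                 # e.g. "Same virus", "Unscannable files"
    kind: str                 # event kind this trigger counts
    occurrences: int = 100    # guide default
    time: int = 20            # guide default
    units: str = "Minutes"    # guide default
    enabled: bool = True
    per_key: bool = False     # "Same ..." triggers count per distinct value

    @property
    def window(self) -> timedelta:
        return self.time * UNIT[self.units]


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str
    key: str = ""             # virus name, attachment name or subject


@dataclass
class OutbreakMonitor:
    triggers: List[Trigger]
    check_every: timedelta = timedelta(minutes=2)     # guide default
    events: List[Event] = field(default_factory=list)
    current: Optional[Outbreak] = None                # set while in outbreak mode

    def record(self, ev: Event) -> None:
        self.events.append(ev)

    def check(self, now: datetime) -> Optional[Outbreak]:
        """One monitoring pass at `now`: count each enabled trigger's events in
        (now - window, now] (half-open start is an assumption). The first trigger
        to reach its threshold enters outbreak mode; nothing else is evaluated
        until clear() is called, as the guide describes."""
        if self.current is not None:
            return None
        for trig in self.triggers:
            if not trig.enabled:
                continue
            start = now - trig.window
            counts = Counter(ev.key if trig.per_key else ""
                             for ev in self.events
                             if ev.kind == trig.kind and start < ev.when <= now)
            for key, n in counts.items():
                if n >= trig.occurrences:
                    self.current = (trig.name, key, now)
                    return self.current
        return None

    def clear(self) -> None:
        """Equivalent of Clear current outbreak: checks resume afterwards."""
        self.current = None

    def run(self, start: datetime, end: datetime) -> List[Outbreak]:
        """Poll every check_every from start to end; return outbreaks raised."""
        raised, t = [], start
        while t <= end:
            hit = self.check(t)
            if hit is not None:
                raised.append(hit)
            t += self.check_every
        return raised


def eicar_example() -> Tuple[List[Outbreak], Optional[Outbreak]]:
    """The guide's scenario: 50 Eicar detections at 1:05 P.M. and 50 more at
    1:19 P.M., Same virus at its defaults, checks every 2 minutes from 1 P.M."""
    day = datetime(2006, 1, 1)
    monitor = OutbreakMonitor([
        Trigger("Same virus", "virus", per_key=True),
        Trigger("Total viruses", "virus", occurrences=60, time=1, units="Hours"),
    ])
    for hh, mm in ((13, 5), (13, 19)):            # constructed detections
        for _ in range(50):
            monitor.record(Event(day.replace(hour=hh, minute=mm), "virus", "EICAR"))
    # The 1:18 P.M. check sees 50 Eicar events; 1:20 P.M. sees 100 -> Same virus fires.
    raised = monitor.run(day.replace(hour=13), day.replace(hour=14))
    # Cleared at 1:30 P.M.: Same virus now sees only 50 (1:05 P.M. has left its
    # 20-minute window), but Total viruses still sees 100 in its 1-hour window.
    monitor.clear()
    after_clear = monitor.check(day.replace(hour=13, minute=30))
    return raised, after_clear
```

Two practical points fall out of running it: the detection time is the check tick after the threshold is crossed, not the time of the hundredth message, so a 2-minute interval bounds the notification delay; and a second trigger with a longer window can re-enter outbreak mode immediately after you clear the first, which is worth expecting before you click Clear current outbreak.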

Enabling outbreak management


Outbreak management is enabled by default. You can specify the interval during which you want Symantec Mail Security to check for outbreaks. By default, the interval is set to every two minutes.

Note: At least one outbreak trigger must be enabled for outbreak management to work. See Configuring outbreak triggers on page 193.

To enable outbreak management
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 In the content area under Outbreak, check Enable Outbreak Management. This option is enabled by default.
4 In the Check for Outbreaks every ___ minutes box, type the interval in minutes that you want Symantec Mail Security to monitor your server for outbreaks.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Configuring outbreak triggers


Symantec Mail Security provides the following outbreak triggers:
  Same attachment name
  Same subject
  Same virus
  Unrepairable viruses
  Unscannable files
  Filtering violations
  Total viruses

You can enable or disable the triggers. You can also modify the number of occurrences for a violation and the span of time in which the events must occur to constitute an outbreak. You can specify whether to notify an administrator when an outbreak occurs. See Configuring outbreak notifications on page 194.

When you enable outbreak management, you can also configure Symantec Mail Security to automatically add the names of outbreak triggered attachments to the Outbreak Triggered Attachment Names match list and outbreak triggered subject text to the Outbreak Triggered Subject Lines match list. Symantec Mail Security uses these match lists for pre-configured content filtering rules that automatically block suspicious file attachments or subjects. You can also use these match lists to create your own content filtering rules. See Working with content filtering rules on page 157.

To configure outbreak triggers
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 In the content area, in the table, select the trigger that you want to modify. The trigger that you select is highlighted in blue.
4 In the Enable column, click the drop-down menu, and select Enabled or Disabled.
5 In the Occurrences column, type the number of instances that must occur to constitute an outbreak. The default value is 100.
6 In the Time column, type the span of time in which the instances must occur to constitute an outbreak. The default value is 20.
7 In the Units column, click the drop-down menu, and select one of the following:
  Minutes (the default setting)
  Hours
  Days
8 In the Notify Administrator column, check the box if you want to notify an administrator of the outbreak. See Configuring outbreak notifications on page 194.
9 In the Update Match List column, check the box if you want to automatically add the attachment name or subject to the Outbreak Triggered Names match list or Outbreak Triggered Subjects match list. The trigger must be activated. This option is only available for the Same attachment name and Same subject triggers. See Working with match lists on page 154.
10 In the Rule column, click View Rule to view or modify the associated content filtering rule. This option is only available for the Same attachment name and Same subject triggers. See Working with content filtering rules on page 157.
11 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Configuring outbreak notifications


When you configure outbreak management settings, you can customize the notification subject line and message text that is sent to the administrator. You can use variables to customize your text. See What defines an outbreak on page 190. See About alert and notification variables on page 225.

To configure outbreak notifications
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 In the content area, in the preview pane, under Initial Notification, in the Subject Line box, type your customized subject line text.
4 In the Message Body box, type your customized message body text.
5 Under Subsequent Notifications, in the Subject Line box, type your customized subject line text.
6 In the Message Body box, type your customized message body text.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Clearing outbreak notifications


During an outbreak, subsequent notifications are sent based on the Time and Units interval that you specify until the outbreak is no longer in effect. You can end subsequent outbreak notifications by clearing the current outbreak. See Configuring outbreak triggers on page 193. See Configuring outbreak notifications on page 194.

To clear outbreak notifications
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 Under Tasks, click Clear current outbreak.

Chapter 11

Logging events and generating reports


This chapter includes the following topics:

About logging events
About report templates
What you can do with reports

About logging events


Symantec Mail Security logs events to the following locations:

Windows Application Event Log
Server events and policy violations are reported in the Windows Application Event Log. Symantec Mail Security provides an Event Log that lets you view Windows Application Event Log entries in chronological order with the most current event at the top. The event log displays information, warning, and error events. See Viewing the Symantec Mail Security Event log on page 198.

Symantec Mail Security Reports database
Symantec Mail Security logs extensive report data on threats, security risks, content violations, spam, and server information to a reports database. You can use this data to generate summary or detailed reports based on different subsets of the data. When you define a report, you specify criteria such as the time span of the collected data, whether to show specific violations or all violations, and the output format of the report. See About report templates on page 201. You can specify how long Symantec Mail Security maintains data in the Reports database. You can also purge the database at any time. See Specifying the duration for storing data in the Reports database on page 200. See Purging the Reports database on page 201.

Symantec Enterprise Security Architecture (SESA)
If you have installed SESA, you can enable SESA alerts. Although SESA is not part of Symantec Mail Security, it logs information, such as threat detection and content enforcement violations, across an entire organization. Selecting Enable SESA Logging enables the reporting of security events to the SESA Manager, where the events are sent to the SESA DataStore. When Enable SESA Logging is selected, you specify the IP address of the SESA server, which sends events to a designated SESA Manager computer. See About SESA on page 227.

Viewing the Symantec Mail Security Event log


Symantec Mail Security reports server events and policy violations (such as threat detections and content filtering rule policy violations) to the Windows Application Event Log. You can access the Windows Application Event Log on the computer on which Symantec Mail Security is installed. For more information about how to access and use the Windows Application Event Log, see the documentation for your Exchange server. The Symantec Mail Security Event Log lets you view and sort event data that is generated by Symantec Mail Security and written to the Windows Application Event Log. You can filter event data by categories. You can also select a start date from which to begin displaying event data. When you select an event in the Event Log table, details about the event appear in the preview pane. The Symantec Mail Security Event Log displays the 5000 most recent Symantec Mail Security events from the Windows Application Event Log, per server. For example, if your group contains five servers, the event log can display up to 25,000 events.


The Event Log displays the following information:

Server: Name of the server on which the event occurred
Timestamp: Date and time the event occurred
Severity: Warning, Information, or Error
Category: One of the following:
  Auto-Protect
  Content Filtering Engine
  Content Filtering Rules
  Encrypted
  Error
  Licensing
  LiveUpdate/Rapid Release
  Manual and Scheduled Scanning
  Outbreak Management
  Quarantine
  Scanning Service
  Spam Filter Engine
  Symantec Premium AntiSpam
  Threat/Security Risk
  Unscannable
  VSAPI
Message: Description of the event

The Event Log does not refresh automatically. You must press F5 to refresh the display with the most recent list of events. You can view the Symantec Mail Security Event Log from the console. You can sort and filter events by different criteria. In group view, if the Event Log is blank, you can manually refresh the page. You can also refresh the page in a group or server view to view the most recent events. In a large group, refreshing the page might take several minutes.

To view the Symantec Mail Security Event Log
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Event Log.
3 Click the column headers to sort the list data by different criteria.

To populate and refresh the Symantec Mail Security Event Log
Press F5.

To filter the Symantec Mail Security Event Log
1 Under the Event Log table, in the Number of items per page list, select the number of items that you want to view per page. The default value is 10.
2 In the List field, select a category on which to filter the event data.
3 In the entries since list, select a start date from which to begin displaying event data.
4 Click Display to show the filtered data.

Specifying the duration for storing data in the Reports database


Symantec Mail Security stores data on threat detection, definitions, spam, policy violations, scanning, and server events in a Reports database. You can use this data to generate reports that include subsets of this data. You can configure Symantec Mail Security to retain this data for the period of time that you specify. Once the data is removed, it cannot be used in reports. For example, assume that you configure Symantec Mail Security to retain data for six months. If you generate a report for the past year, only the data for the most recent six months appears in the report.

Symantec Mail Security provides a separate option to include spam data. Selecting this option increases the time that is required to generate reports, which could affect system performance. Consider using this option short-term (for example, a few weeks) to evaluate spam-related issues. See Resetting statistics on page 216.


To specify the duration for storing data in the Reports database
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.
3 In the content area, select one of the following:
  Store all data: Keeps all data indefinitely.
  Store no data: No data is retained. Selecting this option means there is no data from which to generate reports.
  Store data for __ months: The data is cleared after the specified time period. If you select this option, type the number of months of data to store. The default value is 12. Only summary spam data is stored unless you check the Include Spam Data option.
4 Check Include Spam Data to include all spam-related events.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Purging the Reports database


In addition to configuring the period of time that you want Symantec Mail Security to store data in the Reports database, you can purge the Reports database at any time. When you purge the Reports database, all data is removed. There is no data from which to generate a report up to the time it is purged.

To purge the Reports database
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.
3 Under Tasks, click Reset database statistics.

About report templates


Report templates let you define a subset of the raw report data that is collected by Symantec Mail Security for a single server. The goal of creating a template is to describe a set of data that summarizes threats, security risks, content violations, spam, and server information, which can be saved and used to generate on-demand or scheduled reports. Report templates can include different categories or combinations of security-related statistics.

You can create different report templates to describe different subsets of the raw report data. After you create a report template, you can use it to generate reports.

Note: Reports cannot be generated with a new or updated report template until you deploy your changes.

Symantec Mail Security provides two pre-configured reports that you can modify. You can also create your own report templates. When you create or modify a report template, Symantec Mail Security provides a wizard to guide you through the configuration process. The types of report templates that you can create are as follows:
  Summary. See Creating or modifying a Summary report template on page 203.
  Detailed. See Creating or modifying a Detailed report template on page 208.

About report output formats


When you generate a Summary report, the only report format option that is available is HTML. You can configure Symantec Mail Security to send copies of the report to the people that you specify. The recipient's email client must support and permit HTML-based attachments. If you use Outlook Express, you need to modify the following settings:
  On the Security tab, deselect the option Do not allow attachments to be saved or opened that could potentially be a virus.
  On the Read tab, deselect the option Read all messages in plain text.
Both changes lower the protection that Outlook Express applies to incoming attachments and HTML mail, so make them only on the administrator accounts that receive the reports.

When you generate a Detailed report, Symantec Mail Security can save the report in HTML format or comma-separated value (.csv) format. The benefits of generating reports in .csv format are as follows:
  You can view or print the complete report data in an application, such as Microsoft Excel. If you have Microsoft Excel on your computer, a .csv file opens automatically as an Excel spreadsheet.
  You can import the data into a third-party reporting application to generate custom charts and reports.

See Accessing a report on page 212.


Creating or modifying a Summary report template


You can customize the Summary report template to contain the information that you want to include in a report. After you create the Summary template, it appears in the Report Templates table. You can modify the template at any time. If you configure the template to create reports on demand, you can generate the report from the Reports > Report Templates page. If you configure the template to generate a scheduled report, Symantec Mail Security automatically generates the report based on the schedule that you specify. See Generating a report on demand on page 211.

Note: Symantec Mail Security does not support emailing reports that are larger than 5 MB. When Symantec Mail Security generates a report that is larger than 5 MB, it logs the event to the Windows Application Event Log. You can view the report on the Reports page.

Symantec Mail Security provides a wizard that helps you configure your report template.

To identify the report to be created or modified
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 Do one of the following:
  Create a new Executive Summary report template: In the sidebar under Tasks, click Add new template.
  Modify an existing report template: In the content pane, in the Report Templates table, double-click the template that you want to modify.

To configure the report template options
1 Under Report Template Options, in the Template name box, type a name for the report template. This option is only available if you are creating a new report template.
2 In the Description box, type a description for the template.
3 Under Report type, click Executive summary. When you select Executive summary, the Report format is automatically configured for HTML.
4 Check Email report to the following recipients and type one or more addresses to which the report should be delivered. Separate entries with semicolons.
5 Click Next.

To configure the report time range
1 Under Report Time Range, in the Time range list, select the time range for the report. The default setting is Past Day.
2 In the Start time and End time boxes, select the dates and times for the start and end of the report time range. This option is only available if you selected the Customized time range.

To configure on demand report generation
1 Under Report Generation Option, click On demand.
2 Click Next.

To configure scheduled report generation
1 Under Report Generation Option, click Scheduled.
2 In the Generate report at list, select the time of day to generate the report.
3 Click Daily, Weekly, or Monthly. If you select Weekly or Monthly, select the day of the week or month to generate the report.
4 Click Next.

To configure the report chart options
1 Under Report Chart Options, select any of the following:
  Total violations chart
  Threats and security risks chart, and then select the chart granularity. The default setting is Week.
  Content violation chart, and then select the chart granularity. The default setting is Week.
  Spam pie chart
2 Click Next.


To configure report content
1 Under Executive Summary Template Options, select the options that you want to appear in the Summary report. Data selections are as follows:

  Show scan summary
    Files scanned by SMTP       Total number of files that were processed by SMTP during the current reporting period
    Messages scanned by SMTP    Total number of messages that were processed by SMTP during the current reporting period
    Files scanned by VSAPI      Total number of files that were processed by VSAPI during the current reporting period

  The data that is included in the report is as of the last time the statistics were reset. See Resetting statistics on page 216.

  Threats and security risks
    Total threats               Total number of threats that were detected during the current reporting period
    Top threats table           Table of top threats that were detected during the current reporting period
    Number to include           Number of threats to include in the Top Threats Table
    Unrepairable threats        Total number of unrepairable threats that were detected during the current reporting period
    Unscannable files           Total number of unscannable files that were detected during the current reporting period
    Mass-mailer threats         Number of messages in which mass-mailer threats were detected during the current reporting period
    Total security risks        Number of security risks that were detected during the current reporting period

  Infection disposition
    Threats repaired            Number of threats that were repaired during the current reporting period
    Threats deleted             Number of threats that were deleted during the current reporting period
    Threats quarantined         Number of threats that were quarantined during the current reporting period

2 Click Next.
3 Under Executive Summary Template Options, select the data that you want to appear in the Executive Summary report. Data selections are as follows:

  Current options
    Total attachments blocked                   Total number of attachments that were blocked during the current reporting period
    Total content violations                    Total number of messages containing inappropriate content that were detected during the current reporting period
    Total multimedia/exe attachments blocked    Total multimedia/executable attachments that were blocked during the current reporting period
    Total encrypted attachments blocked         Total encrypted attachments that were blocked during the current reporting period
    Table of top content violations             Table of top content violations that were detected during the current reporting period
    No. of items to include                     Number of items to include in the Table of Top Content Violations
    Table of top attachments blocked            Table of top attachments that were blocked during the current reporting period
    No. of items to include                     Number of items to include in the Table of Top Attachments Blocked

  Spam options
    Table of top spammers       Table of top spam sources that were identified during the current reporting period
    No. of items to include     Number of items to include in the Table of Top Spammers
    Spam by category            Total number of spam categories that were identified during the current reporting period
    SCL to consider as spam     Type an SCL level. The default value is 8.
    Spam by domain              Total number of spam domains that were identified during the current reporting period
    No. of items to include     Number of domains to include in the Spam by Domain list

  The data that is included in the report is as of the last time the statistics were reset. See Resetting statistics on page 216.

  Real-time blacklist options
    RBL rejected                Total number of messages that were rejected by Real-time blacklists
    RBL total checks            Total number of messages that were checked against Real-time blacklists

  The data that is included in the report is as of the last time the statistics were reset. See Resetting statistics on page 216.

4 Click Next.
5 Under Executive Summary Template Options, check Show server information.
6 Select the data that you want to appear in the Executive Summary report.
7 Click Finish.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.


Creating or modifying a Detailed report template


After you create the Detailed template, it appears in the Report Templates table. You can modify the template at any time. If you configure the template to create reports on demand, you can generate the report from the Reports > Report Templates page. If you configure the template to generate a scheduled report, Symantec Mail Security automatically generates the report based on the schedule that you specify. See Generating a report on demand on page 211.

Note: When you create a Detailed report, you might want to limit your date range to less than 30 days. Generating a Detailed report over 30 days might consume large amounts of system memory, depending on the number of violations that are in the report database.

Note: Symantec Mail Security does not support emailing reports that are larger than 5 MB. When Symantec Mail Security generates a report that is larger than 5 MB, it logs the event to the Windows Application Event Log. You can view the report on the Reports page.

Symantec Mail Security provides a wizard that helps you configure your report template.

To identify the report to be created or modified
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 Do one of the following:
  Create a new Detailed report template: In the sidebar under Tasks, click Add new template.
  Modify an existing report template: In the content pane, in the Report Templates table, double-click the template that you want to modify.

To configure the report template options
1 Under Report Template Options, in the Template name box, type a name for the report template. This option is only available if you are creating a new template.
2 In the Description box, type a description for the template.
3 Under Report type, click Detailed.
4 Under Report format, select the report format. See About report output formats on page 202.
5 Check Email report to the following recipients and type one or more addresses to which the report should be delivered. Separate entries with semicolons.
6 Click Next.

To configure the report time range
1 Under Report Time Range, in the Time range list, select the time range for the report. The default setting is Past Day.
2 In the Start time and End time boxes, select the dates and times for the start and end of the report time range. This option is only available if you selected the Customized time range.

To configure on demand report generation
1 Under Report Generation Option, click On demand.
2 Click Next.

To configure scheduled report generation
1 Under Report Generation Option, click Scheduled.
2 In the Generate report at list, select the time of day to generate the report.
3 Click Daily, Weekly, or Monthly. If you select Weekly or Monthly, select the day of the week or month to generate the report.
4 Click Next.

To configure the report chart options
1 Under Report Chart Options, select any of the following:
  Total violations chart
  Threats and security risks chart, and then select the chart granularity. The default setting is Week.
  Content violation chart, and then select the chart granularity. The default setting is Week.
  Spam pie chart
2 Click Next.

To configure report content
1 Under Detailed Template Options, in the Type of violation list, select the type of violation that you want to appear in the report.
2 In the Sender filter box, type an identifying characteristic of the sender whose messages will appear in the report. This can be the domain name or address of the sender, or a name or word, or a wildcard expression.
3 In the Violation filter list, do one of the following:
  Select a pre-defined violation filter. The list consists of the default rules (for example, Basic Virus Rule) that are provided when you install the product. Filter selections vary based on the type of violation that you choose.
  Click User Defined Rule, and in the Rule name box, type the name of a content filtering rule that you created. This option is only available if you select the violation types All or Content Enforcement.
4 Select the columns that you want to appear in the detailed report.
5 Click Finish.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
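The guide notes that a Detailed report saved as .csv can be imported into a third-party reporting tool, and that the Sender filter accepts a domain, address, word or wildcard expression. The following added example (it is not code from the guide or from the product) shows what such post-processing looks like: it parses a constructed .csv export, applies a sender filter that works the way the Sender filter box is described, restricts by violation type, and tallies the result. The column names, the sample rows and the exact filter semantics (substring match for plain text, shell-style wildcards when * or ? appear) are assumptions for illustration; the real columns are whatever you selected in step 4.

```python
"""Summarise a constructed Detailed-report .csv export.

Added example, not part of the Symantec Mail Security guide or product.
The column names below are an assumption; a real export carries the
columns chosen in the Detailed report template.
"""
import csv
import fnmatch
import io
from collections import Counter

# Constructed sample rows in the shape of a Detailed report .csv export.
SAMPLE_CSV = """Date,Sender,Recipient,Type of violation,Rule,Action
2006-03-01 08:12:00,alice@example.com,bob@corp.example,Threat,Basic Virus Rule,Quarantined
2006-03-01 09:40:00,promo@mail.example.net,bob@corp.example,Spam,Spam Rule,Deleted
2006-03-02 11:05:00,carol@partner.example,dave@corp.example,Content Enforcement,Block Executables,Blocked
2006-03-02 13:22:00,promo@mail.example.net,erin@corp.example,Spam,Spam Rule,Deleted
2006-03-03 15:01:00,alice@example.com,erin@corp.example,Threat,Basic Virus Rule,Repaired
"""


def load_report(text):
    """Parse .csv report text into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def sender_matches(sender, pattern):
    """Approximate the Sender filter box (assumed semantics): a plain word,
    domain or address matches as a case-insensitive substring; a pattern
    containing * or ? is treated as a wildcard expression."""
    sender = sender.lower()
    pattern = pattern.lower()
    if any(ch in pattern for ch in "*?"):
        return fnmatch.fnmatchcase(sender, pattern)
    return pattern in sender


def filter_rows(rows, sender_filter=None, violation_type="All"):
    """Keep rows matching the violation type (All = no restriction) and,
    if given, the sender filter."""
    kept = []
    for row in rows:
        if violation_type != "All" and row["Type of violation"] != violation_type:
            continue
        if sender_filter and not sender_matches(row["Sender"], sender_filter):
            continue
        kept.append(row)
    return kept


def summarize(rows):
    """Counts by violation type and by action, plus the top senders."""
    return {
        "by_type": dict(Counter(r["Type of violation"] for r in rows)),
        "by_action": dict(Counter(r["Action"] for r in rows)),
        "top_senders": Counter(r["Sender"] for r in rows).most_common(3),
    }


if __name__ == "__main__":
    rows = load_report(SAMPLE_CSV)
    spam = filter_rows(rows, sender_filter="*.example.net", violation_type="Spam")
    print(summarize(spam))
```

Pointing `load_report` at the contents of a real .csv file from the Reports folder instead of `SAMPLE_CSV` is all that changes for live data; the counts it produces are the same figures a custom chart would be built from.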


Deleting a report template


You can delete a report template when it is no longer needed.

To delete a report template
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 In the content area, select the template that you want to delete.
4 In the sidebar under Tasks, click Delete template.
5 In the confirmation dialog box, click OK.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

What you can do with reports


The following lists the tasks that you can perform on reports:

Generating a report on demand
Accessing a report
Printing a report
Saving report data
Deleting a report
Resetting statistics

Generating a report on demand


After you create a report template, you can use it to generate reports of policy violation information. Symantec Mail Security automatically appends the current date and time to the name of your report template when it names the report. This lets you run the same report on different dates and compare the data. See Accessing a report on page 212.

To generate a report on demand
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 In the Report Templates table, select the report that you want to generate.
4 In the sidebar under Tasks, click Generate Report.
5 In the Operation Status window, click Close when the operation is complete.

Accessing a report
You can view a report from the console or from the Symantec Mail Security Reports folder. If you view a report from the console, you must be in a server view. The Reports page in the console displays the following information:

Name            Name of report
Type            Detailed or Summary
Date Created    Date and time the report was generated
Format          Format output (HTML or CSV)
Template Name   Template from which the report was generated
Status          Current status of the report generation. The report statuses are as follows:
                Ready: The report is generated and can be viewed.
                Generating: The report is currently being generated.
                Failed: The report generation has failed. The event is logged to the Windows Application Event Log.
                A report can only be viewed when its status is Ready.

When Symantec Mail Security generates a report (scheduled or on demand), the report is also automatically saved in its own folder in the Symantec Mail Security Reports folder. You can browse to the folder location and view the report file.

Note: When you delete a report in the console, the file is automatically deleted from the Symantec Mail Security Reports folder. See Deleting a report on page 215.


To access a report from the console
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
  Select the report that you want to view, and in the sidebar under Tasks, click View Report.
  Double-click the report.
  Click F5 to refresh the page.

See Printing a report on page 214.
See Saving report data on page 214.

To access a report from the Symantec Mail Security Reports folder
1 Right-click the Windows Start menu and select Explore.
2 Browse to the Symantec Mail Security Reports folder. The default location is as follows: \Program Files\Symantec\SMSMSE\5.0\Server\Reports
3 Double-click the report folder that contains the report that you want to view.
4 Do one of the following:
  For a report in .html format: Double-click the file to view it. The report appears the same as if it were accessed from the console.
  For a report in .csv format: Open the .csv file in a program such as Microsoft Excel to view it. Files created in .csv format contain raw data and must be viewed in a program that can interpret the data.

See About report output formats on page 202.


Printing a report
If you have a printer configured, you can print a report. Symantec Mail Security provides features that let you configure the page setup and preview the report. Print reports in landscape mode to prevent the data from being cut off at the right margin.

To print a report
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
  Select the report that you want to view, and in the sidebar under Tasks, click View Report.
  Double-click the report.
4 On the toolbar, do any of the following:
  Configure printer options: Click Page Setup.
  Preview the report: Click Print Preview. You can print the report from the Print Preview window.
  Print the report: Click Print.
5 Click OK.

Saving report data


You can save reports to the destination of your choice. This lets you manage and maintain your reports. It also lets you email reports or lets users access the reports that they want to view.

To save report data
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
  Select the report that you want to view, and in the sidebar under Tasks, click View Report.
  Double-click the report.
4 On the toolbar, click Save.
5 In the Save Web Page window, do the following:
  In the File name box, type the name of the file.
  In the Save as type box, select the file type. The default value is Web Page, complete (*.htm, *.html).
  In the Encoding box, select the encoding that you want to use. The default value is Unicode.
6 Click Save.
7 Click OK.

Deleting a report
You can delete a report when it is no longer needed or after you have saved the report to a file location. This lets you manage the volume of reports on the Reports page. See Saving report data on page 214.

Note: When you delete a report in the console, the file is automatically deleted from the Symantec Mail Security Reports folder. See Accessing a report on page 212.

To delete a report
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, select the report that you want to delete.
4 In the sidebar under Tasks, click Delete Report.


Resetting statistics
You can reset statistics for reporting purposes. Resetting statistics also resets the Activity Summary information on the Home page.

To reset statistics
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.
3 Under Tasks, select one of the following:
  Reset Auto-Protect statistics
  Reset spam statistics
  Reset database statistics: Selecting this option purges all data from the Reports database. See Purging the Reports database on page 201.
  Reset all statistics

Chapter 12

Updating your protection


This chapter includes the following topics:

About keeping your server protected
How to update definitions
Distributing definitions to multiple servers

About keeping your server protected


Symantec Mail Security relies on up-to-date information to detect and eliminate risks. One of the most common reasons that problems occur is that definition files are not up-to-date. Symantec regularly supplies updated definition files that contain the necessary information about all newly discovered risks. Regular updates of that information maximize security and guard your organization's Exchange mail system against infections and the downtime that is associated with an outbreak. Symantec Mail Security lets you update your protection from threats and security risks using the following tools:

LiveUpdate      When LiveUpdate runs, it downloads and installs available definitions from the Symantec LiveUpdate server. LiveUpdate certified definitions undergo stringent testing and are updated daily. LiveUpdate is enabled by default with a recommended daily schedule. However, you can modify the schedule.
Rapid Release   Rapid Release definitions provide the fastest response to emerging threats and are updated approximately every hour. Rapid Release definitions are delivered by FTP and provide reliable first-line protection.

Both methods let you update definitions on demand and automatically, based on the schedule that you specify. You can run Rapid Release definition updates instead of or in addition to LiveUpdate updates. For example, you can schedule daily LiveUpdates, and then manually run Rapid Release when a new threat emerges. If your organization has both front-end and back-end Exchange Servers, you might want to consider using Rapid Release definitions on the front-end for the fastest response to new threats and leverage certified LiveUpdate definitions on the Exchange back-end mailbox servers.

Note: If you have Symantec AntiVirus Corporate Edition installed, you must let Symantec AntiVirus update definitions. See About using Symantec Mail Security with other antivirus products on page 57.

You must have a valid content license to update definition files. A content license is a grant by Symantec Corporation for you to update Symantec corporate software with the latest associated content, such as new definitions. When you do not have a content license or your license expires, your product does not receive the most current definitions, and your servers are vulnerable to risks. See About licensing on page 63.

Configuring a proxy server to permit LiveUpdate definitions


Some organizations use proxy servers to control connections to the Internet. To use LiveUpdate, you might need to specify the address and port of the proxy server as well as a user name and password. If needed, you can modify the proxy server configuration settings through LiveUpdate. LiveUpdate can use an HTTP, FTP, or ISP proxy server.

To configure FTP settings for LiveUpdate
1 On the Windows menu, click Start > Control Panel.
2 In the Control Panel window, double-click Symantec LiveUpdate.
3 In the LiveUpdate Configuration dialog box, on the FTP tab, click I want to customize my FTP settings for LiveUpdate. When this setting is checked, the Use a proxy server for FTP connections option appears and is checked by default.
4 In the Address box, type the IP address of the FTP proxy server.
5 In the port box, type the port number. Typically, the port number for FTP is 21.
6 Click OK.

To configure HTTP settings for LiveUpdate
1 On the Windows menu, click Start > Control Panel.
2 In the Control Panel window, double-click Symantec LiveUpdate.
3 In the LiveUpdate Configuration dialog box, on the HTTP tab, click I want to customize my HTTP settings for LiveUpdate. When this setting is checked, the Use a proxy server for HTTP connections option appears and is checked by default.
4 In the Address box, type the IP address of the HTTP proxy server.
5 In the port box, type the port number. Typically, the port number for HTTP is 80.
6 Under HTTP Authentication, click I need authorization to connect through my firewall or proxy server when a user name and password are required to access the HTTP proxy server, and then type the user name and password.
7 Click OK.

To use an ISP dial-up connection for LiveUpdate
1 On the Windows menu, click Start > Control Panel.
2 In the Control Panel window, double-click Symantec LiveUpdate.
3 In the LiveUpdate Configuration dialog box, on the ISP tab, click Customized settings for LiveUpdate.
4 Under Use this Dial-up Networking connection, do one of the following:
  In the drop-down list, select the appropriate connection.
  If the connection that you want to use is not found in the drop-down list, click Add, and then follow the Location Information Wizard instructions to add a connection.
5 Type your ISP user name and password.
6 Click OK.


About setting up your own LiveUpdate server


The LiveUpdate Administration Utility lets you set up an intranet HTTP, FTP, or LAN server, or a directory on a standard file server to handle LiveUpdate operations for your network. The LiveUpdate Administration Utility is available on the Symantec Mail Security product CD in the following location: \ADMTOOLS\LUA

For more information, see the LiveUpdate Administrator's Guide on the Symantec Mail Security product CD in the following folder location: \DOCS\LUA

If you set up your own LiveUpdate server, you must edit the LiveUpdate configuration for Symantec Mail Security to point to the local LiveUpdate server. For more information, contact Symantec Service and Support. See Where to get more information about Symantec Mail Security on page 27.

How to update definitions


You can update definitions using any of the following methods:

Perform updates on demand      See Updating definitions on demand on page 220.
Schedule automatic updates     See Scheduling definition updates on page 221.

Updating definitions on demand


You can use LiveUpdate or Rapid Release to download the most current definitions on demand. You must be in a server view to perform an on-demand definitions update.

To update definitions on demand
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click LiveUpdate/Rapid Release Status.
3 Under Tasks, select one of the following:
  Run LiveUpdate Certified Definitions
  Run Rapid Release Definitions (via FTP)
4 In the Operation Status window, click Close when the operation is complete.

Scheduling definition updates


You can schedule Symantec Mail Security to perform definition updates automatically. If you have multiple servers that you want to perform their own updates using the same settings, you can configure the settings in the Global Group view or a user-defined group view. When you deploy your changes, the settings are deployed to all of the servers in the group. If you configure LiveUpdate to run on a schedule and deploy the changes to a group, it runs at the specified time in the local time zone of each server.

If auto-protect scanning is enabled and you are updating definitions at hourly intervals (using Rapid Release or LiveUpdate), disable at least one of the following auto-protect features on servers that have a message store:

Enable background scanning
On virus definition update, force rescan before allowing access to information store

When both of these options are enabled, the message store is rescanned each time definitions are updated. If you update definitions at hourly intervals, this can impact overall mail throughput. See Configuring auto-protect scanning on page 179.

Also disable the Run scan when virus definitions change feature for all scheduled scans if you update definitions at hourly intervals. If this option is enabled in a scheduled scan, the scheduled scan runs each time definitions are updated. Because definitions are delivered more frequently, the scan might not complete before new definitions are available. This can impact overall mail throughput. See About scheduling a scan on page 183.

To schedule definition updates
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click LiveUpdate/Rapid Release Schedule.
3 In the content pane, under LiveUpdate/Rapid Release Schedule, check Enable automatic virus definitions updates. This option is enabled by default.
4 Select one of the following:
  Use Rapid Release definitions
  Use Certified LiveUpdate definitions. This option is enabled by default.
5 Under Schedule, do one of the following:
  Select Run every [ ] hours, and then select the interval in hours that you want to run LiveUpdate or Rapid Release. The default value is 1 hour.
  Select Run at a specific time, and then type the time of day (in 24-hour format) and check the day or days of the week that you want LiveUpdate to run. This option is not available for Rapid Release.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

Distributing definitions to multiple servers


You can update LiveUpdate definitions on multiple servers by doing the following:

Performing a LiveUpdate                                      You can run LiveUpdate so that you can distribute the most up-to-date definitions that are available.
Pushing the updated definitions to the servers in the group  When you distribute definitions to multiple servers, you must have a valid license for each server or the definitions are not applied. See About licensing on page 63.

Note: Symantec Mail Security does not support distributing Rapid Release definitions to multiple servers.

To distribute definitions to multiple servers, you must be in a group view.

To distribute definitions to multiple servers
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click Group LiveUpdate Status.
3 Under Tasks, click Run LiveUpdate.
4 In the LiveUpdate options panel, click Start.
5 When LiveUpdate is complete, click Close.
6 In the sidebar under Tasks, click Send virus definitions to servers.


Appendix

Using variables to customize alerts and notifications


This chapter includes the following topic:

About alert and notification variables

About alert and notification variables


Symantec Mail Security lets you customize notification and alert messages using variables. Note: The percent (%) sign is used to surround variables in the replacement text and email notification fields. However, when a single percent sign (%) is placed in the text, it is filtered out and does not appear in the email notifications. Table A-1 lists the variables that you can use and their descriptions. Table A-1 Use
Multiple notifications

Replacement variables for alerts and notifications Variable


%n%

Description
Starts a new line in the notification message

%server%

Autofills with the name of the server on which a violation was discovered

226 Using variables to customize alerts and notifications About alert and notification variables

Table A-1  Replacement variables for alerts and notifications (Continued)

Use                           Variable        Description
Rule violation notifications  %action%        Autofills with the description of the action taken in response to a rule violation
                              %attachment%    Autofills with the name of the attachment in which a rule violation has been found
                              %datetime%      Autofills with the date and time of a violation
                              %information%   Autofills with any general information available about the violation
                              %location%      Autofills with the name of the location at which a violation was discovered, for example, inbox, outbox, public folder
                              %policy%        Autofills with the name of the policy of which the violated rule is a part
                              %recipient%     Autofills with the name of the intended recipient of a message in which a violation was discovered
                              %rule%          Autofills with the name of the rule that was violated
                              %scan%          Autofills with the name of the scan that discovered a violation
                              %sender%        Autofills with the name of the sender of a message in which a violation was discovered
                              %subject%       Autofills with the contents of the subject line
                              %violation%     Autofills with the name of the violation detected
Outbreak notifications        %count%         Autofills with the number of messages that violate the outbreak trigger
                              %threshold%     Autofills with the threshold level of an identified outbreak trigger
                              %trigger%       Autofills with the name of the outbreak trigger that detected an outbreak
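The two percent-sign rules above (a variable is a name surrounded by percent signs; a lone percent sign is filtered out) are easy to get wrong when a template is written by hand, and they matter for security because several of the variables (%sender%, %subject%, %attachment%) are filled from content the sender controls. The following is an added example, written for this page in Python and not code from the guide or from Symantec Mail Security, of a small expander that applies Table A-1 to a constructed violation record. Two behaviours are this example's own assumptions rather than documented product behaviour: substituted values are inserted in a single pass and never re-scanned, so a subject line that itself reads "%sender%" stays literal instead of expanding into another field, and a token whose name is not in Table A-1 is left as written. The template, server name and addresses are constructed sample data.

```python
import re
from typing import Mapping

# Variables documented in Table A-1, grouped by the notification type they apply to.
MULTIPLE_NOTIFICATION_VARS = {"n", "server"}
RULE_VIOLATION_VARS = {
    "action", "attachment", "datetime", "information", "location", "policy",
    "recipient", "rule", "scan", "sender", "subject", "violation",
}
OUTBREAK_VARS = {"count", "threshold", "trigger"}
KNOWN_VARS = MULTIPLE_NOTIFICATION_VARS | RULE_VIOLATION_VARS | OUTBREAK_VARS

# A variable is a name made of letters surrounded by percent signs.
_TOKEN = re.compile(r"%([A-Za-z]+)%")


def expand_notification(template: str, fields: Mapping[str, str]) -> str:
    """Expand %variable% tokens in a notification or alert template.

    Rules taken from the guide: %n% starts a new line and a single percent
    sign in the template text is filtered out.  Two choices are this example's
    own assumptions, not documented product behaviour: field values are
    inserted in a single pass and never re-scanned, so sender-controlled
    content such as a subject reading "%sender%" cannot expand into another
    field; and a token whose name is not in Table A-1 is left as written.
    """
    out = []
    pos = 0
    for m in _TOKEN.finditer(template):
        # Literal text between tokens: drop any stray single percent sign.
        out.append(template[pos:m.start()].replace("%", ""))
        name = m.group(1)
        if name == "n":
            out.append("\n")
        elif name in KNOWN_VARS:
            out.append(str(fields.get(name, "")))  # value inserted verbatim
        else:
            out.append(m.group(0))  # not a documented variable: keep as written
        pos = m.end()
    out.append(template[pos:].replace("%", ""))
    return "".join(out)


# Constructed sample data: a rule-violation notification for an attachment rule.
SAMPLE_TEMPLATE = (
    "Violation on %server%%n%"
    "Rule: %rule% (policy %policy%)%n%"
    "From %sender% to %recipient%%n%"
    "Subject: %subject%%n%"
    "Action: %action% at 100% confidence"
)
SAMPLE_FIELDS = {
    "server": "EXCH01",
    "rule": "Executable File Rule",
    "policy": "Attachment Policy",
    "sender": "mallory@example.net",
    "recipient": "alice@example.com",
    "subject": "Invoice %sender% 50% off",  # hostile subject: must stay literal
    "action": "Quarantined",
}

if __name__ == "__main__":
    print(expand_notification(SAMPLE_TEMPLATE, SAMPLE_FIELDS))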

Appendix

Integrating Symantec Mail Security with SESA


This chapter includes the following topics:

  About SESA
  Interpreting Symantec Mail Security events in SESA
  Configuring logging to SESA
  About uninstalling SESA

About SESA
In addition to using the Symantec Mail Security Event Log and the Windows Application Event Log, you can also log events to the Symantec Enterprise Security Architecture (SESA). SESA integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for SESA-enabled security products, such as Symantec Mail Security, that protect your IT infrastructure from malicious code, intrusions, and blended threats.

SESA increases your organization's security posture by simplifying the task of monitoring and managing the multitude of security-related events and products that exist in today's corporate environments. The event categories and classes include threats, security risks, content filtering, network security, spam, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by SESA.


Table B-1 lists the versions of SESA that Symantec Mail Security supports.

Table B-1  Supported versions of SESA

Version  Description
2.1      This version of SESA is a software-only solution. You can monitor and manage security-related events through the SESA Console. The SESA Console is the common console that provides manageable integration of security technologies (Symantec or otherwise), Symantec Security Services, and Symantec Security Response. You can query, filter, and sort data to reduce the security-related events that you see through the SESA Console. This lets you focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status, based on filtered views that you create.

         SESA is purchased and installed separately. SESA must be installed and working properly before you can configure Symantec Mail Security to log events to SESA. For more information, see the SESA 2.1 documentation.

2.5      This version of SESA is a software component of the Symantec Security Information Manager 4.0 appliance. SESA is seamlessly integrated with Symantec Incident Manager, the software component for the Symantec Security Information Manager appliance. Together, these tools provide you with an open, standards-based foundation for managing security events from Symantec clients, gateways, servers, and Web servers.

         SESA Agents collect events from security products and send the events to the SESA Manager. The SESA Manager sends the events to the Correlation Manager, which uses a sophisticated set of rules to filter, aggregate, and correlate the events into security incidents. The Correlation Manager sends the incidents to Symantec Incident Manager for evaluation, tracking, and response. Symantec Incident Manager evaluates the impact of incidents on the associated systems and assigns incident severities. A built-in Knowledge Base provides information about the vulnerabilities that are associated with the incident. The Knowledge Base also suggests tasks that you can assign to a help desk ticket for resolution.

         Symantec Security Information Manager is purchased and installed separately. The appliance must be installed and working properly before you can configure Symantec Mail Security to log events to SESA. For more information, see the Symantec Security Information Manager documentation.


Note: Refer to the SESA/Symantec Security Information Manager documentation for the latest recommended version of the Java Runtime Environment.

Interpreting Symantec Mail Security events in SESA


SESA provides extensive event management capabilities, such as common logging of normalized event data for SESA-enabled security products like Symantec Mail Security. The event categories and classes include threats (such as viruses), security risks (such as adware and spyware), content filtering rule violations, network security, spam, and systems management. For more information about interpreting events in SESA and on the event management capabilities of SESA, see the SESA or Symantec Security Information Manager documentation.

Table B-2 lists the events that are logged to SESA.

Table B-2  Security events that are logged to SESA

Event ID (SES_EVENT_<Unique ID>)   Severity                      Event Class           Rule Description (Reason sent)
GENERIC_CONTENT                    Warning                       DATA_INCIDENT         Content filtering rule name
SPAM_CONTENT                       Warning                       DATA_INCIDENT         Heuristic antispam: Spam score: [ ] percent
                                                                                       Premium antispam: [spam] or [suspected spam]
UNSCANNABLE_VIOLATION              Warning                       DATA_INCIDENT         Scan error
VIRUS                              Warning: Deleted/Repaired     DATA_VIRUS_INCIDENT   Threats
                                   Minor: Quarantined                                  Mass-mailer clean up
                                   Major: Infected (log only)
DATA_GREYWARE_CONTENT              Warning                       DATA_INCIDENT         Security risk (category, such as adware)


Configuring logging to SESA


The logging of events to SESA is in addition to logging events in the Symantec Mail Security Event Log and the Windows Application Event Log. Logging to SESA is activated independently of the Symantec Mail Security Event Log. You can send a subset of the events that are logged by Symantec Mail Security to SESA.

To configure logging to SESA, you must complete the following steps:

Configure SESA to recognize Symantec Mail Security
    For SESA to receive events from Symantec Mail Security, you must run the SESA Integration Wizard that is specific to Symantec Mail Security for Microsoft Exchange. The SESA Integration Wizard installs the appropriate integration components for identifying the individual security product (in this case, Symantec Mail Security for Microsoft Exchange) to SESA.
    See Configuring SESA 2.1 to recognize Symantec Mail Security on page 231.
    See Configuring SESA 2.5 to recognize Symantec Mail Security on page 232.

Install a local SESA Agent on the computer that is running Symantec Mail Security
    The local SESA Agent handles the communication between Symantec Mail Security and SESA.
    See Installing the local SESA Agent on page 235.

Configure the Windows hosts file
    If you are using the Symantec Security Information Manager, you must add the server name and IP address of the information manager to the Windows hosts file.
    See Updating the Windows hosts file to log events to SESA 2.5 on page 235.

Configure Symantec Mail Security to send logging events to SESA
    You use the console to configure Symantec Mail Security to communicate with the local SESA Agent and to log events to SESA.
    See Configuring Symantec Mail Security to log events to SESA on page 236.


Configuring SESA 2.1 to recognize Symantec Mail Security


To configure SESA to receive events from Symantec Mail Security, run the SESA Integration Wizard on each computer that is running the SESA Manager. The SESA Integration Wizard installs the appropriate integration components for identifying Symantec Mail Security to SESA. You must run the SESA Integration Wizard for each SESA Manager computer to which you are forwarding events from Symantec Mail Security.

To configure SESA 2.1 to recognize Symantec Mail Security, you must first launch the SESA Integration Wizard. The wizard guides you through the installation procedures.

To start the SESA 2.1 Integration Wizard
1 On the computer on which the SESA Manager is installed, create a folder for the datapackage.sip file, for example: C:\Datapackage
2 Insert the Symantec Mail Security product CD into the CD-ROM drive.
3 Copy the following file to the newly created folder: ADMTOOLS\SIPI\smsmse50.sip
4 On the computer on which the SESA Manager is installed, insert the SESA CD1 - SESA Manager CD into the CD-ROM drive.
5 At the command prompt, change directories on the CD to the following location: \SIPI
6 To start the SESA Integration Wizard, at the command prompt, type:

    java -jar setup.jar

To configure SESA 2.1 to recognize Symantec Mail Security
1 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information window.
2 In the SESA Directory Domain Administrator Information window, type the specific information about the SESA Domain Administrator and the SESA Directory.

    SESA Directory Domain Administrator Name
        Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.
    SESA Directory Domain Administrator Password
        Type the Directory Domain Administrator password.
    Log on to domain (in dotted notation)
        Type the SESA administrative domain. An example of dotted notation is: NorthAmerica.SES
    Host Name or IP Address of SESA Directory
        Do one of the following:
        If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer).
        If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer.
        For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
    Secure Directory Port
        Type the number of the SESA Directory SSL port (by default, 636).

3 In the SESA Integration Package to Install window, type or browse to the location in which the SESA Integration Package is located, and then click OK.
4 Click Next, and then follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.
5 Repeat steps 1 through 4 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.

Configuring SESA 2.5 to recognize Symantec Mail Security


The Symantec Security Information Manager Web configuration interface provides a link that you can use to download and install the SESA Integration Wizard. The wizard installs SESA Integration Packages (SIPs) for Symantec Mail Security. The SIP contains the configuration settings and event schemas that SESA requires to recognize and log events from Symantec Mail Security. You must run the SESA Integration Wizard for each Symantec Security Information Manager to which you are forwarding events from Symantec Mail Security.


To configure SESA 2.5 to recognize Symantec Mail Security, you must first download the SESA Integration Wizard from the Symantec Security Information Manager. The wizard guides you through the installation procedures.

To download the SESA 2.5 SIP Integration Wizard
1 Insert the Symantec Mail Security product CD into the CD-ROM drive.
2 Copy the following file to your local computer: ADMTOOLS\SIPI\smsmse50.sip
3 Open a Web browser, and in the address bar, type the IP address of the appliance.
4 If prompted, type the Log on name, password, and domain, and then click Log On.
5 In the Symantec Security Information Manager console, in the left pane, click Register SIPs.
6 Click Download SIP Integration Wizard.
7 In the File Download dialog box, click Save.
8 Type or browse to the location in which you want to save the SESA Integration Wizard installation file. SIPI.zip is the file that is downloaded.
9 In the Download complete dialog box, click Close.
10 Locate the SIPI.zip file, double-click it, and unpack the file to the desired folder.

To configure SESA 2.5 to recognize Symantec Mail Security
1 In the folder where you unpacked the SIPI.zip file, double-click setup.jar. The SESA Integration Wizard appears.
2 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information panel.
3 In the SESA Directory Domain Administrator Information panel, type the specific information about the SESA Domain Administrator and the SESA Directory.

    SESA Directory Domain Administrator Name
        Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.
    SESA Directory Domain Administrator Password
        Type the Directory Domain Administrator password.
    Log on to domain (in dotted notation)
        Type the SESA administrative domain. An example of dotted notation is: NorthAmerica.SES
    Host Name or IP Address of SESA Directory
        Do one of the following:
        If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer).
        If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer.
        To change the IP address, you must use the SESA console, not the Symantec Mail Security console.
        For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
    Secure Directory Port
        Type the number of the SESA Directory SSL port (by default, 636).

4 In the SESA Integration Package to Install panel, type or browse to the location in which you saved the SESA Integration Package (smsmse50.sip), and then click Next.
5 Click Next and follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.
6 Repeat steps 1 through 5 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.


Installing the local SESA Agent


The local SESA Agent handles the communication between Symantec Mail Security and SESA and is installed on the same computer that is running Symantec Mail Security. The local SESA Agent is provided as part of the software distribution package for Symantec Mail Security. Ordinarily, the local SESA Agent is installed automatically when the user elects to enable logging and alerting to SESA. This can be done at installation or at any time afterward. When you have more than one SESA-enabled product installed on a single computer, these products can share a local SESA Agent. However, each product must register with the Agent. Thus, even if an Agent has already been installed on the computer for another SESA-enabled security product, you must run the installer to register Symantec Mail Security for Microsoft Exchange. To install the SESA Agent using the SESA Agent Installer that Symantec Mail Security provides, run the Installer on all computers on which Symantec Mail Security is installed. You install the SESA Agent when you install Symantec Mail Security. See About installing Symantec Mail Security on remote servers on page 40.

Updating the Windows hosts file to log events to SESA 2.5


You must add the IP address and server name of the Symantec Security Information Manager to your Windows hosts file.

To update the Windows hosts file to log events to SESA 2.5
1 On the computer on which you have installed Symantec Mail Security, open the following file: <Windows>\System32\Drivers\Etc\Hosts
2 Add the following entry: <sesa-server-ip> <sesa-server-name>
3 Save and close the file.
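The hosts file overrides DNS for every process on the Exchange server, so the entry above deserves two checks the three steps do not spell out: that the address is well-formed, and that the name is not already mapped to some other address, because a stale or conflicting entry would silently send the local SESA Agent's events to the wrong host. The following is an added example, written for this page in Python so that it runs anywhere, and not code from the guide or from Symantec Mail Security. It parses hosts-file content in the format the steps describe, appends the `<ip> <name>` line only when it is missing, refuses to proceed on a conflict, and offers a post-edit lookup as the verification step. The file content, addresses and host names are constructed sample data; `ssim01.example.com` stands in for the `<sesa-server-name>` placeholder.

```python
import ipaddress
import re
from typing import List, Tuple

# One active hosts entry: "<ip> <name> [alias ...]", optionally followed by a "#" comment.
_HOSTS_LINE = re.compile(r"^\s*([^\s#]+)\s+([^#]*?)\s*(#.*)?$")


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) for every active entry; blanks and comments are skipped."""
    entries = []
    for line in text.splitlines():
        m = _HOSTS_LINE.match(line)
        if m and m.group(2):
            entries.append((m.group(1), m.group(2).split()))
    return entries


def add_sesa_manager(text: str, ip: str, name: str) -> str:
    """Return the hosts-file content with '<ip> <name>' present exactly once.

    The address is validated before anything is written, and the function
    refuses to proceed if the name is already mapped to a different address:
    a stale entry would silently redirect the local SESA Agent's traffic.
    Idempotent: a second run with the same pair returns the content unchanged.
    """
    ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    for existing_ip, names in parse_hosts(text):
        if name.lower() in (n.lower() for n in names):
            if existing_ip == ip:
                return text
            raise ValueError(f"{name} is already mapped to {existing_ip}, not {ip}")
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{ip} {name}\n"


def resolves_to(text: str, name: str) -> str:
    """Address the hosts file gives for name, or '' if it has none (the post-edit check)."""
    for existing_ip, names in parse_hosts(text):
        if name.lower() in (n.lower() for n in names):
            return existing_ip
    return ""


# Constructed sample: a default Windows hosts file plus the Exchange server's own entry.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "127.0.0.1       localhost\n"
    "192.0.2.10      exch01.example.com  exch01   # mail server\n"
)

if __name__ == "__main__":
    updated = add_sesa_manager(SAMPLE_HOSTS, "192.0.2.20", "ssim01.example.com")
    print(updated)
    print("ssim01.example.com ->", resolves_to(updated, "ssim01.example.com"))
```

On a real server the same logic would read and rewrite `<Windows>\System32\Drivers\Etc\Hosts`; keeping the read, the edit and the lookup separate makes the conflict check, which is the part worth having, easy to run on its own before anything is saved.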


Configuring Symantec Mail Security to log events to SESA


After you have installed the local SESA Agent to handle communications between Symantec Mail Security and SESA, you must ensure that logging to SESA is activated. These settings are stored in the Symantec Mail Security Settings database. After you configure Symantec Mail Security to log events to SESA, check the server status to confirm that logging to SESA is enabled. If it is not, you can start the SESA Agent using Windows Services.

To configure Symantec Mail Security to log events to SESA
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar, click Notifications/Alerts Settings.
3 Under SESA Alerts, check Enable Logging and Alerting to SESA Server.
4 Type the IP address in the IP address of the SESA server box.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.

To start the SESA AgentStart service using Windows Services
1 On the Windows menu, click Start > Control Panel > Administrative Tools > Services.
2 Under Name, right-click SESA AgentStart, and then click Start.

About uninstalling SESA


When Symantec Mail Security is no longer forwarding events to SESA, you can uninstall the SESA components.

About uninstalling the SIP


You uninstall the SESA Integration Package from the SESA Manager computer. If you are using SESA version 2.5, you must first purge all items in the event log for all products, not just Symantec Mail Security. For more information about how to uninstall the SIP, see the SESA documentation.


About uninstalling the SESA Agent


The local SESA Agent is automatically uninstalled when you uninstall Symantec Mail Security. When more than one product is using the Agent, the uninstall script removes only the Symantec Mail Security for Microsoft Exchange registration and leaves the Agent in place. When no other security products are using the Agent, the uninstall script uninstalls the Agent as well. See Uninstalling Symantec Mail Security on page 60.


Index

Symbols
.csv (comma-separated value) report format 202
.NET Framework 33, 34, 35, 40
.zip files. See container files

A
Active Directory 16, 17, 166, 169
Active Summary 216
Adobe Acrobat Reader 19
adware. See security risks
Allowed Senders list 113
antispam filtering
  about 107
  configuring heuristic antispam 141
  configuring real-time blacklists 112
  configuring Symantec Premium AntiSpam 131
  configuring the SAT value 111
  configuring whitelists 113
  how it works 109
  licensing requirements 64
  SCL values, about 110
antivirus
  Basic Virus Rule 99
  detecting mass-mailer viruses 98
  enabling detection 98
  how Symantec Mail Security detects viruses 97
  logging detections 197
  modifying virus policies 99
  quarantining viruses 85
  setting Bloodhound detection level 98
  Unrepairable Virus Rule 99
  updating protection against 217
antivirus definitions. See definitions
antivirus products, other 57
attachments
  Allow-Only Attachment Rule 147
  blocking by attachment name 170
  detecting executables 175
  detecting multimedia files 172
  enforcing email attachment policies 170
  Executable File Rule 170
  filtering 145
  making attachment size a rule condition 148
  Outbreak Triggered Attachment Names match list 155
  Quarantined Triggered Attachment Names Rule 147
  Sample Attachment Name match list 155
  Sample Executable File Names match list 155
  Sample Multimedia File Names match list 155
auto-protect scans 158, 179

B
background scanning 179
Basic Virus Rule 99
Bloodhound heuristics technology 97

C
clusters
  configuring the cluster resource 48
  considerations before installing on 46
  installing on 45
  installing on an active/active cluster 49
  Veritas cluster server 50
console
  about 53
  accessing 52
  Home page 54
  installing console only 43
  primary navigation bar 54
  system requirements 34
container files
  blocking unscannable 104
  configuring limits 102
  decomposing 97
  denial-of-service attacks 102
  encrypted 96, 104
  unscannable 96
content area 53
content filtering rules
  about 145
  blocking attachments by name 170
  configuring 160
  configuring exceptions 163
  configuring rule conditions 161
  creating 159
  deleting 169
  detecting executable files 175
  detecting multimedia file types 172
  editing 159
  elements of 149
  enabling for auto-protect scanning 158
  enforcing attachment policies 170
  evaluating content 147
  literal string 149
  managing 157
  managing match lists 154
  metacharacters 151
  multiple violations 146
  notifying when rules are violated 167
  pre-configured rules 147
  prioritizing 168
  refreshing Active Directory groups 169
  regular expressions 150
  rule names and descriptions 160
  specifying actions 164
  specifying local domains 157
  specifying users to whom rules apply 166
  wildcards 149
content license 63

D
definitions 220
  about 97
  distributing to multiple servers 222
  licensing requirements 63, 218
  LiveUpdate Administration Utility, about 220
  updating 217
denial-of-service attacks 96, 102
deploy all settings 72
deploy changes 72
Detailed. See templates
dialers. See security risks
DirectX 33, 35, 40
discard changes 72
domains, specifying local 157
DOS wildcard expressions 154

E
Encrypted File Rule 104
Event Log
  about 197
  contents 199
  filtering contents 200
  viewing 198
Executable File Rule 170
executable files, detecting 155, 175
Executive Summary. See templates
expressions
  regular 150
  wildcard 154

F
features
  new and enhanced 16
  protecting and managing your server 20
filtering. See content filtering rules
formats, report output 202
FTP proxy server, LiveUpdate connection 218

G
Global Group 72

H
hack tools. See security risks
help 27
heuristic antispam. See antispam filtering
heuristics 97
Home page 54, 55, 216
HTML
  encoding 146
  report output format 202
HTTP proxy server, LiveUpdate connection 218
hyper-threaded processor 58

I
IIS (Internet Information Services) 51
impersonation 34, 51
inbound/outbound settings 157
installation
  before you install 29
  customizing remote server installation settings 40
  installation options 34
  installing on a cluster 45
  installing on a local server 35
  installing on a remote server 40
  installing the console only 43
  installing the SESA Agent 235
  post-installation tasks 50
  security and access permissions 32
  system requirements 33
  uninstalling 60
  upgrading 59
Intel Xeon processors 58
ISA server, registering Symantec Premium AntiSpam through 117
ISP proxy server, LiveUpdate connection 218
IWAM account 34, 51

J
joke programs. See security risks

L
languages 131
license
  activating 64
  content license 63
  expiration 64
  installing license files 68
  locating the serial number 65
  obtaining a license file 65
  renewing 69
  requirements 63
  software updates 63
  status 69
  Symantec Premium AntiSpam license 64, 67
  upgrading 64
list pane 54
literal string 149
LiveUpdate
  about 217
  distributing definitions to multiple servers 222
  licensing requirements 63
  updating definitions
    on demand 220
    scheduled 221
  using proxy servers 220
LiveUpdate Administration Utility 18, 220
local domains, specifying 157
local quarantine
  about 85
  establishing thresholds 87
  forwarding events to the Quarantine Server 86
  purging 93
  releasing messages
    by mail 90
    to file 92
  viewing contents 88
logs
  See also reports
  Event Log
    about 197
    contents 199
    filtering contents 200
  logging destinations 197
  Reports database
    about 198
    purging 201
    storing data 200
  SESA 198
  Windows Application Event Log 197

M
manual scans
  about 178
  configuring 180
  running 182
  viewing results 183
mass-mailer worms 96
match lists
  about 154
  pre-configured 155
MDAC 33, 35, 40
menu bar 53
messages
  See also risks
  See also scans
  archiving 24
metacharacters 151
Microsoft Certificate Services 2.0 51
Microsoft Excel 202
Microsoft IMF (Intelligent Message Filter) 111
migration 59
multimedia file type detection 172
multiserver console settings 59

N
notifications settings 188

O
Open Proxy list 116, 131
outbreak management
  about
  adding outbreak items to pre-configured match lists 193
  clearing 195
  configuring notifications 194
  configuring triggers 193
  defining an outbreak 190
  enabling 192
  triggers, about 191
outbreaks. See outbreak management

P
policies 21
post-installation tasks 50
premium antispam service. See Symantec Premium AntiSpam
preview pane 54
primary navigation bar 53, 54
Probe Network 115
processing limits 102
protection, server 217
proxy server
  LiveUpdate 220
  Symantec Premium AntiSpam 118

Q
Quarantine Server
  See also local quarantine
  about 86
  forwarding events to 86

R
Rapid Release
  about 217
  licensing requirements 63
  updating definitions
    on demand 220
    scheduled 221
RBL. See real-time blacklists
real-time blacklists 112, 113
regular expressions 150
regulatory requirements 24
remote access programs. See security risks
replacement variables 225
reports
  See also templates
  accessing 212
  creating or modifying 203, 208
  deleting 212, 215
  email notification limitations 203, 208
  generating on demand 211
  managing 211
  printing 214
  Reports page display information 212
  resetting statistics 216
  saving data 214
  viewing with third-party tools 202
Reports database
  about 198
  purging 201
  storing data 200
reputation service 131
resizing bars 54
risks
  See also security risks
  See also threats
  Bloodhound heuristics technology 97
  categories of 95
  configuring security risk detection 100
  configuring threat detection 98
  decomposing container files 97
  how risks are detected 97
  setting container file limits 102
RTF encoding 146

S
Safe list 116, 131
SAT (Store Action Threshold) 111
scan processes 58
scanning limits 102
scanning threads 58
scans
  auto-protect 178, 179
  background scanning 179
  blocking unscannable files 104
  manual 180
  notifying of violations 188
  scheduled 183
scheduled scans
  about 178
  configuring scan options 184
  creating 183
  deleting 187
  editing 184
  enabling 187
SCL (spam confidence level) values 110
screen resolution, recommended 30
security and access permissions 32
security risks
  See also risks
  about 96
  categories of 101
  configuring detection 100
serial numbers, licensing 65
server domain controller 34, 51
server groups
  See also servers
  adding servers 77
  applying definitions 222
  creating 76
  deleting 81
  deploying all settings 72
  deploying changes 72
  Global 72
  managing, about 74
  pushing out settings to servers 80
  restoring default settings 80
  server settings file location 72
  user-defined 72
  viewing settings 74
server protection 217
servers
  See also server groups
  adding to groups 77
  deploying changes 72
  importing and exporting settings 82
  managing, about 74
  modifying communication properties 83
  moving to another group 78
  removing from group management 81
  restoring default settings 80
  synchronizing settings 80
  viewing settings 74
  viewing the status 75
SESA
  about 198, 227
  configuring logging to 230
  configuring to recognize Symantec Mail Security 231, 232
  installing Agent 235
  Integration Wizard 231, 232
  uninstalling 236
  versions 228
settings, importing and exporting 82
sidebar 54
spam foldering 117
spam. See antispam filtering
spyware. See security risks
SSL (Secure Socket Layer) communications 51, 83
statistics, resetting 216
string, literal 149
Suspect list 116, 131
Symantec AntiVirus Corporate Edition
  email tools feature 30
  updating definitions 57, 218
Symantec Brightmail AntiSpam 30
Symantec Elite Enterprise Licensing program 70
Symantec Mail Security for Microsoft Exchange
  about 15
  accessing the console 52
  configuring Symantec AntiVirus on the same computer 57
  features 16, 20
  getting more information 27
  locating software components 30
Symantec Mail Security Reports folder 212
Symantec Premium AntiSpam
  See also antispam filtering
  about 114
  configuring 131
  configuring your proxy server 118
  how it works 115
  identifying languages 131
  methods for detecting spam 115
  Outlook plug-in 124
  processing spam 132
  registering through an ISA server 117
  reputation service 131
  scoring suspected spam 131
  spam folder agent 119
  spam foldering 117
  Symantec Probe Network 115
Symantec Spam Folder Agent for Exchange
  See also Symantec Premium AntiSpam
  See also Symantec Spam Plug-in for Outlook
  about 119
  creating a service account 120
  installing 122
Symantec Spam Plug-in for Outlook
  See also Symantec Premium AntiSpam
  See also Symantec Spam Folder Agent for Exchange
  about 124
  identifying languages 131
  installing 129
  modifying variables 125
  toolbar elements 125
system requirements 33

T
templates
  about 201
  creating or modifying 203, 208
  deleting 211
  Detailed 202
  output formats 202
  Summary 202
threats
  See also risks
  Bloodhound technology 98
  configuring detection 98
  detecting mass-mailer infected messages 98
  types detected 95
toolbar 53
trackware. See security risks
Trojan horses 95

U
Unfiltered Recipients list 113
uninstalling
  SESA 236
  Symantec Mail Security for Microsoft Exchange 60
Unrepairable Virus Rule 99
Unscannable File Rule 104
updates. See definitions
upgrade product version 59

V
variables, replacement 225
Veritas cluster server 50
virus
  See also risks
  Basic Virus Rule 99
  configuring detection 98
  detecting mass-mailer viruses 98
  enabling detection 98
  how Symantec Mail Security detects 97
  logging detections 197
  modifying virus policies 99
  quarantining 85
  setting Bloodhound detection level 98
  Unrepairable Virus Rule 99
  updating protection against 217
virus definitions. See definitions

W
whitelists 113
wildcard expressions, DOS 154
Windows Application Event Log
  about 197
  viewing contents of in Symantec Mail Security 198
worms 95
