Sms Imp Guide
Legal Notice
Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions. Symantec, the Symantec Logo, and Symantec AntiVirus Corporate Edition are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Windows is a trademark of Microsoft Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THIS DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202. Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014 USA, www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's maintenance offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web-based support that provides rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
Advanced features, including Technical Account Management
For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: http://www.symantec.com/techsupp/enterprise/ Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you use.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
Available memory, disk space, NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
  Error messages and log files
  Troubleshooting that was performed before contacting Symantec
  Recent software configuration changes and network changes
Customer service
Customer service information is available at the following URL: http://www.symantec.com/techsupp/enterprise/ Select your country or language under Global Support. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade insurance and maintenance contracts
Information about Symantec Value License Program
Advice about Symantec's technical support options
Asia-Pacific and Japan: contractsadmin@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com
Consulting services
Educational Services
To access more information about Enterprise Services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.
Symantec Software License Agreement Symantec Mail Security for Microsoft Exchange
SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (SYMANTEC) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS YOU OR YOUR) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE I DO NOT AGREE, NO BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.
1. License:
The software which accompanies this license (collectively the Software) is the property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, you will have certain rights to use the Software after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to you. Except as may be modified by a Symantec license certificate, license coupon, or license key (each a License Module) which accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this Software are as follows:
You may:
A. use that number of copies of the Software as have been licensed to you by Symantec under a License Module, provided that if the Software is part of a suite of Symantec software licensed to you, the number of copies you may use of all titles of the software in the suite, including the Software, may not exceed the total number of copies so indicated in the License Module in the aggregate, as calculated by any combination of licensed suite products. Your License Module shall constitute proof of your right to make such copies. If no License Module accompanies, precedes, or follows this license, you may make one copy of the Software you are authorized to use on a single computer.
B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of your computer and retain the original for archival purposes;
C. use the Software on a network, provided that you have a licensed copy of the Software for each computer that can access the Software over that network; and
D. after written notice to Symantec, transfer the Software on a permanent basis to another person or entity, provided that you retain no copies of the Software and the transferee agrees to the terms of this license.
2. Content Updates:
Certain Symantec software products utilize content that is updated from time to time (antivirus products utilize updated virus definitions; content filtering products utilize updated URL lists; firewall products utilize updated firewall rules; vulnerability assessment products utilize updated vulnerability data, etc.; collectively, these are referred to as Content Updates). You may obtain Content Updates for any period for which you have purchased upgrade insurance for the product, entered into a maintenance agreement that includes Content Updates, or otherwise separately acquired the right to obtain Content Updates. This license does not otherwise permit you to obtain and use Content Updates.
3. Limited Warranty:
Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to you. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Software. Symantec does not warrant that the Software will meet your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.
4. Disclaimer of Damages:
REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether you accept the Software.
6. General:
This Agreement will be governed by the laws of the State of California. This Agreement may only be modified by a License Module which accompanies this license or by a written document which has been signed by both you and Symantec. Should you have any questions concerning this Agreement, or if you desire to contact Symantec for any reason, please write: Symantec Customer Service, 555 International Way, Springfield, OR 97477.
Contents
Technical Support
Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange
  About Symantec Mail Security for Microsoft Exchange .... 15
  What's new in Symantec Mail Security .... 16
  Components of Symantec Mail Security .... 18
  How Symantec Mail Security works .... 20
  What you can do with Symantec Mail Security .... 20
    Manage your Exchange environment using policies .... 21
    Scan your Exchange server for risks and violations .... 22
    Protect against threats .... 22
    Keep your protection up-to-date .... 22
    Identify spam email .... 23
    Filter undesirable message content .... 24
    Save messages to a folder for archiving .... 24
    Manage outbreaks .... 25
    Quarantine infected message bodies and attachments .... 25
    Monitor Symantec Mail Security events .... 26
    Generate reports .... 26
    Send notifications when a threat or violation is detected .... 27
    Manage single and multiple Exchange servers .... 27
  Where to get more information about Symantec Mail Security .... 27
Chapter 2
  Post-installation tasks .... 50
    About setting up impersonation privileges on the IWAM account .... 51
    Restarting the IIS .... 51
    Implementing SSL communications .... 51
    Accessing the Symantec Mail Security console .... 52
    About using Symantec Mail Security with other antivirus products .... 57
    Setting scanning threads and number of scan processes .... 58
  Migrating to version 5.0.3 .... 59
  Uninstalling Symantec Mail Security .... 60
Chapter 3 Activating licenses
  About licensing .... 63
  How to activate a license .... 64
    If you do not have a serial number .... 65
    Obtaining a license file .... 65
    About the Symantec Premium AntiSpam license file .... 67
    Installing license files .... 68
    Checking the license status of a server .... 69
  If you want to renew a license .... 69
Chapter 4
Chapter 5
  Release messages from the quarantine .... 90
    Releasing messages from the quarantine by email .... 90
    Releasing messages from the quarantine to a file .... 92
  Deleting an item from the quarantine .... 93
Chapter 6
Chapter 7 Identifying spam
  About spam detection .... 107
    How Symantec Mail Security detects and processes spam .... 109
    About spam confidence level (SCL) values .... 110
  Blocking spam using real-time blacklists .... 112
  Configuring whitelists .... 113
  How to detect spam using Symantec Premium AntiSpam .... 114
    How the Symantec Premium AntiSpam service works .... 115
    About spam foldering .... 117
    About registering Symantec Premium AntiSpam through an ISA server .... 117
    Configuring your proxy server to download spam definition updates .... 118
    About the Symantec Spam Folder Agent for Exchange .... 119
    About the Symantec Spam Plug-in for Outlook .... 124
    Configuring Symantec Premium AntiSpam to identify spam .... 130
    What you can do with spam and suspected spam messages .... 132
  Configuring heuristic antispam protection .... 141
Chapter 8
  Working with content filtering rules .... 157
    Specifying inbound SMTP domains .... 157
    Enabling or disabling content filtering for auto-protect scanning .... 158
    Creating a new rule .... 159
    Editing an existing rule .... 159
    About configuring a content filtering rule .... 160
    Prioritizing content filtering rules .... 168
    Deleting a content filtering rule .... 169
    Refreshing the Active Directory groups cache .... 169
  How to enforce email attachment policies .... 170
    Blocking attachments by file name .... 170
    Configuring multimedia file detection .... 172
    Configuring executable file detection .... 175
Chapter 9
Chapter 10 Managing outbreaks
  About outbreak management .... 189
    What defines an outbreak .... 190
    About outbreak triggers .... 191
  Enabling outbreak management .... 192
  Configuring outbreak triggers .... 193
  Configuring outbreak notifications .... 194
  Clearing outbreak notifications .... 195
Chapter 11
Chapter 12
Appendix A
Appendix B
  About uninstalling SESA .... 236
    About uninstalling the SIP .... 236
    About uninstalling the SESA Agent .... 237
Index
Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange
About Symantec Mail Security for Microsoft Exchange
What's new in Symantec Mail Security
Components of Symantec Mail Security
How Symantec Mail Security works
What you can do with Symantec Mail Security
Where to get more information about Symantec Mail Security
Threats (such as viruses, Trojan horses, worms, and denial-of-service attacks)
Security risks (such as adware and spyware)
What's new in Symantec Mail Security
Symantec Mail Security also lets you manage the protection of one or multiple Exchange servers from a single console. See What you can do with Symantec Mail Security on page 20. The Exchange environment is only one avenue by which a threat can penetrate a network. For complete protection, ensure that every computer and workstation is protected by an antivirus solution. See About using Symantec Mail Security with other antivirus products on page 57.
Symantec Mail Security is Microsoft cluster-aware. In a clustering environment, multiple nodes on the network operate like a single system to ensure high availability. Symantec Mail Security is installed as a cluster resource on an active/passive cluster. It is designed to interact with and detect the nodes that are within the cluster environment. See About installing Symantec Mail Security in a Microsoft Cluster on page 45.
Symantec Mail Security can automatically detect the Exchange servers that are within your organization using Active Directory.
User-based and group-based policies: You can select the users or groups to which a content filtering policy applies. You can configure the rule to apply to all Active Directory groups or to only the users or Active Directory groups that you select. You can also specify users or groups who are exceptions to the rule. See About configuring a content filtering rule on page 160.
File attachment content scanning: You can scan for content violations within file attachments. Symantec Mail Security supports over 300 file attachment types and common file types, such as Microsoft Office documents, Adobe Acrobat PDF files, text files, RTF files, and database files. See About configuring a content filtering rule on page 160.
Multimedia and executable file detection based on true file type: Symantec Mail Security can detect multimedia and executable files based on an analysis of their true file type instead of relying on their file extensions. See Configuring multimedia file detection on page 172. See Configuring executable file detection on page 175.
Summary and Detailed reports: You can generate a report that contains statistics about the scanning activities that occurred on one or more mail servers. You can configure Symantec Mail Security to send the report to the email addresses that you specify. See What you can do with reports on page 211.
Automatically save messages to a folder: You can save messages that are identified as spam or suspected spam, or messages that trigger content filtering violations, to a specified folder. This lets you use an archiving program to automatically archive messages in the folder. See Save messages to a folder for archiving on page 24.
Components of Symantec Mail Security
\SMSMSE\Install\ : This is the software that you install to protect your Exchange servers. It protects your servers from threats (such as viruses and denial-of-service attacks) and security risks (such as adware and spyware). It also detects spam email messages and unwanted content.
\ADMTOOLS\LUA\ : This is the utility that lets you configure one or more intranet FTP, HTTP, or LAN servers to act as internal LiveUpdate servers. LiveUpdate lets Symantec products download program and definition file updates directly from Symantec or from a LiveUpdate server. For more information, see the LiveUpdate Administrator's Guide on the Symantec Mail Security product CD in the following location: \DOCS\LUA\Luadmin.pdf
\ADMTOOLS\SPA\BSFA\ : This is the program that lets you install a spam foldering agent. The foldering agent works with the Symantec Premium AntiSpam service. It lets you automatically route spam and suspected spam messages to a spam folder in each user's inbox. The Symantec Spam Folder Agent is recommended for Exchange 2000 servers only.
\ADMTOOLS\SPA\BMOP\ : This is the software that lets you submit missed spam and false positives to Symantec. It also lets users administer allowed senders and blocked senders lists and block email messages based on language identification. The Outlook Plug-in is used with the Symantec Premium AntiSpam service. The Outlook Plug-in can be used on Exchange 2000 and Exchange 2003 servers.
\ADMTOOLS\SIPI\ : This is the software configuration package that you must install on each computer that runs a SESA Manager. The SIP extends SESA functionality to include Symantec Mail Security event data.
\DOCS\ar60enu.exe : This is the software that makes it possible to read electronic documentation in Portable Document Format (PDF).
\ADMTOOLS\DIS : Symantec Mail Security can forward infected messages and messages that contain violations from the local quarantine to the Central Quarantine, which acts as a central repository. For more information, see the Symantec Central Quarantine Administrator's Guide on the Symantec Mail Security product CD in the following location: \DOCS\DIS\CentQuar.pdf
How Symantec Mail Security works
Risks (such as viruses, worms, Trojan horses, adware, and spyware): See About protecting your server from risks on page 95.
Spam: See About spam detection on page 107.
Content filtering rule violations: See About filtering content on page 145.
See About the scanning process on page 178. When spam, a risk, or a content filtering rule violation is detected, Symantec Mail Security takes the actions that you specify in the respective policies. See Manage your Exchange environment using policies on page 21. Symantec Mail Security contains a decomposer that extracts container files so that they can be scanned for risks and content filtering violations. The decomposer continues to extract nested container files until it reaches the base file. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to the Unscannable File Rule. See Configuring rules to address unscannable container files on page 104.
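The decomposer behaviour described above, as an added example that is not part of this guide or Symantec's code: a ZIP-based container walker that extracts nested archives until it reaches base files and reports an item as unscannable once the nesting limit is hit. The limit value, the content filtering phrase and the nested sample attachment are constructed for the example.

```python
"""Added example: a minimal container decomposer with a nesting limit.

Containers (here, ZIP files) are extracted until a base file is reached;
if nesting exceeds a configured limit the item is reported as unscannable
instead of being extracted further.  Illustrative code only, not the
product's decomposer.
"""
import io
import zipfile

# Constructed content filtering rule: flag base files containing this phrase.
BLOCKED_PHRASE = b"confidential - internal only"

# Constructed nesting limit (in the product this is a configurable setting).
MAX_NESTING = 2


def is_container(data: bytes) -> bool:
    """True if the bytes start with the ZIP local-file-header magic."""
    return data[:4] == b"PK\x03\x04"


def decompose(data: bytes, name: str, depth: int = 0, limit: int = MAX_NESTING):
    """Walk a (possibly nested) archive and return a list of findings.

    Each finding is (path, status) with status one of
    'clean', 'violation' or 'unscannable'.
    """
    findings = []
    if not is_container(data):
        # Base file reached: apply the content rule to its bytes.
        status = "violation" if BLOCKED_PHRASE in data.lower() else "clean"
        findings.append((name, status))
        return findings

    if depth >= limit:
        # Nesting limit reached: stop extracting; the item is handed to the
        # unscannable file rule (logged and reported as unscannable here).
        findings.append((name, "unscannable"))
        return findings

    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            child = archive.read(member)
            findings.extend(decompose(child, f"{name}/{member}", depth + 1, limit))
    return findings


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member, content in entries.items():
            archive.writestr(member, content)
    return buf.getvalue()


def sample_message_attachment() -> bytes:
    """Constructed attachment: a ZIP nested three levels deep."""
    deep = build_zip({"payload.txt": b"never reached with the default limit"})
    inner = build_zip({"memo.txt": b"Confidential - internal only. Do not forward.",
                       "deep.zip": deep})
    return build_zip({"readme.txt": b"hello", "inner.zip": inner})


if __name__ == "__main__":
    for path, status in decompose(sample_message_attachment(), "attachment.zip"):
        print(f"{status:12} {path}")
```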
What you can do with Symantec Mail Security
Manage your Exchange environment using policies
Scan your Exchange server for risks and violations
Protect against threats
Keep your protection up-to-date
Identify spam email
Filter undesirable message content
Save messages to a folder for archiving
Manage outbreaks
Quarantine infected message bodies and attachments
Monitor Symantec Mail Security events
Generate reports
Send notifications when a threat or violation is detected
Manage single and multiple Exchange servers
Antivirus
Antispam: Allowed senders; recipients whose email messages are not scanned for spam; real-time blacklist domains. Also lets you enable and configure the heuristic antispam engine or the Symantec Premium AntiSpam service.
Content Enforcement: Contains rules for filtering inappropriate content in message bodies and attachments.
Manual scans
Scheduled scans
If your organization has both front-end and back-end Exchange servers, you might want to consider using Rapid Release definitions on the front-end servers for the fastest response to new threats and certified LiveUpdate definitions on the back-end mailbox servers. See About keeping your server protected on page 217. See About using Symantec Mail Security with other antivirus products on page 57. Note: To update definitions, you must have a valid content license. See About licensing on page 63.
You can enhance heuristic or premium antispam detection by specifying domains that are allowed to bypass antispam scanning or that are automatically blocked. You can also specify email addresses for which inbound email messages are permitted to bypass real-time blacklist blocking and antispam scanning. See Blocking spam using real-time blacklists on page 112. See Configuring whitelists on page 113.
If you specify an absolute path (with ':'; for example, C:\Program Files\Archive), Symantec Mail Security creates the folder, if one does not already exist. If you specify a relative path (without ':'; for example, Archive), Symantec Mail Security creates a subfolder underneath the SavedMessages folder in the server installation directory, if one does not already exist. The mail foldering option is only available for inbound and outbound SMTP traffic.
Manage outbreaks
An outbreak occurs when the number of threats to the Microsoft Exchange system that are detected over a period of time exceeds a specified limit. Symantec Mail Security lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications when an outbreak is detected. You can also select an action to take when an outbreak is detected, such as deleting the entire message, deleting the attachment or message body, quarantining the attachment or message body, or logging the event. You can set rules that define an outbreak based on an event, for example, the same threat occurring a specified number of times within a specified time period. You can also configure Symantec Mail Security to send notifications and alerts in the case of an outbreak. See About outbreak management on page 189.
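As an added illustration of the trigger described above (not code from this guide or from the product), a sliding-window check that fires when the same threat name is detected a threshold number of times within a time window, and re-arms once the rate drops. The threshold, the window and the detection log are constructed for the example.

```python
"""Added example: evaluating a 'same threat N times in T minutes' outbreak
trigger over a stream of detection events.  Illustrative only; the product's
own trigger logic, threshold and window are configured in its console.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class OutbreakDetector:
    """Per-threat sliding-window counter."""

    def __init__(self, threshold: int, window: timedelta):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)   # threat name -> timestamps inside window
        self._active = set()              # threats currently in outbreak state

    def record(self, when: datetime, threat: str):
        """Record one detection; return an alert string when an outbreak starts."""
        hits = self._seen[threat]
        hits.append(when)
        # Drop detections that have aged out of the window.
        while hits and when - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            if threat not in self._active:
                self._active.add(threat)
                return f"OUTBREAK {threat}: {len(hits)} detections within {self.window}"
        elif threat in self._active:
            # Rate fell below the trigger: clear so a later surge alerts again.
            self._active.discard(threat)
        return None


# Constructed detection log (timestamp, threat name), as a scanner might emit.
SAMPLE_DETECTIONS = [
    ("2006-05-01 09:00:05", "W32.Example.Worm"),
    ("2006-05-01 09:00:40", "Adware.Sample"),
    ("2006-05-01 09:01:10", "W32.Example.Worm"),
    ("2006-05-01 09:02:30", "W32.Example.Worm"),
    ("2006-05-01 09:03:00", "W32.Example.Worm"),   # 4th hit within 5 minutes
    ("2006-05-01 09:03:20", "W32.Example.Worm"),   # already in outbreak state
    ("2006-05-01 09:20:00", "Adware.Sample"),
    ("2006-05-01 09:21:00", "W32.Example.Worm"),   # earlier hits aged out
]


def evaluate(detections, threshold: int = 4, window_minutes: int = 5):
    """Run the detector over a detection log and return the alerts raised."""
    detector = OutbreakDetector(threshold, timedelta(minutes=window_minutes))
    alerts = []
    for stamp, threat in detections:
        alert = detector.record(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), threat)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in evaluate(SAMPLE_DETECTIONS):
        print(line)
```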
Generate reports
Symantec Mail Security collects and saves scan data on your Exchange servers. You can create reports from the data, which gives you a history of risk detection activity and rule violations. Report templates let you define a subset of the raw report data that is collected by Symantec Mail Security for a single server. Report templates can include different categories or combinations of security-related statistics. You can create different report templates to describe different subsets of the raw report data. Once you create a report template, you use it to generate reports. Symantec Mail Security provides two pre-configured report templates that you can modify. You can also create your own report templates. When you create or modify a report template, Symantec Mail Security provides a wizard to guide you through the configuration process.
The types of report templates that you can create are as follows:
Summary: See Creating or modifying a Summary report template on page 203.
Detailed: See Creating or modifying a Detailed report template on page 208.
Where to get more information about Symantec Mail Security
You can visit the Symantec Web site for more information about your product. The following online resources are available:
www.symantec.com/techsupp/ent/enterprise.html : Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions
www.symantec.com/licensing/els/help/en/help.html : Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration
www.enterprisesecurity.symantec.com : Provides product news and updates
www.securityresponse.symantec.com : Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats
Chapter 2 Installing Symantec Mail Security for Microsoft Exchange
Before you install
System requirements
About installing Symantec Mail Security
Post-installation tasks
Migrating to version 5.0.3
Uninstalling Symantec Mail Security
Before you install
If you are running Symantec Brightmail AntiSpam on the same server on which you want to install Symantec Mail Security, you must uninstall Symantec Brightmail AntiSpam before you install Symantec Mail Security. The email tools feature of Symantec AntiVirus Corporate Edition is not compatible with Microsoft Exchange or Symantec Mail Security for Microsoft Exchange. You must uninstall the feature before you install Symantec Mail Security. You must disable any antivirus software that is on the server in which you want to install Symantec Mail Security. After installation, you should reenable the antivirus protection. See About using Symantec Mail Security with other antivirus products on page 57. To install Symantec Mail Security components correctly, log on as a Windows domain administrator. See Software component locations on page 30. For optimal visibility, modify your screen resolution to 1024 x 768.
Software component locations

Report templates

Heuristic antispam configuration files, allowed senders files, and Symantec Premium AntiSpam configuration files

Location where Symantec Mail Security scans items
C:\Program Files\Symantec\SMSMSE\5.0\Server\Temp
Note: You should configure all antivirus products that scan files to exclude the Temp directory from scanning. The system scanners might try to scan and delete Symantec Mail Security files that are placed in the Temp directory during the scanning process.

The following components are installed under the Server directory, in the \bin, \Config, and \etc subdirectories:
- Dynamic-link libraries for Symantec Premium AntiSpam
- Manual scan configuration data
- Configuration files for allowed and blocked senders for Symantec Premium AntiSpam
- Component logs for Symantec Premium AntiSpam
- Statistical information on the effectiveness of Symantec Premium AntiSpam rules
C:\Program Files\Symantec\SMSMSE\5.0\Server\bin
C:\Program Files\Symantec\SMSMSE\5.0\Server\Config
C:\Program Files\Symantec\SMSMSE\5.0\Server\etc

Console files
C:\Program Files\Symantec\SMSMSE\5.0\UI

Virus definitions (VirusDefs)
C:\Program Files\Common Files\SymantecShared\VirusDefs

License files
C:\Program Files\Common Files\SymantecShared\Licenses

Verity content extraction component
C:\Program Files\Symantec\SMSMSE\5.0\Server\Verity\bin

Symantec Mail Security Web service components
C:\Program Files\Symantec\SMSMSE\5.0\Server\DExLService\bin

.NET Framework 1.1 service pack 1.1
C:\Windows\Microsoft.NET\Framework

SESA agent installation files

Symantec rulesets
System requirements
Ensure that you meet the appropriate system requirements for the type of installation that you are performing. See About installing Symantec Mail Security on page 34.
Server system requirements
Operating system: Windows 2000 Server/Advanced Server/Data Center SP4, or Windows Server 2003 Standard/Enterprise/Data Center SP1
Exchange platform: Exchange 2000 Server SP3/Enterprise Server, or Exchange Server 2003/Enterprise Server
Processor: Intel Server class 32-bit processor
Memory: 1 GB RAM
Disk space: 775 MB available disk space. This is the required available disk space for Symantec Mail Security and required third-party components. It does not include the space required for items such as quarantined messages and attachments, reports, and log data.
Other software:
- .NET Framework version 1.1 SP1 (automatically installed if not detected)
- MDAC 2.6 or higher (automatically installed if not detected)
- DirectX 8.01 or higher (DirectX 9 is automatically installed if DirectX 8.01 or higher is not detected)
See Installing Symantec Mail Security on a local server on page 35. See About installing Symantec Mail Security on remote servers on page 40. See About installing Symantec Mail Security in a Microsoft Cluster on page 45.
34 Installing Symantec Mail Security for Microsoft Exchange About installing Symantec Mail Security
If you install Symantec Mail Security on a Windows 2000 Server Domain Controller that does not allow impersonation, you might have difficulty changing settings in a group view or from a remote console. You should run Microsoft Exchange on a computer that is not a Domain Controller. If this is not feasible, set the computer to allow impersonation by configuring the Impersonate a client after authentication policy for the IWAM account. See About setting up impersonation privileges on the IWAM account on page 51.
Operating system: Windows 2000 Server SP4, Windows Server 2003 SP1, or Windows XP SP1
Processor: Intel Server class 32-bit processor
Memory: 512 MB RAM
Disk space: 162 MB available disk space. This does not include the space required for items such as quarantined messages and attachments, reports, and log data.
Other software: .NET Framework version 1.1 SP1 (automatically installed if not detected)
See Installing the Symantec Mail Security console only on page 43.
If you have multiple servers on which you want to install or upgrade Symantec Mail Security, after you install Symantec Mail Security to a local server, you can use the Asset Management tool in the console to install the product to remote servers. See About installing Symantec Mail Security on remote servers on page 40.
You can install the product console on a computer that is not running Symantec Mail Security. This lets you manage your servers from any computer that has access to your Exchange servers. See Installing the Symantec Mail Security console only on page 43.
Microsoft Clustering service installation: If you are installing Symantec Mail Security with the Microsoft Clustering service, follow the instructions for clustering service installation. See About installing Symantec Mail Security in a Microsoft Cluster on page 45.
Configure additional setup options and confirm settings: You can specify if you want to stop IIS during installation, specify the Web service set-up values, designate an email notification address, install the SESA agent, and review your setup configurations. See Installing the local SESA Agent on page 235.
Install licenses: You can install your licenses during installation. See About licensing on page 63. If you install a valid content license, Symantec Mail Security lets you perform a LiveUpdate to obtain the most current definitions. See About keeping your server protected on page 217.
To begin the installation process
1 Insert the Symantec Mail Security product CD in the CD-ROM drive. The installation program launches automatically. If it does not, you should run cdstart.exe from the product CD.
2 Click Install Symantec Mail Security for Microsoft Exchange.
3 In the InstallShield welcome panel, click Next.
4 Click Next until you reach the Software License Agreement panel.
5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next. You must accept the terms of the license agreement for the installation to continue.
6 In the Existing Settings panel, select one of the following, and then click Next:
- Restore default settings: Applies the default settings of the version that you are installing.
- Retain existing settings: Retains your existing settings.
This panel only appears if you are upgrading.
7 In the Destination Folder panel, do one of the following:
- To install the product in the default location, click Next. The default directory is as follows: C:\Program Files\Symantec\SMSMSE\5.0\Server
- To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.
Symantec Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam service, you cannot install the product to a directory that contains high ASCII characters.
8 In the Setup Type panel, click Complete, and then click Next.
9 In the Setup Preview panel, click Next. This panel only appears if Symantec Mail Security must install a third-party component (such as .NET Framework). See Server system requirements on page 33.
To configure additional setup options
1 In the IIS Reset Options panel, select whether to stop IIS during installation, and then click Next.
2 In the Web Service Setup panel, do one of the following:
- Click Next if you want to accept the default values.
- Modify the following settings, and then click Next:
IP/Name: By default, the computer name resolves to the primary external network interface card (NIC). You can also use an IP address. The IP address validates the availability of the port.
Port #: Port 8081 is the default port number for the Web service that is used by Symantec Mail Security. If port 8081 is being used by another application, a different default port number appears. If you change the port number, use a port number that is not used by another application. You should not use port 80. Port 80 is the port number that is used by the default Web service, which is hosted by Microsoft Internet Information Services (IIS).
3 In the Notification Email Address panel, do one of the following to specify the administrator to notify of violations and outbreaks:
- Click Next if you want to accept the default value.
- Modify the originator email address, and then click Next.
4 In the Symantec Enterprise Security Architecture panel, select one of the following:
- No: Select this option if you do not have a SESA server or do not want to install the SESA agent at this time.
- Yes: Select this option if you have a SESA server and want to install the SESA agent. In the IP Address of SESA Server box, type the SESA IP address.
See Integrating Symantec Mail Security with SESA on page 227.
5 Click Next.
6 In the Setup Summary panel, review the information, and then click Next. If you need to make any modifications, click Back to return to the appropriate panel.
7 In the Ready to Install the Program panel, click Install.
To install a license and update definitions
1 In the Install Content License File panel, do one of the following:
- To install a license file, do the following: Click Browse, locate the license file, and then click Open. Click Install, and in the confirmation dialog box, click OK. Repeat this process for each license that you have to install. Click Next.
- To skip license installation, click Skip, and then click Next. See About licensing on page 63.
This panel only appears if you installed a valid license.
3 Click Finish. The option Show the readme file is checked by default. The Readme file contains information that is not available in the product documentation.
4 Click Yes to restart your computer. This option only appears if Symantec Mail Security installed .NET Framework, MDAC, or DirectX during the installation process. You must restart your computer for the necessary changes to take effect.
- Customize installation settings, if needed. Remote servers are installed with default installation settings. If you want to customize the installation settings and apply them to a remote server, you can add the custom features to the vpremote.dat file. See Customizing remote server installation settings on page 40.
- Install Symantec Mail Security on remote servers. See Installing the product on a remote server on page 42.
Table 2-2 lists the remote customization options that you can modify.

Table 2-2 Remote customization options

EMAILADDRESS=
  Default value: N/A
  Optional value: (Email address of domain administrator)

EXISTINGSETTINGGROUP=
  Controls whether to retain a previous version's settings or apply the default settings of the new version
  Default value: Retain
  Optional value: Restore

IIS_RESET=
  Controls whether to stop and restart IIS
  Default value: Yes
  Optional value: No

INSTALL_SESA=
  Determines whether to install SESA
  Default value: No
  Optional value: Yes

INSTALLDIR=
  The default product installation directory
  Default value: [drive]:\Program Files\Symantec\SMSMSE\5.0\
  Optional value: (Any valid path)

PORTNUMBER=
  The port that is used by the product for Web services
  Default value: 8081
  Optional value: (Any valid port)

REMOTEINSTALL=
  Controls whether the console appears during installation
  Default value: 1 to hide consoles
  Optional value: Set to 1 if you are performing a silent installation

SESAIP=
  Optional value: (A valid SESA IP number)
Warning: The following entry should not be changed: setup.exe /s /v"/qn NOT_FROM_ARP=1". You can append to the entry. For example: setup.exe /s /v"/qn NOT_FROM_ARP=1 REMOTEINSTALL=1"
To customize remote server installation settings
1 Locate the folder that contains the Symantec Mail Security console files. The default location is as follows: \Program Files\Symantec\SMSMSE\5.0\UI\
2 Using WordPad or a similar tool, open the following file: vpremote.dat
3 Insert one or more properties by doing the following:
- Type a space after the previous or existing entry inside the quotation marks.
- Type the new property. The property portion of each entry is case sensitive.
- Type the value immediately after the = sign with no space. The values are not case sensitive.
For example, to specify a silent installation, append REMOTEINSTALL=1 inside the quotation marks, as shown in the warning above.
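The editing rules above are easy to get wrong by hand (a changed prefix, a lowercase property name, a stray space around the = sign), and a bad vpremote.dat silently breaks every remote install pushed from the console. The following Python module is an added example, not code from the Symantec guide or the product: it parses a vpremote.dat entry, refuses any change to the fixed setup.exe prefix, and appends properties while checking names and values against Table 2-2. The per-value validators (e-mail shape, drive path, port range, IPv4 address) are this example's own assumptions about what a sane value looks like, not checks the installer is documented to perform.

```python
"""Build and check vpremote.dat entries for remote Symantec Mail Security installs.

Added example, not code from the Symantec guide or product. It encodes the
rules the guide gives for vpremote.dat: the entry setup.exe /s /v"/qn
NOT_FROM_ARP=1" must not be changed, only appended to; new properties go inside
the quotation marks separated by a space; property names are case sensitive,
values are not; and there is no space around the = sign. Allowed names and
values follow Table 2-2. The value validators are this example's assumptions.
"""
import re

# Fixed entry from the guide: never altered, only appended to.
FIXED_PREFIX = 'setup.exe /s /v"/qn NOT_FROM_ARP=1'

_IPV4_RE = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# [drive]:\ followed by a path. Values are single tokens in this entry format,
# so no whitespace; Symantec Premium AntiSpam also needs a non-high-ASCII path.
_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*\s]*$')


def _one_of(*choices):
    """Value check for fixed-choice properties; values are not case sensitive."""
    allowed = {c.lower() for c in choices}
    return lambda v: v.lower() in allowed


def _valid_port(v):
    # The guide says not to use port 80 (the IIS default Web site). Whether the
    # port is free on the target server cannot be checked offline.
    return v.isdigit() and 1 <= int(v) <= 65535 and int(v) != 80


# Table 2-2 properties, keyed by their case-sensitive names.
ALLOWED = {
    "EMAILADDRESS": lambda v: _EMAIL_RE.match(v) is not None,
    "EXISTINGSETTINGGROUP": _one_of("Retain", "Restore"),
    "IIS_RESET": _one_of("Yes", "No"),
    "INSTALL_SESA": _one_of("Yes", "No"),
    "INSTALLDIR": lambda v: _PATH_RE.match(v) is not None and v.isascii(),
    "PORTNUMBER": _valid_port,
    "REMOTEINSTALL": _one_of("1"),
    "SESAIP": lambda v: _IPV4_RE.match(v) is not None,
}


def parse_entry(entry):
    """Return the appended properties of a vpremote.dat entry as a dict.

    Raises ValueError if the fixed prefix was altered, the closing quotation
    mark is missing, the space separator is missing, or a property is not
    written as NAME=value.
    """
    if not entry.startswith(FIXED_PREFIX):
        raise ValueError("the fixed setup.exe entry was changed")
    if not entry.endswith('"'):
        raise ValueError("entry must end with the closing quotation mark")
    tail = entry[len(FIXED_PREFIX):-1]
    if tail and not tail.startswith(" "):
        raise ValueError("a space must separate the new property from the entry")
    props = {}
    for token in tail.split():
        name, sep, value = token.partition("=")
        if not sep or not name or not value:
            raise ValueError(f"malformed property {token!r}")
        props[name] = value
    return props


def add_properties(entry, new_props):
    """Append new_props (a dict) to entry, enforcing Table 2-2 names and values."""
    props = parse_entry(entry)
    for name, value in new_props.items():
        value = str(value)
        if name not in ALLOWED:  # 'portnumber' is rejected: names are case sensitive
            raise ValueError(f"unknown property {name!r}")
        if " " in value or "\t" in value or '"' in value:
            raise ValueError(f"value for {name} must be a single unquoted token")
        if not ALLOWED[name](value):
            raise ValueError(f"invalid value {value!r} for {name}")
        props[name] = value
    body = " ".join(f"{k}={v}" for k, v in props.items())
    return f'{FIXED_PREFIX} {body}"' if body else FIXED_PREFIX + '"'


def rejects(entry, new_props):
    """True if add_properties refuses the change (shows the failure modes)."""
    try:
        add_properties(entry, new_props)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = FIXED_PREFIX + '"'
    silent = add_properties(base, {"REMOTEINSTALL": "1"})
    print(silent)  # the silent-install entry the guide shows
    print(add_properties(silent, {"PORTNUMBER": 8082, "IIS_RESET": "no"}))
```

The value of the helper is in what it refuses: a lowercase property name is not the same property, a path with a space cannot be written as a bare token in this format, and any edit to the NOT_FROM_ARP=1 portion is reported rather than carried into the file.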
To install the product on a remote server
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Install/Upgrade server(s).
3 In the Select Server(s) window, in the Servers and server groups list, highlight one or more servers and click the >> command icon.
4 Under Server options, do the following:
- Check Keep installation files on server(s) to maintain the installation files on the server.
- Check Send group settings to apply group settings. If unchecked, existing server settings are retained. Future changes that are made to the server group are applied to the server.
5 Click OK, and then click Close.
To install the Symantec Mail Security console only
1 Insert the Symantec Mail Security product CD in the CD-ROM drive. The installation program launches automatically. If it does not, you should run cdstart.exe from the Symantec Mail Security product CD.
2 Click Install Multiserver Console. If the installation program detects that you have Windows XP or that there is no version of the Exchange server installed, the installation program defaults to console-only installation options.
3 Click Next until you reach the Software License Agreement panel.
4 In the License Agreement panel, check I accept the Terms in the license agreement, and then click Next.
5 In the Destination Folder panel, do one of the following:
- To install the product in the default location, click Next. The default destination directory is as follows: C:\Program Files\Symantec\SMSMSE\5.0\Server
- To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.
Symantec Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam service, you cannot install the product to a directory that contains high ASCII characters.
6 Click Next until you reach the Ready to Install the Program panel.
7 In the Ready to Install the Program panel, click Install. The installation may take several minutes.
8 Click Finish.
9 Click Yes to restart your computer. This option only appears if Symantec Mail Security installed .NET Framework during the installation process. You must restart your computer for the necessary changes to take effect.
- Ensure that your environment meets the pre-installation requirements. See Considerations before you install on a Microsoft Exchange cluster on page 46.
- Install Symantec Mail Security using the procedures for your cluster configuration. See About installing Symantec Mail Security on a cluster with one or more passive nodes on page 47. See About installing Symantec Mail Security on a Veritas cluster server on page 50.
- Configure the cluster resource if you are using an active/passive configuration only. See Configuring the cluster resource on page 48.
- There must be an available passive node to fail to. Multiple failovers are supported only if multiple passive nodes are available.
- Symantec Mail Security must be installed with the same configuration and in the same locations on all nodes of the cluster.
During installation, Symantec Mail Security checks for the presence of a cluster environment. If the installation is running in a cluster environment, you are prompted to register a cluster resource DLL (SMSMSEClusterResource.dll). This DLL must be registered on only one of the cluster nodes. Symantec Mail Security runs on all the nodes (even passive) immediately after installation. After the first instance of the cluster resource is configured, the service runs on only the active node or nodes.
Active/active: Before you install Symantec Mail Security on an active/active Exchange 2000 or 2003 cluster, ensure that the following requirements are met:
- The cluster is a group of identical servers containing two nodes. An active/active cluster can contain only two nodes.
- At least two Exchange Virtual Servers exist and are capable of running on either node in the cluster.
About installing Symantec Mail Security on a cluster with one or more passive nodes
You can install Symantec Mail Security on Exchange servers that are running Microsoft Clustering Service with one or more passive nodes. Symantec Mail Security settings are stored in the registry and local hard drive of each individual server. Each time settings are changed, the settings are duplicated on the hard drive of the shared storage that is used as a dependency for the Symantec Mail Security resource. Any time the active node goes down and control transfers to the passive node, the passive node checks for settings on the shared hard disk storage. The settings are then downloaded to the passive node (which is now active) and applied. Symantec Mail Security is Microsoft cluster aware and does not require any specific settings prior to installing the product on a cluster with one or more passive nodes. Symantec Mail Security requires its own cluster resource. You must use IP addresses or names of the Exchange Virtual Server nodes instead of the actual server IP addresses or names for managing Symantec Mail Security through the console. When the EVS group and Symantec Mail Security cluster resource move from one node to another, the following items are not transferred:
- Quarantine contents
- Virus definitions and spam rules
- Report database and generated reports
- Spam statistics
- Mailbox and public folder lists
In a cluster environment, you should manage Symantec Mail Security with a console that is installed on a computer that is not a part of the cluster rather than from one of the cluster nodes. This lets you maintain independent Symantec Mail Security settings for each Exchange Virtual Server. See Configuring the cluster resource on page 48. See Post-installation tasks on page 50.
- Handling cluster events
- Saving Symantec Mail Security settings for each Exchange Virtual Server to shared storage
- Retrieving settings from shared storage and making them active on a given cluster node
- Managing the Symantec Mail Security service
To configure the cluster resource
1 On the Windows taskbar, click Start > Programs > Administrative Tools > Cluster Administrator.
2 Select an EVS group and launch the New Resource Wizard.
3 Name the resource. You must assign a unique name to each resource.
4 Select Symantec Mail Security for Microsoft Exchange as the resource type, and then click Next.
5 Choose the nodes for which the resource is being created, and then click Next. The nodes should be the same as those on which EVS can operate.
6 Choose the dependencies for this resource. The required dependencies are as follows:
- Physical Disk Resource (disk on which the settings are saved)
- EVS Network Name resource
See Configuring the cluster resource on page 48. See Post-installation tasks on page 50.
Symantec Mail Security should be installed to all nodes of a cluster. The name of the server is usually used when installing to a cluster, but you can use an IP address to specify the computer. If you are using IP addresses, use the IP address of the computer and not the IP address of the cluster or virtual server. You should use the Symantec Mail Security console to schedule definition updates and scans for each server in the cluster.
For more information, see An Introduction to Symantec Mail Security and Availability for Microsoft Exchange. To view this document, on the Internet, go to the following URL: http://enterprisesecurity.symantec.com/content.cfm?articleid=6302&rnav=0
Post-installation tasks
After you install Symantec Mail Security, you can perform the following post-installation tasks:
- If you are using Windows 2000, set up the appropriate impersonation privileges on the IWAM account. See About setting up impersonation privileges on the IWAM account on page 51.
- Restart Internet Information Service (IIS). See Restarting the IIS on page 51.
- Implement SSL communications. See Implementing SSL communications on page 51.
- Install the license file if it was not installed during setup. See About licensing on page 63.
- Update definitions if a LiveUpdate was not performed during setup. See About keeping your server protected on page 217.
- Access the Symantec Mail Security console. See Accessing the Symantec Mail Security console on page 52.
- Configure other antivirus products that are on the same computer as Symantec Mail Security. See About using Symantec Mail Security with other antivirus products on page 57.
- Configure the number of scanning threads and scan processes, if necessary. See Setting scanning threads and number of scan processes on page 58.
To restart IIS, do one of the following:
- Restart your server.
- In the Windows Services window, right-click IIS Admin Service and select Restart.
To implement SSL communications
1 On the computer on which Symantec Mail Security is installed, on the Windows menu, click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2 In the server list, expand the folder for the server that is hosting Symantec Mail Security.
3 On the Web Sites folder, right-click Symantec Mail Security for Exchange, and then click Properties.
4 On the Directory Security tab, under Secure communications, click Server Certificate.
5 Follow the instructions in the Web Server Certificate wizard to install the certificate.
6 On the Directory Security tab, under Secure communications, click Edit.
7 In the Secure Communications dialog box, check Require secure channel (SSL), and then click OK.
8 On the Web Service tab, under Web Service Identification, in the IP Address text box, type the IP address of the Symantec Mail Security server.
9 In the SSL Port text box, type the port to use for SSL communications. The default port for SSL communications is 636.
On the Windows menu, click Start > Programs > Symantec Mail Security for Microsoft Exchange > Server Management Console.
Figure 2-2 shows additional console elements.
Figure 2-2 Additional console elements: content area, list pane, sidebar, preview pane, resizing bars, and monitors
- Name: Provides the names of the servers.
- SMSMSE Service State: Indicates whether the services are started or stopped. If the services have been started, indicates when and for how long.
- Exchange State: Indicates whether the Exchange stores are enabled or disabled.
- Auto-Protect State: Indicates whether auto-protect scanning is enabled or disabled.
- Virus Definitions Date: Indicates the date of the definitions that are being used to scan messages.
- SPA license status: Indicates whether the Symantec Premium AntiSpam service is valid.
If you are in a server view, the Status pane provides the following information about the selected server:
- Server name: Provides the name of the server.
- SMSMSE service state: Indicates whether the service is started or stopped. If the service has been started, indicates when and for how long.
- Exchange store state: Indicates whether the Exchange store is enabled or disabled.
- Auto-Protect state: Indicates whether auto-protect scanning is enabled or disabled.
- Virus definitions date: Indicates the date of the definitions that are being used to scan messages.
- SPA license status: Indicates whether the Symantec Premium AntiSpam service is valid.
Top Ten Threats/Security Risks: This list shows the ten threats and security risks that were detected. The list also provides the number of incidents for each threat or security risk.
Top Ten Spam Domains: This list shows the top ten domains from which spam was most frequently received. It also provides the total number of messages from the domain, the number of messages that were classified as spam, and the percentage of spam messages that were received from the domain.
Total Violations: This pie chart illustrates the percentages of the violations in the time specified in Report Settings. If Store no data is selected, the chart is blank. Violations are shown in the following categories: threats and risks, spam, and content violations. The categories are color coded as follows:
- Gold: Threats (such as viruses, Trojan horses, and worms) and security risks (such as spyware and adware)
- Orange: Spam
- Blue: Content filtering violations
- Files scanned via VSAPI: Total number of files scanned through Microsoft Virus Scanning API (VSAPI)
- Files scanned via SMTP: Total number of files scanned through Simple Mail Transfer Protocol (SMTP)
- Messages scanned via SMTP: Total number of messages scanned through SMTP
- Virus infections: Total number of virus infections detected
- Content enforcement violations: Total number of content enforcement violations that were detected
- Spam: Number of spam messages that were detected since last reset
- Suspected spam: Number of suspected spam messages detected since last reset
- Suspected spam and SCL: Number of suspected spam messages with Spam Confidence Level (SCL) that were detected since last reset
- Not spam: Number of messages scanned since last reset that are not spam
The Knowledge Base article also provides instructions for how you can configure Symantec AntiVirus Corporate Edition (or any other antivirus program that is running on the same computer as Symantec Mail Security) to exclude certain folders from scanning. If another antivirus program scans the Exchange directory structure or the Symantec Mail Security processing folder, it can cause false-positive threat detection, unexpected behavior on the Exchange Server, or damage to the Exchange databases.
Installing Symantec Mail Security for Microsoft Exchange Migrating to version 5.0.3
In the Number of scan processes box, type the number of scan processes. The default is configured during installation using the formula 2 times the number of processors plus 1. On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Exception subpolicy
60 Installing Symantec Mail Security for Microsoft Exchange Uninstalling Symantec Mail Security
Certificate, license files, and registry keys: Migrate as is
Quarantine files: Migrate as is
Quarantine settings: Migrate as is
Spam settings: Migrate as is
Clear outbreak settings: Migrate as is
Alerting/Notification settings: All settings migrate except the AMS and Messenger settings
LiveUpdate/Rapid Release settings: All settings migrate
Match lists: Migrate as is
Spam XML file: Migrates as is
To uninstall Symantec Mail Security
1 On the server on which Symantec Mail Security is installed, on the Windows menu, click Start > Control Panel.
2 In the Windows Control Panel, click Add or Remove Programs.
3 Click Symantec Mail Security 5.0 for Exchange, and then click Remove.
4 In the confirmation dialog box, click Yes.
5 In the Information dialog box, click OK to confirm that you have stopped IIS.
6 When the uninstallation is complete, click OK.
Chapter
Activating licenses
This chapter includes the following topics:
About licensing
Key features for Symantec Mail Security, which include definition updates and Symantec Premium AntiSpam, are activated by a license. When a license expires or no license is installed, limited functionality is available. To regain product functionality when your license expires, you must renew and reactivate your license subscription. Table 3-1 describes the licenses that are required.

Table 3-1 Licenses

Content license: Definition updates and updates to Symantec Premium AntiSpam are limited to the period of time that is specified by the license. The start and end dates of the license period depend on the terms of your license agreement. See If you want to renew a license on page 69.

You must install one license file on each server that is running Symantec Mail Security or on each member of an Exchange cluster. You cannot replicate license files.
Note: If you are upgrading from versions 4.x, existing licenses are automatically recognized and do not need to be reinstalled.
The license file that Symantec sends to you is contained within a .zip file. The .slf file that is contained within the .zip file is the actual license file. Ensure that your inbound email environment permits .zip email message attachments.
Warning: License files are digitally signed. If you try to edit a license file, you will corrupt the file and render it invalid.
To obtain a license file
1 In a Web browser, type the following address: https://licensing.symantec.com Your Web browser must use 128-bit encryption to view the site. If a Security Alert dialog box appears, click OK.
2 In the Serial Number box, type the 11-digit serial number that is provided on the license certificate, and then click Next. If you are registering multiple types of licenses, type one of the serial numbers.
3 If you have an additional license that you want to register, in the Number 2 box, type the serial number.
4 Click Enter another serial number to add additional serial numbers, and in the serial number box, type the serial number.
5 Repeat this step until you have added the serial numbers for all of the licenses that you want to register.
6 Click Next.
7 In the Email Address box, type the email address where you want Symantec to send the license file.
8 In the Confirm Email Address box, type the email address again, and then click Next.
9 Provide your contact information in the boxes available, and then click Next. First name, last name, work phone, and email address fields must be completed to continue the registration process.
10 Confirm that the license registration information is accurate, and then click Complete this registration. Symantec sends you an email message that contains the license file in an attachment. If the email message does not arrive within two hours, an error might have occurred, such as an invalid email address entry. Try again to obtain the license file through the Symantec Web site. If the problem continues, contact Symantec Technical Support. See Where to get more information about Symantec Mail Security on page 27.
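Because the license arrives as a .zip attachment and the signed .slf inside must reach the server byte-for-byte, the unpacking step deserves the same care as any other archive handled on a mail server. The following Python module is an added example, not code from the Symantec guide or the product: it takes the archive bytes, insists on exactly one .slf member with a name that cannot escape the destination folder, and writes that member in binary mode so no newline or encoding translation can corrupt the signature. The size limit and the constructed sample archive are this example's own assumptions.

```python
"""Pull the .slf license file out of the .zip Symantec e-mails, without altering it.

Added example, not code from the Symantec guide or product. The guide states
that the .zip contains a digitally signed .slf file and that editing the file
invalidates it, so this extractor copies the member byte-for-byte (binary mode,
no newline translation) and refuses archives that do not look like a single
license delivery: more than one file, a member that is not an .slf, a name
that would escape the destination folder, or an oversized member.
"""
import io
import os
import tempfile
import zipfile

MAX_LICENSE_BYTES = 1024 * 1024  # assumption: a license file is far smaller than 1 MiB


def find_license_member(zf):
    """Return (ZipInfo, safe basename) for the single .slf in the archive."""
    files = [i for i in zf.infolist() if not i.is_dir()]
    if len(files) != 1:
        raise ValueError("expected exactly one file in the license .zip")
    info = files[0]
    parts = info.filename.replace("\\", "/").split("/")
    # Zip-slip guard: no absolute paths, drive letters or parent references.
    if parts[0] == "" or ".." in parts or ":" in info.filename:
        raise ValueError(f"unsafe member name {info.filename!r}")
    basename = parts[-1]
    if not basename.lower().endswith(".slf"):
        raise ValueError(f"{basename!r} is not an .slf license file")
    if info.file_size > MAX_LICENSE_BYTES:
        raise ValueError("license member is unexpectedly large")
    return info, basename


def extract_license(zip_bytes, dest_dir):
    """Write the .slf from zip_bytes into dest_dir unchanged and return its path."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info, basename = find_license_member(zf)
        data = zf.read(info)  # the exact bytes the signature covers
        if len(data) != info.file_size:
            raise ValueError("member size does not match the archive header")
        out = os.path.join(dest_dir, basename)
        with open(out, "wb") as fh:  # binary mode: no newline translation
            fh.write(data)
    return out


def make_sample_zip(members):
    """Constructed sample archive ({name: bytes}) standing in for the e-mailed .zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def roundtrip(members):
    """Extract a constructed archive into a temp dir and return the written bytes."""
    with tempfile.TemporaryDirectory() as d:
        path = extract_license(make_sample_zip(members), d)
        with open(path, "rb") as fh:
            return fh.read()


def rejects(members):
    """True if extract_license refuses the constructed archive."""
    try:
        roundtrip(members)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A constructed license payload; real .slf contents are opaque to this example.
    print(roundtrip({"SMSMSE_license.slf": b"constructed-signed-license\r\n"}))
```

Run it against the real attachment by reading the .zip into bytes and calling extract_license with the directory you intend to Browse to in the console; the written file is the one to install, untouched.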
3 In Step 3, under Enter path to the license file, do one of the following:
- Type the fully qualified path to the license file. If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.
- Click Browse, select the license file, and then click Open. If the license file does not reside on the same computer, you can locate the file using My Network Places.
4 Click Install.
5 Repeat steps 3 and 4 for each license that you have to install.
To install license files to a remote server or server group
1 In the console on the toolbar, click Change.
2 In the Select Asset window, select Global Group or a specific server or server group from the menu.
3 Click Select.
4 On the primary navigation bar, click Admin.
5 In the sidebar under Views, click Licensing.
6 In Step 3, under Enter path to the license file, do one of the following:
- Type the fully qualified path to the license file. If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.
- Click Browse, select the license file, and then click Open. If the license file does not reside on the same computer, you can locate the file using My Network Places.
7 Click Install. If a server within a server group is already licensed, the license file is reapplied. The license file with the latest expiration date is applied.
8 Repeat steps 6 and 7 for each license that you have to install.
The process for license renewal depends on how you purchased your software, as follows:
If you purchased Symantec Mail Security through the Symantec Value or Elite Enterprise Licensing programs: To determine whether your Maintenance Agreement has been renewed and if new licenses are available, contact your administrator, reseller, or Symantec account manager. After your Maintenance Agreement is renewed, you receive new serial numbers that you can register to obtain your new license files. For more information about license renewal, on the Internet, go to the following URL: www.symantecstore.com/renew
Chapter
Managing your Exchange servers
This chapter includes the following topics:
About managing your Exchange servers
Deploying settings to a server or group
How to manage servers and server groups
You can configure settings for each server individually. To configure and manage multiple servers, you can use the following groups:
Global Group: All of the servers that you manage through the Symantec Mail Security console are part of the Global server group. This group includes servers that are added to user-defined groups as well as servers that are added to multi-server management control but are not assigned to a specific server group. When you configure and apply Global Group settings, the changes are propagated to all servers in all groups. Changes that are made at the Global Group level overwrite all individual server and user-defined server group settings.
User-defined server groups: A user-defined server group is a grouping of servers that have common roles and, therefore, require similar configurations. Configuring settings for a group simplifies server management. For example, a server group might be all of the mail servers that are used by a department (for example, marketing) or the physical location of a group of mail servers (for example, third floor servers in Building A). A managed server can only belong to one user-defined group. All servers belong to the Global Group. See Moving a server to another group on page 78.
See Viewing the status of a server on page 75.
Settings for an individual server are stored by the server. Symantec Mail Security saves the settings for groups in the following default file location:
\Documents and Settings\All Users\Application Data\Symantec\SMSMSE\5.0
When you delete a group, the associated files are automatically deleted.
You can manage change deployment using the following toolbar icons:
Deploy changes: Lets you deploy your changes. If you are in the server view, deploys your changes to the server. If you are in the group view, deploys your changes to each server in the group.
Discard changes: Lets you cancel pending changes. When you cancel pending changes, settings are returned to their configuration as of the last time changes were successfully deployed.
Deploy all settings: If changes are pending, lets you apply pending changes to the group settings, and then pushes out the group settings to all of the servers in the group. If no changes are pending, pushes out the group settings to all of the servers in the group. This option is only available in group view.
Note: Any configuration settings that were made to an individual server within the group are overwritten.
After you deploy your changes, the Operation Status window indicates which changes were successfully applied.
To deploy pending changes to a server or group
1 In the console on the toolbar, click Deploy changes.
2 In the Pending changes window, click Deploy changes.
3 In the Operation Status window, click Close when the operation is complete.
To apply pending changes (if any) and deploy group settings to each server in the group
1 In the console on the toolbar, click Deploy all settings. The Deploy all settings icon is only enabled in group view.
2 In the confirmation dialog box, click OK.
3 In the Operation Status window, click Close when the operation is complete.
To cancel pending changes
1 In the console on the toolbar, click Discard changes.
2 In the confirmation dialog box, click OK.
Modifying or viewing server or server group settings
Viewing the status of a server
Creating a server group
Adding servers to a group
Moving a server to another group
Synchronizing group settings to a server
Restoring default settings to a server or group
Removing a server from group management
Removing a server group
Importing and exporting settings
Modifying the port and communication properties of a server
Latest update for installed version
Sunset date for installed version
Currently available version
Virus definition date: The date of the definition files that are on the server
Virus definition revision: The revision number of the definition files on the server
Virus definitions count
Latest virus definitions update attempt
Exchange store state: Whether the Exchange store is started or stopped
SMSMSE service state: Whether the Symantec Mail Security service is started or stopped
Symantec Premium AntiSpam
Virus definition license status
Symantec Premium AntiSpam license status
Auto-Protect state: Whether Auto-Protect scanning is started or stopped
Number of items in quarantine: The number of items in the local quarantine
To view the status of a server
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Server Status.
3 In the Server Status list pane, select the server whose status you want to view. If you are in a server view, the server is already selected.
Press F5 to refresh the list. Refreshing the list might take several minutes for a large group.
To create a server group
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the sidebar under Tasks, click Add group.
3 In the Add New Management Group window, type a name for the server group, and then click OK.
4 Click Close.
Do one of the following:
In the Available servers list, select one or more servers, and then click the >> command icon.
In the Server name or IP box, type the server name or IP address of the server that you want to add, and then click the >> command icon.
Under Server options, in the TCP port number box, type the TCP port number for the server or group of servers that you want to add. The default port number is 8081. The port number must be the same for all servers that you want to add. The port number and SSL setting must be identical for the console to communicate with the server. See Modifying the port and communication properties of a server on page 83.
Check Send group settings to apply group settings to the newly added server. If unchecked, existing server settings are retained. Future changes that are made to the server group are applied to the server.
Check Install SMSMSE to install Symantec Mail Security on the newly added server.
Check Keep installation files on server(s) to maintain the installation files on the server.
Click OK, and then click Close.
To drag a server to another group
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.
3 Select the server that you want to move and drag it into the new server group.
4 In the confirmation dialog box, click OK.
5 Click Close.
To move a server to another group using the Move Server window
1 In the console on the menu bar, click Tasks > Manage Assets.
2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.
3 Do one of the following:
Select the server that you want to move, and then under Tasks, click Move server.
Right-click the server that you want to move, and then click Move server.
4 Do one of the following:
Select the server group to which you want to add the server.
In the Select a group or add a new group box, type the name of a new server group.
5 Click Send group settings to server to apply the settings of the targeted server group to the server.
6 Click OK, and then click Close.
To import settings
1 In the console on the menu bar, click File > Import.
2 In the confirmation dialog box, click OK.
3 In the Select the file to save exported settings window, locate the file that you want to import.
4 Click Open.
5 In the console on the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Chapter
Quarantining messages and attachments
This chapter includes the following topics:
About the quarantine
Forwarding quarantined items to the Quarantine Server
Establishing local quarantine thresholds
Viewing the contents of the local quarantine
Releasing messages from the quarantine
Deleting an item from the quarantine
Forwarding quarantined items to the Quarantine Server
You can forward infected files that are in the local quarantine to the Quarantine Server, if one has been set up on your network. When you send quarantined files to the Quarantine Server, the files are forwarded to Symantec for analysis in real-time using HTTPS communications. Symantec automatically distributes updated definitions to the Quarantine Server when they are available.
The Quarantine Server is a component of Symantec AntiVirus Central Quarantine. Symantec Mail Security supports version 3.3 or later of the Symantec AntiVirus Central Quarantine Server. Version 3.3 is provided on the Symantec Mail Security CD in the following location and must be installed separately:
\ADMTOOLS\DIS
For more information about the Symantec AntiVirus Central Quarantine, see the Symantec Central Quarantine Administrator's Guide, which is located on the product CD in the following location:
\DOCS\DIS\CentQuar.pdf
Note: Files that contain non-viral threats, are unscannable, or violate content filtering rules are not forwarded to the Quarantine Server.
7 In the Network Protocol list, click the drop-down menu and select the appropriate network protocol.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
The maximum file size (in megabytes or gigabytes) of the quarantine
The maximum number of days to retain a message or attachment in the quarantine
You can also specify the actions that you want Symantec Mail Security to take when a threshold is met.
To establish local quarantine thresholds
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine Settings.
3 In the content area, under Quarantine Thresholds, check Maximum number of items to limit the number of quarantined items, and then type the maximum number of messages or attachments to retain in the quarantine. This item is checked by default. The default value is 1000.
4 To limit the maximum size of the quarantine, do the following:
Check Maximum size of quarantine. This item is checked by default.
Type the maximum size of the quarantine. The default value is 500.
Click the drop-down menu and select MB or GB. The default value is MB.
5 Check Retain items in quarantine to limit how long an item is quarantined, and then type the number of days. The default value is 90.
To specify an action to take when a quarantine threshold is met
1 Under When a threshold is met, check Notify Administrator to send notification messages to an administrator list. See Configuring notification settings for scan violations on page 188.
2 Check Notify others to send notification messages to additional people. In the Notify others box, type the email addresses of the people to whom you want notifications sent. Separate email addresses with commas.
3 Check Delete oldest items to remove items that meet a threshold. This option is not enabled by default. If Delete oldest items is not checked and a quarantine size threshold is reached, the event is logged. Symantec Mail Security sends a notification to the recipients that are specified on the Quarantine Settings page.
4 Under Administrator Notification, in the Subject Line box, type your subject line text.
5 In the Message Body box, type the administrator notification message body. You can use variables in the message body. See About alert and notification variables on page 225.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
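The threshold and action settings above describe a policy; the following is an added example (not code from Symantec Mail Security) that models how that policy plays out against a set of quarantined items, so you can see what Delete oldest items, the count and size thresholds, and the retention period do in combination before you deploy them. The item records, timestamps and sizes are constructed for the example. Two points are assumptions of this example rather than statements from the page: a threshold counts as met when the count or total size is strictly greater than the configured value, and items older than the retention period are removed whether or not Delete oldest items is checked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MB = 1024 * 1024


@dataclass
class QuarantineItem:
    item_id: str
    quarantined_at: datetime
    size_bytes: int


@dataclass
class QuarantineSettings:
    """Mirrors the Quarantine Settings page; None means the threshold is unchecked."""
    max_items: Optional[int] = 1000           # page default
    max_size_bytes: Optional[int] = 500 * MB  # page default: 500 MB
    retain_days: Optional[int] = 90           # page default
    delete_oldest: bool = False               # not enabled by default, as on the page
    notify_admin: bool = True
    notify_others: str = ""                   # comma-separated, as typed in the Notify others box


def parse_notify_others(text: str) -> List[str]:
    """Split the comma-separated Notify others field into individual addresses."""
    return [addr.strip() for addr in text.split(",") if addr.strip()]


def breached_thresholds(items: List[QuarantineItem], s: QuarantineSettings) -> List[str]:
    """Names of the count/size thresholds currently met (assumption: strictly greater than)."""
    hit = []
    if s.max_items is not None and len(items) > s.max_items:
        hit.append("maximum number of items")
    if s.max_size_bytes is not None and sum(i.size_bytes for i in items) > s.max_size_bytes:
        hit.append("maximum size of quarantine")
    return hit


def enforce_thresholds(items: List[QuarantineItem], s: QuarantineSettings,
                       now: datetime) -> Tuple[List[QuarantineItem], List[str], List[str]]:
    """Apply retention and threshold handling once.
    Returns (surviving items oldest-first, removed item IDs, event log lines)."""
    remaining = sorted(items, key=lambda i: i.quarantined_at)  # oldest first
    removed: List[str] = []
    events: List[str] = []
    recipients = (["administrator list"] if s.notify_admin else []) + parse_notify_others(s.notify_others)

    # Retention (assumption of this example: applies regardless of Delete oldest items).
    if s.retain_days is not None:
        cutoff = now - timedelta(days=s.retain_days)
        for item in [i for i in remaining if i.quarantined_at < cutoff]:
            remaining.remove(item)
            removed.append(item.item_id)
            events.append(f"expired {item.item_id}: older than {s.retain_days} days")

    hit = breached_thresholds(remaining, s)
    if hit:
        events.append(f"threshold met ({', '.join(hit)}); notification sent to {recipients}")
        if s.delete_oldest:
            # Remove the oldest items until no threshold is met any more.
            while breached_thresholds(remaining, s):
                oldest = remaining.pop(0)
                removed.append(oldest.item_id)
                events.append(f"deleted oldest item {oldest.item_id}")
        else:
            events.append("Delete oldest items is unchecked: event logged, nothing removed")
    return remaining, removed, events
```

With Delete oldest items unchecked, a full quarantine only produces a log event and a notification; new detections keep arriving, so the count or size keeps growing until an administrator intervenes. Running the model with both settings on the same sample shows the difference before you commit to either.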
Table 5-1 lists the information that is found in the Quarantine list pane. Items in Table 5-1 include the following:
Time encrypted
Sent to QServer
When you select an item in the Quarantine, details about the message (and attachments, if any) appear in the preview pane. Table 5-2 lists the detailed information that is shown in the preview pane. Items in Table 5-2 include the following:
Time encrypted
Attachment Name
The preview pane also shows the following details:
Policy or rule that was violated
Location in the system where the file was intercepted
Address of the sender of the message
Intended recipient(s) of the message
Whether the file was sent to the Quarantine Server
If a virus was detected, the name of the virus
To view the contents of the local quarantine
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Quarantine. This option is not available in group view.
3 In the list pane, click an item to view the item's details. The data appears in the preview pane.
4 Press F5 to refresh the display.
Releasing messages from the quarantine
You can release messages from the quarantine in the following ways:
Releasing messages from the quarantine by email
Releasing messages from the quarantine to a file
Messages that are released from the quarantine are rescanned for threats. Remove or repair the threat before you release the message from the local quarantine. Otherwise, if your virus policy is to quarantine threats, Symantec Mail Security returns the message to the quarantine. Messages released from the quarantine are not filtered for spam, content filtering, or file filtering rules.
3 Do one of the following:
In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
In the list pane under Quarantine, select the items that you want to release. To select multiple items, press CTRL and select the items that you want to release. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release by mail.
5 In the Releasing by mail window, select one of the following:
Send to original intended recipient(s): Sends the message to the intended recipient. The names of the original recipients are listed in the Original recipient(s) list. This list cannot be modified. This option is enabled by default.
Send to administrators: Sends the selected file to the administrator whose address appears in the Administrators list. The administrator address cannot be modified in the Releasing by mail window. You can modify the address on the Monitors > Notification/Alerts Settings page. See Configuring notification settings for scan violations on page 188.
Send to the following: Sends the selected file to the addresses that appear in the Alternate recipients list. In the Alternate recipients list, type the email address to which you want to email the selected quarantined item. Type each entry on a separate line.
6 Click OK.
7 In the Operation Status window, click Close when the operation is complete.
3 Do one of the following:
In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
In the list pane under Quarantine, select the items that you want to release. To select multiple items, press CTRL and select the items that you want to release. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
4 In the sidebar under Tasks, click Release to file (Save).
5 In the Releasing to file and delete dialog box, select one of the following:
Yes: Removes the item from the quarantine after it has been saved to the Release folder.
No: The item remains in the quarantine after it has been saved to the Release folder.
Cancel: Cancels the file release operation.
6 In the confirmation dialog box, click OK.
7 In the Operation Status window, click Close when the operation is complete.
Do one of the following:
In the sidebar under Tasks, click Select all to select all of the items in the quarantine.
In the list pane under Quarantine, select the items that you want to remove. To select multiple items, press CTRL and select the items that you want to delete. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.
Chapter
Protecting your server from risks
This chapter includes the following topics:
About protecting your server from risks
Configuring threat detection
Configuring security risk detection
Configuring file scanning limits
Configuring rules to address unscannable container files
Mass-mailer worms
Denial-of-service attacks: Symantec Mail Security protects your network from file attachments that can overload the system and cause denial-of-service attacks. This includes container files that are overly large, that contain large numbers of embedded, compressed files, or that are designed to maliciously use resources and degrade performance. To reduce your exposure to denial-of-service threats, you can impose limits to control how Symantec Mail Security handles container files. See Configuring file scanning limits on page 102.
Security risks: Symantec Mail Security detects security risks, such as adware, dialers, hack tools, joke programs, remote access programs, spyware, and trackware. See Configuring security risk detection on page 100.
Symantec Mail Security also helps you detect and block potential risks from entering your network, such as unscannable and encrypted container files. See Configuring rules to address unscannable container files on page 104.
When a risk is detected, the incident is logged to the locations that you specify. You can also configure Symantec Mail Security to issue alerts when risks are detected or when an outbreak occurs. See About outbreak management on page 189. See How Symantec Mail Security detects risks on page 97.
Heuristics
To configure threat detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content pane under Antivirus Settings, check Enable virus scanning. Virus scanning is enabled by default.
Medium
5 Check Delete mass-mailer worm-infected messages (no notifications) to automatically delete mass-mailer messages. This feature is enabled by default.
6 In the Rules table, select any of the following rules to view or modify:
Basic Virus Rule: Applies to messages or attachments that contain threats that can be repaired. This option is always enabled.
Unrepairable Virus Rule: Applies to messages or attachments that contain threats that cannot be repaired. This option is always enabled.
The settings for the rule that you select appear in the preview pane.
7 In the preview pane, in the Action to take list, select the action to take when a threat is detected.
8 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. You can use variables in your customized text. See About alert and notification variables on page 225.
9 Check one or more of the following to send email notifications about the detection:
10 Next to each of the items that you selected, click the down arrow and do the following:
In the Message body box, type your customized text. You can use variables in your customized text. See About alert and notification variables on page 225.
11 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Security risks are programs that can do the following:
Provide unauthorized access to computer systems
Compromise data integrity, privacy, confidentiality, or security
Present some type of disruption or nuisance
These programs can put your employees and your organization at risk for identity theft or fraud by logging keystrokes, capturing email and instant messaging traffic, or harvesting personal information, such as passwords and login identifications. Security risks can be introduced into your system unknowingly when users visit a Web site, download shareware or freeware software programs, click links or attachments in email messages, or through instant messaging clients. They can also be installed after or as a by-product of accepting an end user license agreement from another software program related to or linked in some way to the security risk.
You must enable the Security Risk Rule for Symantec Mail Security to detect security risks.
Table 6-2 lists the categories of security risks that Symantec Mail Security detects.
Table 6-2 Categories of security risks
Adware
Hack tools: Programs used to gain unauthorized access to a user's computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. The remote user can perform port scans or vulnerability scans. Hack tools might also be used to create viruses.
Dialers: Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.
Joke programs: Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycling Bin away from the mouse when the user tries to click on it.
Remote access programs: Programs that let a remote user gain access to a computer over the Internet to gain information, attack, or alter the host computer.
Spyware: Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and then relay the information back to a remote computer.
Trackware: Stand-alone or appended applications that trace a user's path on the Internet and relay the information to a remote computer.
To configure security risk detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antivirus, click Antivirus Settings.
3 In the content area, in the Rules table, on the Security Risk Rule row, click the field under the Enabled column, and then click Enabled. This rule is disabled by default.
4 In the preview pane, in the Action to take list, select the action to take when a security risk is detected.
5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. You can use variables in your customized text. See About alert and notification variables on page 225.
6 Check one or more of the following to send email notifications about the detection:
7 Next to each of the items that you selected, click the down arrow and do the following:
In the Message body box, type your customized text. You can use variables in your customized text. See About alert and notification variables on page 225.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
To configure file scanning limits
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Scanning Limits.
3 In the content area, in the Maximum scan time (in seconds) box, type the maximum time that Symantec Mail Security can spend extracting a single container file. You can enter a value from 10 to 500000. The default value is 300.
4 In the Maximum archive scan depth (number of levels) box, type the maximum number of nested levels of files that are decomposed within a container file. You can enter a value from 1 to 50. The default value is 10.
5 In the Maximum size of one extracted file (in MB) box, type the maximum file size, in megabytes, for individual files in a container file. You can enter a value from 1 to 1024. The default value is 100.
6 In the Maximum total size of all extracted files (in MB) box, type the maximum size, in megabytes, of all extracted files. You can enter a value from 1 to 1024. The default value is 200.
7 In the Maximum number of files extracted box, type the maximum allowable number of files to be extracted. You can enter a value from 1 to 1000000. The default value is 5000.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
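The five limits above exist because a decompression bomb or a deeply nested archive can exhaust a scanner's time, memory and disk. The following is an added example, not Symantec Mail Security's own scanning code, that shows what enforcing those limits looks like against nested ZIP containers: every limit is checked before the offending bytes are produced, a declared size that exceeds the per-file limit is rejected without reading it, the declared size is not trusted either, and an encrypted entry is reported as unscannable (the case the Exceptions rules on the next page handle). The defaults match the page; the ZIP archives are constructed inside the example.

```python
import io
import time
import zipfile
from dataclasses import dataclass
from typing import Dict

MB = 1024 * 1024
ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every ZIP produced here


@dataclass(frozen=True)
class ScanLimits:
    """The five limits from the Scanning Limits page, with the page's defaults."""
    max_scan_seconds: float = 300
    max_depth: int = 10
    max_file_mb: int = 100
    max_total_mb: int = 200
    max_files: int = 5000


class Unscannable(Exception):
    """Raised with the reason a container could not be fully decomposed."""


def scan_container(data: bytes, limits: ScanLimits = ScanLimits()) -> Dict[str, int]:
    """Decompose a (possibly nested) ZIP within the limits.
    Returns counters on success; raises Unscannable naming the limit that tripped."""
    state = {"files": 0, "total_bytes": 0, "max_depth_seen": 0}
    deadline = time.monotonic() + limits.max_scan_seconds
    _walk(data, limits, state, deadline, depth=1)
    return state


def _walk(data: bytes, limits: ScanLimits, state: Dict[str, int], deadline: float, depth: int) -> None:
    if depth > limits.max_depth:
        raise Unscannable(f"archive depth {depth} exceeds maximum of {limits.max_depth}")
    state["max_depth_seen"] = max(state["max_depth_seen"], depth)
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise Unscannable(f"corrupt container: {exc}") from exc
    per_file_cap = limits.max_file_mb * MB
    total_cap = limits.max_total_mb * MB
    with archive:
        for info in archive.infolist():
            if time.monotonic() > deadline:
                raise Unscannable("maximum scan time exceeded")
            if info.is_dir():
                continue
            state["files"] += 1
            if state["files"] > limits.max_files:
                raise Unscannable(f"more than {limits.max_files} files extracted")
            if info.flag_bits & 0x1:
                # Encrypted entry: its content cannot be examined, so the container is unscannable.
                raise Unscannable(f"{info.filename} is encrypted")
            # Reject on the declared size before reading anything: a decompression bomb
            # advertises a huge uncompressed size for a tiny compressed payload.
            if info.file_size > per_file_cap:
                raise Unscannable(f"{info.filename} declares {info.file_size} bytes, over the per-file limit")
            # The header can lie, so read in bounded chunks and re-check as bytes appear.
            payload = io.BytesIO()
            with archive.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    payload.write(chunk)
                    if payload.tell() > per_file_cap:
                        raise Unscannable(f"{info.filename} exceeds the per-file limit while extracting")
                    state["total_bytes"] += len(chunk)
                    if state["total_bytes"] > total_cap:
                        raise Unscannable("total size of extracted files exceeds the limit")
            body = payload.getvalue()
            if body.startswith(ZIP_MAGIC):
                _walk(body, limits, state, deadline, depth + 1)


def verdict(data: bytes, limits: ScanLimits = ScanLimits()) -> str:
    """'scanned' or 'unscannable: <reason>', the decision an Exceptions rule would act on."""
    try:
        scan_container(data, limits)
        return "scanned"
    except Unscannable as exc:
        return f"unscannable: {exc}"


def build_nested_zip(depth: int, payload: bytes = b"quarterly report") -> bytes:
    """Constructed sample for this example: a ZIP nested `depth` levels deep."""
    data, name = payload, "doc.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def build_fat_zip(file_count: int, size_bytes: int) -> bytes:
    """Constructed sample: `file_count` files of zeros that compress to almost nothing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in range(file_count):
            zf.writestr(f"pad{n}.bin", b"\0" * size_bytes)
    return buf.getvalue()
```

The order of the checks is the point: depth and file count are tested before opening an entry, the declared size before reading it, and the actual size as it is read. A scanner that only checks after extraction has already paid the cost the limit was meant to prevent.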
These rules are always enabled.
To configure rules to address unscannable container files
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Exceptions.
3 In the list pane, select the rule that you want to view or modify.
4 In the preview pane, in the Action to take list, select the action to take when an unscannable file is detected.
5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. You can use variables in your customized text. See About alert and notification variables on page 225.
6 Check one or more of the following to send email notifications about the detection:
7 Next to each of the items that you selected, click the down arrow and do the following:
In the Message body box, type your customized text. You can use variables in your customized text. See About alert and notification variables on page 225.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Chapter
Identifying spam
This chapter includes the following topics:
About spam detection
Blocking spam using real-time blacklists
Configuring whitelists
How to detect spam using Symantec Premium AntiSpam
Configuring heuristic antispam protection
You can adjust heuristic or premium antispam detection by specifying domains that are automatically permitted to bypass antispam scanning. You can also specify email addresses to which inbound emails are permitted to bypass real-time blacklist (RBL) blocking and antispam scanning. See Blocking spam using real-time blacklists on page 112. See Configuring whitelists on page 113.
Heuristic antispam: When you use heuristic spam detection, Symantec Mail Security computes a spam confidence level (SCL) that the message is spam. You can create antispam policies to specify how you want Symantec Mail Security to process messages that are detected by the heuristic antispam engine based on the computed SCL values.
Symantec Premium AntiSpam: When you use Symantec Premium AntiSpam, Symantec Mail Security calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, the message is defined as spam. You can define a suspected spam threshold between 25 and 89. You can also specify the actions for handling spam and suspected spam separately. You can take advantage of the Symantec Spam Folder Agent for Exchange to automatically route spam messages to a spam folder in the recipient's mailbox. The spam folder agent works with Symantec Spam Plug-in for Outlook, which lets users submit missed spam to Symantec Security Response for analysis. The Outlook plug-in also gives users the option to administer their own Blocked Senders and Allowed Senders lists and to specify languages in which they do or do not want to receive email. The Symantec Spam Folder Agent for Exchange and the Symantec Spam Plug-in for Outlook are on the product CD.
See About the Symantec Spam Folder Agent for Exchange on page 119. See About the Symantec Spam Plug-in for Outlook on page 124.
When you enable antispam detection (heuristic or premium), Symantec Mail Security stamps messages with a SCL value. The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on an email message to determine the destination of the message. When the SAT value is not set, Exchange sends all messages with a SCL value to the user's Junk E-mail folder. If the SAT value is set and a message has a SCL value that is higher than the SAT threshold, Exchange sends the message to the user's Junk E-mail folder. If the SCL value is lower than or equal to the SAT value, the message goes into the user's Inbox. See Configuring the Store Action Threshold (SAT) setting on page 111.
A message is not scanned for spam by Symantec Mail Security in the following cases:
The message is an internal Microsoft Exchange message that has already been assigned the SCL value of -1.
The message was whitelisted by Symantec Mail Security on the server.
The message was whitelisted by another entity (either another antispam product or Symantec Mail Security running on a different server).
The message was delivered by an authenticated SMTP session, and the DoAntiSpamOnAuthSessionsBool registry key is either missing or set to non-zero.
An internal error occurred. This can happen if the SPAM.NET or SPAM.DAT files are missing or corrupt.
About comparing Symantec Mail Security SCL values to other screening tools
If you are using Microsoft Exchange 2003 and are using heuristic antispam detection, you can configure Symantec Mail Security to compare the Symantec SCL to the SCL that is provided by another mail screening tool. To have Symantec Mail Security compare its SCL to that of another screening tool, the other tool must be configured not to take action based on its SCL. For example, if the other mail-screening tool is Microsoft Intelligent Message Filter (IMF), IMF must be set to No Action for the SCL comparison to take place. You can specify one of the following options to use when either or both SCL values do not exceed the threshold:
Highest SCL
Lowest SCL
Average SCL
Symantec's SCL
Existing SCL (the SCL that is provided by another mail screening tool)
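The rules on this and the preceding pages (the fixed 90 to 100 spam band and configurable suspected-spam threshold of Premium AntiSpam, the cases in which a message is not scanned, the five SCL comparison options, and the SAT routing in Exchange 2003) are easy to misread when they interact, so here they are as an added example, not code from Symantec Mail Security or Exchange. The Message fields, the rounding of the average to a whole SCL, and the treatment of an unstamped message as delivered normally are assumptions of this example; the thresholds and the routing comparison are the page's.

```python
from dataclasses import dataclass
from typing import Optional

SPAM_FLOOR = 90            # Premium AntiSpam: a score of 90..100 is spam (from the page)
SUSPECT_RANGE = (25, 89)   # permitted range of the suspected-spam threshold (from the page)


def premium_verdict(score: int, suspected_threshold: int = 50) -> str:
    """Classify a Symantec Premium AntiSpam score (1..100).
    The spam band is fixed; only the suspected-spam threshold is configurable."""
    if not 1 <= score <= 100:
        raise ValueError("score must be 1..100")
    if not SUSPECT_RANGE[0] <= suspected_threshold <= SUSPECT_RANGE[1]:
        raise ValueError("suspected spam threshold must be 25..89")
    if score >= SPAM_FLOOR:
        return "spam"
    if score >= suspected_threshold:
        return "suspected spam"
    return "clean"


def combine_scl(symantec_scl: int, existing_scl: int, option: str) -> int:
    """Heuristic mode on Exchange 2003: merge Symantec's SCL with the SCL another
    screening tool (for example IMF set to No Action) already stamped.
    If both values already exceed the threshold, every option yields an over-threshold
    result, so the option only changes the outcome when at least one does not.
    'average' rounds half up to keep the SCL an integer (assumption of this example)."""
    options = {
        "highest": max(symantec_scl, existing_scl),
        "lowest": min(symantec_scl, existing_scl),
        "average": (symantec_scl + existing_scl + 1) // 2,
        "symantec": symantec_scl,
        "existing": existing_scl,
    }
    return options[option]


@dataclass
class Message:
    """Only the properties the stamping decision needs (fields assumed for this example)."""
    internal: bool = False               # Exchange-internal message, already carries SCL -1
    whitelisted: bool = False            # whitelisted on this server or by another entity
    existing_scl: Optional[int] = None   # SCL stamped earlier by another screening tool


def stamp_scl(msg: Message, symantec_scl: int, option: str = "symantec") -> Optional[int]:
    """The SCL Symantec Mail Security writes on the message, or None when the
    message is not scanned and any existing stamp is left alone."""
    if msg.internal or msg.whitelisted:
        return None
    if msg.existing_scl is None:
        return symantec_scl
    return combine_scl(symantec_scl, msg.existing_scl, option)


def store_action(scl: Optional[int], sat: Optional[int]) -> str:
    """Exchange 2003 Store Action Threshold routing as the page describes it."""
    if scl is None:
        return "Inbox"                   # unstamped: delivered normally (assumption of this example)
    if sat is None:
        return "Junk E-mail"             # SAT not set: every stamped message is junked
    return "Junk E-mail" if scl > sat else "Inbox"
```

The practical consequence of the SAT rule is worth checking before enabling antispam stamping: with no SAT configured, every message the engine stamps, including low-confidence ones, lands in Junk E-mail, so set the SAT (see the procedure that follows) before or together with enabling detection.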
where <server folder> is the path to the server folder. The default location is:
\Program Files\Symantec\SMSMSE\5.0\Server
3 Press Enter.
where <value> is the value that you want to set for the SAT. The domain name is optional.
5 Press Enter.
To view the current SAT setting
1 At the command prompt, type the following:
cd <server folder>
where <server folder> is the path to the server folder. The default location is:
\Program Files\Symantec\SMSMSE\5.0\Server
2 Press Enter.
3 In the Command Prompt window, type the following:
SMSMSESAT
4 Press Enter.
Under Real-time Blacklist, in the real-time blacklist domains box, type the domains of the RBL providers. List each entry on a separate line.
On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Configuring whitelists
To minimize false positives, you can enable and populate the following whitelists:
Allowed Senders: Lets you list the sender domains that are permitted to bypass RBL blocking and antispam scanning.
Unfiltered Recipients: Lets you list the email addresses to which inbound emails are permitted to bypass RBL blocking and antispam scanning.
If the Allowed Senders and Unfiltered Recipients lists are both enabled, Symantec Mail Security processes the Allowed Senders list first. Email messages that are permitted to bypass antispam scanning and RBL blocking are still scanned for risks and content violations.
To configure whitelists
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Blacklist and Whitelist.
3 In the content area, under Allowed Senders, check Bypass real-time blacklist and spam detection for messages sent from the following.
4 In the Email and domain addresses box, type the domains and email addresses (one per line) that are permitted to bypass spam processing. Domain names must begin with either @ (at symbol) or an asterisk before the at symbol (for example, @mail.com or *@mail.com). You can use DOS wildcard characters. See About DOS wildcard style expressions on page 154.
5 Under Unfiltered Recipients List, check Bypass real-time blacklist and spam detection for messages sent to the following.
114 Identifying spam How to detect spam using Symantec Premium AntiSpam
6 In the Email and domain addresses box, type the fully qualified email addresses (one per line) to which email messages are permitted to bypass spam processing and RBL blocking. You can list up to 50 email addresses.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Header filters
Header filters consist of regular expression-based filtering rules that exploit commonalities or trends that are present in spam messages. Examples of spam characteristics that the header filters identify include the following:
Watermarks of spammer tools: Traces of information left in messages by some spammer tools, such as the name of the program used to send the message.
Modified time zones: Time zones that are off by more than 12 hours.
Spoofed received lines: Messages that purport to be from a mail transfer agent at an organization that Symantec Security Response knows does not send outbound email.
Heuristics
Heuristic filters analyze the header, body, and envelope of an incoming message and check the message for the presence of distinct spam characteristics.
Attachment signatures
Attachment signatures target specific MIME attachments (for example, a specific pornographic image that is used in a real-time spam attack) and stop that attachment from reaching users. Attachment signatures make it unnecessary to block entire categories of certain attachments.
Reputation service
Symantec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. Symantec uses the following lists to filter your messages:
Open Proxy list: IP addresses that are either open proxies that are used by spammers or 'zombie' computers that are co-opted by spammers.
Safe list: Contains IP addresses from which virtually no outgoing email is spam.
Suspect list: A list of IP addresses from which virtually all of the outgoing email is spam.
The Symantec Spam Plug-in for Outlook makes it easy for Outlook users to submit missed spam and false positives to Symantec. You can also configure the plug-in to send user submissions automatically to a local system administrator. The Symantec Spam Plug-in for Outlook also gives users the option to administer their own Blocked Senders and Allowed Senders lists and to specify languages in which they do or do not want to receive email. See About the Symantec Spam Plug-in for Outlook on page 124.
If the ISA server is installed on the same computer as the Exchange server, create a Host Based protocol rule to allow Any Request for the HTTPS and HTTPS server protocols.
If the ISA server is installed on a different computer from the Exchange server, create a Host Based protocol rule that specifically allows traffic for the IP Address of the Exchange server for the HTTPS and HTTPS server protocols.
where <proxyserver:proxyport> is the IP address of your proxy server and the port. Symantec Premium AntiSpam licenses are placed in the SpamPrevention folder.
3 On the Windows Start menu, click Start > Run.
4 In the Run dialog box, type the following: regedit
5 Click OK.
6 In the Registry Editor window, in the left pane, browse and locate the following folder: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\5.0\Licensing\
- Exchange Administrator rights on the mail server on which you are installing the agent
- Full access to a mailbox on the local server
- Local system rights to act as part of the operating system and to run as a service
To create the service account for the Symantec Spam Folder Agent, you must do the following:
- Create a user name
- Add a folder agent
- Delegate control of the account
To create a user name
1 On the taskbar, click Start > All Programs > Administrative Tools, and then click Active Directory Users and Computers.
2 If it is not already selected, select the Users folder.
3 On the toolbar, click the Create a new user in the current container icon.
4 In the New Object User wizard, enter the following:
5 Click Next.
6 Type a password for the service account, configure the password options, and then click Next.
7 Click Next until the Finish icon appears.
8 Click Finish.
To add a folder agent
1 In the Users folder, right-click on the user that you just created.
2 Click Properties.
3 In the Properties dialog box, on the Member Of tab, click Add.
4 In the text field, type domain admins, and then click OK.
5 Click OK to close the Properties dialog box.
6 On the Windows Start menu, click All Programs > Microsoft Exchange > System Manager.
7 In the Exchange System Manager window, in the left pane, right-click the top node in the tree.
8 Click Delegate control.
9 On the Exchange Administration Delegation Wizard welcome screen panel, click Next.
10 On the Users or Groups panel, click Add.
To delegate control of the account
1 In the Delegate Control window, click Browse.
2 In the Select Users, Computers, or Groups window, under Enter the object name to select, type the name of the service account that you created, and then click OK.
3 In the Delegate Control window, ensure that the Role drop-down box is set to Exchange Administrator, and then click OK.
4 Click Next, and then click Finish.
5 Close the Exchange System Manager window.
- Your operating system is Windows 2000 (SP 2) or higher or Windows 2003.
- You are installing the agent on Microsoft Exchange 2000. You can install the agent on Microsoft Exchange 2003, but using the Exchange SAT is the recommended method. See Configuring the Store Action Threshold (SAT) setting on page 111.
- You have full access to a mailbox on the local Exchange server. The Symantec Spam Folder Agent does not send email to or from this mailbox.
- You have Exchange Administrator permission on the local server.
- You have a proper service account. See Creating a service account for the Symantec Spam Folder Agent on page 120.
- You have activated the Symantec Premium AntiSpam license. See How to activate a license on page 64.
To install the Symantec Spam Folder Agent for Exchange, you must first start the agent installation wizard. During installation, you can configure the spam folder agent settings. If a previous version of Symantec Spam Folder Agent for Exchange is installed, the install wizard automatically uninstalls it before installing the current version.
To start the installation wizard
1 Insert the Symantec Mail Security product CD in the CD-ROM drive. The installation program launches automatically. If it does not, run cdstart.exe from the product CD.
2 Click Install Spam Folder Agent.
3 In the welcome panel, click Next.
4 In the License Agreement panel, click I accept the terms of this license agreement, and then click Next.
To configure administrative settings
1 In the Setup Type panel, select one of the following, and then click Next:
Complete: Installs the agent in a predefined set of folders and files.
Custom: Lets you tailor installation options.
2 Under Service Account, type the Active Directory or NT Domain, user name, and password to be used by the Symantec Spam Folder Agent for Exchange.
3 In the Mailbox box, type the mailbox alias of a valid mailbox for the Symantec Spam Folder Agent to use.
4 In the Spam folder name box, type the name of the folder in each user's mailbox where spam will be stored.
5 In the Spam expiration box, type the number of days to retain spam messages. The default period is 30 days. You might need to adjust this setting based on the volume of spam that your organization receives.
6 Click Next, and then click OK.
If the installation process is unable to verify the existence of the spam folder because you have insufficient user rights, a dialog box appears with the message that the Act as part of the Operating System user right is required to verify these settings.
Click No, and then add the administrator account that you want the agent to use to the following security policy settings:
- Act as part of the operating system
- Log on as a service
For more information, see the Microsoft Exchange 2000 Server documentation.
- Email users a link to the setup.exe file with instructions for running the file.
- Use remote distribution software to install the setup.exe file on your users' computers.
- Silently install the plug-in.
If you plan to install the plug-in on multiple computers, you can modify the system-wide variables before you initiate installation. See Modifying Symantec Spam Plug-in for Outlook variables on page 125.
After the plug-in is installed, users have a new toolbar in their Outlook window. The toolbar contains the following elements:
This is Spam: Users click this option to submit the message to the email security unit within Symantec Security Response and move it from their Inbox to their Spam folder.
Users click this option to submit the message to Symantec Security Response and move it from their Spam folder to their Inbox.
Users click this option to empty their Spam folder (if configured).
Symantec: By choosing an item from this pull-down menu, users can get information on using the plug-in, view a report (if configured), and administer their personal Blocked Senders and Allowed Senders Lists. The following options are available from the Symantec pull-down menu:
Symantec Help: Launches a help page for the Symantec Spam Plug-in using your default Web browser.
Spam Report: Lets users view spam statistics (if configured).
Options: Sets plug-in properties, administers the user's Blocked Senders and Allowed Senders lists, and lets users specify the languages in which they do or do not want to receive email.
About Symantec: Provides information on the current version of the software.
Note: For more information on using the Symantec Spam Plug-in, see the online help that is included in the plug-in.
Table 7-2 describes the plug-in variables that you can modify.
Table 7-2 Symantec Spam Plug-in Setup Variables
Variable name: Description
ADMIN_FALSE_ADDRESS
ADMIN_JUNK_ADDRESS
ALLOWED_CONTACTS
AUTO_ADD_BLOCKED: If set to 1 (default), adds the sender of the message to the Blocked Senders list when submitting a spam message to the email security unit within Symantec Security Response.
AUTO_ADD_ALLOWED: If set to 1 (the default) or any non-zero value, automatically generates the Allowed Senders list. If set to 0, does not automatically generate the Allowed Senders list.
CHECK_ALLOWED: If set to 1 (the default) or any non-zero value, moves messages directly to the Spam folder. If a message is in the user's Allowed Senders List or (optionally) Outlook Contacts list, or if any of the message's recipients are in the user's Allowed Recipients List, the message is moved to the Inbox. Otherwise, the message remains in the Spam folder. If set to 0, messages are delivered normally (to the Inbox).
CHECK_BLOCKED: If set to 1 (the default) or any non-zero value, does not process the message. If a message sender is in the user's Blocked Senders List or (optionally) Outlook Contacts list, or if any of the message's recipients are in the user's Blocked Senders list, the message is not processed. Otherwise, the message remains in the Spam folder. If set to 0, messages are delivered normally (to the Inbox).
DELETE_X_DAYS
DISPLAY_ARE_YOU_SURE_MSGS
DISPLAY_CONFIRMATION_MSG
EMPTY_SPAM_FOLDER
HIDE_NOT_SPAM
HIDE_SPAM
MANUAL_ALLOWED
MANUAL_BLOCKED
MARK_AS_READ
MODIFY_OPTIONS
MULTI_CONFIRM_MSG: This option lets you edit the confirmation message for multiple successful submissions. The default value for this string is: Thank you for submitting messages to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.
SENDER_NOT_IN_ALLOWED: Specifies the action to take if the message sender is not in the Allowed Senders List. Normal (default): Moves the message to the Inbox. Delete: Deletes the message. Spam Folder: Moves the message to the Spam folder.
SINGLE_CONFIRM_MSG: The confirmation message for a single successful submission. The default value for this string is: Thank you for submitting a message to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.
SPAM_FOLDER: The name of the Spam folder. The default is Spam.
SPAM_QUARANTINE_URL: If specified, this setting causes the Spam Quarantine option to appear in the toolbar. Clicking the option displays the Spam Quarantine login page in a Web browser. If unspecified (the default), the Spam Quarantine option does not appear in the toolbar.
REPORT_URL: If specified, the Spam Report option appears in the toolbar. Clicking the option displays the Spam Report application. If unspecified (the default), the Spam Report option does not appear in the toolbar.
To modify Symantec Spam Plug-in for Outlook variables
1 In WordPad or a similar text editing tool, open the following file on the Symantec Mail Security product CD: \ADMTOOLS\SPA\BMOP\Setup.ini
This file contains the initial settings for launching the Outlook Plug-in installation package. All of the required settings can be set on the CmdLine attribute in the [Startup] section at the beginning of the setup.ini file.
2 Change the settings in Outlook Plug-in Setup Variables. For example:
CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="admin-false@my.company.com"
3 See Table 7-2, Symantec Spam Plug-in Setup Variables, on page 126.
4 Save your changes to the setup.ini file and close the file.
You can install the Symantec Spam Plug-in using any of the following methods:
- Install the plug-in using the installation wizard.
- Perform a silent installation.
To install the Symantec Spam Plug-in for Outlook using the installation wizard
1 Close Outlook by clicking File > Exit. If you close Outlook in any other way, Outlook may continue to run in memory and return an error.
2 Insert the Symantec Mail Security product CD in the CD-ROM drive. The installation program launches automatically. If it does not, run cdstart.exe from the product CD.
3 Click Install Outlook Plug-in.
4 In the welcome panel, click Next.
5 In the License Agreement panel, click I accept the terms of this license agreement, and then click Next.
6 In the Setup Type panel, select one of the following, and then click Next:
Complete: Installs the plug-in in a predefined set of folders and files.
Custom: Lets you tailor installation options.
To perform a silent installation
1 On the computer on which you want to install the plug-in, insert the Symantec Mail Security product CD into the computer's CD-ROM drive.
2 Open the Windows command prompt.
3 At the command prompt, type the following:
cd <CD-ROM drive>:\ADMTOOLS\SPA\BMOP
4 At the command prompt, type the following to run setup.exe with the following switches:
setup.exe /s /v"/qn"
If you run setup.exe with the command /s /v"/qn", the silent installation option ignores the changes made to setup.ini. To preserve your changes, add /qn to the end of the CmdLine attribute in setup.ini, and then run the silent install using the following:
setup.exe /s
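The setup.ini editing procedure and the /qn caveat above, as an added example (not Symantec's code) that merges Table 7-2 variables into the CmdLine attribute of the [Startup] section and appends /qn for a "setup.exe /s" install; the sample file contents and the rejection of variable names not listed in Table 7-2 are this example's own assumptions.

```python
"""Rewrite the CmdLine attribute of the Outlook plug-in setup.ini.

Added example, not Symantec's code. It follows the page: the plug-in
variables from Table 7-2 are set on the CmdLine attribute in the [Startup]
section of Setup.ini (ADMTOOLS\\SPA\\BMOP on the product CD), and a silent
install run as "setup.exe /s" only honours them when /qn is appended to
that line. The sample file below is constructed; only the [Startup] section
and its CmdLine line follow the page.
"""
import re
from typing import Dict, List, Tuple

# Variable names from Table 7-2 on this page (names broken across lines in
# the extracted table are joined here).
KNOWN_VARIABLES = frozenset({
    "ADMIN_FALSE_ADDRESS", "ADMIN_JUNK_ADDRESS", "ALLOWED_CONTACTS",
    "AUTO_ADD_BLOCKED", "AUTO_ADD_ALLOWED", "CHECK_ALLOWED", "CHECK_BLOCKED",
    "DELETE_X_DAYS", "DISPLAY_ARE_YOU_SURE_MSGS", "DISPLAY_CONFIRMATION_MSG",
    "EMPTY_SPAM_FOLDER", "HIDE_NOT_SPAM", "HIDE_SPAM", "MANUAL_ALLOWED",
    "MANUAL_BLOCKED", "MARK_AS_READ", "MODIFY_OPTIONS", "MULTI_CONFIRM_MSG",
    "SENDER_NOT_IN_ALLOWED", "SINGLE_CONFIRM_MSG", "SPAM_FOLDER",
    "SPAM_QUARANTINE_URL", "REPORT_URL",
})

# Either a NAME="value" pair or a bare /switch such as /qn.
_TOKEN = re.compile(r'([A-Z_]+)="([^"]*)"|(/\S+)')

# Constructed sample; [Other] is a placeholder section, not from the page.
SAMPLE_SETUP_INI = (
    "[Startup]\n"
    'CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="admin-false@my.company.com"\n'
    "\n"
    "[Other]\n"
    "Key=Value\n"
)


def parse_cmdline(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a CmdLine= line into ({variable: value}, [switches])."""
    key, sep, value = line.partition("=")
    if not sep or key.strip().lower() != "cmdline":
        raise ValueError("expected a CmdLine= line")
    variables: Dict[str, str] = {}
    switches: List[str] = []
    for m in _TOKEN.finditer(value):
        if m.group(3):
            switches.append(m.group(3))
        else:
            variables[m.group(1)] = m.group(2)
    return variables, switches


def build_cmdline(variables: Dict[str, str], silent: bool = False) -> str:
    """Render variables as NAME="value" pairs, with /qn when silent."""
    unknown = sorted(set(variables) - KNOWN_VARIABLES)
    if unknown:  # assumption of this example: only Table 7-2 names are valid
        raise ValueError(f"not Table 7-2 variables: {unknown}")
    parts = []
    for name, value in variables.items():
        if '"' in value:  # the page shows no escape form for quotes; reject
            raise ValueError(f"{name}: value may not contain a double quote")
        parts.append(f'{name}="{value}"')
    if silent:
        parts.append("/qn")  # page: keeps setup.ini changes on "setup.exe /s"
    return "CmdLine=" + " ".join(parts)


def update_setup_ini(text: str, variables: Dict[str, str],
                     silent: bool = False) -> str:
    """Merge variables into the [Startup] CmdLine line; other lines are kept."""
    out, in_startup, replaced = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_startup = s.lower() == "[startup]"
        elif in_startup and not replaced and s.lower().startswith("cmdline="):
            current, switches = parse_cmdline(s)
            current.update(variables)  # existing settings stay, new ones override
            line = build_cmdline(current, silent or "/qn" in switches)
            replaced = True
        out.append(line)
    if not replaced:
        raise ValueError("no CmdLine attribute found in [Startup]")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(update_setup_ini(SAMPLE_SETUP_INI,
                           {"SPAM_FOLDER": "Spam", "DELETE_X_DAYS": "30"},
                           silent=True))
```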
- If you have an ISA server, register Symantec Premium AntiSpam through the ISA server. See About registering Symantec Premium AntiSpam through an ISA server on page 117.
- Configure your proxy server to permit downloads for Symantec Premium AntiSpam. See Configuring your proxy server to download spam definition updates on page 118.
- Install the Symantec Premium AntiSpam license. See About the Symantec Premium AntiSpam license file on page 67.
When you enable Symantec Premium AntiSpam, you can configure the following settings to identify and handle spam:
Reputation service: Symantec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. Symantec uses the following lists to filter your messages:
- Open Proxy list: IP addresses that are either open proxies that are used by spammers or 'zombie' computers that are co-opted by spammers.
- Safe list: Contains IP addresses from which virtually no outgoing email is spam.
- Suspect list: A list of IP addresses from which virtually all of the outgoing email is spam.
These lists work like antispam rules but do not create delays like those that can occur with third-party lists. Nor do these lists require any special setup.
Suspected spam threshold: Symantec calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, it is defined as spam. You can define a suspected spam threshold between 25 and 89. You can also specify the actions for handling spam and suspected spam separately.
Language identification: Symantec can determine the language in which a message is written. If you use Microsoft Outlook, you can use the Symantec Plug-in for Outlook to specify that email that is written in certain languages be treated as spam.
To configure Symantec Premium AntiSpam to identify spam
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Settings.
3 In the content area, under Symantec Premium AntiSpam Settings, check Enable Symantec Premium AntiSpam.
4 Under Reputation Services, check any of the following lists that you want to use:
- Open proxy list
- Safe list
- Suspect list (enabled by default and cannot be disabled)
5 Under Spam Scoring, select whether you want messages flagged as suspected spam.
6 Under Spam Threshold, in the Lower spam threshold box, type the suspected spam threshold level if you choose to identify suspected spam. You can enter a value between 25 and 89. The default value is 72.
7 Under Language ID, select whether or not you want to enable language identification.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
- You are using Exchange Server 2003.
- You use a mail screening tool that stamps messages with SCL values.
If the premium antispam service identifies the message as suspected spam, Symantec Mail Security examines the SCL value. If the SCL value exceeds the threshold that you specify, the message is handled according to the settings that you configure. See Processing suspected spam messages that exceed a SCL threshold on page 135.
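To make the rules on this page concrete, here is an added decision model (example code, not Symantec's) that encodes the spam-score bands (90-100 is spam, suspected spam threshold 25-89, default 72), the SCL comparison modes described under heuristic detection (Highest, Lowest, Average, Symantec's, Existing), and the "Suspected Spam and SCL is > N" threshold (N from 0 to 8, default > 5); how an averaged SCL is rounded and what happens when the other tool assigns no SCL are assumptions of this example.

```python
"""Decision model for the spam-score and SCL rules stated on this page.

Added example, not Symantec's code. Rounding of the average SCL and the
fallback when the other screening tool stamps no SCL are assumptions of
this example and are marked where they occur.
"""
from dataclasses import dataclass
from typing import Optional

SPAM_MIN_SCORE = 90                   # page: a score of 90-100 is spam
SUSPECTED_THRESHOLD_RANGE = (25, 89)  # page: allowed lower-threshold range
DEFAULT_SUSPECTED_THRESHOLD = 72      # page: default lower spam threshold
SCL_THRESHOLD_RANGE = (0, 8)          # page: "SCL is > 0" up to "> 8"
DEFAULT_SCL_THRESHOLD = 5             # page: default is "> 5"
COMPARISON_MODES = ("highest", "lowest", "average", "symantec", "existing")


def classify_score(score: int,
                   suspected_threshold: int = DEFAULT_SUSPECTED_THRESHOLD) -> str:
    """Map a Symantec spam score (1-100) to 'spam', 'suspected' or 'clean'."""
    if not 1 <= score <= 100:
        raise ValueError("spam score must be between 1 and 100")
    lo, hi = SUSPECTED_THRESHOLD_RANGE
    if not lo <= suspected_threshold <= hi:
        raise ValueError("suspected spam threshold must be between 25 and 89")
    if score >= SPAM_MIN_SCORE:
        return "spam"
    if score >= suspected_threshold:
        return "suspected"
    return "clean"


def combine_scl(symantec_scl: int, existing_scl: Optional[int], mode: str) -> int:
    """Choose the SCL to compare, per the heuristic-detection comparison mode.

    existing_scl is None when the other screening tool stamped no SCL; the
    page's backup setting ("Reject message if SCL is") covers that case, and
    using the Symantec SCL alone for it is an assumption of this example.
    """
    if mode not in COMPARISON_MODES:
        raise ValueError(f"unknown comparison mode: {mode!r}")
    if existing_scl is None or mode == "symantec":
        return symantec_scl
    if mode == "existing":
        return existing_scl
    if mode == "highest":
        return max(symantec_scl, existing_scl)
    if mode == "lowest":
        return min(symantec_scl, existing_scl)
    # average: the page does not say how a half is rounded; rounding down is
    # an assumption of this example
    return (symantec_scl + existing_scl) // 2


@dataclass(frozen=True)
class Verdict:
    classification: str         # spam / suspected / clean
    scl_checked: Optional[int]  # SCL compared with the threshold, if any
    action: str                 # which configured action set applies


def evaluate(score: int, scl: Optional[int] = None, *,
             suspected_threshold: int = DEFAULT_SUSPECTED_THRESHOLD,
             scl_threshold: int = DEFAULT_SCL_THRESHOLD) -> Verdict:
    """Pick the action set a message falls under.

    scl is the SCL carried on an Exchange 2003 server (for the heuristic
    comparison, the value returned by combine_scl); pass None on Exchange
    2000 or when no SCL was assigned. -1 marks an internal Exchange message,
    which the page says is not assigned a Symantec SCL.
    """
    lo, hi = SCL_THRESHOLD_RANGE
    if not lo <= scl_threshold <= hi:
        raise ValueError("SCL threshold must be between > 0 and > 8")
    classification = classify_score(score, suspected_threshold)
    if classification == "spam":
        return Verdict("spam", None, "spam")            # Spam Messages settings
    if classification == "clean":
        return Verdict("clean", None, "deliver")
    if scl is None or scl == -1:
        return Verdict("suspected", None, "suspected")  # Suspected Spam settings
    if scl > scl_threshold:                             # "SCL is > N"
        return Verdict("suspected", scl, "suspected-and-scl")
    return Verdict("suspected", scl, "suspected")


if __name__ == "__main__":
    # Constructed sample: Symantec scored the message 80, the other tool
    # stamped SCL 3, Symantec assigned SCL 7, comparison mode Highest.
    print(evaluate(80, combine_scl(7, 3, "highest")))
```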
Suspected Spam
Configure the Suspected Spam settings if you meet any of the following conditions:
- You are using Exchange Server 2000.
- You are using Exchange Server 2003, and you do not use a mail screening tool.
- You are using Exchange Server 2003 with a mail screening tool, and you want to configure settings for suspected spam messages that fall below the threshold that you configured for Suspected Spam and SCL.
If the premium antispam service identifies the message as suspected spam, the message is handled according to the settings that you configure. See Processing suspected spam messages on page 138.
- Prevent the messages from being sent to the intended recipient
- Save the spam message to the folder location that you specify. See Save messages to a folder for archiving on page 24.
- Deliver the spam message to an alternate recipient
- Add your customized subject line text to the message
- Add your customized X-header to the message
- Tag the message as spam for the Spam Folder Agent. Use this option if you have installed the Spam Folder Agent. See About the Symantec Spam Folder Agent for Exchange on page 119.
- Assign a SCL value to the message. Use this option if you are using Exchange 2003 and are using Exchange's SAT values to route spam messages.
To reject spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Reject the message.
4 Check Log to log spam messages to the specified logging destinations.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
To accept spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Spam Messages, under If message is Spam, check Accept the message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving spam messages.
5 To save spam messages to a folder, do all of the following:
- In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list. This option is only available if Prevent delivery to original recipient(s) is checked. See Save messages to a folder for archiving on page 24.
- To add an X-header to messages sent to a folder, do all of the following: Check Add X-header. In the X-header name box, type the name for the X-header. The default name is X-Bulk. In the X-header value box, type the X-header value. The default value is Spam. This option is only available if Save to folder is checked.
Check Deliver to alternate recipient to send spam messages to a different recipient, and type the address to which spam messages are delivered. You can only enter one address. This option is not available if Prevent delivery to original recipient(s) is checked.
Check Add to subject line to prepend the subject line of spam messages, and in the subject line box, type your customized text. The default text is Spam.
To add an X-header to spam messages, do all of the following:
- Check Add X-header.
- In the X-header name box, type the name of the X-header. The default text is X-Bulk.
- In the X-header value box, type the value for the X-header. The default value is Spam.
10 Check Tag for Spam Folder Agent Delivery to send spam messages to the Symantec Spam Folder Agent. You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.
11 Check Assign SCL value to message to assign a SCL value to spam messages, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 9. This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.
12 Check Log to log spam messages to the specified logging destinations.
13 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
If you reject suspected spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. If you permit suspected spam messages that exceed the threshold, you can configure the following message delivery options:
- Prevent the messages from being sent to the intended recipient
- Save the spam message to the folder location that you specify. See Save messages to a folder for archiving on page 24.
- Deliver the spam message to an alternate recipient
- Add your customized subject line text to the message
- Add your customized X-header to the message
- Tag the message as spam for the Spam Folder Agent. Use this option if you have installed the Spam Folder Agent. See About the Symantec Spam Folder Agent for Exchange on page 119.
- Reassign the SCL value of the message. Use this option if you are using Exchange 2003 and are using Exchange's SAT values to route spam messages.
To reject suspected spam messages that exceed a SCL threshold
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam and SCL, in the If message is Suspected Spam and SCL is list, select the SCL value threshold. You can choose a value from > 0 to > 8. The default value is > 5.
4 Check Reject the message.
5 Check Log to log suspected spam messages to the specified logging destinations.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
To accept suspected spam messages that exceed a SCL threshold
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam and SCL, in the If message is Suspected Spam and SCL is list, select the SCL value threshold. You can choose a value from > 0 to > 8. The default value is > 5.
4 Check Accept the message.
5 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.
6 To save suspected spam messages to a folder, do all of the following:
- In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list. This option is only available if Prevent delivery to original recipient(s) is checked. See Save messages to a folder for archiving on page 24.
- To add an X-header to messages sent to a folder, do all of the following: Check Add X-header. In the X-header name box, type the name for the X-header. The default text is X-Bulk. In the X-header value box, type the X-header value. The default value is Suspected Spam. This option is only available if Save to folder is checked.
Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered. You can only specify one recipient.
Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text. The default text is Spam.
Check Add X-header. In the X-header name box, type the name of the X-header. The default text is X-Bulk. In the X-header value box, type the value for the X-header. The default value is Suspected Spam.
11 Check Tag for Spam Folder Agent Delivery to send suspected spam messages to the Symantec Spam Folder Agent. You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.
12 Check Assign SCL value to message to assign a SCL value to suspected spam messages, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 8. This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.
13 Check Log to log suspected spam messages to the specified logging destinations.
14 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
- You are using Exchange Server 2000.
- You are using Exchange Server 2003, and you do not use a mail screening tool.
- You are using Exchange Server 2003 with a mail screening tool, and you want to configure settings for suspected spam messages that fall below the threshold that you configured for Suspected Spam and SCL.
If you reject suspected spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. If you choose to reject the message, the message delivery options are disabled. If you permit suspected spam messages, you can use the following message delivery options:
- Prevent the messages from being sent to the intended recipient
- Save the spam message to the folder location that you specify
- Deliver the spam message to an alternate recipient
- Add your customized subject line text to the message
- Add your customized X-header to the message
- Tag the message as spam for the Spam Folder Agent. Use this option if you have installed the Spam Folder Agent. See About the Symantec Spam Folder Agent for Exchange on page 119.
- Reassign the SCL value of the message. Use this option if you are using Exchange 2003 and are using Exchange's SAT values to route spam messages. See About spam confidence level (SCL) values on page 110.
To reject suspected spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Reject the message.
4 Check Log to log spam messages to the specified logging destinations.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
To accept suspected spam messages
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Premium AntiSpam Actions.
3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Accept the message.
4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.
5 To save suspected spam messages to a folder, do all of the following:
- In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list. This option is only available if Prevent delivery to original recipient(s) is checked. See Save messages to a folder for archiving on page 24.
- To add an X-header to messages sent to a folder, do all of the following: Check Add X-header. In the X-header name box, type the name for the X-header. The default text is X-Bulk. In the X-header value box, type the X-header value. The default value is Suspected Spam. This option is only available if Save to folder is checked.
Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered. You can only specify one recipient.
Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text. The default text is Spam.
To add an X-header to suspected spam messages, do all of the following:
- Check Add X-header.
- In the X-header name box, type the name of the X-header. The default text is X-Bulk.
- In the X-header value box, type the value for the X-header. The default value is Suspected Spam.
10 Check Tag for Spam Folder Agent Delivery to send suspected spam messages to the Symantec Spam Folder Agent. You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.
11 Check Assign SCL value to message to reassign the SCL value, and in the drop-down list, select the threshold value. You can choose a value from 1 to 9. The default value is 6. This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.
12 Check Log to log suspected spam messages to the specified logging destinations.
13 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
You can reject messages based on SCL values with either of the following options:
   Reject message if Symantec's SCL and existing SCL are: Rejects messages that receive an SCL value from both Symantec Mail Security and another mail screening tool, when both values meet the threshold that you select. This option is only available for Exchange Server 2003.
   Reject message if SCL is: Rejects messages based on the SCL value alone. This provides a backup configuration in the event your other mail screening tool fails to assign a SCL value.
See About comparing Symantec Mail Security SCL values to other screening tools on page 111. You can also specify whether you want to log spam messages that are rejected.
You can configure which messages to accept and how you want Symantec Mail Security to process the messages. For example, if Symantec Mail Security assigns a message a SCL value of 7, there is a medium likelihood that the message is spam. You can configure Symantec Mail Security to accept messages that fall below a specified SCL value. You can specify to whom the message should be delivered, or you can save the message to a file location. You can prepend the subject text and add an X-header. You can also log messages that are accepted.
To enable heuristic antispam detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Antispam, click Heuristic Detection.
3 In the content area, under Heuristic Anti-Spam Settings, check Enable heuristic spam detection.
4 In the Use list, select one of the following:
   Highest SCL: This is the default option.
   Lowest SCL
   Average SCL
   Symantec's SCL
   Existing SCL: This option is only available for Exchange Server 2003.
To configure actions to take for rejected messages
1 Under Rejected Messages, check Reject message if Symantec's SCL and existing SCL are to reject messages that receive a SCL value from Symantec and another mail screening tool, and in the drop-down list, select the threshold value. You can choose a value from >5 to >8. The default value is >8. This option is only available for Exchange Server 2003.
2 Check Reject message if SCL is to reject messages based on SCL value, and in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8. Configure this option if you use Exchange 2000 (which does not support mail screening tools). Configure this option if you use Exchange 2003 to provide a backup configuration in the event your other mail screening tool fails to assign a SCL value.
3 Check Log rejected messages to log rejected messages to the specified logging destinations. See About logging events on page 197.
To configure actions to take for accepted messages
1 Under Accepted Messages, check Prevent delivery to original recipient if SCL is to prevent the original recipient from receiving messages with a given SCL, and in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8.
2 To save messages to a folder, do all of the following:
   Type a folder name in the Folder name box or click the browse [...] command icon and select a folder name from the list. This option is only available if Prevent delivery to original recipient if SCL is is checked. See Save messages to a folder for archiving on page 24.
3 To add an X-header to messages sent to a folder, do all of the following:
   In the X-header value box, type the X-header value. The default value is X-SMSMSE-SCL. This option is only available if Save to folder is checked.
4 To send messages with a given SCL to a different recipient, do all of the following:
   Check Deliver to alternative recipient if SCL is.
   Click the drop-down list and select the threshold value. You can choose a value from >0 to >8. The default value is >8.
   In the Alternative recipient box, type the address to which messages that meet the SCL criterion are delivered. You can only specify one recipient. This option is only available if Deliver to alternative recipient if SCL is is checked. This option is not available if the Save to folder option is checked.
5 To prepend the subject line of messages with a given SCL, do all of the following:
   Check Add subject tag if SCL is.
   In the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8.
   In the Prepend subject text box, type your customized text. The default value is Spam.
6 Check Add X-header, containing SCL value, if SCL is to add an X-header to messages with a given SCL, and then in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8.
7 Check Log if SCL is to log messages with a given SCL to the specified logging destinations, and in the drop-down list, select the threshold value. You can choose a value from >0 to >8. The default value is >8. See About logging events on page 197.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
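The following Python script is an added example, not part of Symantec Mail Security or of this guide, that works through how the heuristic antispam settings above combine: the Use list selects which SCL is evaluated, and each action fires when that SCL exceeds its >N threshold. The header name X-SMSMSE-SCL is taken from the default shown above; the integer rounding for Average SCL, the disposition names and the sample message are assumptions.

```python
"""SCL combination and threshold actions from the heuristic antispam procedures.
Added illustration, not Symantec Mail Security code: the 'Use' options and the
'>N' thresholds follow the console wording, while the header name, the rounding
of Average SCL and the sample message are assumptions."""
from email.message import EmailMessage
from typing import Any, Dict, List, Optional, Tuple

# Assumption: the X-header carrying the SCL uses the default name shown in the guide.
X_HEADER_NAME = "X-SMSMSE-SCL"

# Thresholds read as in the console: an action fires when SCL is greater than the
# configured value (">0" .. ">8"). None means the option is not checked.
DEFAULT_POLICY: Dict[str, Any] = {
    "reject_if_both": 8,     # Reject message if Symantec's SCL and existing SCL are >N
    "reject_if_scl": 8,      # Reject message if SCL is >N (backup when no existing SCL)
    "prevent_delivery": 8,   # Prevent delivery to original recipient if SCL is >N
    "subject_tag": 5,        # Add subject tag if SCL is >N
    "subject_text": "Spam",  # Prepend subject text
    "x_header": 0,           # Add X-header, containing SCL value, if SCL is >N
    "log": 0,                # Log if SCL is >N
}


def combine_scl(symantec_scl: int, existing_scl: Optional[int], use: str) -> int:
    """Mirror the 'Use' list. When the other screening tool assigned no SCL
    (existing_scl is None) only Symantec's value exists, which is why the guide
    recommends 'Reject message if SCL is' as a backup rule."""
    if existing_scl is None:
        return symantec_scl
    if use == "Highest SCL":
        return max(symantec_scl, existing_scl)
    if use == "Lowest SCL":
        return min(symantec_scl, existing_scl)
    if use == "Average SCL":
        return (symantec_scl + existing_scl) // 2  # assumption: integer average, rounded down
    if use == "Symantec's SCL":
        return symantec_scl
    if use == "Existing SCL":
        return existing_scl
    raise ValueError(f"unknown Use option: {use!r}")


def apply_policy(msg: EmailMessage, symantec_scl: int, existing_scl: Optional[int],
                 use: str, policy: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Return (disposition, actions) and stamp the message in place.
    disposition is 'rejected', 'withheld' (prevent delivery) or 'delivered'."""
    t = policy["reject_if_both"]
    if t is not None and existing_scl is not None and symantec_scl > t and existing_scl > t:
        return "rejected", ["reject_if_both"]
    scl = combine_scl(symantec_scl, existing_scl, use)
    t = policy["reject_if_scl"]
    if t is not None and scl > t:
        return "rejected", ["reject_if_scl"]

    actions: List[str] = []
    t = policy["x_header"]
    if t is not None and scl > t:
        msg[X_HEADER_NAME] = str(scl)
        actions.append("x_header")
    t = policy["subject_tag"]
    if t is not None and scl > t:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{policy['subject_text']} {subject}".rstrip()
        actions.append("subject_tag")
    t = policy["log"]
    if t is not None and scl > t:
        actions.append("log")
    disposition = "delivered"
    t = policy["prevent_delivery"]
    if t is not None and scl > t:
        disposition = "withheld"
        actions.append("prevent_delivery")
    return disposition, actions


def make_sample() -> EmailMessage:
    """Constructed sample message (not taken from any real mail flow)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly numbers"
    msg.set_content("See attached.")
    return msg


if __name__ == "__main__":
    m = make_sample()
    print(apply_policy(m, 7, 3, "Highest SCL", dict(DEFAULT_POLICY)))
    print(m["Subject"], m[X_HEADER_NAME])
    print(apply_policy(make_sample(), 9, None, "Highest SCL", dict(DEFAULT_POLICY)))
```

With a Symantec SCL of 7 and an existing SCL of 3 under Highest SCL, the message stays deliverable but is X-headered, tagged and logged. The same message with no existing SCL and a Symantec SCL of 9 is rejected by the backup Reject message if SCL is rule, which is the Exchange 2003 case the guide describes when the other screening tool assigns nothing.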
Chapter 8 Filtering content using content filtering rules
This chapter includes the following topics:
   About filtering content
   Working with match lists
   Working with content filtering rules
   How to enforce email attachment policies
146 Filtering content using content filtering rules About filtering content
You can also use content filtering rules with outbreak management. You can configure Symantec Mail Security to automatically add the names of outbreak triggered attachments and outbreak triggered subject text to match lists. Symantec Mail Security uses these match lists in pre-configured content filtering rules that automatically block suspicious file attachments or subjects. You can also use these match lists to create your own content filtering rules. See About outbreak management on page 189.

You can create as many content filtering rules as needed. Each rule specifies the email message part to search (for example, message body, subject, sender, attachment name, or attachment content), and defines the condition that should trigger a content violation. You can enable or disable filtering for each rule. See Working with content filtering rules on page 157. See About configuring a content filtering rule on page 160.

Note: The content filtering engine does not evaluate any file extension names that are inside the outer-most attachment, for example, the compressed files in a .zip file.

Symantec Mail Security handles content violations according to the action that you configure for the rule. Symantec Mail Security can notify administrators and senders (internal and external) of content filtering violations. You can customize the notification message.

Note: A message can trigger a single content filtering rule violation multiple times. This occurs if the mail client from which the message originated used RTF or HTML encoding. In that case, both the plain text and formatted versions of the message body are sent by the mail client to the Exchange server. Symantec Mail Security scans the plain text and formatted versions of the message body as separate message bodies.
Symantec Mail Security provides the following default content filtering rules:
   Blank Subject and Sender: Detects and filters messages with a blank subject line and a blank sender line.
   Quarantine Triggered Attachment Names: Detects and filters files if the attachment name matches a list of outbreak-triggered attachment names.
   Quarantine Triggered Subjects: Detects and filters messages whose subject matches a list of outbreak-triggered subjects.
   Sample Executable File: Detects and filters executable files based on the Sample Attachment Name match list.
You must enable the default content filtering rules that you want to use. You can modify the rules as needed.
subject line match list, such as cellular, credit, debt, diploma, or phrases like feel younger. If the subject line contains Rochester, however, the message does not trigger a violation.

Symantec Mail Security evaluates a rule logically as either an OR or an AND rule. By default, the entries in the Content box are OR (Match any term), which means that if any of the entries are present, the rule applies. If you check Match all terms, it becomes an AND, which means that the rule only applies if all the items in the list are present.

Checking the Attachment size is box makes the attachment size threshold another condition for the rule. For example, assume that you are filtering subject line content. You add the entries top and secret to the Content list. You check Attachment size is, and you select a value of >2 MB. If you check Match any term, Symantec Mail Security triggers a violation if it detects either top OR secret in the subject line OR if the message exceeds 2 MB. If you check Match all terms, Symantec Mail Security triggers a violation only if it detects the words top AND secret in the subject line AND the message exceeds 2 MB.

Any rule can only test one part of a message. If you want to test all the parts of a message, you have to create separate rules. However, if a rule tests an attachment, you can add an additional if/unless condition related to the attachment size.
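As an added illustration (example code, not Symantec's engine), the following Python models the rule logic described above: Match any term versus Match all terms, the Attachment size is condition, the Unless exception with its own Or attachment size is test, and the Equals, Contains, Whole term and Case options that later sections of this chapter describe. The guide does not document how the product applies these internally, so the exact semantics (for example that Equals compares the whole scanned text, and that exception terms are compared without Whole term) are assumptions.

```python
"""Content filtering rule evaluation: Match any (OR) vs Match all (AND), the
attachment size condition, Unless exceptions and the comparison modifiers.
Added example; the semantics are inferred from the chapter's wording."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MB = 1024 * 1024


@dataclass
class Rule:
    terms: List[str]                        # Content list, one term per entry
    match_all: bool = False                 # False: Match any term (OR); True: Match all terms (AND)
    comparison: str = "Contains"            # Equals, Does Not Equal, Contains, Does Not Contain
    whole_term: bool = False                # Whole term: stand-alone words only
    case_sensitive: bool = False            # Case
    size_over: Optional[int] = None         # "Attachment size is >" in bytes; None = unchecked
    unless_terms: List[str] = field(default_factory=list)
    unless_comparison: str = "Contains"     # default shown in the guide
    unless_size_over: Optional[int] = None  # "Or attachment size is >" for the exception


def _term_hit(text: str, term: str, comparison: str, whole_term: bool, case_sensitive: bool) -> bool:
    """One term against the scanned text under the chosen comparison (assumed semantics)."""
    flags = 0 if case_sensitive else re.IGNORECASE
    if comparison in ("Equals", "Does Not Equal"):
        hit = re.fullmatch(re.escape(term), text, flags) is not None
    else:
        pattern = re.escape(term)
        if whole_term:
            pattern = r"\b" + pattern + r"\b"
        hit = re.search(pattern, text, flags) is not None
    return (not hit) if comparison.startswith("Does Not") else hit


def conditions_met(text: str, attachment_size: int, rule: Rule) -> bool:
    """The guide's example: Match any fires on 'top' OR 'secret' OR size > 2 MB;
    Match all needs 'top' AND 'secret' AND size > 2 MB."""
    results = [_term_hit(text, t, rule.comparison, rule.whole_term, rule.case_sensitive)
               for t in rule.terms]
    if rule.size_over is not None:
        results.append(attachment_size > rule.size_over)
    return all(results) if rule.match_all else any(results)


def exception_applies(text: str, attachment_size: int, rule: Rule) -> bool:
    """Unless: any override term, or the exception's own size test, suppresses the rule."""
    if any(_term_hit(text, t, rule.unless_comparison, False, rule.case_sensitive)
           for t in rule.unless_terms):
        return True
    return rule.unless_size_over is not None and attachment_size > rule.unless_size_over


def violates(text: str, attachment_size: int, rule: Rule) -> bool:
    """True when the rule's conditions hold and no Unless exception cancels them."""
    return conditions_met(text, attachment_size, rule) and not exception_applies(text, attachment_size, rule)


if __name__ == "__main__":
    # Constructed subjects and sizes, following the guide's "top secret" example.
    any_rule = Rule(terms=["top", "secret"], size_over=2 * MB)
    all_rule = Rule(terms=["top", "secret"], match_all=True, size_over=2 * MB)
    for subject, size in [("Top of the morning", 1 * MB), ("quarterly report", 3 * MB),
                          ("top secret plans", 1 * MB)]:
        print(subject, size // MB, "MB -> any:", violates(subject, size, any_rule),
              "all:", violates(subject, size, all_rule))
```

The Rochester case from the text is an Unless entry: a subject containing credit still does not fire when Rochester is also present. Whole term changes Free from matching Freedom to matching only the stand-alone word, and Equals matches only when the whole scanned text is Free.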
A content filtering rule consists of the following elements: Message flow, Match, Exception, Value, and Action. When you create or modify a rule, you can also specify the sender or recipients for whom the rule applies and who to notify if the rule is violated. The message part that you select determines which comparisons you can use.
The Message body, Subject, and Attachment Name parts interpret their value boxes according to the user's choice. If you chose regular expressions, even if you type a number in the value box, Symantec Mail Security considers it text, not a number. Text strings, because they allow for regular expressions, give you flexibility in extending your text searches to find more than just a direct match. Regular expressions include metacharacters to help you broaden the search capabilities of a given rule. See About regular expressions on page 150. See About metacharacters on page 151.
About metacharacters
Table 8-2 lists the metacharacters that you can use in regular expressions to build filtering rules. Some characters are not considered special unless you use them in combination with other characters.
Note: You can use metacharacters in regular expressions to search for both single-byte and multi-byte character patterns.
Table 8-2 Metacharacters
   . : Period: Matches any single character.
   (string) : Parentheses: Groups parts of regular expressions, which gives the string inside the parentheses precedence over the rest. To match literal parentheses, escape them as \(string\).
You can link several regular expressions to form a larger one to match certain content in email.
Table 8-3 lists examples of regular expressions that show how pattern matching is accomplished with the use of metacharacters and alphanumeric characters.
Table 8-3 Regular expressions
   abc : Matches any line of text that contains the three letters abc in that order. Your results may differ depending on the comparison that you use to create the filtering rule. For example, if you build a rule to match the word Free and use the Contains comparison, then the filtering engine detects all words that contain the word Free instead of an exact match (for example, Freedom). However, if you use the Equal comparison, then the filtering engine detects only exact matches of the word Free with no other surrounding text. If you use the Contains comparison with Whole words only, then the filtering engine detects Free as a stand-alone word, even if there are other words present in the text that is being searched.
   a.c : Matches any string that begins with the letter a, followed by any character, followed by the letter c.
   ^.$ : Matches any line that contains exactly one character. (The newline character is not counted.)
   a(b*|c*)d : Matches any string beginning with the letter a, followed by either zero or more instances of the letter b, or zero or more instances of the letter c, followed by the letter d.
   .+\....\.... : Matches any file name that has two three-letter extensions (for example, Filename.gif.exe). This regular expression is helpful in blocking email attachments with double extensions. For example: If Attachment Name = .+\....\....
   [0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+ : Matches an embedded comment in the middle of meaningful HTML text. Embedding comments within HTML text is a trick that spam senders use to bypass some pattern-matching software.
   \s* : Matches a white space character zero or more times.
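To make Table 8-3 concrete, the following added example (not from this guide) runs each pattern against constructed strings, with Python's re module standing in for the product's regular expression engine, treating Contains as a search anywhere in the text and Equal as a match of the whole text. It also shows the limit of the double-extension pattern, which only catches two three-letter extensions, next to a hardened alternative that anchors on the final extension; that alternative is an assumption added here, not a Symantec recommendation.

```python
"""Table 8-3 patterns exercised against constructed strings. Added example; the
product's regex dialect is assumed to match Python's re for these patterns."""
import re
from typing import Dict, List


def matches(pattern: str, text: str, comparison: str = "Contains") -> bool:
    """Contains: pattern found anywhere in text. Equal: pattern must cover the whole text."""
    if comparison == "Equal":
        return re.fullmatch(pattern, text) is not None
    return re.search(pattern, text) is not None


def run_table(samples: Dict[str, List[str]]) -> Dict[str, List[bool]]:
    """For each pattern, the Contains result for each constructed sample, in order."""
    return {pattern: [matches(pattern, s) for s in texts] for pattern, texts in samples.items()}


# Constructed samples for each row of Table 8-3. For the double-extension row the
# second sample has a four-letter first extension (.docx), which is not "two
# three-letter extensions", so invoice.docx.exe slips past the table's pattern.
SAMPLES: Dict[str, List[str]] = {
    "abc": ["xxabcxx", "acb"],
    "a.c": ["abc", "a-c", "ac"],
    "^.$": ["x", "xy", ""],
    "a(b*|c*)d": ["ad", "abbd", "accd", "abcd"],          # b and c cannot be mixed
    r".+\....\....": ["Filename.gif.exe", "invoice.docx.exe"],
    r"[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+": ["Vi<!-- x -->agra", "Viagra"],
    r"\s*": ["no whitespace here"],                         # matches the empty string, so always true
}

# Assumption (added here): anchor on the final, executable extension rather than on
# the length of the first one, so any double extension ending in a risky type is caught.
DOUBLE_EXT_HARDENED = r".+\.[^.]+\.(exe|scr|pif|com|bat|cmd|vbs|js)$"


if __name__ == "__main__":
    for pattern, results in run_table(SAMPLES).items():
        print(f"{pattern:40} {results}")
    for name in ("Filename.gif.exe", "invoice.docx.exe", "report.exe"):
        print(name, "table:", matches(r".+\....\....", name),
              "hardened:", matches(DOUBLE_EXT_HARDENED, name))
```

Because \s* matches the empty string, on its own as a Contains pattern it fires on every message; it is only useful as a component of a longer expression, which is the linking the guide mentions above.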
154 Filtering content using content filtering rules Working with match lists
Table 8-5 lists the pre-configured match lists that are provided.
Table 8-5 Pre-configured match lists
   Outbreak Triggered Attachment Names: When you enable outbreak management, Symantec Mail Security adds the names of outbreak triggered attachments to this match list. You can use this match list with the Quarantine Triggered Attachment Names content filtering rule. See Configuring outbreak triggers on page 193.
   Outbreak Triggered Subject Lines: When you enable outbreak management, Symantec Mail Security adds the names of outbreak triggered subject lines to the Outbreak Triggered Subject Lines match list. You can use this match list with the Quarantine Triggered Subjects content filtering rule. This rule lets you automatically quarantine messages with subject line text that is found in the Outbreak Triggered Subject Lines match list. You can edit the rule description and the text in the Filter list. Leave the match type as literal. See Configuring outbreak triggers on page 193.
   Sample Multimedia File Names: This list contains file names or extensions of multimedia files. Leave the match type as wild cards.
Further pre-configured match lists:
   This list contains attachment file names or extensions that might contain malicious code. You can edit the rule description and add or remove file extensions in the Filter list. Leave the match type as wild cards.
   This list contains file names or extensions that can potentially execute malicious code. Leave the match type as wild cards.
   This list contains key words and phrases typically found in the bodies of spam email messages. You can edit the rule description, add or remove key words and phrases in the Filter list, and modify the match type. The default match type is literal.
You can create new match lists and delete or edit words in a match list. After you create a match list, you can define a content filtering rule that refers to the match list.
To create or edit a match list
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Match Lists.
3 Do one of the following:
   Create a match list: In the sidebar under Tasks, click Add match list.
   Edit a match list: In the content area under Match Lists, select the list that you want to edit, and then in the sidebar under Tasks, click Edit match list.
4 In the Add new match list window, in the Title box, type a name for the match list. You can only configure the title when you are creating a new match list.
5 In the Description box, type a description for the match list.
6 In the Type box, select one of the following:
   Literal string
   Regular expression: See About regular expressions on page 150.
   Wild cards: See About DOS wildcard style expressions on page 154.
7 In the Filter box, type a literal string, regular expression, or DOS wildcard-style expression. Enter one expression per line. You can link several regular expressions to form a larger one to match certain content in email.
Filtering content using content filtering rules Working with content filtering rules
8 Click OK.
9 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
To delete a match list
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Match Lists.
3 In the content area, under Match Lists, select the match list that you want to delete.
4 In the sidebar under Tasks, click Delete match list.
5 In the confirmation dialog box, click OK.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
This section includes the following topics:
   Specifying inbound SMTP domains
   Enabling or disabling content filtering for auto-protect scanning
   Creating a new rule
   Editing an existing rule
   About configuring a content filtering rule
   Prioritizing content filtering rules
   Deleting a content filtering rule
   Refreshing the Active Directory groups cache
You can modify these settings by specifying the domains that your organization considers local. By adding a domain to the domain list, emails with recipients for that domain are considered local, even if they do not have a mailbox locally.
Note: A single message can be considered both inbound and outbound. In this case, both inbound and outbound rules are applied to the message.
To specify inbound SMTP domains
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click System Settings.
3 In the content area, under System Settings, check Use list below to specify inbound SMTP domains.
4 In the List of internal domains box, type the domain or domains whose email messages are treated as inbound. Type only one domain per line.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Check Enable content filtering to enable content filtering for auto-protect scanning. Uncheck Enable content filtering to disable content filtering for auto-protect scanning.
On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
3 Do one of the following:
   Click the rule that you want to edit, and in the sidebar under Tasks, click Edit rule.
   Double-click the rule that you want to edit.
4 Modify the rule as needed. See About configuring a content filtering rule on page 160.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
To configure a content filtering rule, do the following:
   Specify the rule name and provide a description. See Specifying a rule name and description on page 160.
   Specify the conditions of the rule. See Configuring rule conditions on page 161.
   Specify any exceptions to the rule. See Configuring exceptions to the rule on page 163.
   Configure the actions that you want Symantec Mail Security to take if the rule is violated. See Configuring rule actions on page 164.
   Specify the users and groups to whom the rule applies. See Specifying the users and groups in which the rule applies on page 166.
   Specify who to notify if the rule is violated. See Specifying who to notify if the rule is violated on page 167.
4 In the Name box, type the name of the rule. This is a required entry.
5 In the Description box, type a brief description of the rule.
4 On the Rule tab, in the Message part to scan box, select one of the following:
   Message Body
   Subject
   Sender
   Attachment Name
   Attachment Content
5 Under Message flow, check one or more of the following:
   Inbound messages
   Outbound messages
   Internal messages (store)
   At least one of these boxes must be checked.
6 Under Rule Content, in the Match type box, select one of the following:
   Literal string
   Regular expression
   Wild cards
7 Check either of the following options as needed:
   Whole term: This option is not available when you select the Regular expression match type.
   Case: This option is not available when you select the Sender or Attachment Name message part options.
8 In the comparison box, select one of the following:
   Equals
   Does Not Equal
   Contains
   Does Not Contain
9 In the Content box, type the words or phrases to be filtered. Type each entry on a separate line.
10 Click Add match list if you want to select a match list for the rule, and then select a match list from the menu. See Working with match lists on page 154.
11 Check Attachment size is to add the attachment size as a condition of the rule, and then configure the comparison value and attachment size.
4 Configure the rule conditions. See Configuring rule conditions on page 161.
5 On the Rule tab, under Unless, select one of the following:
   Equals
   Does Not Equal
   Contains: This is the default option.
   Does Not Contain
6 Type the words or phrases that override the filtering of the entries in the Content list. Type each entry on a separate line.
7 Click Add match list if you want to select a match list for the rule, and then select a match list from the menu. See Working with match lists on page 154.
8 Check Or attachment size is to add the attachment size as a condition of the Unless conditions, and then configure the comparison value and attachment size.
When a violation occurs, Symantec Mail Security can take one of the following actions:
   Delete entire message
   Delete attachment/message body and replace with text: You can customize the replacement text.
   Quarantine attachment/message body and replace with text: You can customize the replacement text.
   Add tag to beginning of subject line: You can customize the text that you want to prepend to the subject line. This rule action is not available if you apply the rule to the internal messages (store).
   Save to folder: You can specify the folder in which you want to save the email message. You can also add an X-header to the message and customize the X-header name and value. This rule action is not available if you apply the rule to the internal messages (store). See Save messages to a folder for archiving on page 24.
   Log only: Logs the event to the specified logging destinations. See About logging events on page 197.
To configure rule actions to delete the message
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click Content Filtering Rules.
3 Do one of the following:
   Create a rule: In the sidebar under Tasks, click Add new rule.
   Modify an existing rule: In the content area, double-click the rule that you want to edit.
4 On the Rule tab, under Rule Action, in the When a violation occurs box, select Delete entire message.
To configure rule actions to delete the attachment and message body and replace with text
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Delete attachment/message body and replace with text.
2 In the Replacement text box, type your customized text. See About alert and notification variables on page 225.
To configure rule actions to quarantine the attachment and message body and replace with text
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Quarantine attachment/message body and replace with text.
2 In the Replacement text box, type your customized text.
To configure rule actions to prepend the subject line
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Add tag to beginning of subject line. This rule action is not available if you apply the rule to the internal messages (store).
2 In the Subject line tag box, type the customized text that you want to prepend to the subject line.
To configure rule actions to save the message to a folder
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Save to folder. This rule action is not available if you apply the rule to the internal messages (store).
2 In the Folder name box, type the name of the folder or click the browse [...] command icon and select a folder name from the list.
3 To add an X-header to messages sent to a folder, do all of the following:
   Check Add X-header.
   In the X-header name box, type the name for the X-header.
   In the X-header value box, type the X-header value.
To configure rule actions to log the violation only
1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Log only.
4 Click the Users tab.
5 Under Sender/recipient Selection, do one of the following:
   To apply the rule based on the sender, click Sender, and then select one of the following:
      Apply if the sender of the message is in the list
      Apply if the sender of the message is NOT in the list
   To apply the rule based on the recipients, select one of the following:
      Apply if ANY of the recipients of the message are in the list
      Apply if ANY of the recipients of the message are NOT in the list
      Apply if ALL of the recipients of the message are in the list
      Apply if ALL of the recipients of the message are NOT in the list
6 Under List of Users or Groups, in the SMTP addresses box, do one or both of the following:
   Type the addresses of the users that you want to include or exclude. Type one address per line.
   To add a pre-configured match list that contains user addresses, click Add Match List and select a match list. You can only insert one match list. You can combine a match list with typed addresses. See Working with match lists on page 154.
7 Under the Active Directory groups list, to select groups from Active Directory, click Add.
8 In the Active Directory domains and groups window, under Available groups, select the group that you want to add and click the >> command icon. The group that you select appears in the Selected groups list. To deselect a group in the Selected groups list, click the group entry, and then click the << command icon. Click OK.
6 Next to each of the items that you selected, click the down arrow and do the following:
   In the Message body box, type the message body text. See About alert and notification variables on page 225.
7 Click OK.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
6 Click OK.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
170 Filtering content using content filtering rules How to enforce email attachment policies
   The match list contains one of the literal strings: sample.zip, a.exe, b.doc, or c.bat
   The match list contains one of the DOS wildcard expressions: *.zip, *.exe, *.doc, or *.bat
   The match list contains one of the regular expressions: sample\.\w{3}, a\.\w{3}, b\.\w{3}, or c\.\w{3}
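The following Python is an added example (not product code) that evaluates these three match list types against the same attachment names, and then demonstrates the note earlier in this chapter that names inside an archive are not evaluated: a match list entry of *.exe does not see a.exe inside sample.zip, so an attachment policy that must stop executables has to cover the archive types too or rely on antivirus scanning of the archive contents. Assumptions: literal and DOS wildcard comparisons are case-insensitive, DOS wildcards support only * and ?, and a regular expression must match the whole attachment name.

```python
"""File Name Rule match-list evaluation for literal, DOS wildcard and regular
expression match types, plus the outer-attachment-only caveat. Added example."""
import io
import re
import zipfile
from typing import List


def _dos_wildcard_to_regex(pattern: str) -> str:
    """Escape everything,     then restore * and ? with their DOS meanings (assumed semantics)."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")


def name_matches(name: str, entries: List[str], match_type: str) -> bool:
    """True if the attachment name hits any entry of the match list."""
    if match_type == "Literal string":
        return any(name.lower() == e.lower() for e in entries)       # assumption: case-insensitive
    if match_type == "Wild cards":
        return any(re.fullmatch(_dos_wildcard_to_regex(e), name, re.IGNORECASE) for e in entries)
    if match_type == "Regular expression":
        return any(re.fullmatch(e, name) for e in entries)             # assumption: whole-name match
    raise ValueError(f"unknown match type: {match_type!r}")


def evaluate_file_name_rule(attachment_names: List[str], entries: List[str], match_type: str) -> List[str]:
    """Outer attachment names that trigger the rule and would receive the configured action."""
    return [n for n in attachment_names if name_matches(n, entries, match_type)]


def build_sample_zip() -> bytes:
    """Constructed attachment: sample.zip wrapping a.exe (harmless text, not a real executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.exe", "not really an executable")
        zf.writestr("readme.txt", "cover note")
    return buf.getvalue()


def inner_names(zip_bytes: bytes) -> List[str]:
    """The names the content filtering engine does NOT evaluate: those inside the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    names = ["sample.zip", "A.EXE", "b.doc", "c.bat", "notes.docx", "report.exe.txt"]
    print(evaluate_file_name_rule(names, ["sample.zip", "a.exe", "b.doc", "c.bat"], "Literal string"))
    print(evaluate_file_name_rule(names, ["*.zip", "*.exe", "*.doc", "*.bat"], "Wild cards"))
    print(evaluate_file_name_rule(names, [r"sample\.\w{3}", r"a\.\w{3}", r"b\.\w{3}", r"c\.\w{3}"],
                                  "Regular expression"))
    archive = build_sample_zip()
    print("outer name vs *.exe:", evaluate_file_name_rule(["sample.zip"], ["*.exe"], "Wild cards"))
    print("inside the archive:", inner_names(archive))
```

The regular expression list from the text only catches three-character extensions (\w{3}), so notes.docx passes, and its case sensitivity means A.EXE also passes unless the pattern allows for it; the wildcard list catches both case variants but, like the others, never sees a.exe once it is wrapped in sample.zip.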
To enforce an attachment policy with the File Name Rule, do the following:
   Enable the File Name Rule.
   Select the match list that contains the file name attachments that you want detected. You can create or modify match lists when you modify the File Name Rule. You can only select one match list.
   Specify the action to take if a violation is detected, who to notify of the violation, and the notification message text.
To enable the File Name Rule
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the content area, in the File Filtering Rules table, on the File Name Rule row, click the field under the Enabled column, and then click Enabled. This rule is disabled by default.
To select an existing match list that does not need to be modified
1 In the File Filtering Rules preview pane, click Select.
2 In the Select a match list window, in the Name table, select the match list, and then click Select.
To create a match list or modify an existing match list
1 In the File Filtering Rules preview pane, click Select.
2 In the Select a match list window, do one of the following:
   To modify an existing match list, select the match list, and on the toolbar, click Edit match list.
   To create a new match list, on the toolbar, click Add match list. See Working with match lists on page 154.
3 Under Filter, type the file attachment names that you want to add to the match list.
4 Click OK.
5 In the Select a match list window, click Select to select the match list that you just created or modified.
To specify the action to take if a violation is detected
1 In the File Filtering Rules preview pane, in the Action to take list, select one of the following:
   Delete entire message
   Delete attachment/message body and replace with text
   Quarantine attachment/message body and replace with text
   Log only
2 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. See About alert and notification variables on page 225.
3 Check one or more of the notification options to send email notifications about the detection.
4 Next to each of the items that you selected, click the down arrow and do the following:
   In the Message body box, type your customized text. See About alert and notification variables on page 225.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Symantec Mail Security can determine if a file is a true multimedia file by analyzing the file contents, rather than just looking at the file name extension. If the file is a multimedia file, Symantec Mail Security takes the actions that you specify when you enable the Multimedia File Rule.
Note: Symantec Mail Security can determine the true file type of a well-formed binary file. The true file type of a binary file variant cannot always be accurately determined.
If you want to enhance multimedia file detection, you can create a content filtering rule that uses the Sample Multimedia File Names match list. When you enable the rule, Symantec Mail Security detects messages with the attachment extensions that are listed in the Sample Multimedia File Names match list and takes the actions that you specify. It does not perform an analysis to determine true file type. See About configuring a content filtering rule on page 160.
Table 8-6 lists the multimedia file types that Symantec Mail Security supports (this list cannot be modified).
Table 8-6 Supported multimedia file types
   Amiga MED/OctaMED Tracker Module Sound File
   AU Audio File
   Audacity Audio Block
   Audio Interchange File
   Audio Video Interleave File
   Impulse Tracker Music Module
   Microsoft Windows Media File
   MPEG AlbumWrap Wrapped Music File Archive
   MPEG Movie Clip
   MultiTracker Music Module
   Musical Instrument Digital Interface
   Postscript File
   QuickTime Video Clip
   Scream Tracker Music Interface Kit Song/Module
   ScreamTracker v3 Sound File
   Shorten Audio Compression File
   Waveform Audio
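The following added example (not Symantec's detector) shows what determining the true file type by content means for a few of the Table 8-6 types, using publicly documented magic numbers: a WAVE header renamed to .txt still triggers the rule, a text file renamed to .wav does not, and a RIFF container with an unrecognised form type returns None, which corresponds to the note above that a binary variant cannot always be typed. The signature list is an illustrative subset chosen here, not the product's, and the sample bytes are constructed.

```python
"""Content-based multimedia type detection versus the file name extension.
Added example with a small subset of well-known signatures; not the product's logic."""
from typing import Dict, Optional, Tuple

# RIFF containers carry their form type at offset 8.
RIFF_FORMS: Dict[bytes, str] = {b"WAVE": "Waveform Audio", b"AVI ": "Audio Video Interleave File"}

# Fixed-offset signatures: (offset, magic bytes, Table 8-6 type it implies).
SIGNATURES: Tuple[Tuple[int, bytes, str], ...] = (
    (0, b".snd", "AU Audio File"),
    (0, b"MThd", "Musical Instrument Digital Interface"),
    (0, b"%!PS", "Postscript File"),
    (0, b"IMPM", "Impulse Tracker Music Module"),
    (0, b"ajkg", "Shorten Audio Compression File"),
    (4, b"ftyp", "QuickTime Video Clip"),   # ISO base media / QuickTime file type box
    (4, b"moov", "QuickTime Video Clip"),
    (44, b"SCRM", "ScreamTracker v3 Sound File"),
)


def sniff_type(data: bytes) -> Optional[str]:
    """Type implied by the bytes, or None when nothing well-formed is recognised."""
    if data[:4] == b"RIFF" and len(data) >= 12:
        return RIFF_FORMS.get(data[8:12])          # unknown RIFF form type: a variant, so None
    if data[:4] == b"FORM" and data[8:12] == b"AIFF":
        return "Audio Interchange File"
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def extension_of(filename: str) -> str:
    """What a name-based rule would key on (lower-cased extension, '' if none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def multimedia_rule_fires(filename: str, data: bytes) -> Tuple[bool, Optional[str]]:
    """(fires, detected type). The rule keys on content, so the extension plays no part."""
    detected = sniff_type(data)
    return detected is not None, detected


# Constructed samples: a minimal RIFF/WAVE header renamed to .txt, a RIFF with an
# unknown form type, and plain text carrying a .wav extension.
WAVE_AS_TXT = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + bytes(16)
RIFF_VARIANT = b"RIFF" + (36).to_bytes(4, "little") + b"XXXXdata" + bytes(16)
TEXT_AS_WAV = b"hello, this is not audio\n"


if __name__ == "__main__":
    for name, data in (("notes.txt", WAVE_AS_TXT), ("song.wav", TEXT_AS_WAV), ("clip.avi", RIFF_VARIANT)):
        print(name, "extension:", extension_of(name), "->", multimedia_rule_fires(name, data))
```

The name-based Sample Multimedia File Names rule described above would fire on song.wav and miss notes.txt; the content-based rule does the opposite, which is why the guide presents the match list as a supplement rather than a replacement.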
To configure multimedia file detection
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under Content Enforcement, click File Filtering Rules.
3 In the content area, in the File Filtering Rules table, click Multimedia File Rule.
4 In the File Filtering Rules table, on the Multimedia File Rule row, click the field under the Enabled column, and then click Enabled.
5 In the information dialog box, click OK.
6 In the preview pane, in the Action to take list, select one of the following to specify the action to take when a multimedia file is detected:
   Delete entire message
   Delete attachment/message body and replace with text
   Quarantine attachment/message body and replace with text: This is the default option.
   Log only
7 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. See About alert and notification variables on page 225.
8 Check one or more of the notification options to send email notifications about the detection.
9 Next to each of the items that you selected, click the down arrow and do the following:
   In the Message body box, type your customized text. See About alert and notification variables on page 225.
10 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
4 In the information dialog box, click OK.
5 In the preview pane, in the Action to take list, select one of the following to specify the action to take when an executable file is detected:
- Delete entire message
- Delete attachment/message body and replace with text
- Quarantine attachment/message body and replace with text (this is the default option)
- Log only
6 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message. See About alert and notification variables on page 225.
7 To send email notifications about the detection, check one or more of the following:
8 Next to each of the items that you selected, click the down arrow and do the following:
In the Message body box, type your customized text. See About alert and notification variables on page 225.
9 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Chapter
Scanning your Exchange servers for threats and violations
This chapter includes the following topics:
- About the scanning process
- Configuring auto-protect scanning
- About manual scans
- About scheduling a scan
- Configuring notification settings for scan violations
When Symantec Mail Security detects a security risk or a violation during a scan, it takes the action that you specify for that policy. For example, when a threat is detected, Symantec Mail Security takes the action that you specify in the Antivirus Settings policy.
Configuring auto-protect scanning
- Enable Auto-protect
- Enable background scanning
- On virus definition update, force rescan before allowing access to information store
- Scan message bodies
- Virus scan messages during SMTP transport
On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
About manual scans
- Configure the manual scan parameters. You can configure basic scanning options and specify the mailboxes and public folders that you want to scan. You can also enable content filtering scanning and enable the content filtering rules that you want to apply to the scan. See Configuring the manual scan parameters on page 180.
- Run the manual scan. See Running a manual scan on page 182.
- View the manual scan results. See Viewing manual scan results on page 183.
- Stop scanning after __ minutes: The number of minutes that the scan should run. When the next scan is performed, it starts where the prior scan left off.
- Only scan items modified since last scan: To scan only items that have been modified since the last scan. Scanning only items that have been modified decreases overall scanning time.
- Scan message bodies: Scanning message bodies increases the overall scanning time.
Scan location
You can specify the mailboxes and public folders that you want included or excluded from the scan. This option is not available if you are in a group view.
Content filtering
Content filtering scanning is enabled by default, but you can disable the feature. If content filtering is enabled, you must also enable the rules that you want to apply to the scan.
To configure basic scanning options
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, click Manual Scan.
3 Under Tasks, click Edit manual scan.
4 In the Manual scan wizard, under Scan Options, check one or more of the following:
- Stop scanning after __ minutes. If you select this option, type the number of minutes you want the scan to run. The default value is 120.
- Only scan items modified since last scan.
- Scan message bodies.
5 Click Next.
To configure the scan location
1 Under Scan Location, to specify mailboxes to scan, select one of the following:
- All mailboxes: Scans all mailboxes. This option is enabled by default.
- Exclude mailboxes: No mailboxes are scanned.
- Specific mailboxes: Only the mailboxes that you select in the Mailboxes list are scanned.
Only the public folders that you select in the Public Folders list are scanned.
Click Next.
To disable content filtering scanning
1 Uncheck Enable content filtering. This option is enabled by default.
2 Click Finish.
3 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
To enable content filtering scanning
1 Check Enable content filtering. This option is enabled by default.
2 Do any of the following:
- To add a new content filtering rule, on the toolbar, click Add new rule.
- To modify an existing content filtering rule, on the toolbar, click Edit rule.
- To delete an existing content filtering rule, click Delete rule.
See About configuring a content filtering rule on page 160.
3 Click the field under the Enable column and select Enable to enable the rules that you want to apply to the scan.
4 Click Finish.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
About scheduling a scan
- Select the scheduled scan that you want to modify, and in the sidebar under Tasks, click Edit scan.
- Under the Name column, double-click the scheduled scan that you want to modify.
4 Modify the scheduled scan options as needed. See Configuring scheduled scan options on page 184.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
- Name of the scan and the basic scan options
- Mailboxes and public folders that you want to scan
- Content filtering rules that you want to apply to the scan
- Scan schedule
To configure basic scanning options
1 In the console on the primary navigation bar, click Scans.
2 In the sidebar under Views, select Scheduled Scans.
4 In the Scan name box, type the name for the scan. This option is only available if you are creating a new scheduled scan.
5 Under Scan Options, check Stop after scanning ___ minutes to limit the amount of time for the scan, and then type the maximum scanning time in minutes. If Symantec Mail Security reaches this limit, it stops scanning. The next scheduled scan starts where the previous scan stopped.
6 Check Only scan items modified since last scan to exclude items that have not changed since the last scan.
7 Check Scan message bodies to scan message bodies.
8 Click Next.
To select what to scan
1 Under Scan Location, to specify mailboxes to scan, select one of the following:
- All mailboxes: Scans all mailboxes. This option is enabled by default.
- Exclude mailboxes: No mailboxes are scanned.
- Specific mailboxes: Only the mailboxes that you select in the Mailboxes list are scanned.
Only the public folders that you select in the Public Folders list are scanned.
Click Next.
To scan for content filtering rules
1 Click Enable content filtering to enable content filtering rule scanning for the scheduled scan.
2 Do any of the following:
- To add a new content filtering rule, on the toolbar, click Add new rule.
- To modify an existing content filtering rule, on the toolbar, click Edit rule.
- To delete an existing content filtering rule, click Delete rule.
See About configuring a content filtering rule on page 160.
3 Click the field under the Enable column and select Enable to enable the rules that you want to apply to the scan.
4 Click Next.
To specify the scanning schedule
1 In the Time of day to run box, select the time of day that you want Symantec Mail Security to perform the scan (in 24-hour format).
2 Under Days to run on, check the days of the week that you want the scan to run.
3 Under Dates of the month to run on, select any of the following:
- 1st: The scan runs on the first day of each month.
- 15th: The scan runs on the 15th day of each month.
- The scan runs on the last day of each month.
4 Check Run scan at service start to perform a scan when the service starts. Do not enable the Run scan at service start option in a cluster environment.
5 Check Run scan when virus definitions change to perform a scan when new definitions are received. Leave this feature disabled if you update definitions at hourly intervals. If this option is enabled, the scheduled scan runs each time definitions are updated. Because definitions are delivered hourly, the scan might not complete before new definitions are available. This can impact overall mail throughput. See Scheduling definition updates on page 221.
6 Click Finish.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Chapter 10
Managing outbreaks
This chapter includes the following topics:
- About outbreak management
- Enabling outbreak management
- Configuring outbreak triggers
- Configuring outbreak notifications
- Clearing outbreak notifications
- Enable Outbreak Management. See Enabling outbreak management on page 192.
- Specify the criteria for an outbreak. The criteria consist of the number of times that an event must occur during a specified time interval. See What defines an outbreak on page 190. See About outbreak triggers on page 191. See Configuring outbreak triggers on page 193.
- Define the email notifications to send to the administrator when an outbreak is detected. See Configuring outbreak notifications on page 194.
- End the outbreak event after the situation is managed. See Clearing outbreak notifications on page 195.
- Threat potential of the event category that is being monitored
- Size of your mail system
- Amount of mail that is typically processed
- Stringency with which you want to define an outbreak
Symantec Mail Security monitors your server at regular intervals to detect outbreaks (the default setting is every 2 minutes). When Symantec Mail Security checks your server for outbreaks, it checks the events that occurred within the specified period of time (the default setting is 20 minutes). If Symantec Mail Security detects an outbreak, it issues an outbreak notification. For example, assume that you enable outbreak management, configure Symantec Mail Security to monitor for outbreaks every 2 minutes, and enable the Same virus outbreak trigger using the default configuration. Figure 10-1 provides an explanation of the events that would occur if Symantec Mail Security detects 50 messages that contain the Eicar virus at 1:05 P.M. and 50 messages that contain the Eicar virus at 1:19 P.M.
Figure 10-1
If you enable multiple outbreak triggers and a message is received that violates more than one, Symantec Mail Security goes into outbreak mode and stops looking for additional outbreaks. Only one outbreak rule is triggered. Outbreak triggers apply to auto-protect scans only. See Configuring outbreak triggers on page 193.
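The figure referred to above is not reproduced here, so the following added example (not Symantec's code) models the behaviour the two preceding paragraphs describe: a Same virus trigger that counts detections of one virus name inside a sliding time window (default 100 occurrences in 20 minutes), polled every 2 minutes, and a monitor that raises a single notification and stops evaluating triggers once it is in outbreak mode. The class names, the `simulate` helper, the exact expiry rule at the window edge and the timestamps are assumptions constructed for the illustration; the scenario itself (50 Eicar detections at 1:05 P.M. and 50 at 1:19 P.M.) is the guide's. A second constructed scenario spreads the same 100 detections wider than the window to show that no outbreak results.

```python
"""Sliding-window outbreak trigger model.

Added illustration, not Symantec's code. It models an occurrence threshold
over a time span, polled at a fixed interval, and the "first trigger wins,
then stop looking" behaviour the guide describes. Class names, the window
edge rule and the timestamps are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


class SameEventTrigger:
    """Counts events sharing a key (e.g. the same virus name) in a sliding window."""

    def __init__(self, name: str, occurrences: int = 100,
                 window: timedelta = timedelta(minutes=20)) -> None:
        self.name = name
        self.occurrences = occurrences      # default 100 instances
        self.window = window                # default 20 minutes
        # Per-key event timestamps; events must be recorded in time order.
        self._events: Dict[str, Deque[datetime]] = defaultdict(deque)

    def record(self, when: datetime, key: str) -> None:
        self._events[key].append(when)

    def check(self, now: datetime) -> Optional[str]:
        """Return the key whose count reached the threshold inside the window, else None."""
        cutoff = now - self.window
        for key, times in self._events.items():
            while times and times[0] <= cutoff:   # expire events that fell out of the window
                times.popleft()
            if len(times) >= self.occurrences:
                return key
        return None


class OutbreakMonitor:
    """Polls triggers; the first trigger to fire puts the monitor into outbreak
    mode, after which no further triggers are evaluated until it is cleared."""

    def __init__(self, triggers: List[SameEventTrigger]) -> None:
        self.triggers = triggers
        self.in_outbreak = False
        self.notifications: List[Tuple[datetime, str, str]] = []

    def poll(self, now: datetime) -> Optional[Tuple[str, str]]:
        if self.in_outbreak:
            return None                     # already in outbreak mode: stop looking
        for trigger in self.triggers:
            key = trigger.check(now)
            if key is not None:
                self.in_outbreak = True
                self.notifications.append((now, trigger.name, key))
                return trigger.name, key
        return None

    def clear(self) -> None:
        """Model of clearing the outbreak notification so monitoring resumes."""
        self.in_outbreak = False


def simulate(batches: List[Tuple[datetime, str, int]], start: datetime, end: datetime,
             poll_interval: timedelta = timedelta(minutes=2)) -> Optional[datetime]:
    """Feed batches of (time, key, count) detections to a Same virus trigger and
    return the poll time at which the outbreak is first detected, or None."""
    trigger = SameEventTrigger("Same virus")
    monitor = OutbreakMonitor([trigger])
    events = sorted((when, key) for when, key, count in batches for _ in range(count))
    i, now = 0, start
    while now <= end:
        while i < len(events) and events[i][0] <= now:   # deliver detections up to this poll
            trigger.record(*events[i])
            i += 1
        if monitor.poll(now):
            return now
        now += poll_interval
    return None


# Constructed timestamps for the guide's scenario: 50 Eicar detections at 1:05 P.M., 50 at 1:19 P.M.
DAY = datetime(2006, 1, 1)
GUIDE_SCENARIO = [(DAY.replace(hour=13, minute=5), "Eicar", 50),
                  (DAY.replace(hour=13, minute=19), "Eicar", 50)]
# Same total volume spread wider than the 20-minute window (constructed): no outbreak.
SPREAD_SCENARIO = [(DAY.replace(hour=13, minute=5), "Eicar", 50),
                   (DAY.replace(hour=13, minute=27), "Eicar", 50)]

if __name__ == "__main__":
    for label, scenario in (("guide", GUIDE_SCENARIO), ("spread", SPREAD_SCENARIO)):
        hit = simulate(scenario, DAY.replace(hour=13), DAY.replace(hour=14))
        print(label, "outbreak at", hit.strftime("%H:%M") if hit else "none")
```

With the guide's scenario the poll at 1:20 P.M. is the first one that sees all 100 detections inside the 20-minute window, so that is when the notification is issued; the spread scenario never exceeds 50 in any window, which is why the window length matters as much as the occurrence count when tuning a trigger.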
- Same attachment name
- Same subject
- Same virus
- Unrepairable viruses
- Unscannable files
- Filtering violations
- Total viruses
You can enable or disable the triggers. You can also modify the number of occurrences for a violation and the span of time in which the events must occur to constitute an outbreak. You can specify whether to notify an administrator when an outbreak occurs. See Configuring outbreak notifications on page 194.

When you enable outbreak management, you can also configure Symantec Mail Security to automatically add the names of outbreak triggered attachments to the Outbreak Triggered Attachment Names match list and outbreak triggered subject text to the Outbreak Triggered Subject Lines match list. Symantec Mail Security uses these match lists for pre-configured content filtering rules that automatically block suspicious file attachments or subjects. You can also use these match lists to create your own content filtering rules. See Working with content filtering rules on page 157.

To configure outbreak triggers
1 In the console on the primary navigation bar, click Policies.
2 In the sidebar under General, click Outbreak.
3 In the content area, in the table, select the trigger that you want to modify. The trigger that you select is highlighted in blue.
4 In the Enable column, click the drop down menu, and select Enabled or Disabled.
5 In the Occurrences column, type the number of instances that must occur to constitute an outbreak. The default value is 100.
6 In the Time column, type the span of time in which the instances must occur to constitute an outbreak. The default value is 20.
7 In the Units column, click the drop down menu, and select one of the following:
8 In the Notify Administrator column, check the box if you want to notify an administrator of the outbreak. See Configuring outbreak notifications on page 194.
9 In the Update Match List column, check the box if you want to automatically add the attachment name or subject to the Outbreak Triggered Names match list or Outbreak Triggered Subjects match list. The trigger must be activated. This option is only available for the Same attachment name and Same subject triggers. See Working with match lists on page 154.
10 In the Rule column, click View Rule to view or modify the associated content filtering rule. This option is only available for the Same attachment name and Same subject triggers. See Working with content filtering rules on page 157.
11 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
3 In the content area, in the preview pane, under Initial Notification, in the Subject Line box, type your customized subject line text.
4 In the Message Body box, type your customized message body text.
5 Under Subsequent Notifications, in the Subject Line box, type your customized subject line text.
6 In the Message Body box, type your customized message body text.
7 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Chapter 11
Logging events and generating reports
This chapter includes the following topics:
- About logging events
- About report templates
- What you can do with reports
Symantec Mail Security logs extensive report data on threats, security risks, content violations, spam, and server information to a reports database. You can use this data to generate summary or detailed reports based on different subsets of the data. When you define a report, you specify criteria such as the time span of the collected data, whether to show specific violations or all violations, and the output format of the report. See About report templates on page 201. You can specify how long Symantec Mail Security maintains data in the Reports database. You can also purge the database at any time. See Specifying the duration for storing data in the Reports database on page 200. See Purging the Reports database on page 201.
If you have installed SESA, you can enable SESA alerts. Although SESA is not part of Symantec Mail Security, it logs information, such as threat detection and content enforcement violations, across an entire organization. Selecting Enable SESA Logging enables the reporting of security events to the SESA Manager, where the events are sent to the SESA DataStore. When Enable SESA Logging is selected, you specify the IP address of the SESA server, which sends events to a designated SESA Manager computer. See About SESA on page 227.
- Auto-Protect
- Content Filtering Engine
- Content Filtering Rules
- Encrypted
- Error
- Licensing
- LiveUpdate/Rapid Release
- Manual and Scheduled Scanning
- Outbreak Management
- Quarantine
- Scanning Service
- Spam Filter Engine
- Symantec Premium AntiSpam
- Threat/Security Risk
- Unscannable
- VSAPI
Message
The Event Log does not refresh automatically. You must press F5 to refresh the display with the most recent list of events.

You can view the Symantec Mail Security Event Log from the console. You can sort and filter events by different criteria. In group view, if the Event Log is blank, you can manually refresh the page. You can also refresh the page in a group or server view to view the most recent events. In a large group, refreshing the page might take several minutes.

To view the Symantec Mail Security Event Log
1 In the console on the primary navigation bar, click Monitors.
2 In the sidebar under Views, click Event Log.
3 Click the column headers to sort the list data by different criteria.
4 Press F5.

To filter the Symantec Mail Security Event Log
1 Under the Event Log table, in the Number of items per page list, select a number of items that you want to view per page. The default value is 10.
2 In the List field, select a category on which to filter the event data.
3 In the entries since list, select a start date from which to begin displaying event data.
4 Click Display to show the filtered data.
To specify the duration for storing data in the Reports database
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.
3 In the content area, select one of the following:
- Store all data: Keeps all data indefinitely.
- Store no data: No data is retained. Selecting this option means there is no data from which to generate reports.
- The data is cleared after the specified time period. If you select this option, type the number of months of data to store. Only summary spam data is stored unless you check the Include Spam Data option. The default value is 12.
4 Check Include Spam Data to include all spam-related events.
5 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
You can create different report templates to describe different subsets of the raw report data. After you create a report template, you can use it to generate reports.

Note: Reports cannot be generated with a new or updated report template until you deploy your changes.

Symantec Mail Security provides two pre-configured reports that you can modify. You can also create your own report templates. When you create or modify a report template, Symantec Mail Security provides a wizard to guide you through the configuration process. The types of report templates that you can create are as follows:
- Summary: See Creating or modifying a Summary report template on page 203.
- Detailed: See Creating or modifying a Detailed report template on page 208.
- On the Security tab, deselect the option Do not allow attachments to be saved or opened that could potentially be a virus.
- On the Read tab, deselect the option Read all messages in plain text.
When you generate a Detailed report, Symantec Mail Security can save the report in HTML format or comma-separated value (.csv) format. The benefits of generating reports in .csv format are as follows:
- You can view or print the complete report data in an application, such as Microsoft Excel. If you have Microsoft Excel on your computer, a .csv file opens automatically as an Excel spreadsheet.
- You can import the data into a third-party reporting application to generate custom charts and reports.
In the content pane, in the Report Templates table, double-click the template that you want to modify.
To configure the report template options
1 Under Report Template Options, in the Template name box, type a name for the report template. This option is only available if you are creating a new report template.
2 In the Description box, type a description for the template.
3 Under Report type, click Executive summary. When you select Executive summary, the Report format is automatically configured for HTML.
4 Check Email report to the following recipients and type one or more addresses to which the report should be delivered. Separate entries with semicolons.
5 Click Next.

To configure the report time range
1 Under Report Time Range, in the Time range list, select the time range for the report. The default setting is Past Day.
2 In the Start time and End time boxes, select the dates and times for the start and end of the report time range. This option is only available if you selected the Customized time range.

To configure on demand report generation
1 Under Report Generation Option, click On demand.
2 Click Next.

To configure scheduled report generation
1 Under Report Generation Option, click Scheduled.
2 In the Generate report at list, select the time of day to generate the report.
3 Click Daily, Weekly, or Monthly. If you select Weekly or Monthly, select the day of the week or month to generate the report.
4 Click Next.

To configure the report chart options
1 Under Report Chart Options, select any of the following:
- Total violations chart
- Threats and security risks chart, and then select the chart granularity. The default setting is Week.
- Content violation chart, and then select the chart granularity. The default setting is Week.
- Spam pie chart
2 Click Next.
To configure report content
1 Under Executive Summary Template Options, select the options that you want to appear in the Summary report. Data selections are as follows:
The data that is included in the report is as of the last time the statistics were reset. See Resetting statistics on page 216.
- Unscannable files
- Mass-mailer threats
- Infection disposition
- Threats repaired: Number of threats that were repaired during the current reporting period
- Threats deleted: Number of threats that were deleted during the current reporting period
- Threats quarantined: Number of threats that were quarantined during the current reporting period
2 Click Next.
3 Under Executive Summary Template Options, select the data that you want to appear in the Executive Summary report. Data selections are as follows:
Current options
- Total attachments blocked: Total number of attachments that were blocked during the current reporting period
- Total number of messages containing inappropriate content that were detected during the current reporting period
- Total multimedia/executable attachments that were blocked during the current reporting period
- Total encrypted attachments: Total encrypted attachments that were blocked during the current reporting period
- Table of top content violations: Table of top content violations that were detected during the current reporting period
- No. of items to include: Number of items to include in the Table of Top Content Violations
- Table of top attachments that were blocked during the current reporting period
- Number of items to include in the Table of Top Attachments Blocked
Spam options
- Table of top spammers: Table of top spam sources that were identified during the current reporting period
- Number of items to include in the Table of Top Spammers
- Spam by category: Total number of spam categories that were identified during the current reporting period. Type an SCL level. The default value is 8.
- Spam by domain: Total number of spam domains that were identified during the current reporting period
- Number of domains to include in the Spam by Domain list
The data that is included in the report is as of the last time the statistics were reset. See Resetting statistics on page 216.
4 Click Next.
5 Under Executive Summary Template Options, check Show server information.
6 Select the data that you want to appear in the Executive Summary report.
7 Click Finish.
8 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Note: Symantec Mail Security does not support emailing reports that are larger than 5 MB. When Symantec Mail Security generates a report that is larger than 5 MB, it logs the event to the Windows Application Event Log. You can view the report on the Reports page.

Symantec Mail Security provides a wizard that helps you configure your report template.

To identify the report to be created or modified
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Templates.
3 Do one of the following:
- Create a new Detailed report template: In the sidebar under Tasks, click Add new template.
- Modify an existing report template: In the content pane, in the Report Templates table, double-click the template that you want to modify.
To configure the report template options
1 Under Report Template Options, in the Template name box, type a name for the report template. This option is only available if you are creating a new template.
2 In the Description box, type a description for the template.
3 Under Report type, click Detailed.
4 Under Report format, select the report format. See About report output formats on page 202.
5 Check Email report to the following recipients and type one or more addresses to which the report should be delivered. Separate entries with semicolons. Click Next.
To configure the report time range
1 Under Report Time Range, in the Time range list, select the time range for the report. The default setting is Past Day.
2 In the Start time and End time boxes, select the dates and times for the start and end of the report time range. This option is only available if you selected the Customized time range.

To configure on demand report generation
1 Under Report Generation Option, click On demand.
2 Click Next.

To configure scheduled report generation
1 Under Report Generation Option, click Scheduled.
2 In the Generate report at list, select the time of day to generate the report.
3 Click Daily, Weekly, or Monthly. If you select Weekly or Monthly, select the day of the week or month to generate the report.
4 Click Next.

To configure the report chart options
1 Under Report Chart Options, select any of the following:
- Total violations chart
- Threats and security risks chart, and then select the chart granularity. The default setting is Week.
- Content violation chart, and then select the chart granularity. The default setting is Week.
- Spam pie chart
2 Click Next.
To configure report content
1 Under Detailed Template Options, in the Type of violation list, select the type of violation that you want to appear in the report.
2 In the Sender filter box, type an identifying characteristic of the sender whose messages will appear in the report. This can be the domain name or address of the sender, or a name or word, or a wildcard expression.
3 In the Violation filter list, do one of the following:
- Select a pre-defined violation filter. The list consists of the default rules (for example, Basic Virus Rule) that are provided when you install the product. Filter selections vary based on the type of violation that you choose.
- Click User Defined Rule, and in the Rule name box, type the name of a content filtering rule that you created. This option is only available if you select the violation types All or Content Enforcement.
4 Select the columns that you want to appear in the detailed report.
5 Click Finish.
6 On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
What you can do with reports
- Generating a report on demand
- Accessing a report
- Printing a report
- Saving report data
- Deleting a report
- Resetting statistics
4 In the sidebar under Tasks, click Generate Report.
5 In the Operation Status window, click Close when the operation is complete.
Accessing a report
You can view a report from the console or from the Symantec Mail Security Reports folder. If you view a report from the console, you must be in a server view. The Reports page in the console displays the following information:
- Name: Name of report
- Type: Detailed or Summary
- Date Created: Date and time the report was generated
- Format: Format output (HTML or CSV)
- Template Name: Template from which the report was generated
- Status: Current status of the report generation. The report statuses are as follows:
  Ready: The report is generated and can be viewed.
  Generating: The report is currently being generated.
  Failed: The report generation has failed. The event is logged to the Windows Application Event Log.

When Symantec Mail Security generates a report (scheduled or on demand), the report is also automatically saved in its own folder in the Symantec Mail Security Reports folder. You can browse to the folder location and view the report file.

Note: When you delete a report in the console, the file is automatically deleted from the Symantec Mail Security Reports folder. See Deleting a report on page 215.
To access a report from the console
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
- Select the report that you want to view, and in the sidebar under Tasks, click View Report.
- Double-click the report.
See Printing a report on page 214. See Saving report data on page 214.

To access a report from the Symantec Mail Security Reports folder
1 Right-click on the Windows Start menu and select Explore.
2 Browse to the Symantec Mail Security Reports folder. The default location is as follows: \Program Files\Symantec\SMSMSE\5.0\Server\Reports
3 Double-click the report folder that contains the report that you want to view.
4 Do one of the following:
- For a report in .html format: Double-click the file to view it. The report appears the same as if it were accessed from the console.
- For a report in .csv format: Open the .csv file in a program such as Microsoft Excel to view it. Files created in .csv format contain raw data and must be viewed in a program that can interpret the data.
Printing a report
If you have a printer configured, you can print a report. Symantec Mail Security provides features that let you configure the page set up and preview the report. Print reports in landscape mode to prevent the data from being cut off at the right margin.

To print a report
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, do one of the following:
- Select the report that you want to view, and in the sidebar under Tasks, click View Report.
- Double-click the report.
Click OK.

- Select the report that you want to view, and in the sidebar under Tasks, click View Report.
- Double-click the report.
4 On the toolbar, click Save.
5 In the Save Web Page window, do the following:
- In the File name box, type the name of the file.
- In the Save as type box, select the file type. The default value is Web Page, complete (*.htm, *.html).
- In the Encoding box, select the encoding that you want to use. The default value is Unicode.
Deleting a report
You can delete a report when it is no longer needed or after you have saved the report to a file location. This lets you manage the volume of reports on the Reports page. See Saving report data on page 214.

Note: When you delete a report in the console, the file is automatically deleted from the Symantec Mail Security Reports folder. See Accessing a report on page 212.

To delete a report
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Reports.
3 In the content pane in the Reports table, select the report that you want to delete.
4 In the sidebar under Tasks, click Delete Report.
216 Logging events and generating reports What you can do with reports
Resetting statistics
You can reset statistics for reporting purposes. Resetting statistics also resets the Activity Summary information on the Home page.
To reset statistics
1 In the console on the primary navigation bar, click Reports.
2 In the sidebar under Views, click Report Settings.
3 Under Tasks, select one of the following:
  Reset Auto-Protect statistics
  Reset spam statistics
  Reset database statistics. Selecting this option purges all data from the Reports database. See Purging the Reports database on page 201.
  Reset all statistics
Chapter 12
About keeping your server protected
How to update definitions
Distributing definitions to multiple servers
Both methods let you update definitions on demand and automatically, based on the schedule that you specify. You can run Rapid Release definition updates instead of or in addition to LiveUpdate updates. For example, you can schedule daily LiveUpdates, and then manually run Rapid Release when a new threat emerges. If your organization has both front-end and back-end Exchange servers, consider using Rapid Release definitions on the front-end servers for the fastest response to new threats and certified LiveUpdate definitions on the back-end mailbox servers.
Note: If you have Symantec AntiVirus Corporate Edition installed, you must let Symantec AntiVirus update definitions. See About using Symantec Mail Security with other antivirus products on page 57.
You must have a valid content license to update definition files. A content license is a grant by Symantec Corporation for you to update Symantec corporate software with the latest associated content, such as new definitions. When you do not have a content license or your license expires, your product does not receive the most current definitions, and your servers are vulnerable to risks. See About licensing on page 63.
5 In the port box, type the port number. Typically, the port number for FTP is 21.
6 Click OK.
To configure HTTP settings for LiveUpdate
1 On the Windows menu, click Start > Control Panel.
2 In the Control Panel window, double-click Symantec LiveUpdate.
3 In the LiveUpdate Configuration dialog box, on the HTTP tab, click I want to customize my HTTP settings for LiveUpdate. When this setting is checked, the Use a proxy server for HTTP connections option appears and is checked by default.
4 In the Address box, type the IP address of the HTTP proxy server.
5 In the port box, type the port number. Typically, the port number for HTTP is 80.
6 If a user name and password are required to access the HTTP proxy server, under HTTP Authentication, click I need authorization to connect through my firewall or proxy server, and then type the user name and password.
7 Click OK.
To use an ISP dial-up connection for LiveUpdate
1 On the Windows menu, click Start > Control Panel.
2 In the Control Panel window, double-click Symantec LiveUpdate.
3 In the LiveUpdate Configuration dialog box, on the ISP tab, click Customized settings for LiveUpdate.
4 Under Use this Dial-up Networking connection, do one of the following:
  In the drop-down list, select the appropriate connection.
  If the connection that you want to use is not found in the drop-down list, click Add, and then follow the Location Information Wizard instructions to add a connection.
Perform updates on demand: See Updating definitions on demand on page 220.
Schedule automatic updates: See Scheduling definition updates on page 221.
  Run LiveUpdate Certified Definitions
  Run Rapid Release Definitions (via FTP)
In the Operation Status window, click Close when the operation is complete.
  Enable background scanning
  On virus definition update, force rescan before allowing access to information store
When both of these options are enabled, the message store is rescanned each time definitions are updated. If you update definitions at hourly intervals, this can impact overall mail throughput. See Configuring auto-protect scanning on page 179.
Also disable the Run scan when virus definitions change feature for all scheduled scans if you update definitions at hourly intervals. If this option is enabled in a scheduled scan, the scheduled scan runs each time definitions are updated. Because definitions are delivered more frequently, the scan might not complete before new definitions are available. This can impact overall mail throughput. See About scheduling a scan on page 183.
To schedule definition updates
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click LiveUpdate/Rapid Release Schedule.
3 In the content pane, under LiveUpdate/Rapid Release Schedule, check Enable automatic virus definitions updates. This option is enabled by default.
  Use Rapid Release definitions
  Use Certified LiveUpdate definitions. This option is enabled by default.
  Select Run every [ ] hours, and then select the interval in hours at which you want to run LiveUpdate or Rapid Release. The default value is 1 hour.
  Select Run at a specific time, and then type the time of day (in 24-hour format) and check the day or days of the week on which you want LiveUpdate to run. This option is not available for Rapid Release.
On the toolbar, click Deploy changes to apply your changes. See Deploying settings to a server or group on page 72.
Note: Symantec Mail Security does not support distributing Rapid Release definitions to multiple servers.
To distribute definitions to multiple servers, you must be in a group view.
To distribute definitions to multiple servers
1 In the console on the primary navigation bar, click Admin.
2 In the sidebar under Views, click Group LiveUpdate Status.
3 Under Tasks, click Run LiveUpdate.
4 In the LiveUpdate options panel, click Start.
5 When LiveUpdate is complete, click Close.
6 In the sidebar under Tasks, click Send virus definitions to servers.
Appendix
Using variables to customize alerts and notifications
About alert and notification variables

Variable        Description
                Starts a new line in the notification message
%server%        Autofills with the name of the server on which a violation was discovered
                Autofills with the description of the action taken in response to a rule violation
%attachment%    Autofills with the name of the attachment in which a rule violation has been found
%datetime%      Autofills with the date and time of a violation
%information%   Autofills with any general information available about the violation
%location%      Autofills with the name of the location at which a violation was discovered, for example, inbox, outbox, public folder
%policy%        Autofills with the name of the policy of which the violated rule is a part
%recipient%     Autofills with the name of the intended recipient of a message in which a violation was discovered
%rule%          Autofills with the name of the rule that was violated
%scan%          Autofills with the name of the scan that discovered a violation
%sender%        Autofills with the name of the sender of a message in which a violation was discovered
                Autofills with the contents of the subject line
                Autofills with the name of the violation detected
                Autofills with the number of messages that violate the outbreak trigger
%threshold%     Autofills with the threshold level of an identified outbreak trigger
%trigger%       Autofills with the name of the outbreak trigger that detected an outbreak
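The following stand-alone Python renderer is an added example, not product code: it mimics the %variable% substitution described in the table so that a notification template can be previewed and checked for tokens the product does not document before it is configured. Its treatment of unknown or unfilled tokens (left literal), the hypothetical host name, and the sample event values are assumptions.

```python
import re
from typing import Dict, Set, Tuple

# Variable names taken from the table above (only those whose names appear on the page).
KNOWN_VARIABLES: Set[str] = {
    "server", "attachment", "datetime", "information", "location", "policy",
    "recipient", "rule", "scan", "sender", "threshold", "trigger",
}

# A token is %name% with letters only, so "100%" or "% of messages" in free
# text is never mistaken for a variable.
_TOKEN = re.compile(r"%([A-Za-z]+)%")


def find_variables(template: str) -> Tuple[Set[str], Set[str]]:
    """Return (documented, undocumented) variable names used in a template."""
    used = set(_TOKEN.findall(template))
    return used & KNOWN_VARIABLES, used - KNOWN_VARIABLES


def render_notification(template: str, event: Dict[str, str]) -> str:
    """Fill %variable% tokens in `template` from the values in `event`.

    Substitution is a single pass, so a value that itself contains "%rule%"
    is inserted as-is and never expanded again. Undocumented tokens, and
    documented ones with no value in `event`, are left exactly as written
    (an assumption about product behaviour, not taken from the guide).
    Fields such as %sender% or the subject originate from the scanned
    message, so the renderer inserts them as plain text only.
    """
    def replace(match):
        name = match.group(1)
        if name in KNOWN_VARIABLES and name in event:
            return str(event[name])
        return match.group(0)

    return _TOKEN.sub(replace, template)


if __name__ == "__main__":
    # Constructed sample: a content filtering violation on a hypothetical server.
    sample_event = {
        "datetime": "2006-03-01 09:15:00",
        "server": "EXCH01",  # hypothetical host name
        "policy": "Attachment policy",
        "rule": "Executable File Rule",
        "sender": "sender@example.com",
        "recipient": "user@example.com",
        "scan": "Auto-Protect",
    }
    template = ("%datetime% %server%: rule %rule% (policy %policy%) fired for "
                "message from %sender% to %recipient% during %scan% (%unknown%)")
    documented, undocumented = find_variables(template)
    print("undocumented tokens:", sorted(undocumented))
    print(render_notification(template, sample_event))
```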
Appendix
Integrating Symantec Mail Security with SESA
About SESA
Interpreting Symantec Mail Security events in SESA
Configuring logging to SESA
About uninstalling SESA
About SESA
In addition to using the Symantec Mail Security Event Log and the Windows Application Event Log, you can also log events to the Symantec Enterprise Security Architecture (SESA). SESA integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for SESA-enabled security products, such as Symantec Mail Security, that protect your IT infrastructure from malicious code, intrusions, and blended threats.
SESA increases your organization's security posture by simplifying the task of monitoring and managing the multitude of security-related events and products that exist in today's corporate environments. The event categories and classes include threats, security risks, content filtering, network security, spam, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by SESA.
Table B-1 lists the versions of SESA that Symantec Mail Security supports.
Table B-1 Supported versions of SESA
Version 2.1
This version of SESA is a software-only solution. You can monitor and manage security-related events through the SESA Console. The SESA Console is the common console that provides manageable integration of security technologies (Symantec or otherwise), Symantec Security Services, and Symantec Security Response. You can query, filter, and sort data to reduce the security-related events that you see through the SESA Console. This lets you focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status, based on filtered views that you create. SESA is purchased and installed separately. SESA must be installed and working properly before you can configure Symantec Mail Security to log events to SESA. For more information, see the SESA 2.1 documentation.
Version 2.5
This version of SESA is a software component of the Symantec Security Information Manager 4.0 appliance. SESA is seamlessly integrated with Symantec Incident Manager, the software component for the Symantec Security Information Manager appliance. Together, these tools provide you with an open, standards-based foundation for managing security events from Symantec clients, gateways, servers, and Web servers. SESA Agents collect events from security products and send the events to the SESA Manager. The SESA Manager sends the events to the Correlation Manager, which uses a sophisticated set of rules to filter, aggregate, and correlate the events into security incidents. The Correlation Manager sends the incidents to Symantec Incident Manager for evaluation, tracking, and response. Symantec Incident Manager evaluates the impact of incidents on the associated systems and assigns incident severities. A built-in Knowledge Base provides information about the vulnerabilities that are associated with the incident. The Knowledge Base also suggests tasks that you can assign to a help desk ticket for resolution. Symantec Security Information Manager is purchased and installed separately. The appliance must be installed and working properly before you can configure Symantec Mail Security to log events to SESA. For more information, see the Symantec Security Information Manager documentation.
Interpreting Symantec Mail Security events in SESA
Note: Refer to the SESA/Symantec Security Information Manager documentation for the latest recommended version of the Java Runtime Environment.
Security events that are logged to SESA
Severity / Event Class / Rule / Description (Reason sent)
DATA_INCIDENT: Content filtering rule name
DATA_INCIDENT: Heuristic antispam: Spam score: [ ] percent; Premium antispam: [spam] or [suspected spam]
Warning
DATA_VIRUS_INCIDENT
Threats
Mass-mailer clean up
DATA_GREYWARE_CONTENT
Warning
Configuring logging to SESA
To configure SESA 2.1 to recognize Symantec Mail Security
1 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information window.
2 In the SESA Directory Domain Administrator Information window, type the specific information about the SESA Domain Administrator and the SESA Directory.
  SESA Directory Domain Administrator Name: Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.
  SESA Directory Domain Administrator Password: Type the Directory Domain Administrator password.
  Log on to domain (in dotted notation): Type the SESA administrative domain. An example of dotted notation is: NorthAmerica.SES
  Host Name or IP Address of SESA Directory: Do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer). If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer. For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
  Secure Directory Port: Type the number of the SESA Directory SSL port (by default, 636).
3 In the SESA Integration Package to Install window, type or browse to the location in which the SESA Integration Package is located, and then click OK.
4 Click Next, and then follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.
5 Repeat steps 1 through 4 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.
To configure SESA 2.5 to recognize Symantec Mail Security, you must first download the SESA Integration Wizard from the Symantec Security Information Manager. The wizard guides you through the installation procedures.
To download the SESA 2.5 SIP Integration Wizard
1 Insert the Symantec Mail Security product CD into the CD-ROM drive.
2 Copy the following file to your local computer: ADMTOOLS\SIPI\smsmse50.sip
3 Open a Web browser, and in the address bar, type the IP address of the appliance.
4 If prompted, type the Log on name, password, and domain, and then click Log On.
5 In the Symantec Security Information Manager console, in the left pane, click Register SIPs.
6 Click Download SIP Integration Wizard.
7 In the File Download dialog box, click Save.
8 Type or browse to the location in which you want to save the SESA Integration Wizard installation file. SIPI.zip is the file that is downloaded.
9 In the Download complete dialog box, click Close.
10 Locate the SIPI.zip file, double-click it, and unpack the file to the desired folder.
To configure SESA 2.5 to recognize Symantec Mail Security
1 In the folder where you unpacked the SIPI.zip file, double-click setup.jar. The SESA Integration Wizard appears.
2 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information panel.
3 In the SESA Directory Domain Administrator Information panel, type the specific information about the SESA Domain Administrator and the SESA Directory.
  SESA Directory Domain Administrator Name: Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.
  SESA Directory Domain Administrator Password: Type the Directory Domain Administrator password.
  Log on to domain (in dotted notation): Type the SESA administrative domain. An example of dotted notation is: NorthAmerica.SES
  Host Name or IP Address of SESA Directory: Do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer). If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer. To change the IP address, you must use the SESA console, not the Symantec Mail Security console. For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
  Secure Directory Port: Type the number of the SESA Directory SSL port (by default, 636).
4 In the SESA Integration Package to Install panel, type or browse to the location in which you saved the SESA Integration Package (smsmse50.sip), and then click Next.
5 Click Next and follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.
6 Repeat steps 1 through 5 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.
About uninstalling SESA
To start the SESA AgentStart service using the Windows Services
1 On the Windows menu, click Start > Control Panel > Administrative Tools > Services.
2 Under Name, right-click SESA AgentStart, and then click Start.
Index

Symbols
.csv (comma-separated value) report format 202
.NET Framework 33, 34, 35, 40
.zip files. See container files

A
Active Directory 16, 17, 166, 169
Active Summary 216
Adobe Acrobat Reader 19
adware. See security risks
Allowed Senders list 113
antispam filtering
  about 107
  configuring heuristic antispam 141
  configuring real-time blacklists 112
  configuring Symantec Premium AntiSpam 131
  configuring the SAT value 111
  configuring whitelists 113
  how it works 109
  licensing requirements 64
  SCL values, about 110
antivirus
  Basic Virus Rule 99
  detecting mass-mailer viruses 98
  enabling detection 98
  how Symantec Mail Security detects viruses 97
  logging detections 197
  modifying virus policies 99
  quarantining viruses 85
  setting Bloodhound detection level 98
  Unrepairable Virus Rule 99
  updating protection against 217
antivirus definitions. See definitions
antivirus products, other 57
attachments
  Allow-Only Attachment Rule 147
  blocking by attachment name 170
  detecting executables 175
  detecting multimedia files 172
  enforcing email attachment policies 170
  Executable File Rule 170
  filtering 145
  making attachment size a rule condition 148
  Outbreak Triggered Attachment Names match list 155
  Quarantined Triggered Attachment Names Rule 147
  Sample Attachment Name match list 155
  Sample Executable File Names match list 155
  Sample Multimedia File Names match list 155
auto-protect scans 158, 179

B
background scanning 179
Basic Virus Rule 99
Bloodhound heuristics technology 97

C
clusters
  configuring the cluster resource 48
  considerations before installing on 46
  installing on 45
  installing on an active/active cluster 49
  Veritas cluster server 50
console
  about 53
  accessing 52
  Home page 54
  installing console only 43
  primary navigation bar 54
  system requirements 34
container files
  blocking unscannable 104
  configuring limits 102
  decomposing 97
  denial-of-service attacks 102
  encrypted 96, 104
  unscannable 96
content area 53
content filtering rules
  about 145
  blocking attachments by name 170
  configuring 160
  configuring exceptions 163
  configuring rule conditions 161
  creating 159
  deleting 169
  detecting executable files 175
  detecting multimedia file types 172
  editing 159
  elements of 149
  enabling for auto-protect scanning 158
  enforcing attachment policies 170
  evaluating content 147
  literal string 149
  managing 157
  managing match lists 154
  metacharacters 151
  multiple violations 146
  notifying when rules are violated 167
  pre-configured rules 147
  prioritizing 168
  refreshing Active Directory groups 169
  regular expressions 150
  rule names and descriptions 160
  specifying actions 164
  specifying local domains 157
  specifying users to whom rules apply 166
  wildcards 149
content license 63

D
definitions 220
  about 97
  distributing to multiple servers 222
  licensing requirements 63, 218
  LiveUpdate Administration Utility, about 220
  updating 217
denial-of-service attacks 96, 102
deploy all settings 72
deploy changes 72
Detailed. See templates
dialers. See security risks
DirectX 33, 35, 40
discard changes 72
domains, specifying local 157
DOS wildcard expressions 154

E
Encrypted File Rule 104
Event Log
  about 197
  contents 199
  filtering contents 200
  viewing 198
Executable File Rule 170
executable files, detecting 155, 175
Executive Summary. See templates
expressions
  regular 150
  wildcard 154

F
features
  new and enhanced 16
  protecting and managing your server 20
filtering. See content filtering rules
formats, report output 202
FTP proxy server, LiveUpdate connection 218

G
Global Group 72

H
hack tools. See security risks
help 27
heuristic antispam. See antispam filtering
heuristics 97
Home page 54, 55, 216
HTML
  encoding 146
  report output format 202
HTTP proxy server, LiveUpdate connection 218
hyper-threaded processor 58

I
IIS (Internet Information Services) 51
impersonation 34, 51
inbound/outbound settings 157
installation
  before you install 29
  customizing remote server installation settings 40
  installation options 34
  installing on a cluster 45
  installing on a local server 35
  installing on a remote server 40
  installing the console only 43
  installing the SESA Agent 235
  post-installation tasks 50
  security and access permissions 32
  system requirements 33
  uninstalling 60
  upgrading 59
Intel Xeon processors 58
ISA server, registering Symantec Premium AntiSpam through 117
ISP proxy server, LiveUpdate connection 218
IWAM account 34, 51

J
joke programs. See security risks

L
languages 131
license
  activating 64
  content license 63
  expiration 64
  installing license files 68
  locating the serial number 65
  obtaining a license file 65
  renewing 69
  requirements 63
  software updates 63
  status 69
  Symantec Premium AntiSpam license 64, 67
  upgrading 64
list pane 54
literal string 149
LiveUpdate
  about 217
  distributing definitions to multiple servers 222
  licensing requirements 63
  updating definitions
    on demand 220
    scheduled 221
  using proxy servers 220
LiveUpdate Administration Utility 18, 220
local domains, specifying 157
local quarantine
  about 85
  establishing thresholds 87
  forwarding events to the Quarantine Server 86
  purging 93
  releasing messages
    by mail 90
    to file 92
  viewing contents 88
logs
  See also reports
  Event Log
    about 197
    contents 199
    filtering contents 200
  logging destinations 197
  Reports database
    about 198
    purging 201
    storing data 200
  SESA 198
  Windows Application Event Log 197

M
manual scans
  about 178
  configuring 180
  running 182
  viewing results 183
mass-mailer worms 96
match lists
  about 154
  pre-configured 155
MDAC 33, 35, 40
menu bar 53
messages
  See also risks
  See also scans
  archiving 24
metacharacters 151
Microsoft Certificate Services 2.0 51
Microsoft Excel 202
Microsoft IMF (Intelligent Message Filter) 111
migration 59
multimedia file type detection 172
multiserver console settings 59

N
notifications settings 188

O
Open Proxy list 116, 131
outbreak management
  about
  adding outbreak items to pre-configured match lists 193
  clearing 195
  configuring notifications 194
  configuring triggers 193
  defining an outbreak 190
  enabling 192
  triggers, about 191
outbreaks. See outbreak management

P
policies 21
post-installation tasks 50
premium antispam service. See Symantec Premium AntiSpam
preview pane 54
primary navigation bar 53, 54
Probe Network 115
processing limits 102
protection, server 217
proxy server
  LiveUpdate 220
  Symantec Premium AntiSpam 118

Q
Quarantine Server
  See also local quarantine
  about 86
  forwarding events to 86

R
Rapid Release
  about 217
  licensing requirements 63
  updating definitions
    on demand 220
    scheduled 221
RBL. See real-time blacklists
real-time blacklists 112, 113
regular expressions 150
regulatory requirements 24
remote access programs. See security risks
replacement variables 225
reports
  See also templates
  accessing 212
  creating or modifying 203, 208
  deleting 212, 215
  email notification limitations 203, 208
  generating on demand 211
  managing 211
  printing 214
  Reports page display information 212
  resetting statistics 216
  saving data 214
  viewing with third-party tools 202
Reports database
  about 198
  purging 201
  storing data 200
reputation service 131
resizing bars 54
risks
  See also security risks
  See also threats
  Bloodhound heuristics technology 97
  categories of 95
  configuring security risk detection 100
  configuring threat detection 98
  decomposing container files 97
  how risks are detected 97
  setting container file limits 102
RTF encoding 146

S
Safe list 116, 131
SAT (Store Action Threshold) 111
scan processes 58
scanning limits 102
scanning threads 58
scans
  auto-protect 178, 179
  background scanning 179
  blocking unscannable files 104
  manual 180
  notifying of violations 188
  scheduled 183
scheduled scans
  about 178
  configuring scan options 184
  creating 183
  deleting 187
  editing 184
  enabling 187
SCL (spam confidence level) values 110
screen resolution, recommended 30
security and access permissions 32
security risks
  See also risks
  about 96
  categories of 101
  configuring detection 100
serial numbers, licensing 65
server
  domain controller 34, 51
server groups
  See also servers
  adding servers 77
  applying definitions 222
  creating 76
  deleting 81
  deploying all settings 72
  deploying changes 72
  Global 72
  managing, about 74
  pushing out settings to servers 80
  restoring default settings 80
  server settings file location 72
  user-defined 72
  viewing settings 74
server protection 217
servers
  See also server groups
  adding to groups 77
  deploying changes 72
  importing and exporting settings 82
  managing, about 74
  modifying communication properties 83
  moving to another group 78
  removing from group management 81
  restoring default settings 80
  synchronizing settings 80
  viewing settings 74
  viewing the status 75
SESA
  about 198, 227
  configuring logging to 230
  configuring to recognize Symantec Mail Security 231, 232
  installing Agent 235
  Integration Wizard 231, 232
  uninstalling 236
  versions 228
settings, importing and exporting 82
sidebar 54
spam foldering 117
spam. See antispam filtering
spyware. See security risks
SSL (Secure Socket Layer) communications 51, 83
statistics, resetting 216
string, literal 149
Suspect list 116, 131
Symantec AntiVirus Corporate Edition
  email tools feature 30
  updating definitions 57, 218
Symantec Brightmail AntiSpam 30
Symantec Elite Enterprise Licensing program 70
Symantec Mail Security for Microsoft Exchange
  about 15
  accessing the console 52
  configuring Symantec AntiVirus on the same computer 57
  features 16, 20
  getting more information 27
  locating software components 30
Symantec Mail Security Reports folder 212
Symantec Premium AntiSpam
  See also antispam filtering
  about 114
  configuring 131
  configuring your proxy server 118
  how it works 115
  identifying languages 131
  methods for detecting spam 115
  Outlook plug-in 124
  processing spam 132
  registering through an ISA server 117
  reputation service 131
  scoring suspected spam 131
  spam folder agent 119
  spam foldering 117
  Symantec Probe Network 115
Symantec Spam Folder Agent for Exchange
  See also Symantec Premium AntiSpam
  See also Symantec Spam Plug-in for Outlook
  about 119
  creating a service account 120
  installing 122
Symantec Spam Plug-in for Outlook
  See also Symantec Premium AntiSpam
  See also Symantec Spam Folder Agent for Exchange
  about 124
  identifying languages 131
  installing 129
  modifying variables 125
  toolbar elements 125
system requirements 33

T
templates
  about 201
  creating or modifying 203, 208
  deleting 211
  Detailed 202
  output formats 202
  Summary 202
threats
  See also risks
  Bloodhound technology 98
  configuring detection 98
  detecting mass-mailer infected messages 98
  types detected 95
toolbar 53
trackware. See security risks
Trojan horses 95

U
Unfiltered Recipients list 113
uninstalling
  SESA 236
  Symantec Mail Security for Microsoft Exchange 60
Unrepairable Virus Rule 99
Unscannable File Rule 104
updates. See definitions
upgrade product version 59

V
variables, replacement 225
Veritas cluster server 50
virus
  See also risks
  Basic Virus Rule 99
  configuring detection 98
  detecting mass-mailer viruses 98
  enabling detection 98
  how Symantec Mail Security detects 97
  logging detections 197
  modifying virus policies 99
  quarantining 85
  setting Bloodhound detection level 98
  Unrepairable Virus Rule 99
  updating protection against 217
virus definitions. See definitions

W
whitelists 113
wildcard expressions, DOS 154
Windows Application Event Log
  about 197
  viewing contents of in Symantec Mail Security 198
worms 95