Page 1: Copyright © 2004 ESET · ESET 1317 Ynez Place, Suite CD Coronado, CA 92 118 U.S.A. Website: Phone: +1 (619) 437 7037. NOD32 for MS Exchange Server 2.0 NOD32 for MS Exchange Server

Copyright © 2004 ESET

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without a prior written agreement.

ESET reserves the right to change any of the described application modules without prior notice.

Certain names of program products and company names used in this document might be registered trademarks or trademarks owned by other companies.

ESET
1317 Ynez Place, Suite CD
Coronado, CA 92 118
U.S.A.

Website: www.eset.com
Phone: +1 (619) 437 7037


NOD32 for MS Exchange Server 2.0

NOD32 for MS Exchange Server 2.0 is a brand new NOD32 antivirus version designed for scanning e-mail traffic routed by the MS Exchange Servers.

The major differences between the NOD32 and the NOD32 for MS Exchange Server include a new module designed specifically for MS Exchange Servers called XMON and the absence of IMON and EMON modules.

This document describes the XMON module. Before reading this document, please read the NOD32 user's guide first.

The XMON module communicates with the MS Exchange Server via its antivirus interface VSAPI and checks all the e-mail messages stored on and routed through the MS Exchange server. XMON runs on MS Exchange Server 5.5 Service Pack 3 and higher, MS Exchange Server 2000 Service Pack 1 and higher and MS Exchange Server 2003.

XMON scans e-mail messages stored in the MS Exchange Server storage. This storage is placed on the server file system as a single file, and using non-standard settings in AMON (on-access scanner) running on the same server might lead to a collision between XMON and AMON. To avoid the collision, make sure that the AMON module is not set to scan all files. If you have set AMON to scan all files (not recommended), exclude the following two directories from scanning:

%ProgramFiles%\exchsrvr\mdbdata\

%ProgramFiles%\exchsrvr\mtadata\

It is not recommended to set the default settings for infected files to “rename” while using the option to scan all files. All infected files would be rechecked at each scan and further renamed. The consequent renaming would slow down your computer.


Installation

If you are running any previous version of the NOD32 for Exchange Server, please uninstall it before the installation of the NOD32 for Exchange Server 2.0.

The installation wizard will help you to install the NOD32 for MS Exchange Server. Please follow the on-screen instructions.

If you want to install XMON, check the Activate antivirus protection for MS Exchange Server checkbox. To activate the XMON service, you need to locate and select the license file provided upon purchase of the XMON license. Use the Browse button to locate the license file.

This screen is present in all installation scenarios.


XMON

The main window

To open the XMON main window, click on the XMON icon in the Control Center window. If the XMON is displayed in grey color, the MS Exchange Server is not present on the local computer or the MS Exchange server version is not supported by XMON. If the XMON is displayed in red color, the XMON module is not active. To activate the XMON, check the Activate Control checkbox.

The main XMON window shows the number of scanned, infected and cleaned files (a file is each e-mail message and its attachments). The main window also displays the virus database version (with the date of the last update in the parentheses) and MS Exchange version running on the local server.

Active control – check box for XMON activation. To activate the XMON, mark the checkbox. To disable it, uncheck it. Before XMON deactivation you will be requested to confirm its shutdown. If you really want to turn off XMON, press Yes.

The MS Exchange server checks the settings of the XMON module each minute, so the new XMON settings come into effect after a few seconds. Turning XMON on and off will take about a minute to take effect.

Settings – enables you to alter the default XMON settings

Run NOD32 – activates the NOD32 on-demand scanner


XMON Setting

The left part of the XMON Settings window shows nine possible setting areas of XMON. The setting parameters in each setting area are shown in the right part of the window. The MS Exchange server checks the settings of the XMON module each minute, so the new XMON settings come into effect after a few seconds.

The Scanner page shows the following properties:

Background scanning – if checked, all the messages handled by the Exchange server are scanned in the background. XMON keeps track of what messages it scanned and the version of virus database it used. If you are opening a message not scanned by the most current virus database, XMON scans it before opening it in your e-mail client. The background testing will save you time when opening messages from the Exchange server, because upon opening the message it is already scanned.

Proactive scanning – new inbound messages are scanned in the order they are received. If this checkbox is marked and a user opens a message that has not been scanned yet, this message is scanned before the other messages waiting in the scanning queue.

Scan plain text message bodies – enables scanning plain text messages

Scan RTF message bodies – enables scanning RTF message bodies. The RTF message bodies may contain macro-viruses.

Verify file size – When checked, XMON determines the precise size of file attachments in e-mail messages going through the Exchange server and does not rely on the file size provided by the Exchange server. The Exchange server provides only an approximate attachment size for encoded messages. Determination of the precise attachment size may slow down the scanning process, but raises the virus detection precision.

Scan transported messages – When checked, XMON scans also messages that are not stored on the local MS Exchange server and are delivered to other e-mail servers through the local Exchange server.

Repeat scanning button – By clicking the Repeat scanning button all the messages stored on the local MS Exchange server are scanned again. Upon each virus database update the XMON scans all the messages stored on the Exchange server again as well.


Default button – By clicking the Default button, all the properties on Scanner page are set to default.

When clicking the Default button, a confirmation window will allow you to confirm or reject your selection. By clicking Yes, you will activate the default settings.

The Detection page contains the following settings:

Signatures – when checked, XMON uses the signature based virus detection

Heuristics – when checked, XMON uses heuristic method based virus detection

Advanced Heuristics – when checked, XMON uses Advanced Heuristics based virus detection. Advanced Heuristics is a unique set of heuristic methods capable of detecting the most dangerous internet worms.

To get the best virus detection results, use all three above mentioned virus detection methods.

The Heuristics level settings enable you to set the extent of using the NOD32 heuristics method in virus detection. It is recommended to use the Standard level of heuristics, because selecting the Deep heuristics may cause false positive alarms.

The Targets settings let you select the types of attachments that should be scanned. When scanning archives the scanning procedure is more time consuming, because the archive must be opened for scanning.


The Extensions page enables you to set which file types should be included in virus scanning. It is recommended to use the default settings and let XMON scan all the possibly dangerous file types. Adding new file types into the scanning process may decrease the scanning rate.

Scan all files – when this check box is marked, XMON will scan all file types found in message attachments. The file types list will show file types excluded from scanning.

Extensions included in scanning – this list shows the file types included in the virus scanning. You can use wild cards such as “?” and “*” to define file extensions of files that should be scanned.

Add button – enables you to add a new file extension to the file extension list

Remove button – removes the selected file extension from the list

Default button – restores the default extension list setting

Scan extension-less files – adds scanning files without extensions

To add a new extension use alphanumerical characters and wildcards such as “?” and “*”. To add an extension, click OK.


The Actions page lets you select what actions should be taken upon virus detection. When scanning archives is enabled, the Actions page shows what action should be taken upon virus detection in files and various archive types.

The When virus is found settings let you choose what action should be taken upon virus detection. When the scan archives option in the Targets section is activated, this pane contains separate settings for archives and files.

Clean – XMON attempts to clean the virus from the infected file. When the attempt fails, the action selected in the When virus cannot be cleaned settings is executed.

No action, mark as infected – when selected the Exchange server is notified about the infection and the user cannot open the infected message attachment.

Rename attachment/ delete message – XMON changes the attachment extension, so that it cannot be opened or run. If the message body contains a virus, the message will be deleted.

Delete – XMON deletes the infected message, or the attachment if only the attachment is infected. The deletion process can be adjusted in the Deleting setting page.

Quarantine – when checked, the infected messages will be stored in Quarantine. Messages stored in Quarantine can be scanned again using a newer virus database if possible for precise virus detection.

The When virus cannot be cleaned settings let you select what action should be taken when an attempt to clean an infected message fails. Some of the infections cannot be cleaned, because the XMON does not have a cleaning procedure for them.


The Rules settings let you select a default action for handling specified file types listed in this list. If there is more than one rule for a single file type, the first rule in the list is applied. The actions listed in this list are executed prior to virus scanning.

Add button – enables you to add a new rule.

Modify button – modifies the selected rule

Remove button – removes the selected rule

Move up – moves up the selected rule and increases its priority

Move down – moves down the selected rule and decreases its priority


Sender of message – the rule applies to a message sent by the selected sender.

Subject of message – the rule applies to a message with the selected subject line

The string in the two above mentioned fields is used as a substring for searching the matching messages, so that you do not have to know the whole subject line or e-mail address. When using other than alphanumerical characters, use parentheses and quotes. You can also create conditions using logical operators AND, OR, NOT.

File name mask – File name mask enables you to select a certain file selection using a mask created from alphanumerical characters and wildcards “?” and “*”. To use more than one mask, separate them by a comma.

The Action section lets you select what actions should be taken upon match with the above mentioned search criteria.

Scan for viruses as … – XMON will scan for viruses as if the file attachment was one of the selected file types.

No action – XMON declares the message to be clean

Rename attachment/ delete message – XMON alters the file extension so that it cannot be opened or run.

Delete – XMON deletes the selected message

Mark as infected – XMON marks the selected message as infected

Quarantine – The selected message will be stored in Quarantine

Description – Rule description used in the Exchange server log when the rule is applied
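
The first-rule-wins ordering, substring fields and comma-separated masks described above, modelled in Python as an added example; this is not ESET code and not part of the original manual. Case-insensitive matching is assumed, the AND/OR/NOT operators are not modelled, and the Rule class, the sample rules and the shadowed() audit are hypothetical.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:                     # hypothetical model of one entry in the Rules list
    description: str            # "Description" field, written to the log
    action: str                 # one of the actions listed on the page
    masks: str = "*"            # "File name mask": comma-separated, ? and * wildcards
    sender: str = ""            # substring of the sender address ("" matches any)
    subject: str = ""           # substring of the subject line ("" matches any)

def split_masks(masks):
    return [m.strip() for m in masks.split(",") if m.strip()]

def mask_matches(mask, filename):
    # Only "?" and "*" are wildcards; case-insensitivity is an assumption here.
    pattern = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                      for c in mask)
    return re.fullmatch(pattern, filename, re.IGNORECASE) is not None

def rule_matches(rule, sender, subject, filename):
    return (rule.sender.lower() in sender.lower()
            and rule.subject.lower() in subject.lower()
            and any(mask_matches(m, filename) for m in split_masks(rule.masks)))

def first_match(rules, sender, subject, filename):
    """The first rule in list order that matches is the one applied."""
    for rule in rules:
        if rule_matches(rule, sender, subject, filename):
            return rule
    return None

def shadowed(rules):
    """Heuristic audit: rules whose own probe attachments are all claimed earlier."""
    hidden = []
    for rule in rules:
        probes = [m.replace("?", "a").replace("*", "x") for m in split_masks(rule.masks)]
        winners = {first_match(rules, rule.sender, rule.subject, p).description for p in probes}
        if rule.description not in winners:
            hidden.append(rule.description)
    return hidden

# Constructed sample rule list, in priority order (top first).
RULES = [
    Rule("Internal office documents", "No action", "*.doc, *.xls", sender="@example.com"),
    Rule("Block executables", "Delete", "*.exe, *.scr, *.pif"),
    Rule("Quarantine invoice lures", "Quarantine", "invoice*.scr", subject="invoice"),
]
# "Move up" on the third rule puts it ahead of the broader executable rule.
REORDERED = [RULES[0], RULES[2], RULES[1]]

if __name__ == "__main__":
    for rules in (RULES, REORDERED):
        print(first_match(rules, "billing@example.net", "Invoice 4411", "invoice_4411.scr").action, shadowed(rules))
```

A rule reported by shadowed() never wins for the attachments its own masks describe, so its position in the list is worth reviewing with Move up and Move down.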


The Deleting page lets you select what action should be taken when a message is selected for deletion.

The When deleting message settings let you select what actions should be taken when the whole message is marked for deletion.

Delete message body – XMON deletes the body of the infected message. The recipient will receive the message header and non-infected attachments

Overwrite message body with virus protocol – XMON overwrites the message body with a virus protocol or a rule description.

Delete whole message – XMON deletes the whole message including all attachments

The When deleting attachments settings let you select what action should be taken when a message is marked for deletion.

Truncate file to zero size – XMON truncates the attachment to zero size and lets the recipient see the attachment file name.

Replace file with virus protocol – XMON replaces the infected file with a virus protocol or rule description

Delete whole message – XMON deletes the whole message along with all its attachments


The Performance page lets you select performance parameters for XMON.

Number of threads – this parameter lets you select how many threads should be used for virus scanning. More threads on multiprocessor machines can increase the scanning rate. Microsoft recommends using the following formula to determine the number of threads used: Number of physical processors times 2 plus 1 = number of threads used.

Time limit (for Exchange 5.5) – sets the time interval for running the virus scanner

Time limit (for Exchange 2000 and 2003) – a time limit for scanning an individual file


The Protocol settings page lets you select how the virus scanning protocol/log should be assembled.

Log all files – when checked, all scanned files are listed in the scanning log, including non-infected files

Synchronous logging – when checked, all the log entries are immediately written into the log file without storing them in the log cache

Scope – This setting lets you select the scope of logging activities. The more detailed the scope, the more activities are written into the log file

Log server version – when checked, XMON writes the server version into the log file

Log license – when checked, XMON writes the XMON license into the log file

Log rules – when checked, XMON writes the list of currently enabled rules into the log file

The License page lets you view details of the currently used XMON license.

Update button – opens a file selection dialogue box for selecting a new license key.
