
MSME7 6 Product Guide

Date post: 24-Apr-2015
Upload: laljeevm
Product Guide McAfee Security for Microsoft Exchange 7.6.0 Software

Product Guide

McAfee Security for Microsoft Exchange 7.6.0 Software


COPYRIGHT

Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
    About this guide
        Audience
        Conventions
        What's in this guide
    Finding product documentation

1 Introducing McAfee Security for Microsoft Exchange
    Overview
    Features
    Why McAfee Security for Microsoft Exchange
        Threats to your organization
        Policies to handle threats
    How McAfee Security for Microsoft Exchange protects the Exchange Server

2 Dashboard
    Launching the dashboard
    Statistical information of detected items
        Product versions and updates
        Detections report
    On-demand scan and its views
        Viewing On-demand scan tasks
        Creating an on-demand scan task
    Status reports
        Scheduling a new status report
    Configuration reports
        Scheduling a new configuration report
    Graphical reports
        Viewing graphical reports

3 Detected Items
    Detection types
    Viewing detected items
    Search filters
    View results

4 Policy Manager
    Inheritance and advanced views
    Subpolicies
        Creating subpolicies
    Setting policies
        Listing all the scanners
        Creating a new rule for a specific user
    Core scanners and filters
        Configuring scanner settings
        Filter settings for a policy
    Alert settings and disclaimer text
        Miscellaneous settings for a policy
    Creating a new alert
    Enabling Product Health Alerts
    Shared Resource
        Configuring the shared scanners, filters, and alert settings
        Configuring filter rules and time slots

5 Settings and Diagnostics
    On-Access settings
        Configuring On-Access settings for Exchange Server 2003
        Configuring On-Access settings for Exchange Server 2007 or 2010
    Configuring Mailbox Exclusion settings
    Notifications settings
        Configuring notifications
    Configuring Anti Spam settings
    Detected Items settings
        Configuring detected items
    User Interface Preferences settings
        Configuring the user interface
    Diagnostics settings
        Configuring diagnostics settings
    Product Log settings
        Using Product Log
    DAT settings
        Configuring DAT settings
    Import and Export Configuration settings
        Exporting the existing configuration
        Importing a configuration
        Importing a Site List
        Importing and exporting of blacklists and whitelists
    Proxy Settings
        Configuring Proxy Settings

6 Frequently Asked Questions

A Appendix A — Using file filtering rule and actions in a real-time scenario

B Appendix B — Using the McAfee Security for Microsoft Exchange Access Control

C Appendix C — SiteList Editor
    Configuring repositories and proxy settings
    Adding a repository
    Specifying proxy settings

Index


Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents

• About this guide

• Finding product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions

This guide uses the following typographical conventions and icons.

• Book title or Emphasis — Title of a book, chapter, or topic; introduction of a new term; emphasis.

• Bold — Text that is strongly emphasized.

• User input or Path — Commands and other text that the user types; the path of a folder or program.

• Code — A code sample.

• User interface — Words in the user interface including options, menus, buttons, and dialog boxes.

• Hypertext blue — A live link to a topic or to a website.

• Note — Additional information, like an alternate method of accessing an option.

• Tip — Suggestions and recommendations.

• Important/Caution — Valuable advice to protect your computer system, software installation, network, business, or data.

• Warning — Critical advice to prevent bodily harm when using a hardware product.


What's in this guide

This guide is organized to help you find the information you need.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access... — Do this...

• User documentation:

    1 Click Product Documentation.

    2 Select a Product, then select a Version.

    3 Select a product document.

• KnowledgeBase:

    • Click Search the KnowledgeBase for answers to your product questions.

    • Click Browse the KnowledgeBase for articles listed by product and version.


1 Introducing McAfee Security for Microsoft Exchange

McAfee Security for Microsoft Exchange uses advanced heuristics against viruses, unwanted content, potentially unwanted programs, and banned file types or messages.

McAfee Security for Microsoft Exchange protects your Microsoft Exchange server from various threats that could adversely affect the computers, network, or employees. It also scans:

• Subject line and body of the email messages

• Email attachments (based on file type, file name, and file size)

• Text within the email attachments

The software also includes the McAfee Anti-Spam add-on component that protects your users from spam and phishing emails. McAfee Security for Microsoft Exchange uses PostgreSQL 8.4.7 with this release, which runs under the SYSTEM account.

Contents

• Overview

• Features

• Why McAfee Security for Microsoft Exchange

• How McAfee Security for Microsoft Exchange protects the Exchange Server

Overview

McAfee Security for Microsoft Exchange has an increased protection profile to provide the best protection for your Microsoft Exchange servers.

• Global Threat Intelligence — A global threat correlation engine and intelligence base of global messaging and communication behavior that significantly increases spam detection. It is an always-on, real-time protection that safeguards and secures you from emerging threats. Global Threat Intelligence prevents damage and data theft even before a signature update is available. It provides the most up-to-date malware detection for a number of Windows-based McAfee anti-virus products.

• McAfee Stack Upgrade — The latest McAfee Agent and engine for the highest level of protection.

• Single product support — McAfee Security for Microsoft Exchange 7.6 supports Microsoft Exchange versions 2003, 2007, and 2010 (see System requirements in the Installation guide for more details). Installation and configuration have been simplified and include customized silent installs, installing only the components needed on the particular server role, and two built-in configuration profiles.


Features

The main features of McAfee Security for Microsoft Exchange are described in this section.

• Protection from viruses — Scans all email messages for viruses and protects your Exchange server by intercepting, cleaning, and deleting the viruses that it detects. McAfee Security for Microsoft Exchange uses advanced heuristic methods and identifies unknown viruses or suspected virus-like items and blocks them.

• Protection from spam — Helps you save bandwidth and the storage space required by your Exchange servers by assigning a spam score to each email message as it is scanned and by taking pre-configured actions on those messages.

• Protection from phishing — Detects phishing emails that fraudulently try to obtain your personal information.

• Capability to detect packers and potentially unwanted programs — Detects packers that compress and encrypt the original code of an executable file. It also detects potentially unwanted programs (PUPs) that are software programs written by legitimate companies to alter the security state or privacy state of a computer.

• Content filtering — Scans content and text in the subject line or body of an email message and an email attachment. McAfee Security for Microsoft Exchange supports content filtering based on regular expressions (regex).

• File filtering — Scans an email attachment depending on its file name, type, and size of the attachment. McAfee Security for Microsoft Exchange can also filter files containing encrypted, corrupted, password-protected, and digitally signed content.

• Background scanning — Facilitates scanning of all files in the information store. You can schedule background scanning to periodically scan a selected set of messages with the latest engine updates and scanning configurations. In McAfee Security for Microsoft Exchange, you can exclude mailboxes that you don't want to be scanned.

• Product Health Alerts — These are notifications on the current status of the product's health. You can configure and schedule these alerts.

• Integration with McAfee ePolicy Orchestrator 4.5 or 4.6 — Integrates with ePolicy Orchestrator 4.5 or 4.6 to provide a centralized method for administering and updating McAfee Security for Microsoft Exchange across your Exchange servers. This reduces the complexity of, and the time required to, administer and update various systems.

• Web-based user interface — Provides a user-friendly web-based interface based on DHTML.

• Policy Management — The Policy Manager menu option in the product user interface lists different policies you can set up and manage in McAfee Security for Microsoft Exchange.

• Centralized scanner, filter rules, and enhanced alert settings — Using scanners, you can configure settings that a policy can apply when scanning items. Using File Filtering rules, you can set up rules that apply to a file name, file type, and file size.

• On-demand/time-based scanning and actions — Scans email messages at convenient times or at regular intervals.

• Multipurpose Internet Mail Extensions (MIME) scanning — A communications standard that enables you to transfer non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters.

• Quarantine management — You can specify the local database to be used as a repository for quarantining infected email messages. You can choose to store quarantined messages on your own server running McAfee Quarantine Manager, which is called the Off-box quarantine.


• Auto-update of virus definitions, extra DATs, anti-virus and anti-spam engine — Regularly provides updated DAT files, anti-virus scanning engine, and anti-spam engine to detect and clean the latest threats.

• Retention and purging of old DATs — Retain old DAT files for periods you define or purge them as needed.

• Support for Site List editor — Specify a location from which to download automatic updates for McAfee Security for Microsoft Exchange.

• Support for Small Business Server — McAfee Security for Microsoft Exchange is compatible with Small Business Servers.

• Detection reports — Generates status reports and graphical reports that enable you to view information about detected items.

• Configuration reports — Summarizes product configuration such as information about the server, version, license status and type, product, debug logging, on-access setting, on-access policies, and gateway policies. You can specify when your server sends the configuration report to the administrator.

• Denial-of-service attacks detection — Detects additional requests or attacks flooding and interrupting the regular traffic on a network. A denial-of-service attack overwhelms its target with false connection requests, so that the target ignores legitimate requests.

Why McAfee Security for Microsoft Exchange

Your organization is vulnerable to many threats that can affect its reputation, employees, computers, and networks.

• The reputation of an organization can be affected by the loss of confidential information or through an abuse that can lead to legal action.

• Electronic distractions and unrestricted use of email and the Internet can affect the productivity of employees.

• Viruses and other potentially unwanted software can damage computers, making them unusable.

• Uncontrolled use of various types of files on your networks can cause performance problems for your entire organization.

Threats to your organization

This section briefly describes various threats that could affect an organization.

Type of threat — Description

• Reputation of a company — An unguarded or ill-informed remark by an employee might cause legal problems, unless it is covered by a disclaimer.

• Spam (unsolicited email) — Unsolicited commercial email messages are the electronic equivalent of spam or junk mail. Often they contain advertisements that are not expected by the recipients. Although it is more of a nuisance than a threat, spam can degrade the performance of your network.

• Large email messages — Large email messages or messages that contain numerous attachments can slow down the performance of email servers.

• Mass-mailer viruses — Although they can be cleaned like any other virus, they can spread rapidly and quickly degrade the performance of your network.

• Email messages from unwanted sources — Disgruntled ex-employees and unscrupulous individuals who know the email addresses of your employees can cause distress and distraction by sending unwanted emails.

• Non-business use of email — If most employees use recipient email addresses not within their organization, such emails are likely to be for personal or non-business use.

• Loss of company-confidential information — Employees might disclose confidential information related to unreleased products, customers or partners.

• Offensive language — Offensive words or phrases can appear in email messages and attachments. Besides causing offense, they can provoke legal action too.

• Transfer of "entertainment" files — Large video or audio files intended for entertainment might reduce your network performance.

• Inefficient file types — Some files use large amounts of memory and can be slow to transfer, but alternatives are often available. For example, GIF and JPEG files are much smaller than their equivalent BMP files.

• Transfer of large files — Transferring large files can reduce your network performance.

• Denial-of-service attack — A deliberate surge of large files can seriously affect the performance of your network, making it unusable to its legitimate users.

• Pornographic text — Vulgar language or terms must not be used in emails.

• Viruses and other potentially unwanted software — Viruses and other potentially unwanted software can quickly make computers and data unusable.

• Corrupt content / encrypted content — This type of content cannot be scanned. Appropriate policies must be specified to handle it.

Policies to handle threats

You can apply an existing read-only policy (known as a Master Policy) to your entire organization, or create other policies based on the Master Policy to suit specific needs of any part of your organization.

Default policies

McAfee Security for Microsoft Exchange helps you mitigate electronic threats with special sets of rules and settings called policies that you can create to suit your organization.

When first installed, McAfee Security for Microsoft Exchange contains the following default policies:

• On-Access

• On-Demand (Default)

• On-Demand (Find Viruses)

• On-Demand (Remove Viruses)

• On-Demand (Find Banned Content)

• On-Demand (Remove Banned Content)

• On-Demand (Full Scan)

• Gateway

You can customize these policies to handle specific threats to your organization precisely. To learn more about setting policies, see Policy Manager.

What is a Master Policy?

Master policies describe how items are scanned for viruses, how files are filtered, and various other settings in different circumstances. These policies can apply to the whole organization.

From these policies, you can create additional policies as needed to apply to groups of users or domains.


As you create further policies, each additional policy records whether any of its current settings are inherited from the Master Policy. A change to the Master Policy (such as an increased level of anti-virus protection or a new file filtering rule) is instantly propagated to other policies too. The Master Policy also indicates how many other policies have inherited its settings.

Where does a policy apply?

The Master Policy applies to all users within an organization. However, you can create additional policies in case you need exceptions to the Master Policy to suit any geographical areas, functions, mailboxes, domains, or departments within your organization. In McAfee Security for Microsoft Exchange, the general term for such additional policies is a policy group.

How McAfee Security for Microsoft Exchange protects the Exchange Server

McAfee Security for Microsoft Exchange accesses all email messages that are read from and written to the mailbox by your Exchange server.

Protecting your Microsoft Exchange server

McAfee Security for Microsoft Exchange uses the virus scanning interface of your Exchange server to gain full access to all email messages that are being read from, and written to, the mailbox of the Exchange server.

• The anti-virus scanning engine compares the email message with all the known virus signatures stored in the DATs.

• The content management engine scans the email message for banned content as specified in the content management policies in McAfee Security for Microsoft Exchange.

If these checks find any viruses or banned content within the email message, McAfee Security for Microsoft Exchange takes the specified action. If no items are detected, McAfee Security for Microsoft Exchange passes the information back to the virus-scanning interface to complete the original message request within Microsoft Exchange.

Real-time detection

The McAfee Security for Microsoft Exchange software integrates with your Exchange server and works in real-time to detect and delete viruses or other harmful or unwanted code. It also helps you maintain a virus-free environment by scanning the databases on your Exchange server. Each time an email message is sent to or received from a source, McAfee Security for Microsoft Exchange scans the email message to compare it with a list of known viruses and suspected virus-like behavior and intercepts and cleans the infected file before it spreads. It can also scan content within the email message (and its attachments), using rules and policies defined in the software.


Scanning of email messages

• The anti-spam, anti-virus, and the content management engines scan the email messages and provide the result to McAfee Security for Microsoft Exchange before the content is written to the file system or read by the Microsoft Exchange users.

• The anti-virus and the anti-spam scanning engines compare the email message with all the known signatures stored in the currently installed virus definition files (DATs) and anti-spam rules. The anti-virus engine also scans the message using selected heuristic detection methods.

• The content management engine scans the email message for banned content as specified in the content management policies running within the software. If there are no viruses, banned/unwanted content in the email message, McAfee Security for Microsoft Exchange passes the information back to Microsoft Exchange. In case of a detection, McAfee Security for Microsoft Exchange takes actions as defined within its configuration settings.

How scanning works

• Central to your McAfee Security for Microsoft Exchange are the scanning engine and DAT files. The engine is a complex data analyzer. The DAT files contain a great deal of information including thousands of different drivers, each of which contains detailed instructions on how to identify a virus or a type of virus.

• The scanning engine works with the DAT files. It identifies the type of the item being scanned and decodes the content of that object to understand what the item is. It then uses the information in the DAT files to search and locate known viruses. Each virus has a distinctive signature. There is a sequence of characters unique to a virus and the engine searches for that signature. The engine uses a technique called heuristic analysis to search for unknown viruses. This involves analyzing the object's program code and searching for distinctive features typically found in viruses.

• Once the engine has confirmed the identity of a virus, it cleans the object to the extent possible. For example, it removes an infected macro from an attachment or deletes the virus code in an executable file.

What and when to scan?

• The threat from viruses can come from many directions such as infected macros, shared program files, files shared across a network, email messages and attachments, floppy disks, files downloaded from the Internet, and so on. Individual McAfee Security anti-virus software products target specific areas of vulnerability. We recommend a multi-tiered approach to provide the full range of virus detection, security, and cleaning capabilities that you require.

• McAfee Security for Microsoft Exchange provides a range of options that you can further configure according to the demands of your system. These demands will vary depending on when and how the component parts of your system operate and how they interact with each other and with the outside world, particularly through emails and Internet access.

• You can configure or enable various actions that allow you to determine how your McAfee Security for Microsoft Exchange should deal with different items and what actions it should take on detected or suspicious items.


2 Dashboard

It is important for the administrators to know how well their server is being protected from spam, phish, viruses, potentially unwanted programs, and unwanted content.

The user interface provides critical functions for Microsoft Exchange administrators.

The dashboard in McAfee Security for Microsoft Exchange provides information about statistics, products installed including engine and DAT files, name, version and patch information for the product, server protection status, license agreement, scanned items and most common hoaxes.

Contents

• Launching the dashboard

• Statistical information of detected items

• On-demand scan and its views

• Status reports

• Configuration reports

• Graphical reports

Launching the dashboard

To launch McAfee Security for Microsoft Exchange user interface, navigate to Product Configuration from the Start button.

You can also double-click the program shortcut on the desktop to launch McAfee Security for Microsoft Exchange.


The McAfee Security for Microsoft Exchange dashboard is divided into two panes:

• The left pane has links to Dashboard, Detected Items, Policy Manager and Settings & Diagnostics that you can administer.

• The right pane displays information corresponding to the item you select in the left pane.

Figure 2-1 McAfee Security for Microsoft Exchange - Dashboard

Statistical information of detected items

The Statistics tab provides information on spam, phish, viruses, potentially unwanted programs, banned file or content detections in emails, and documents filtered by McAfee Security for Microsoft Exchange.

The reported numbers indicate the number of emails and documents that trigger any of the detection methods. For example, if an email contains two viruses, statistics for viruses would be incremented by one and not two. Reporting statistics are based on email messages rather than individual files or detections, which is more intuitive in a mail server environment.

The Spam and Phish statistics are available only if you have installed and activated the McAfee Anti-Spam add-on component.

The items displayed are:

• Clean

• Spam

• Phish

• Viruses

• Potentially Unwanted Programs

• Banned File types/Messages

• Unwanted Content


From the Graph section, you can select one of the options from the drop-down list:

• Spam Summary — View spam statistics and graph.

• Phish Summary — View phish statistics and graph.

• <Select Detections> — Select the counters in the Detections section by clicking on the icon of an item. This enables you to view the statistics and graph of the selected counters.

You can use:

• Magnify Graph — Specify the magnification percentage of the Detections graph. This helps you view an enlarged graph.

• Time range — Specify for which time period you would like to review statistics. The options are Last 24 Hours, Last 7 Days, and Last 30 Days.

• — View statistics as a bar graph.

• — View statistics as a pie chart.

• and — Determine which statistics counters are displayed on the bar graph or pie chart. To add a counter click . To remove a counter, click . If the buttons do not appear, a specific graph type has been selected. You can re-activate the buttons by selecting Graph.

• Reset — Reset the statistics of detected items.

From the Scanning section, you can monitor:

• The average time taken to scan an email message (in milliseconds).

• Total number of email messages scanned since the statistic counters were reset.

Product versions and updates

The Versions & Updates section provides information on the product version, hotfix, service pack, buffer overflow protection (enabled or disabled), product description, license type and expiry date, engine version, and DAT version (including regular DAT, Extra.DAT).

Update Information

This tab provides information about anti-virus DAT, anti-virus engine, extra drivers, anti-spam engine version, their status and when they were last updated.

McAfee Security for Microsoft Exchange uses the McAfee update website to automatically update its anti-virus DAT, engine and rules on a daily basis. If McAfee Security for Microsoft Exchange is managed by ePolicy Orchestrator, there is no need to update the product from the dashboard. You can update the anti-virus DATs, anti-virus engine, and anti-spam engine through an AutoUpdate task using the ePolicy Orchestrator server.

1 Click Edit Schedule to display the Edit Schedule page, where you set the update schedule frequency.

2 Click Show Status. The Task Status page appears, where you can view the status of an update task. The page displays the name of the task, when it started, time required to finish the task, when the scheduled task was completed or if the task is in progress.

Click Update Now to update McAfee Security for Microsoft Exchange to the latest DAT, engine, extra drivers, and anti-spam engine version immediately.


• Anti-virus DATs, engine, and extra drivers versions are always shown in the dashboard.

• If the McAfee Anti-Spam add-on component is installed, version information for anti-spam rules and engine is displayed.

Product Information

This tab provides information on the product name and the product version. It provides information on service packs or hotfixes that are installed. It also provides information on the presence of the McAfee Anti-Spam add-on component.

For anti-spam and anti-phish functionality, you must install the McAfee Anti-Spam add-on component. For more information on installing the McAfee Anti-Spam Add-On, see the McAfee Security for Microsoft Exchange v7.6 - Installation Guide.

Licenses

This tab provides information on the type of license being used for McAfee Security for Microsoft Exchange, when it expires, and the number of days until it expires.

It also shows license information of the McAfee Anti-Spam add-on component if you have installed/activated it.

Detections report

The Reports section provides information on the scanned items, posted virus descriptions, and the top hoaxes.

Recently Scanned Items

This tab displays information about items recently scanned by McAfee Security for Microsoft Exchange. The following columns are displayed.

Table 2-1 Columns for Recently Scanned Items

Column | Description
Date/Time | Date and time when the most recent scan was executed.
Sender | Email addresses of the senders of the items that were scanned.
Recipients | Email addresses of recipients of scanned items.
Subject | Subject line of scanned emails.
Action Taken | What action was taken on scanned items.
Filename | The name of a quarantined file.
Detection Name | The name of a detection. For example, the name of a virus.
Task | The task associated with a particular detection.
Reasons | A rule or rules that were triggered by a particular email.
Scanned By | The policy setting used to scan items.
Policy Name | The name of the policy that triggered a detection.
Reputation Score | The authenticity level of the source of the email based on up-to-date information available pertaining to a particular source.
Reason | The reason why the email was quarantined (quarantine queue type).

— Indicates that the item is clean.


— Indicates that the item triggered one of the scanners or filters.

You can hover the cursor on to see which scanner or filter was triggered. If the item triggers several scanners or filters, only the highest priority detection is shown.

On-demand scan and its views

On-demand scanning is a method for scanning emails at convenient times or regular intervals.

You can schedule regular scan operations when the server activities are comparatively low and when they do not interfere with your work.

McAfee Security for Microsoft Exchange enables you to create scheduled on-demand scans. You can create multiple schedules, each running automatically at predetermined intervals or times.

You might want to perform an on-demand scan for a number of reasons, for example:

• To check a specific file or files that have been uploaded or published.

• To check that the messages within your Microsoft Exchange server are virus-free, possibly following a DAT update, so that new viruses can be detected.

• If you have detected and cleaned a virus and want to check that your computer is completely clean.

Settings and actions can be specified in on-demand policies, which can be found under Policy Manager. There are six sets of policies that can be used for an on-demand task. These are:

• On-Demand (Default) — The default settings for all scanners and filters.

• On-Demand (Find Viruses) — Anti-virus settings and filters. These policies provide an easy means to check the viral content in databases.

• On-Demand (Remove Viruses) — Anti-virus settings and filters. These policies provide an easy means to remove the viral content in databases.

• On-Demand (Find Banned Content) — Content scan settings. These policies are particularly useful if you want to see the effect of newly created/assigned content scan rules.

• On-Demand (Remove Banned Content) — Content scan settings. These policies are particularly useful if you want to see the effect of newly created/assigned content scan rules and remove banned content.

• On-Demand (Full Scan) — Settings for all scanners and filters. These policies are typically used for scanning at regular intervals.


Viewing On-demand scan tasks

Use this task to view a list of On-demand tasks configured for McAfee Security for Microsoft Exchange.

Task

1 Under Dashboard, click On-Demand Scans. The On-Demand Scans page appears listing the configured on-demand scan tasks.

2 Under Action, click the links to perform an action for the task.

The On-Demand Scan view contains the following columns of information for the on-demand scan schedules:

Table 2-2 Columns

Option | Definition
Name | Name of the scan task.
Status | Indicates whether the scan task is running or stopped.
Last Run | Indicates when the scan was last executed.
Next Run | Indicates when the scan is next scheduled to run.
Action | The action column contains links such as Modify, Delete, Run Now, Show Status, Stop that you can perform on the selected on-demand scan.
Modify | Click Modify to edit the on-demand scan task.
Delete | Deletes the selected on-demand scan task.
Run Now | Starts the selected on-demand scan task.
Show Status | Click Show Status for a running on-demand scan (this tab is visible after you click Run Now). The Task Status page appears with the General tab displaying the progress of the task. Click the Settings tab to view more details.
Stop | Stops the selected on-demand scan task that is running.

For instructions on creating an on-demand scan task, see the Creating an on-demand scan task section.

Creating an on-demand scan task

Use this task to schedule a scan at a convenient time and intervals.

You can create multiple schedules, each running automatically at predefined times or intervals.

Task

1 Click On-Demand Scans under Dashboard. The On-Demand Scans page appears.

2 Click New Scan to create a new on-demand scan task. The Choose when to scan page appears.

3 Specify when you want the scan to run, specify the duration of the scan, then click Next. The Choose what to scan page appears.

4 Specify which folders to scan and which folders to exclude from scanning, then click Next. The Configure scan settings page appears.


5 Click Next. The page appears.

a Select the policy from the type of Policy to use drop-down list.

b Select Resumable Scanning, if you want to resume a scan from the point where it was stopped.

If the Restart from last item option is selected, you can start a task at any time and resume scanning from where it last stopped. For example, when scanning multiple folders, if the scan stops and is resumed, it resumes scanning the folder from where it stopped last.

6 Click Next. Type a name for the on-demand task.

7 Click Finish to complete the process of creating an on-demand scan task.

Status reports

A status report is a scheduled report sent to an administrator at a specific time. The report contains detection statistics within that specified time frame.

You can choose a time, recipient email address or distribution list to send the report to, and a subject for the email. Reports are sent in HTML or CSV format. The following columns of information are displayed for Status Reports.

Table 2-3 Columns in a Status report

Option | Definition
Name | Name of the status report.
Status | Indicates whether the report is being generated or has been stopped.
Last Run | Indicates when the report was last generated.
Next Run | Indicates when the report is next scheduled.
Action | Indicates what action was taken for each item.
Refresh | To refresh the display with latest reports.
New Report | To schedule a new status report.

Scheduling a new status report

Use this task to schedule the generation of a status report at a convenient time and/or at intervals.

Task

1 Click Dashboard | Status Reports. The Status Reports page appears.

2 Click New Report. The Report page appears.

3 In the When to report page, choose any of these options:

• Not scheduled — Select the option to set up a reporting task that you can activate later. If you are modifying a report schedule, this option allows you to stop an existing report task.

• Once — From the corresponding drop-down lists, choose a date, month, year and the time when a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

• Hours — Specify how frequently the report task should take place (in hours), and at how many minutes past the hour. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.


• Days — Specify how frequently, in days, the report task should take place and at what time of the day. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

• Weeks — Specify how frequently, in weeks, the report task should take place. You can also specify on which days and at what time of day the task should take place. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

• Months — On either the first, second, third, fourth or a last day, select a checkbox by clicking on a desired month(s) and specify a time at which a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

You can use Stop task after it has run for to specify the maximum number of hours and minutes a task can run before it is stopped. Limiting the amount of time a report can run helps preserve system resources. By default there is no limit on report task time.

4 Click Next. The Report Settings page appears.

5 In Recipient Email, specify the recipient’s email address to whom the report is to be sent.

6 In Subject line for report, specify the subject line in the report that is sent to the recipient.

7 In Number of Rows, specify the number of rows (n) to be displayed in the status report. Each row in the status report displays the total number of detections for a particular day. The report contains the detection count for the last (n) days, excluding the day when the status report is triggered. For example: If you specify two, the status report will contain two rows displaying detections for the last two days, excluding today.

8 In Type of Report, specify the format of the status report, which is sent to the recipient. The available options are CSV or HTML.

9 Click Next. The Please enter a task name page appears.

10 Type a meaningful name for the task.

11 Click Finish to complete the process of creating an on-demand scan task.

12 Click Back to return to the previous pages.

13 Click Cancel to remove all settings and return to the main Status Reports page.
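The counting rule from the Statistics tab (one increment per email per detection type) and the Number of Rows window from step 7 can be checked against raw detection data with a short script. This is an added Python example, not McAfee's code: the hit records, the Date and Detections column names, and the assumption that report rows use the same per-message count are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample: one tuple per scanner hit (message id, scan date, category).
# The field layout is an assumption for this example, not the product's log format.
HITS = [
    ("msg-001", date(2011, 5, 10), "Viruses"),
    ("msg-001", date(2011, 5, 10), "Viruses"),   # second virus in the same email
    ("msg-002", date(2011, 5, 10), "Spam"),
    ("msg-003", date(2011, 5, 11), "Viruses"),
    ("msg-003", date(2011, 5, 11), "Banned File types/Messages"),
    ("msg-004", date(2011, 5, 11), "Phish"),
    ("msg-005", date(2011, 5, 12), "Spam"),      # falls on the trigger day
]


def message_level_counts(hits):
    """Count each (message, category) pair once, however many hits it produced."""
    seen = set()
    counts = Counter()
    for msg_id, _day, category in hits:
        if (msg_id, category) not in seen:
            seen.add((msg_id, category))
            counts[category] += 1
    return counts


def status_report_rows(hits, trigger_day, n_rows):
    """Return one (day, detections) row for each of the n_rows days before trigger_day.

    The trigger day itself is excluded, and days without detections still get a row.
    """
    if n_rows < 1:
        raise ValueError("n_rows must be at least 1")
    per_day = defaultdict(set)
    for msg_id, day, category in hits:
        per_day[day].add((msg_id, category))  # a set keeps the count message-level
    rows = []
    for offset in range(n_rows, 0, -1):
        day = trigger_day - timedelta(days=offset)
        rows.append((day.isoformat(), len(per_day.get(day, ()))))
    return rows


def rows_to_csv(rows):
    """Render report rows as CSV text (column names are assumed, not the product's)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Date", "Detections"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(dict(message_level_counts(HITS)))
    print(rows_to_csv(status_report_rows(HITS, date(2011, 5, 12), 2)), end="")
```

A comparison like this helps when reconciling dashboard counters with quarantine exports: a mismatch that disappears after de-duplicating by message is a counting difference, not a missed detection.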

Configuration reports

A configuration report is a scheduled report sent to an administrator at a specific time.

The configuration report will have a summary of product configurations such as: server information, version information, license status and type, product information, debug logging information, on-access settings, and on-access policies. The following columns of information are displayed.

Table 2-4 Configuration report

Option | Definition
Name | Name of the configuration report.
Status | Indicates whether the report is being generated or has been stopped.
Last Run | Indicates when the report was last generated.
Next Run | Indicates when the report is next scheduled.
Action | Indicates what action was taken for each item.


Refresh | To refresh the display with latest reports.
New Report | To schedule a new configuration report.

Scheduling a new configuration report

Use this task to schedule the generation of a configuration report at a convenient time and/or at intervals.

You can specify an email address to which this report is to be sent.

Task

1 Click Dashboard | Configuration Reports. The Configuration Reports page appears.

2 Click New Report. The Report page appears.

3 In the When to report page, choose any of these options, then click Next.

• Not scheduled — Select the option to set up a reporting task that you can activate later. If you are modifying a report schedule, this option allows you to stop an existing report task.

• Once — From the respective drop-down lists, choose a date, month, year and the time when a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

• Hours — Specify how frequently the report task should take place (in hours), and at how many minutes past the hour. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

• Days — Specify how frequently, in days, the report task should take place and at what time of the day. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

• Weeks — Specify how frequently, in weeks, the report task should take place. You can also specify on which days and at what time of day the task should take place. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

• Months — On either the first, second, third, fourth or a last day, select a checkbox by clicking on a desired month(s) and specify a time at which a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.

You can use Stop task after it has run for to specify the maximum number of hours and minutes a task can run before it is stopped. Limiting the amount of time a report can run helps preserve system resources. By default there is no limit on report task time.

4 In the Who to report to page, fill in the form, then click Next.

a In Recipient Email, specify the recipient’s email address to whom the report is to be sent.

b In Subject line for report, specify the subject line in the report that is sent to the recipient.

5 When prompted, type a meaningful name for the task, then click Finish.


Graphical reports

You can use Graphical Reports to view information about items that have triggered one or more scanners and find out how many detections match your search criteria.

You can also find out what percentage of the total detections each detection represents by using a series of filters to specify the type of detections that are of interest.

You can use the following tabs:

• Simple — When you want to use only a few search filters and view the results as a bar graph.

• Advanced — When you want to use more complex search filters and view the results as either a bar graph or a pie chart.

Viewing graphical reports

The Graphical Reports section gives an explicit view of quarantined items in a graph.

You can also find each detection by setting search filters to specify the types of detections that are of interest.

Tasks

• Using simple search filters: Use this task to select simple search filters and define their parameters to search for quarantined items.

• Using advanced search filters: Use this task to select advanced search filters to narrow your search of quarantined items.

Using simple search filters

Use this task to select simple search filters and define their parameters to search for quarantined items.

Task

1 Click Dashboard | Graphical Reports. The Graphical Reports page appears with the Simple tab.

2 From Time Span, select Today to view only today's quarantined items or This week to view this week's quarantined items (including today's date).

3 From Filter, select the type of quarantined item to be viewed such as spam, phish, viruses,unwanted content, or potentially unwanted programs. Select from the following:

• Top 10 Viruses — Lists the viruses that are detected the maximum number of times.

• Top 10 Spam Detections — Lists the most commonly detected spam emails.

• Top 10 Spam Recipients — Lists the recipients in an organization who have received the maximum number of spam emails.

• Top 10 Phish Detections — Lists the most commonly detected phishing emails.

• Top 10 Unwanted Programs — Lists the most common programs that are potential threats.

• Top 10 Unwanted Content Detections — Lists the most commonly detected unwanted content.


• Top 10 Infected Files — Lists the files that are most commonly detected as infections.

• Top 10 Detections — Includes all the above detection categories.

4 Click Search. The search results are shown in the View Results pane.

In Magnify Graph, you can specify the magnification percentage of the graph. This helps in viewing an enlarged and clearer graph.

Using advanced search filters

Use this task to select advanced search filters to narrow your search of quarantined items.

Task

1 Click Dashboard | Graphical Reports. The Graphical Reports page appears.

2 Click the Advanced tab.

3 Select up to three filters from the list:

Table 2-5 Primary Filters

Filter | Description
Subject | To search by the subject line of an email.
Recipients | To search by a valid email address of the recipient.
Reason | To search by the reason for which the item was detected. Refer to the secondary filters below.
Ticket Number | To search using a ticket number. A ticket number is a 16-digit alpha-numeric entry which is auto-generated by the software for every detection.
Detection Name | To search by the name of a detected item.
Spam Score | To search by a spam score.

Spam score is a number that indicates the amount of potential spam contained within an email message. The engine applies anti-spam rules to each email message it scans. Each rule is associated with a score. To assess the risk that an email message contains spam, these scores are added together to give an overall spam score for that email message. The higher the overall spam score, the higher the risk that the email message contains spam.

Secondary filters are available only for the primary filter Reason. You can select any one of the following.

If you do not want to specify a secondary filter, make sure the secondary filter field is empty. For more information about the search filters, see the Search filters section.

Table 2-6 Secondary Filters

Filter | Description
Anti-Virus | Whether it was an anti-virus program that detected the harmful email.
Banned Content | Certain content in the email that is banned.
File Filter | Whether it was a file filter that detected a harmful file in an email.
Anti-Spam | The anti-spam rule version that executed the scan.
Encrypted or Corrupted | Content that has been encrypted or corrupted.
Potentially Unwanted Program | Software programs that could alter the security or privacy policies of a computer on which they have been inadvertently installed.


Phish | Phish or Phishing is a method used by individuals to obtain personal information by unfair or fraudulent means.
Packer | A program that can compress executable files and possibly encrypt the original code.
Mail Size | The size of the email (in kilobytes).
Encrypted | Email content that has been encrypted.
Signed | Whether the email has a signature.
Corrupted | Email content that is corrupted.
Denial of Service | An incident in which a user or an organization is deprived of the services of a resource they would normally expect to have.
Protected Content | Email content that is protected.
Password Protected | The content (attachment) can be viewed only with the help of a password.
Blocked MIME | Emails are blocked due to certain Multipurpose Internet Mail Extension (MIME) settings.

4 Select All Dates or a Date Range from the drop-down lists.

5 Select Bar Graph or Pie Chart as required.

6 If you select Pie Chart, select a filter from the drop-down list to Query on:

Table 2-7 Options for Query on

Filter | Description
Recipients | To query on a valid email address of the recipient.
Sender | To query on a valid email address of the sender.
Filename | To query on the name of the quarantined file.
Detection Name | To query by the name of a detected item.
Subject | To query on the subject line of the email.
Reason | To query on a reason for which the item was detected.
Rule Name | To query on the name of the rule that triggered the detection.
Policy Name | To query on the name of the policy that made the detection.

7 In Maximum Results, specify the maximum number of segments you want to appear in the pie chart. For example, if you are interested only in viewing the three most frequently assigned spam scores, type 3.

Query on and Maximum Results are available only for pie chart.

8 Click Search. The search results are shown in the View Results pane.


3 Detected Items

You can use Detected Items to view information about email messages that contain spam, phish, viruses, potential unwanted programs, banned file types or messages, and unwanted content.

Use the search filters to find email messages that are of interest and view the results of the search.

Contents

• Detection types

• Viewing detected items

• Search filters

• View results

Detection types

Detection or Detected item is something identified by security software as a potential threat, such as a virus, spam, phish, unwanted content, banned file type, fraudulent website, or an intrusion.

Table 3-1 Detection types

Detection types | Description
Spam | Spam is an unwanted email message, specifically an unsolicited bulk message. Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise select to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send; most of the costs are paid for by the recipient or the carriers rather than by the sender.
Phish | Phish is a method of fraudulently obtaining personal information (such as passwords, social security numbers, credit card details and so on) by sending spoofed email messages that look like they have come from a trusted source such as legitimate companies or banks. Typically, phishing email messages request that recipients click the link in the email to verify or update contact details or credit card information.
Viruses | Virus is a program or code that replicates and infects other programs, boot sector, partition sector, or document that supports macros by inserting itself or attaching itself to that medium.
Potentially Unwanted Programs | Potentially unwanted programs are the software programs written by legitimate companies that might alter the security state or the privacy posture of the computer on which they are installed. This software can, but does not necessarily, include spyware, adware, dialers, and can be downloaded in conjunction with a program wanted by the user.
Unwanted Content | This is any content that triggers a content scanning rule. It might include offensive, abusive, unpleasing words or even a company's confidential information.
Banned File types/Messages | Certain types of file attachments are prone to viruses. The ability to block attachments by file extension is another layer of security for your mail system. Both internal and external email messages are checked for banned content.


Viewing detected items

Use this task to search for the detections. You can select the desired detection type from the available drop-down list.

Task

1 Click Detected Items | All Items. The <All Items> page appears.

2 Select any of the available search filters from the drop-down lists.

3 Select All Dates or a Date Range from the drop-down lists.

4 Select a logical operator to use multiple search filters.

• And — To consider both the former and the latter filters.

• Or — To consider either the former or the latter filter.

5 Click Search. A list of quarantined items matching your search criteria is displayed in the View Results section.

Click Clear Filter to return to the default search filter settings.

Search filters

Use these search filters in combination with other available criteria to narrow your search of detected items.

The filter options vary according to the detected item selected.

Option definitions

The available search filters are:

Table 3-2 Search filters

Search filter | Definition
Action taken | You can search for an item based on the action that was taken on it (deleted/cleaned/intercepted/quarantined and so on).
Anti-Spam Engine | You can search for an item based on the anti-spam engine that scans email messages for spam and phishing attacks, using anti-spam, anti-phishing, and extra rules.
Anti-Spam Rule | You can search for an item based on the anti-spam rules that are updated every few minutes to catch the latest spam campaigns sent by spammers.
Anti-Virus DAT | You can search for an item based on the anti-virus DAT version with a distinctive signature.
Anti-Virus Engine | You can search for an item based on the anti-virus engine that had a sequence of characters unique to a virus/unwanted content.
Banned Phrases | You can search by the content of banned phrases.
Detection Name | You can search for a detected item based on its name.
File Name | You can search by the name of the detected file in the quarantined item.
Folder | You can search by the folder where quarantined items are stored.
Policy Name | You can search for an item by a policy name that detected the item.
Reason | You can search for an item based on the reason why it was detected.
Reasons | You can search by a rule or rules that were triggered by a particular email.


Recipients | You can search for an item through the recipient's email address.
Reputation Score | You can search by the authenticity level of the source of the email based on up-to-date information available.
Rule Name | You can search for an item based on the rule that triggered one or more scanners/filters.
Scanned by | You can search for an item by the scanner name that detected the item.
Sender | You can search for an item by the sender's email address.
Sender IP | You can search for an item by the IP address of the sender's system.
Server | You can search for an item based on a specific server version.
Spam Score | Spam score is a number that indicates the amount of potential spam contained within an email message. The engine applies anti-spam rules to each email message it scans. Each rule is associated with a score. To assess the risk that an email message contains spam, these scores are added together to give an overall spam score for that email message. The higher the overall spam score, the higher the risk that the email message contains spam.
State | You can search for an item based on its status.
Subject | You can search for an item based on the subject line of the email message.
Ticket Number | A ticket number is a unique alphanumeric identifier assigned to a specific detection and delivered as a notification through email. It helps identify the associated detection.

Each item selected under Detected Items will have a corresponding set of search filters.

For instructions to view the detected items, see the Viewing detected items section.

View results

In the View Results pane, you can view the results of the search based on the parameters you defined.

You can then execute various actions on these detected items.

Table 3-3 Types of actions

Action | Definition
Release | To release a quarantined item. Select an applicable record from the View Results pane and click Release. The original email message is released from the database for delivery to the intended recipient.
Download | To download a quarantined item. Select an applicable record from the View Results pane and click Download.
Export to CSV File | To export and save records in .CSV format. Select an applicable record from the View Results pane and click Export to CSV File.
Columns to display | To select additional column headers to be listed in the View Results pane.
Submit to McAfee Labs | To submit a quarantined item to McAfee Labs. Select an applicable record from the View Results pane, then click Submit to McAfee Labs. This option is enabled only for specific quarantined items which may be of interest to the McAfee team for further investigation.
View | To view the quarantined item.
Forward | To forward the quarantined items to recipients as required.


Add to allow senders To add a sender's email address to the list of addresses from which emails should be allowed.

Add to block senders To add a sender's email address to the list of addresses from which emails should be blocked.

Each record in the View Results pane has an image, which indicates:

Icon Description

A record which can be released or downloaded.

A record which cannot be released or downloaded.

A record which can be submitted to McAfee Labs for investigation.

For instructions to view the detected items, see the Viewing detected items section.


4 Policy Manager

Policy Manager is a product feature that allows you to configure/manage different policies and actions in the product. It determines how different types of threats are treated when detected.

Each policy specifies the settings and actions that are used by the policy and the actions taken when a detection is triggered for the data in the Exchange environment. The settings are given names and can be used by many policies at the same time. However, the actions are specific to a particular policy. For example, you can create an anti-virus policy and create multiple child policies from it. However, you can have a different action for each policy.

The different policies that you can set up are listed under the Policy Manager. Each type of policy has a default Master Policy. The Master Policy cannot be deleted because there must always be one policy from which others can be created. The Master Policy is configured to cover most situations; however, you can create subpolicies to meet specific requirements.

Types of policies

Table 4-1 Types of policies

Policy Description

On-Access Create policies for email messages every time they are opened, copied or saved to determine if they contain a virus or other potentially unwanted code. On-access scanning is also called real-time scanning.

On-Demand (Default) Create policies that are activated at set intervals or on demand, to find a virus or other potentially unwanted code.

On-Demand (Find Viruses) Create policies that are activated at set intervals or on demand, to find a virus or other Potentially Unwanted Programs (PUPs) and other possible threats.

On-Demand (Remove Viruses) Create policies that are activated at set intervals or on demand, and which remove viruses, Potentially Unwanted Programs (PUPs) and other possible threats.

On-Demand (Find Banned Content) Create policies that are activated at set intervals or on demand, to find banned content that you do not want to appear in email messages.

On-Demand (Remove Banned Content) Create policies that are activated at set intervals or on demand, and which remove content that you do not want to appear in email messages. For example, if an email message contains a particular word or phrase, you can set up a policy to automatically replace the content of that email message with an alert message. You can use this type of policy to prevent unwanted information entering or leaving your organization.

On-Demand (Full Scan) Create full scan policies that are activated at set intervals to scan for viruses, spam, phishing emails, banned/unwanted content and other harmful codes.

Gateway Create policies for email messages every time they are opened, copied or saved to determine if they are spam, phish, MIME files or HTML files.

Shared Resource — Set up resources that can be used by more than one policy. This is more efficient than setting up the same resource separately for each policy. For more information, see the Shared Resources section. For example, instead of creating two disclaimers, one for the Internal mail policy and another for the External mail policy, you can create a single disclaimer that can be used by both policies. The disclaimer is a resource that is shared by more than one policy.


Contents

• Inheritance and advanced views

• Subpolicies

• Setting policies

• Core scanners and filters

• Alert settings and disclaimer text

• Creating a new alert

• Enabling Product Health Alerts

• Shared Resource

Inheritance and advanced views

The Inheritance View enables you to view policy settings inherited from some other policies.

Inheritance view

Once you have created subpolicies, McAfee Security for Microsoft Exchange needs to determine which policy is going to be applied for an email. For this purpose, every policy is assigned a priority. To decide which policy is applied to the email, the attributes of the email are used to evaluate the rules of each policy in order of priority. If the rules of the policy are satisfied, that policy is applied to the email. However, if the rules of the policy are not satisfied, McAfee Security for Microsoft Exchange moves on to evaluating the policy with the next priority. If none of the subpolicies can be applied to the email, the Master Policy is used to scan the email.

Using inheritance, you can create policies which inherit their settings and actions from another policy. The policy that inherits the settings is known as the subpolicy, and the policy from which it inherits those settings is known as the parent policy.

Inheritance should not be confused with sharing of settings. An inherited policy uses the same named setting and action as the parent policy. If the parent policy starts using a different setting, the same named setting is used by the subpolicy. Similarly, any changes to the actions in the parent policy are also reflected in the subpolicies.

Up to three levels of inheritance are supported. This allows customization of product behavior for different groups of users in an organization/domain.

Advanced view

The Advanced View enables you to use the arrow icon within the Move column to change the order in which the subpolicies are applied. Using Advanced View in conjunction with Inheritance View allows a greater level of customization while maintaining a smaller number of settings.

If you apply multiple policies to a single user, you might want to prioritize which policy takes precedence.

Subpolicies

You can create subpolicies to have specialized behavior for groups of users in the Exchange server environment.

Subpolicies allow you to create customized actions for detecting items while using shared settings.


Creating subpolicies

Use this task to create subpolicies for situations not covered by the Master Policy.

Task

1 From Policy Manager, select a menu item for which you want to create a Subpolicy.

2 Click Create Sub-policy. The Create a Sub-policy page appears.

3 Type a Sub-policy name that identifies the policy and what it does.

4 Type a Description for the policy (optional).

5 Select the Parent policy for the sub-policy.

6 Click Next. The Create a Sub-policy - Trigger Rules page appears.

7 Specify the conditions when the policy should trigger.

8 Select Any of the rules apply, All rules apply or None of the rules apply for the specific user.

9 Click New Rule and select the required policy rule.

10 Click Add to select the trigger rule.

11 Click Next. The Create a Sub-policy - Scanner and Filters page appears.

12 Select Inherit all settings from the parent policy to inherit all properties of the parent policy, or, to inherit from another policy, click Initialize selected settings with values copied from another policy and select that policy.

13 Click Finish.
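The policy selection and inheritance behavior described in this chapter can be modeled as follows. This is an added example, not McAfee code: the `Policy` class, the email attributes, the priority ordering (lower number first) and the treatment of copied settings as a one-time snapshot are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Rule = Callable[[dict], bool]  # predicate over email attributes (hypothetical model)


@dataclass
class Policy:
    name: str
    priority: int = 0   # assumption: a lower number is evaluated first
    match: str = "any"  # "any", "all" or "none" of the rules apply
    rules: List[Rule] = field(default_factory=list)
    parent: Optional["Policy"] = None
    settings: Dict[str, str] = field(default_factory=dict)  # set on this policy only

    def triggers(self, email: dict) -> bool:
        if not self.rules:  # assumption: a subpolicy without rules never applies
            return False
        hits = [rule(email) for rule in self.rules]
        if self.match == "any":
            return any(hits)
        if self.match == "all":
            return all(hits)
        if self.match == "none":
            return not any(hits)
        raise ValueError(f"unknown match mode: {self.match!r}")

    def effective(self, key: str) -> str:
        """Resolve a setting at read time, walking up the parent chain."""
        node: Optional["Policy"] = self
        while node is not None:
            if key in node.settings:
                return node.settings[key]
            node = node.parent
        raise KeyError(key)


def select_policy(email: dict, subpolicies: List[Policy], master: Policy) -> Policy:
    """First subpolicy (by priority) whose rules are satisfied, else the Master Policy."""
    for policy in sorted(subpolicies, key=lambda p: p.priority):
        if policy.triggers(email):
            return policy
    return master


def copied_settings(source: Policy) -> Dict[str, str]:
    """Snapshot of a policy's effective settings (a copy, not inheritance)."""
    chain = []
    node: Optional[Policy] = source
    while node is not None:
        chain.append(node)
        node = node.parent
    snapshot: Dict[str, str] = {}
    for node in reversed(chain):  # root first, so nearer policies override
        snapshot.update(node.settings)
    return snapshot


def demo() -> dict:
    master = Policy("Master Policy",
                    settings={"anti_virus": "Default AV", "action": "Quarantine"})
    finance = Policy(
        "Finance", priority=1, match="all", parent=master,
        rules=[lambda e: e["recipient_group"] == "finance",
               lambda e: not e["sender"].endswith("@example.com")],
        settings={"action": "Delete message"},  # the action is specific to this policy
    )
    contractors = Policy(
        "Contractors", priority=2, match="any", parent=master,
        rules=[lambda e: e["recipient_group"] == "contractors"],
        settings=copied_settings(master),
    )
    subs = [contractors, finance]  # list order is irrelevant; priority decides

    # Constructed sample emails.
    emails = [
        {"sender": "vendor@example.net", "recipient_group": "finance"},
        {"sender": "colleague@example.com", "recipient_group": "finance"},
        {"sender": "agency@example.net", "recipient_group": "contractors"},
    ]
    chosen = [select_policy(e, subs, master).name for e in emails]

    # The parent policy starts using a different named setting.
    master.settings["anti_virus"] = "Strict AV"
    return {
        "chosen": chosen,
        "finance_av": finance.effective("anti_virus"),          # follows the parent
        "finance_action": finance.effective("action"),          # keeps its own action
        "contractors_av": contractors.effective("anti_virus"),  # frozen copy
    }


if __name__ == "__main__":
    print(demo())
```

The second email matches no subpolicy and falls through to the Master Policy, which is the case to check when a trigger rule is narrower than intended.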

Setting policies

You can set up policies that determine how different types of threats are treated when detected.

Each policy specifies the settings and actions that are used by the policy when a detection is triggered for the data in an Exchange server environment. The settings are given names and can be used by many policies at the same time. However, the actions are specific to a particular policy.

Tasks

• Listing all the scanners: In the List All Scanners tab, you can configure different types of policy settings.

• Creating a new rule for a specific user: Use this task to create a new rule and specify the conditions for the rule to be applied for a particular user.

Listing all the scanners

In the List All Scanners tab, you can configure different types of policy settings.

The type of settings that are available depends on which policy is selected.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master Policy.


3 Select the policy that you want to view and configure. You can then use Selection to select the type of configuration settings you want to view and configure for the selected policy. You can configure a policy so that it applies only for a specific user.

The Scanners, Filters, and Miscellaneous settings displayed vary corresponding to the option selected under Policy Manager.

Table 4-2 Policy configuration

Option Definition

Policy To select the policy you want to configure.

Add Scanner/Filter To configure the policy so that it applies only at specific times. For example, you can create an anti-virus setting that is applicable on weekends.

Only some filters can be turned off. Filters that cannot be turned off act as a prerequisite for other scanners and filters. For example, when we identify a digitally signed email, we need to decide if we should scan the attachments of the email or not. If settings for signed emails were turned off, we cannot take this decision.

Core Scanners To configure the policy for each type of scanner. Typical core scanner options include:

• Anti-Virus Scanner

• Content Scanning

• File Filtering

Filters To configure the policy for each type of filter. Typical filters include:

• Corrupt Content

• Protected Content

• Encrypted Content

• Signed Content

• Password Protected Files

• Mail Size Filtering

• Scanner Control

• MIME Mail Settings

• HTML Files

Miscellaneous settings To configure the alert settings and disclaimer messages for policies. Miscellaneous options include:

• Alert Settings

• Disclaimer Text

Tasks

• Adding scanner/filter: Use this task to add a scanner or filter.

Adding scanner/filter

Use this task to add a scanner or filter.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master Policy, then select List All Scanners | Add Scanner/Filter.

The Add Scanner/Filter option is available only for the submenu item On-Access.

3 From Specify the category drop-down list, select the required scanner or filter.


4 From When to use this instance section, select an existing time slot or create a new one.

5 Click Save.

Creating a new rule for a specific user

Use this task to create a new rule and specify the conditions for the rule to be applied for a particular user.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy. The sub-policy page appears.

3 Click the Specify Users tab to specify users for whom a policy will be applied.

4 Click New Rule.

5 In the Specify a policy rule pane, select the policy rule, then specify the condition for the rule. You can also Copy rules from another policy, if policies are available.

6 Click Add to add the rule or Delete to remove the selected rule.

7 Click Apply to save the rule to the specific user.

Core scanners and filters

This section highlights the types of core scanners and filters that can be applied when creating policies.

Scanners

You can use Core Scanners to configure a policy for each type of scanner. Typical core scanners include:

• Anti-Virus Scanner

• Anti-Spam

• Content Scanning

• File Filtering

• Anti-Phishing

Filters

You can use Filters to configure a policy for each type of filter. Typical filters include:

• Corrupt Content

• Protected Content

• Encrypted Content

• Signed Content

• Password Protected Files

• Mail Size Filtering

• Scanner Control

• MIME Mail Settings

• HTML Files


Miscellaneous

You can use Miscellaneous to configure:

• Alert Settings

• Disclaimer Text

Configuring scanner settings

This section provides information on creating new sets of options for scanners, then specifying an appropriate action to be taken on the item detected by those scanners.

Tasks

• Configuring anti-virus scanner settings: Anti-Virus Scanner consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Use this task to configure the anti-virus scanner settings.

• Configuring anti-spam scanner settings: Use this task to configure various settings for the anti-spam scanner.

• Configuring content scanner settings: McAfee Security for Microsoft Exchange can identify the textual data in a mail/attachment for scanning. You can create content rules to specify banned content and assign them to the policies. Use this task to configure the content scanner settings.

• Configuring file filtering scanner settings: Use this task to define the scanner settings for file filtering based on the filename or extension. Using this filter, administrators can block unwanted files from user mailboxes.

• Configuring the antiphish scanner settings: Use this task to define the settings to block phishing messages at the gateway, using spam rules and engine.

Configuring anti-virus scanner settings

Anti-Virus Scanner consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Use this task to configure the anti-virus scanner settings.

Task

1 From Policy Manager, select a submenu item that has the anti-virus scanner. The policy page for the submenu item appears.

2 Click Master policy, then click the List All Scanners tab.

3 Click Anti-Virus Scanner.

4 In Activation, select Enable to activate the anti-virus scanner settings for the selected submenu item.

5 From the Options drop-down list, select <create new set of options>. The Anti-Virus Scanner Settings page appears.

6 In Instance name, type a unique name for the anti-virus scanner setting instance. This field is mandatory.

7 In Basic Options tab under Specify which files to scan, select one of these options:

• Scan all files — To specify that all the files should be scanned regardless of their type.

• Default file types — To specify that only the default file types should be scanned.

• Defined file types — To specify which file types should be scanned.


8 Select additional scanner option(s) available in Scanner options. You can select:

• Scan archive files (ZIP, ARJ, RAR...)

• Find unknown file viruses

• Find unknown macro viruses

• Enable McAfee Global Threat Intelligence file reputation — This enables the threat intelligence gathered by McAfee Labs that would prevent damage and data theft before a signature update is available. Select the Sensitivity level from the options available.

• Scan all files for macros

• Find all macros and treat as infected

• Remove all macros from document files

9 On the Advanced tab under Custom malware categories, specify the items to be treated as malware. There are two ways to select malware types:

• Select the malware types from the list of checkboxes.

• Select Specific detection names, type a malware category, then click Add.

When typing a malware category name, you can use wildcards for pattern matching.

10 Select the Do not perform custom malware check if the object has already been cleaned option, if the cleaned items must not be subjected to the custom malware check.

11 In Clean options, specify what happens to files that are reduced to zero bytes after being cleaned. Select any one of these options:

• Keep zero byte file — To keep files that have been cleaned and are of zero bytes.

• Remove zero byte file — To remove any file that has zero bytes after being cleaned.

• Treat as a failure to clean — To treat zero byte files as if they cannot be cleaned, and apply the failure to clean action.

12 In Packers tab, select:

• Enable detection — To enable or disable the detection of packers.

• Exclude specified names — To specify which packers can be excluded from being scanned.

• Include only specified names — To specify which packers you want the software to detect.

• Add — To add packer names to a list. You can use wildcards to match names.

• Delete — To remove packer names you have added. This link is activated if you click Add.

13 In PUPs tab, select:

• Enable detection — To enable or disable the detection of PUPs. Click the disclaimer link and read the disclaimer before configuring PUP detection.

• Select the program types to detect — To specify whether each type of PUP in the list should be detected or ignored.

• Exclude specified names — To specify which PUPs can be excluded from being scanned. For example, if you have enabled spyware detection, you can create a list of spyware programs that you want the software to ignore.


• Include only specified names — To specify which PUPs you want the software to detect. For example, if you enable spyware detection and specify that only named spyware programs should be detected, all other spyware programs are ignored.

• Add — To add PUP names to a list. You can use wildcards to match names.

• Delete — To delete PUP names that you have added. This link is activated if you click Add.

The McAfee website http://vil.nai.com/vil/default.aspx contains a list of PUP names. Use the Search in Category option to select PUPs.

14 Click Save to return to the policy page.

15 In Actions to take, click Edit. In the following tabs, specify the anti-virus scanner actions that must be taken if a virus (or virus-like behavior) is detected:

• Cleaning — Select Attempt to clean any detected virus or trojan to activate various actions. Select the action(s) to be taken from:

• Log — To record the detection in a log.

• Quarantine — To store a copy of the item in a quarantine database.

• Notify administrator — To send an alert message to the email administrator.

• Notify internal sender — To send an alert message to the sender, when the original email originates from the same domain as the server.

• Notify external sender — To send an alert message to the sender, when the original email does not originate from the same domain as the server.

• Notify internal recipient — To send an alert message to the recipient, when the recipient is in the same domain as the server.

• Notify external recipient — To send an alert message to the recipient, when the recipient is not in the same domain as the server.

• Default Actions — From Take the following action drop-down list, select an action.

• Replace item with an alert

• Delete embedded item

• Delete message

• Allow through

16 Select the corresponding alert document or click Create to make a new alert document. From And also, select additional actions to be taken.

• Custom Malware

• Packers

• PUPs

17 Click Save to return to the policy page.


Configuring anti-spam scanner settings

Use this task to configure various settings for the anti-spam scanner.

Task

1 From Policy Manager, select the submenu item Gateway that has the anti-spam scanner. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners | Anti-Spam.

To enable Global Threat Intelligence, see Configuring Anti Spam settings.

3 In Activation, select Enable.

4 In the Options drop-down list, select <create new set of options>. The Anti-Spam Settings page appears.

5 In Instance name, type a unique name for the anti-spam scanner setting instance. This field is mandatory.

6 In Options tab, under Scoring, type the values for:

• High score threshold — If the overall spam score is 15 or more.

• Medium score threshold — If the overall spam score is 10 or more, but less than 15.

• Low score threshold — If the overall spam score is 5 or more, but less than 10.

To use the default values of spam scores, select the Use default option. These default settings have been carefully optimized to maintain the balance between a high spam detection rate and a low false positive rate. In the unlikely event that you need to change these settings, a technical notice is available from Technical Support.

7 In Reporting, under the Spam reporting threshold is drop-down list, select High, Medium, Low, or Custom to specify the point at which an email message should be marked as spam.

8 In Custom score, type a specific spam score at which email messages should be marked as spam. This field is enabled only if you select the Custom option in step 6.

9 Select or deselect Add prefix to subject of spam messages as required.

10 From the Add a spam score indicator drop-down list, select:

• Never - To have the Internet header of an email message without the spam score indicator.

• To spam messages only — To add a spam score indicator to the Internet header of spam email messages only.

• To non-spam messages only — To add a spam score indicator to the Internet header of non-spam email messages only.

• To all messages — To add a spam score indicator to the Internet header of all email messages.

Spam score indicator is a symbol used in the spam report that is added to the email message's Internet headers to indicate the amount of potential spam contained in an email message.

11 From the Attach a spam report drop-down list, select:

• Never - To display an email message without the spam score indicator.

• To spam messages only — To add a spam report to spam email messages only.


• To non-spam messages only — To add a spam report to non-spam email messages only.

• To all messages — To add a spam report to all email messages.

12 Select or deselect Verbose reporting to specify whether verbose reporting is required or not. Verbose reporting includes the names and descriptions of the anti-spam rules that have been triggered.

Verbose reporting is available only if you do not select Never in step 11.

13 On the Advanced tab, use:

• Maximum message size to scan (KB) — To specify the maximum size of an email message (in kilobytes) that can be scanned. You can type a size up to 999,999,999 kilobytes, although typical spam email messages are quite small. Default value is 250 KB.

• Maximum width of spam headers (Bytes) — To specify the maximum size (in bytes) that the spam email message header can be. The minimum header width that you can specify is 40 characters and the maximum is 999 characters. Default value is 76.

Spammers often add extra information to headers for their own purposes.

• Maximum number of reported rules — To specify the maximum number of anti-spam rules that can be included in a spam report. The minimum number of rules you can specify is 1 and the maximum is 999. Default value is 180.

• Header name — To specify a different name for the email header. You can use this email header and its header value (below) when tracking email messages and applying rules to those messages. These fields are optional, and accept up to 40 characters.

• Header value — To specify a different value for the email header.

• Add header — To specify that the header should be added to none of the email messages, all of the email messages, only spam email messages or only to non-spam email messages.

• Select or deselect the Use alternative header names when a mail is not spam option as required.

14 In Mail Lists tab, under Blacklisted senders, Whitelisted senders, Blacklisted recipients and Whitelisted recipients, type the email addresses of the blacklisted and whitelisted senders and recipients.

Email messages sent to or from an email address on a blacklist are treated as spam, even if they do not contain spam-like characteristics. Email messages sent to or from email addresses on a whitelist are not treated as spam, even if they contain spam-like characteristics.

Click Add to add email addresses to a list, and select the checkbox beside each address to specify whether it is currently enabled or not. Click Delete All to remove an email address from the list. You cannot add the same email address more than once. You can use wildcard characters to match multiple addresses.

15 In Rules tab, enter the rule name and select Enable rule to activate it. Click Add to display a list of available rules.

Click Reset to return to the default anti-spam settings.

16 In the list, against each rule, click Edit to modify the rule; click Delete to remove the rule.

17 Click Save to return to the policy page.


18 In Actions to take if spam is detected, click Edit. In the following tabs, specify the anti-spam scanner actions that must be taken if spam is detected:

• High Score

• Medium Score

• Low Score

19 Click Save to return to the policy page.
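The scoring and reporting options in this task can be checked offline with a small model. This is an added example, not McAfee code: the class and function names, the rule names and the `low < medium < high` sanity check are assumptions. The page does not state how the reporting threshold interacts with the High, Medium and Low action tabs, so the score band and the spam flag are returned separately.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CHOICES = ("Never", "To spam messages only",
           "To non-spam messages only", "To all messages")
LEVELS = ("High", "Medium", "Low", "Custom")


@dataclass
class AntiSpamSettings:
    high: float = 15             # High score threshold (value from the page)
    medium: float = 10           # Medium score threshold
    low: float = 5               # Low score threshold
    reporting: str = "Medium"    # Spam reporting threshold is: High/Medium/Low/Custom
    custom_score: Optional[float] = None
    indicator: str = "To spam messages only"   # Add a spam score indicator
    report: str = "Never"                       # Attach a spam report
    verbose: bool = False                       # Verbose reporting
    max_reported_rules: int = 180               # default on the Advanced tab

    def validate(self) -> None:
        # Sanity checks chosen for this example, not documented product behavior.
        if not self.low < self.medium < self.high:
            raise ValueError("thresholds must satisfy low < medium < high")
        if self.reporting not in LEVELS:
            raise ValueError(f"unknown reporting threshold: {self.reporting!r}")
        if self.reporting == "Custom" and self.custom_score is None:
            raise ValueError("Custom reporting threshold needs a custom score")
        for choice in (self.indicator, self.report):
            if choice not in CHOICES:
                raise ValueError(f"unknown option: {choice!r}")
        if not 1 <= self.max_reported_rules <= 999:
            raise ValueError("max_reported_rules must be between 1 and 999")

    def reporting_score(self) -> float:
        if self.reporting == "Custom":
            return float(self.custom_score)
        return {"High": self.high, "Medium": self.medium, "Low": self.low}[self.reporting]


def band(score: float, s: AntiSpamSettings) -> Optional[str]:
    """Score band, named after the High/Medium/Low Score tabs."""
    if score >= s.high:
        return "High"
    if score >= s.medium:
        return "Medium"
    if score >= s.low:
        return "Low"
    return None


def _applies(choice: str, spam: bool) -> bool:
    return (choice == "To all messages"
            or (choice == "To spam messages only" and spam)
            or (choice == "To non-spam messages only" and not spam))


def evaluate(rule_hits: Dict[str, float], s: AntiSpamSettings) -> dict:
    """rule_hits maps each triggered rule to its score; the scores are added."""
    s.validate()
    score = sum(rule_hits.values())
    spam = score >= s.reporting_score()
    attach = _applies(s.report, spam)
    reported: List[str] = []
    if attach and s.verbose:  # verbose reporting needs a report to attach to
        # Which rules survive the cap is not documented; this keeps input order.
        reported = list(rule_hits)[: s.max_reported_rules]
    return {"score": score, "band": band(score, s), "spam": spam,
            "add_indicator": _applies(s.indicator, spam),
            "attach_report": attach, "reported_rules": reported}


# Constructed rule hits for one message (rule names are placeholders).
SAMPLE_HITS = {"CONSTRUCTED_RULE_A": 4.5, "CONSTRUCTED_RULE_B": 3.0,
               "CONSTRUCTED_RULE_C": 3.5}

if __name__ == "__main__":
    print(evaluate(SAMPLE_HITS, AntiSpamSettings()))
    print(evaluate(SAMPLE_HITS, AntiSpamSettings(reporting="High")))
```

With the sample hits the overall score is 11.0: the message is marked as spam when the reporting threshold is Medium, and is not marked when it is High, although the score band stays Medium.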

Configuring content scanner settings

McAfee Security for Microsoft Exchange can identify the textual data in a mail/attachment for scanning. You can create content rules to specify banned content and assign them to the policies. Use this task to configure the content scanner settings.

Task

1 From Policy Manager, select a submenu item that has the content scanner. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click Content Scanning.

4 Select Enable to activate the content scanner settings for the selected submenu item.

5 In Options, you can use:

• Include document and database formats in content scanning — To include document and database formats when scanning content.

• Scan the text of all attachments — To scan the text of all attachments.

• Create — To create a new alert message when the content of an email message is replaced due to a rule being triggered. See the Creating a new alert section for instructions.

• View/Hide — To display or hide the preview of the alert message. If the preview is hidden, clicking this link displays it. If the preview is displayed, clicking this link hides it.

6 In Content Scanner rules and associated actions, click Add rule. The Content Rules page appears.

7 In Specify actions for a selection of content rules:

a Select a rule group from the Select rules group drop-down menu that will trigger an action if one or more of its rules are broken.

b In Select rules from this group, specify if all rules or only rules with a specific severity rating should be included. The options are Severity - Low, Severity - Medium, and Severity - High.

Selecting the Select all option overrides all the three rules.

8 In If detected, take the following action:, select the content scanner actions that must be taken if some content in an email message is detected.

9 From And also, select one or more additional actions.

10 Click Save to return to the policy page.

To enable Regex and know its details, see Creating shared filter rules.


Configuring file filtering scanner settings

Use this task to define the scanner settings for file filtering based on the filename or extension. Using this filter, administrators can block unwanted files from user mailboxes.

Task

1 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click File Filtering, then select Enable to activate the file filtering scanner settings for the selected submenu item.

4 In Alert Selection, click:

• Create — To create a new alert message when the attachment (or a file) of an email message is replaced due to a rule being triggered. See the Creating a new alert section for instructions.

• View/Hide — To display or hide the preview of the alert message. If the preview is hidden, clicking this link displays it. If the preview is displayed, clicking this link hides it.

5 In File filtering rules and associated actions, from the Available rules drop-down menu, select Create new rule. The File Filtering Rule page appears.

6 Type a unique Rule name. Give the rule a meaningful name, so that you can easily identify it and what it does. For example, FilesOver5MB.

7 In Filename filtering, select Enable file name filtering to enable file filtering according to the file names. For example, if you type *.exe, this file filtering rule is applied to any file that has a .exe file name extension.

8 In Take action when the file name matches, specify the names of the files that are affected by this rule. You can use the * and ? wildcard characters to match multiple filenames. For example, if you want to filter out executable files, type *.exe.

9 Click Add to add the file names to the filtering list or Delete to remove file names from the filtering list.

10 In File category filtering, select Enable file category filtering to enable file filtering according to their file type.

a In Take action when the file category is, specify the type of files that are affected by this rule.

File types are divided into categories and subcategories.

b In File categories, select a file type. An asterisk symbol (*) appears next to the file type to indicate that the selected file type will be filtered.

c In Subcategories, select the subcategory you want to filter.

• To select more than one subcategory, use Ctrl+Click or Shift+Click.

• To select all of the subcategories, click All.

• Click Clear selections to undo the last selection.

d Select Extend this rule to unrecognized file categories to apply this rule to any other file categories and subcategories that are not specifically mentioned in the categories and subcategories lists.


11 In File size filtering, select Enable file size filtering to filter files according to their file size.

a In Take action when the file size is, select Greater than to specify that the action should only be applied if the file is larger than the size specified.

b Select Less Than to specify that the action should only be applied if the file is smaller than the size specified.

12 Click Save to return to the policy page.

13 Click the Change link of the rule and specify actions that must be taken when a file/attachment in an email message is detected and filtered.

14 Click Delete to remove a rule.

15 Send an email from your Microsoft Outlook with an executable file attached. The file filtering rule is triggered and the actions specified in steps 7 - 11 take place.

Configuring the antiphish scanner settings

Use this task to define the settings to block phishing messages at the gateway, using spam rules and engine.

Task

1 From Policy Manager, select a submenu item that has the antiphish scanner. The policy page for the submenu item appears. Antiphish scanner is available only in Gateway.

2 Click Master policy, then click List All Scanners.

3 Click a policy name, then click Anti-Phishing.

4 Select Enable to activate the antiphish scanner settings for the selected submenu item.

5 In the Options drop-down list, select <create new set of options>. The Anti-Phishing Settings page appears.

6 In Instance name, type a unique name for the antiphish scanner setting instance. This field is mandatory.

7 In Reporting Options, select or deselect these options as required:

• Add prefix to subject of phishing messages — To specify that you want to add text to the start of the subject line of any email message that probably contains phish.

• Add a phish indicator header to messages — To specify whether a phish indicator is added to the Internet header of any email message that probably contains phish.

• Attach a phish report — To specify whether a phish report should be generated and added to an email message.

• Verbose reporting — To specify whether the names and a detailed description of the antiphish rules that have been triggered should be included in the email message. This option is available only if the Attach a phish report option is selected.

8 Click Save to return to the policy page.

9 In Actions to take, click Edit and specify the antiphish scanner actions that must be taken if a phish is detected.

10 Click Save to return to the policy page.

Filter settings for a policy

You can configure different types of filter settings for a policy. The type of settings that are available depends on which policy is selected.

Tasks

• Configuring corrupt content filter settings
  The content of some email messages can become corrupt, which means that the content of the email message cannot be scanned.

• Configuring protected content filter settings
  The content of some email messages is protected, which means that the content of the email message cannot be scanned.

• Configuring encrypted content filter settings
  Email messages can be encrypted, meaning that the content of those messages is encoded and therefore not accessible to unauthorized parties.

• Configuring signed content filter settings
  Whenever information is sent electronically, it can be accidentally or willfully altered. To overcome this, some email software uses a digital signature — the electronic form of a handwritten signature.

• Configuring password-protected archives filter settings
  You can protect an archive with a password and send it through email. Password-protected files cannot be accessed without a password and cannot be scanned.

• Configuring mail size filter settings
  Mail size filtering allows you to specify an action that will be applied to email messages based on their size.

• Configuring the scanner control filter settings
  You can use Scanner Control Settings to limit the nesting level, file size, and scan time that is allowed when the email messages are scanned.

• Configuring MIME mail filter settings
  Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters.

• Configuring HTML file filter settings
  HTML file filter allows you to search for elements or executables such as ActiveX, Java applets, VBScripts in HTML components.

Configuring corrupt content filter settings

The content of some email messages can become corrupt, which means that the content of the email message cannot be scanned.

Corrupt content policies specify how email messages with corrupt content are handled when detected.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click Corrupt Content.

4 In Actions, click Edit to specify the filter actions that must be taken when corrupt content is detected.

5 Click Save to return to the policy page.

Configuring protected content filter settings

The content of some email messages is protected, which means that the content of the email message cannot be scanned.

Protected content policies specify how email messages with protected content are handled when detected.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click Protected Content.

4 In Actions, click Edit to specify the filter actions that must be taken when protected content is detected.

5 Click Save to return to the policy page.

Configuring encrypted content filter settings

Email messages can be encrypted, meaning that the content of those messages is encoded and therefore not accessible to unauthorized parties.

Encrypted content uses a "key" and encryption mathematical algorithms to decrypt it. Encrypted content policies specify how encrypted email messages are handled when detected.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click Encrypted Content.

4 In Actions, click Edit to specify the filter actions that must be taken when encrypted content is detected.

5 Click Save to return to the policy page.

Encrypted content settings are applicable to encrypted attachments in internal emails and to encrypted internet email messages.

Configuring signed content filter settings

Whenever information is sent electronically, it can be accidentally or willfully altered. To overcome this, some email software uses a digital signature — the electronic form of a handwritten signature.

A digital signature is extra information added to a sender’s message that identifies and authenticates the sender and the information in the message. It is encrypted and acts like a unique summary of the data. Typically, a long string of letters and numbers appears at the end of a received email message. The email software then re-examines the information in the sender’s message, and creates a digital signature. If that signature is identical to the original, the data has not been altered.

If the email message contains a virus, bad content, or is too large, the software might clean or remove some part of the message. The email message is still valid, and can be read, but the original digital signature is 'broken'. The recipient cannot rely on the contents of the email message because the contents might also have been altered in other ways. Signed content policies specify how email messages with digital signatures are handled.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click Signed Content.

4 In Actions, click Edit to specify the filter actions that must be taken when signed content is detected.

5 Click Save to return to the policy page.

Signed content settings are applicable to signed internet emails and signed attachments.

Configuring password-protected archives filter settings

You can protect an archive with a password and send it through email. Password-protected files cannot be accessed without a password and cannot be scanned.

Password-protected files policies specify how email messages that contain password-protected files are handled.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click Password-Protected Files.

4 In Actions, click Edit to specify the filter actions that must be taken when an email message containing a password-protected file is detected.

5 Click Save to return to the policy page.

Configuring mail size filter settings

Mail size filtering allows you to specify an action that will be applied to email messages based on their size.

Task

1 From Policy Manager, click Gateway. The Gateway Policies page appears.

2 Click Master policy, then click List All Scanners.

3 Click Mail Size Filtering.

4 In Activation, select Enable to activate the email size filter settings for the selected submenu item.

5 In Options, you can use:

• Default Settings — To view a summary of the mail size option set that is used by default.

• <create new set of options> — To configure mail size filtering options. The options are:

• Instance name — Type a unique name for the mail size filter setting instance. This field is mandatory.

• Maximum overall mail size (KB) — Specify the maximum size (in kilobytes) that an email message can be. The recommended size is 100,000 kilobytes (10 megabytes).

• Maximum attachment size (KB) — Specify the maximum size (in kilobytes) that the attachment(s) of an email message can be. The recommended size is 32000 kilobytes.

• Maximum number of attachments — Specify the maximum number of attachments an email message can have. The recommended size is 500 attachments (maximum).

• Edit — To edit the selected option set.

6 In Actions, click Edit. In the following tabs, specify the mail size filter actions that must be taken if the size of the email message/attachment and the number of email attachments exceed the specified number:

• Message Size

• Attachment Size

• Attachment Count

7 Click Save to return to the policy page.

Mail size filtering is applicable to both inbound and outbound email messages.
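The three checks behind the Message Size, Attachment Size and Attachment Count tabs can be reproduced outside the product when testing a policy. The following is an added example, not code from McAfee Security for Microsoft Exchange; the function names, the 1024-byte kilobyte, and the choice to measure decoded attachment bytes are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

KB = 1024  # assumption: the guide does not say whether a kilobyte is 1000 or 1024 bytes

# Recommended values from the option list above, in the units the UI uses.
RECOMMENDED = {"max_mail_kb": 100_000, "max_attachment_kb": 32_000,
               "max_attachments": 500}


def list_attachments(msg):
    """Return (name, decoded_size) for every attachment part in the message.

    A part counts as an attachment if it has Content-Disposition: attachment
    or carries a file name, so a part that only sets name= on Content-Type
    is still counted. Sizes are the decoded bytes, not the base64 text
    (an assumption about how a size filter would measure them).
    """
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no payload of their own
        name = part.get_filename()
        if name is None and not part.is_attachment():
            continue  # ordinary body text
        body = part.get_payload(decode=True) or b""
        found.append((name or f"unnamed-{len(found) + 1}", len(body)))
    return found


def evaluate_mail_size(raw, limits=RECOMMENDED):
    """Return the triggered checks, named after the three action tabs."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = list_attachments(msg)
    triggered = []
    if len(raw) > limits["max_mail_kb"] * KB:
        triggered.append("Message Size")
    if any(size > limits["max_attachment_kb"] * KB for _, size in attachments):
        triggered.append("Attachment Size")
    if len(attachments) > limits["max_attachments"]:
        triggered.append("Attachment Count")
    return triggered


def build_sample():
    """Constructed test message: a text body plus two binary attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(5000), maintype="application",
                       subtype="octet-stream", filename="figures.bin")
    msg.add_attachment(bytes(100), maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    tight = {"max_mail_kb": 4, "max_attachment_kb": 2, "max_attachments": 1}
    print(evaluate_mail_size(build_sample(), tight))
```

Because base64 inflates binary data by about a third, the overall message size and the decoded attachment size can fall on different sides of their limits for the same file.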

Configuring the scanner control filter settings

You can use Scanner Control Settings to limit the nesting level, file size, and scan time that is allowed when the email messages are scanned.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click Scanner Control.

4 In Options, click <create new set of options>.

5 In Instance name, type a unique name for the scanner control filter setting instance. This field is mandatory.

6 In Maximum nesting level, specify the level to which the scanner should scan, when an attachment contains compressed files, and other compressed files within. We recommend that you limit scanning to a depth of 100.

7 In Maximum expanded file size (MB), specify the maximum number of megabytes a file can be when expanded for scanning. We recommend a maximum size of 100 megabytes.

8 In Maximum scan time (minutes), specify the maximum number of minutes that should be spent scanning any file. We recommend a maximum of 10 minutes.

9 Click Save to return to the policy page.

10 In Alert selection, you can select which alert to use when a scanner control option is triggered. You can use:

• Create — To create a new alert message for this policy.

• View/Hide — To display or hide the alert text. If the text is hidden, clicking this link displays it. If the text is displayed, clicking this link hides it.

11 In Actions, click Edit to specify the filter actions that must be taken when the nesting level in a zip attachment, the file size, or the scanning time of an item exceeds the maximum, and when scanning an item fails.

12 Click Save to return to the policy page.
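The three scanner control limits exist so that a deeply nested or highly compressed attachment cannot exhaust the scanner. The following added example, which is not the product's code, walks a ZIP in memory and stops at whichever limit is hit first; the function names are hypothetical, the outermost archive is counted as level 1, and the expanded-size budget is cumulative across all layers, both of which are assumptions.

```python
import io
import time
import zipfile

ARCHIVE_MAGIC = b"PK\x03\x04"  # local file header that starts a non-empty ZIP


class LimitExceeded(Exception):
    """Raised when a scanner control limit is hit; .limit names which one."""

    def __init__(self, limit, detail):
        super().__init__(f"{limit}: {detail}")
        self.limit = limit


def scan_archive(data, max_nesting=100, max_expanded_mb=100, max_scan_minutes=10):
    """Walk a ZIP held in memory and return the leaf file names found.

    Defaults are the values the guide recommends. The walk aborts with
    LimitExceeded as soon as depth, expanded bytes or elapsed time runs out.
    """
    budget = {"bytes": max_expanded_mb * 1024 * 1024,
              "deadline": time.monotonic() + max_scan_minutes * 60}
    leaves = []
    _walk(data, 1, max_nesting, budget, leaves, "")
    return leaves


def _read_bounded(zf, info, budget):
    """Decompress one member in chunks, charging every byte to the budget.

    The size declared in the ZIP header is attacker-controlled, so the
    bytes actually produced are what gets counted.
    """
    out = bytearray()
    with zf.open(info) as member:
        while True:
            if time.monotonic() >= budget["deadline"]:
                raise LimitExceeded("scan_time", info.filename)
            chunk = member.read(64 * 1024)
            if not chunk:
                return bytes(out)
            budget["bytes"] -= len(chunk)
            if budget["bytes"] < 0:
                raise LimitExceeded("expanded_size", info.filename)
            out += chunk


def _walk(data, depth, max_nesting, budget, leaves, prefix):
    if depth > max_nesting:
        raise LimitExceeded("nesting_level", prefix or "<top>")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            body = _read_bounded(zf, info, budget)
            path = prefix + info.filename
            if body.startswith(ARCHIVE_MAGIC):
                _walk(body, depth + 1, max_nesting, budget, leaves, path + "!")
            else:
                leaves.append(path)  # a real scanner would inspect body here


def make_nested_zip(levels, payload=b"hello"):
    """Constructed sample: payload.txt wrapped in `levels` ZIP layers."""
    data, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data


def verdict(data, **limits):
    """Return 'scanned', the limit that was triggered, or 'scan_failed'."""
    try:
        scan_archive(data, **limits)
        return "scanned"
    except LimitExceeded as exc:
        return exc.limit
    except zipfile.BadZipFile:
        return "scan_failed"


if __name__ == "__main__":
    print(verdict(make_nested_zip(3), max_nesting=2))
```

Each non-"scanned" verdict corresponds to one of the conditions for which step 11 lets you choose an action.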

Configuring MIME mail filter settings

Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols (such as SMTP) that support only 7-bit ASCII characters.

MIME defines different ways of encoding the non-ASCII formats so that they can be represented using characters in the 7-bit ASCII character set.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click MIME Mail Settings.

4 In Options, select <create new set of options>. The Mail Settings page appears.

5 In Instance name, type a unique name for the MIME email filter setting instance. This field is mandatory.

6 In Options tab, type a Prefix to message subject.

a In Preferred re-encoding of attachments in a MIME message, select a re-encoding method that is used when re-encoding attachments in MIME messages from the options available.

b In Preferred re-encoding of modified subject headers, select a re-encoding method that is used when re-encoding the subject headers in the MIME messages from the options available.

c In If re-encoding a subject header fails, select one of these options:

• Treat as an error — The MIME message is bounced.

• Fallback to UTF-8 — The MIME message is encoded into UTF-8.

7 In Advanced tab, select one of these encoding methods to use while encoding the text part of an email message:

• Quoted-Printable, which is best suited for messages that mainly contain ASCII characters, but also contain some byte values outside that range.

• Base64, which has a fixed overhead and is best suited for non-text data, and for messages that do not have a lot of ASCII text.

• 8-Bit, which is best suited for use with SMTP servers that support the 8BIT MIME transport SMTP extension.

You can perform step 6b only if you select Re-encode using the original encoding scheme or Re-encode using the following character set from Preferred re-encoding of modified subject headers.

a Select or deselect Do not encode if text is 7-bit as required.

b In Default decode character set, select a character set that should be used for decoding when one is not specified by the MIME headers.

c In Maximum number of MIME parts, specify the maximum number of MIME parts that can be contained in a MIME message. Default value is 10000 MIME parts.

d In Header corruption in a MIME message, select the required option.

e In NULL characters in the headers of a MIME message, select the required option.

f In Quoted-printable characters encoding in a MIME message, select the required option.

8 In MIME Types tab, specify which MIME types should be treated as text attachments and which as binary attachments.

Click Add to add the MIME types to the list or Delete to delete a MIME type from a list. Duplicate entries are not allowed.

9 In Character Sets tab, select a Character set, Alternatives, deselect the Fixed checkbox, and click Add to specify an alternative character set mapping to the one specified in the MIME message.

Click Edit to edit character mappings, Delete to delete character mappings and Save to save any changes you have made to the character mappings.

The Save option is available only when you click Edit.

10 Click Save.

11 In Alert selection, you can select which alert to use when a MIME type is blocked. You can use:

• Create — To create a new alert message for this policy.

• View/Hide — To display or hide the alert text. If the text is hidden, clicking this link displays it. If the text is displayed, clicking this link hides it.

12 In Incomplete message actions, click Edit to specify the filter actions that must be taken when a partial MIME or external MIME type is encountered.

13 Click Save to return to the policy page.

Configuring HTML file filter settings

HTML file filter allows you to search for elements or executables such as ActiveX, Java applets, VBScripts in HTML components.

If any of this content is found in HTML, it is removed. This filter works only if Content Scanner is enabled.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners.

3 Click HTML Files.

4 In Options, click <create new set of options>. The HTML Files page appears.

5 In Instance name, type a unique name for the scanner control filter setting instance. This field is mandatory.

6 In Scan the following elements, select any of these option(s):

• Comments — To scan for comment elements in the HTML message. For example:

<!-- comment text -->

• Metadata — To scan for metadata elements in the HTML message. For example:

<META HTTP-EQUIV="Expires" Content="Tue, 04 June 2007 21:29:02">

• Links URLs ("<a href=...") — To scan for URL elements in the HTML message. For example:

<a HREF="McAfee.htm">

• Source URLS ("<img src=...") — To scan for source URL elements in the HTML message. For example:

<IMG SRC="..\..\images\icons\mcafee_logo_rotating75.gif">

• JavaScript / VBScript — To scan for JavaScript or Visual Basic script in the HTML message. For example:

<script language="javascript" src="mfe/mfe.js">

7 In Remove the following executable elements, select any of these option(s):

• JavaScript / VBScript — To remove JavaScript or Visual Basic script elements from the HTML message. For example:

<script language="javascript" src="mfe/mfe.js">

• Java applets — To remove Java applet elements from the HTML message. For example:

<APPLET code="XYZApp.class" codebase="HTML ....."></APPLET>

• ActiveX controls — To remove ActiveX control elements from the HTML message. For example:

<OBJECT ID="clock" data="http://www.mcafee.com/vscan.png" type="image/png"> VirusScan Image </OBJECT>

• Macromedia Flash — To remove Macromedia Flash elements from the HTML message. This option is enabled if you have selected ActiveX controls. For example:

<EMBED SRC="somefilename.swf" width="500" height="200">

8 Click Save to return to the policy page.
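To see what the scan and remove options in steps 6 and 7 amount to, the following added example (not the product's implementation) parses an HTML body, reports the scanned element kinds, and re-emits the document without script, applet, object and embed elements. The class and function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements named under "Remove the following executable elements".
EXECUTABLE = {"script": "JavaScript / VBScript", "applet": "Java applets",
              "object": "ActiveX controls", "embed": "Macromedia Flash"}
VOID = {"embed"}  # no end tag, so it never opens a region to skip


class HtmlFilter(HTMLParser):
    """Re-emit an HTML document without executable elements.

    findings collects (category, detail) pairs for the scan options;
    out collects the pieces of the filtered document.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings, self._open = [], [], []

    def _start(self, tag, attrs, opens_region):
        attrs = dict(attrs)
        if tag in EXECUTABLE:
            self.findings.append((EXECUTABLE[tag], tag))
            if opens_region and tag not in VOID:
                self._open.append(tag)
            return
        if self._open:
            return  # inside a removed element: drop nested markup too
        if tag == "meta":
            self.findings.append(
                ("Metadata", attrs.get("http-equiv") or attrs.get("name") or ""))
        if tag == "a" and attrs.get("href"):
            self.findings.append(("Link URL", attrs["href"]))
        if attrs.get("src"):
            self.findings.append(("Source URL", attrs["src"]))
        self.out.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, opens_region=True)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, opens_region=False)

    def handle_endtag(self, tag):
        if tag in EXECUTABLE:
            if tag in self._open:
                # Close the innermost matching element and anything
                # left unclosed inside it.
                last = len(self._open) - 1 - self._open[::-1].index(tag)
                del self._open[last:]
            return
        if not self._open:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._open:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._open:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._open:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.findings.append(("Comment", data.strip()))
        if not self._open:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_html(html_text):
    """Return (filtered_html, findings). An unclosed element fails closed:
    everything after it is dropped rather than passed through."""
    f = HtmlFilter()
    f.feed(html_text)
    f.close()
    return "".join(f.out), f.findings


# Constructed sample message body.
SAMPLE = (
    '<html><head><meta http-equiv="Expires" content="0">'
    '<script language="javascript" src="mfe/mfe.js">alert(1)</script></head>'
    '<body><!-- build 42 --><p>Invoice &amp; receipt</p>'
    '<a href="https://example.test/pay">Pay</a><img src="logo.gif">'
    '<applet code="XYZApp.class"></applet>'
    '<object id="clock" data="clock.bin">fallback <embed src="movie.swf"></object>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, found = filter_html(SAMPLE)
    print(cleaned)
    for category, detail in found:
        print(category, detail)
```

Script can also arrive in event-handler attributes and in javascript: URLs, which this element-level example does not touch.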

Alert settings and disclaimer text

Alert messages are used to notify a person when a particular event occurs.

You can use Alert Settings to set up additional information about these alerts.

A disclaimer is a piece of text, typically a legal statement, that is added to an email message. Disclaimers are applicable only to outbound email messages.

Miscellaneous settings for a policy

You can configure different types of miscellaneous settings for a policy. The type of settings that are available depends on which policy is selected.

Tasks

• Configuring alert message settings
  A message that is sent to the McAfee Security for Microsoft Exchange administrator to notify them that a scanner has detected an issue with a scanned item.

• Configuring disclaimer text settings
  A disclaimer is a piece of text, typically a legal statement, that is added to an email message.

Configuring alert message settings

A message that is sent to the McAfee Security for Microsoft Exchange administrator to notify them that a scanner has detected an issue with a scanned item.

Use this task to configure the alert message settings.

Task

1 From Policy Manager, select a submenu item. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners tab.

3 Click Alert Settings.

4 In Options, select the default alert settings available or select <create new set of options> to define your alert settings. The Alert Settings page appears.

5 In Instance name, type a unique name for the alert message setting instance. This field is mandatory.

6 Select HTML or Plain text as the Alert format.

7 From the Character encoding drop-down menu, select a required character set.

8 In Alert filename, specify the file name for this alert, including the appropriate HTML (.htm) or plain text (.txt) file extension.

9 Select or deselect Enable alert headers to enable the use of an alert header.

10 In the Alert header text entry box, type the header for the alert.

11 From Show, select HTML content (WYSIWYG) or HTML content (source) depending on whether the HTML text should be shown as compiled code or source code in the Alert header.

The Show option is only available if you have selected HTML as the alert message format.

12 Select Enable alert footers to enable the use of an alert footer as needed.

13 In the Alert footer text entry box, type the footer for the alert.

14 From Show, select HTML content (WYSIWYG) or HTML content (source) depending on whether the HTML text should be shown as compiled code or source code in the Alert footer.

The Show option is only available if you have selected HTML as the alert message format.

15 Click Save to return to the policy page.

Configuring disclaimer text settings

A disclaimer is a piece of text, typically a legal statement, that is added to an email message.

Use this task to configure the disclaimer text.

Task

1 From Policy Manager, click Gateway. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners tab.

3 Click a policy name, then click Disclaimer Text from the Miscellaneous category.

4 Select Enable to activate the disclaimer text settings for the selected submenu item.

5 In Options, select <create new set of options>. The Disclaimer Text page appears.

6 In Instance name, type a unique name for the disclaimer text setting instance. This field is mandatory.

7 In Disclaimer message (plain text only), type the disclaimer text message in plain text format.

8 From the Insert disclaimer drop-down menu, select Before any message text, After any message text or As an attachment depending on where/how the disclaimer text should be inserted in the email message.

9 Click Save to return to the policy page.

Disclaimers are applicable only to outbound email messages.

Creating a new alert

Use this task to create a new alert message for actions taken by a scanner or filter.

Task

1 From Policy Manager, select a submenu item that has the content scanner. The policy page for the submenu item appears.

2 Click Master policy, then click List All Scanners tab.

3 Click Content Scanning (or an appropriate scanner, filter, or miscellaneous).

4 In Options, click Create. The Alert Editor page appears.

5 Type a meaningful Alert name.

6 In Content Scanning Alert, select the required Style, Font, Size, and Tokens from the respective drop-down lists.

These options are available only if you select HTML content (WYSIWYG) from the Show drop-down menu.

7 Use any of these tools available in Content Scanning Alert.

Table 4-3 Toolbar options

Options | Description
Bold | To make the selected text bold.
Italic | To make the selected text italic.
Underline | To underline the selected text.
Align Left | To left align the selected paragraph.
Center | To center the selected paragraph.
Align Right | To right align the selected paragraph.
Justify | To adjust the selected paragraph so that the lines within the paragraph fill a given width, with straight left and right edges.
Ordered List | To make the selected text into a numbered list.
Unordered List | To make the selected text into a bulleted list.
Outdent | To move the selected text a set distance to the right.
Indent | To move the selected text a set distance to the left.
Text Color | To change the color of the selected text.
Background Color | To change the background color of the selected text.
Horizontal Rule | To insert a horizontal line.
Insert Link | To insert a hyperlink where the cursor is currently positioned. In URL, type the URL. In Text, type the name of the hyperlink as you want it to appear in the alert message. If you want the link to open a new window, select Open link in new window, then click Insert Link.
Insert Image | To insert an image where the cursor is currently positioned. In Image URL, type the location of the image. In Alternative text, type the text you want to use in place of the image when images are suppressed or the alert message is displayed in a text-only browser. If you want to give the image a title, type the title name in Use this text as the image title. Click Insert Image.
Insert Table | To insert a table at the current cursor position. Type the values in Rows, Columns, Table width, Border thickness, Cell padding, and Cell spacing to configure the table, then click Insert Table.

8 From the Show drop-down menu, specify how the alert message should be displayed within the user interface. You can select:

• HTML content (WYSIWYG) — To hide the underlying HTML code and display only the content of the alert message.

• HTML content (source) — To display the alert message with the HTML code as it appears before compilation.

• Plain-text content — To display the content as plain text.

You can include the following notification fields in your alert message. For example, if you want the alert message to show the name of the detected item and the action taken when it was detected, use %vrs% and %act% on the Alert Editor page.

Table 4-4 Notification fields you can use

Notification field options | Description
%dts% | Date and time
%sdr% | Sender
%ftr% | Filter
%fln% | File name
%rul% | Rule name
%act% | Action taken
%fdr% | Folder
%vrs% | Detection name
%trs% | State (Train state)
%tik% | Ticket number
%idy% | Scanned by
%psn% | Policy name
%svr% | Server
%avd% | Anti-virus DAT
%ave% | Anti-virus engine
%rpt% | Recipient
%rsn% | Reason
%sbj% | Subject
%ssc% | Spam score
%ase% | Anti-spam engine
%asr% | Anti-spam rules

9 Click Save to return to the policy page.

Click Reset to undo all changes you have made since you last saved the alert message.

Enabling Product Health Alerts

Use this task to enable Product Health Alerts to send notifications on the product's status and configure these alerts.

Task

1 Click Settings & Diagnostics | Notifications. The Notifications page appears.

2 Under Notifications, in Product Health Alerts, select Enable. If your McAfee Security for Microsoft Exchange is managed by ePolicy Orchestrator and you want a notification to be sent to ePolicy Orchestrator, select Alert ePolicy Orchestrator. To send a notification to the administrator, select Alert Administrator.

3 In Notify when, select an event or events when a notification is to be sent.

4 To send a notification immediately when the selected event occurs, select Immediate. To schedule a notification to be sent at a particular time of the day, select Daily and enter the values for hours and minutes.

Shared Resource

When setting up policies, you might want the same resource to be used by more than one policy.

For example, you might want to use the same disclaimer in both internal and external email messages. Instead of creating two disclaimers, one for the internal mail policy, one for the external mail policy, you can create a single disclaimer that can be used by both policies. The disclaimer can be thought of as a resource that is shared by more than one policy.

You can use Shared Resource to:

• View resource settings.

• Create new resources.

• Change resource settings, so that the changes are picked up by all policies using those shared resources.

• Delete shared resources that are no longer in use.

Shared resource is explained using Anti-Virus Scanner Settings. The settings for other scanners and filters may vary; however, most of them are similar.

Configuring the shared scanners, filters, and alert settings

This section provides information on creating and configuring shared scanners, filters, and alerts.

You can configure scanner-related settings that a policy can apply when scanning items.

Tasks

• Creating shared scanners and alerts
  Use this task to create a new shared scanner and its corresponding alert message.

• Creating shared file filtering rule
  Use this task to filter files on the basis of their size, content or name.

Creating shared scanners and alerts

Use this task to create a new shared scanner and its corresponding alert message.

Task

1 From Policy Manager, click Shared Resource. The Shared Resources page appears.

2 In Scanners & Alerts tab, click Create New for Scanner for the selected Category in which you want to create a new shared resource (for example, the anti-virus scanner category).

3 Type the shared Instance name and specify the Basic Options for the shared resource.

• Select Scan all files to scan all files, regardless of their type.

• Select Default file types to specify that only the default file types should be scanned.

• Select Defined file types to specify which file types should be scanned.

If you select Defined file types, type a three-letter file extension. Longer file extensions are included through pattern matching so that "CLA" will match ".class" files. Click Add. All lower case extensions are converted to upper case extensions.

4 In Scanner options, select the scanner options for the shared resource.

• Scan archive files (ZIP, ARJ, RAR...) — To scan inside archive files, such as ZIP files.

• Find unknown file viruses — To use heuristic analysis techniques to search for unknown viruses.

• Find unknown macro viruses — To find unknown viruses in macros.

• Scan all files for macros — To scan all files for macros.

• Find all macros and treat as infected — To find macros in files and treat them as infected items.

• Remove all macros from document files — To remove all macros from document files.

5 Click Advanced tab. The Custom Malware categories page appears.

In Custom malware categories, you can specify which items should be treated as malware. When setting up a policy, you can specify that the selected malware items are treated differently to viruses. For example, you might specify that an alert message is sent to an administrator whenever an infected email message is detected, but make an exception when a mass-mailer is involved. Mass-mailers spread by generating large numbers of email messages, and if an alert was generated for each of these email messages, the number of alerts generated would only add to the problem.

6 Select the specific malware types from the list or type the detection names you want to detect. When typing in the detection name, you can use wildcard characters for pattern matching.

7 Specify the Clean options for the shared scanner for when cleaning is attempted and the file is zero bytes after cleaning. You can keep the file, remove it or treat the scan as failed.

Cleaning an item can remove some types of malware. You can specify whether items that have already been successfully cleaned should be subject to the custom malware check.

8 Click Packers. The Packer detection page appears.

Executable files can be compressed with a packer that shrinks, and possibly encrypts, the original code. A packer can be used to conceal software that is a security risk. For example, a packed executable could contain a Trojan horse.

9 Select or deselect Enable detection to enable or disable the detection of packers.

10 Select Exclude specified names or Include only specified names to specify which packers can be ignored or detected.

• Click Add to add packer names to a list.

• Click Delete to remove packer names from a list.

When specifying packer names, you can use wildcards to match multiple names.

11 Click PUPs. The Potentially Unwanted Programs detection page appears.

In PUPs, you can configure detection for PUPs such as Spyware, Adware, Remote administration tools, Dialers, Password crackers, Joke programs and other PUPs that are not included in the categories.

12 Click Enable detection to enable or disable the detection of PUPs.

Click the disclaimer link and read the disclaimer before configuring PUP detection.

13 Select each type of PUP in Program types to be detected or ignored.

14 Select Exclude specified names or Include only specified names to list by name the PUPs that you want the software to ignore or detect, then click Add.

You can use wildcards to match names. For example, type the name of the spyware and click Add. Repeat this step until you have added the names of all the spyware programs you want the software to ignore or detect.

15 Click Save.

16 Click Cancel to delete all changes and return to the home page.

17 In Alerts, click View to see the default anti-virus scanner alert or click Create New and create a new alert message. For instructions, see the Creating a new alert section.

18 Click Save to return to the policy page.

To delete all changes and return to the policy page, click Cancel.

Creating shared file filtering rule

Use this task to filter files on the basis of their size, content or name.

Task

1 From Policy Manager, click Shared Resource. The Shared Resource page appears.

2 Click the Filter Rules tab.

3 In File Filtering Rules, click Create New. The File Filtering Rule page appears.

4 Type a unique Rule name. Give the rule a meaningful name, so that you can easily identify it and what it does. For example, FilesOver5MB.

5 In Filename filtering, select Enable file name filtering to enable file filtering according to the file names.

6 In Take action when the file name matches, specify the names of the files that are affected by this rule. You can use the * and ? wildcard characters to match multiple filenames. For example, if you want to filter any Microsoft PowerPoint files, type *.ppt.

7 In File category filtering, select Enable file category filtering to enable file filtering according to their file type.

8 In Take action when the file category is, specify the type of files that are affected by this rule.

File types are divided into categories and subcategories.

9 In File categories, click a file type. An asterisk symbol (*) appears next to the file type to indicate that the selected file type will be filtered.

10 In Subcategories, click the subcategory you want to filter.

• To select more than one subcategory, use Ctrl+Click or Shift+Click.

• To select all of the subcategories, click All.

• Click Clear selections to undo the last selection.

11 Select Extend this rule to unrecognized file categories to apply this rule to any other file categories and subcategories that are not specifically mentioned in the categories and subcategories lists.

12 In File size filtering, select Enable file size filtering to filter files according to their file size.

13 In Take action when the file size is, select an option, then click Save.

• Greater than to specify that the action should only be applied if the file is larger than the size specified.

• Less than to specify that the action should only be applied if the file is smaller than the size specified.

14 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears.

15 Click a policy name. Select the Active option for the file filtering scanner, then click File Filtering.

16 In File Filtering rules and associated actions, select the rule you created from the Available rules drop-down menu.

17 Click the Change link of the rule to specify actions that must be taken when a file/attachment in an email message is detected and filtered.

18 Click Save to return to the policy page.

See the Appendix A — Using file filtering rule and actions in a real-time scenario section for more information.

Configuring filter rules and time slots

You can use this feature to create rules that a policy can apply to the content of emails and text in attachments, and to set up different time 'slots' that can be applied to policies.

Tasks

• Creating shared filter rules: Use this task to configure rules that a policy can apply to the content of mails, and text in attachments.

• Creating shared time slots: Use this task to set up different time slots that can be applied to policies.

Creating shared filter rules

Use this task to configure rules that a policy can apply to the content of mails, and text in attachments.

Task

1 From Policy Manager, click Shared Resource. The Shared Resources page appears.

2 Click the Filter Rules tab, then click Create New for Content Scanner Rules for a selected category. The New Content Scanner Rule page appears.

3 Type the Rule Name and Description for the rule.

4 Select Add this rule to this category's rules group to add the new rule to the rules group for the selected category.

5 Under Word or Phrase, specify the words or phrases to look for, in The rule will trigger when the following word or phrase is found. Then select one of the following options:

• Exact Match — If enabled, the rule is triggered only if the word or phrase exactly matches the specified word or phrase.

• Regular Expression — If enabled, the rule is triggered for specified text that is a regular expression. This is a precise and concise method for matching strings of text, such as words, characters or patterns of characters.

For example, the regular expression "tree" matches the sequence of characters "tree" appearing consecutively in any context, such as trees, street, backstreet.

Refer to http://www.regular-expressions.info/reference.html or http://www.zytrax.com/tech/web/regex.htm for more details.

• Use Wildcards — If enabled, the rule is triggered for the specified word or phrase that contains wildcard characters. (Wildcard characters are often used in place of one or more characters when you do not know what the real character is or you do not want to type the entire name.)

• Starts with — If enabled, the rule is triggered for specified text that forms the beginning of the word or phrase.

• Ends with — If enabled, the rule is triggered for specified text that forms the last part of the word or phrase.

• Case Sensitive — If enabled, the rule is triggered if the case of the specified text matches the word or phrase.

6 Select Specify additional contextual words or phrases, if you want to add contextual words.

7 Select from Trigger if ALL of the phrases are present, Trigger if ANY of the phrases are present or Trigger if NONE of the phrases are present from the drop-down menu.

8 Select within a block of to specify the number of Characters from a block to be scanned.

9 Click Add Contextual word to type additional words or phrases.

10 Specify the word or phrase in Specify words or phrases, select one of the conditions (same options as in Step 5), then click Add.

11 Under File Format, select Everything to enable all the file categories and its subcategories. You can select multiple categories and file types within the selected categories to be matched. Selecting All in the subcategory selector overrides any other selections that may have already been made.

12 If you have not selected Everything, then click Clear selections to deselect any of the selected file type options.

13 Click Save to return to the policy page, then click Apply.
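The rule logic configured in steps 5 to 10, modelled as an added Python sketch. This is not McAfee's code: the class names, the word-boundary reading of each match option, and the reading of "within a block of" as a character window around each match of the main phrase are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Term:
    """One word or phrase plus the match option selected for it (assumed model)."""
    text: str
    mode: str = "exact"            # exact | regex | wildcard | starts | ends
    case_sensitive: bool = False

    def compile(self):
        flags = 0 if self.case_sensitive else re.IGNORECASE
        esc = re.escape(self.text)
        if self.mode == "regex":
            body = self.text                       # used as written
        elif self.mode == "wildcard":              # * = any run, ? = one character
            body = r"\b" + esc.replace(r"\*", r"\w*").replace(r"\?", r"\w") + r"\b"
        elif self.mode == "starts":
            body = r"\b" + esc + r"\w*"
        elif self.mode == "ends":
            body = r"\w*" + esc + r"\b"
        elif self.mode == "exact":
            body = r"\b" + esc + r"\b"
        else:
            raise ValueError(f"unknown match mode: {self.mode}")
        return re.compile(body, flags)


@dataclass
class ContentRule:
    name: str
    primary: Term
    context: list = field(default_factory=list)
    context_mode: str = "ANY"      # ALL | ANY | NONE
    block_chars: int = 50          # "within a block of" N characters

    def triggers(self, text):
        primary_re = self.primary.compile()
        context_res = [t.compile() for t in self.context]
        for m in primary_re.finditer(text):
            if not context_res:
                return True                        # no contextual words configured
            lo = max(0, m.start() - self.block_chars)
            window = text[lo:m.end() + self.block_chars]
            hits = [bool(r.search(window)) for r in context_res]
            if self.context_mode == "ALL" and all(hits):
                return True
            if self.context_mode == "ANY" and any(hits):
                return True
            if self.context_mode == "NONE" and not any(hits):
                return True
        return False


# Constructed sample message bodies, for illustration only.
NEAR = "This confidential memo lists salary bands for 2011."
FAR = "Confidential: see below." + " filler" * 20 + " salary review."

if __name__ == "__main__":
    rule = ContentRule("payroll-leak", Term("confidential"),
                       [Term("salary"), Term("payroll")], "ANY", 40)
    for label, body in (("near", NEAR), ("far", FAR)):
        print(label, rule.triggers(body))
    # Regular Expression versus Exact Match on the guide's "tree" example
    print(ContentRule("re", Term("tree", "regex")).triggers("Backstreet"))
    print(ContentRule("ex", Term("tree", "exact")).triggers("Backstreet"))
```

The "far" message shows the practical effect of a small block size: the contextual word is present in the message but outside the window, so an ANY rule stays silent while a NONE rule fires.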

Creating shared time slots

Use this task to set up different time slots that can be applied to policies.

Task

1 From Policy Manager, click Shared Resource. The Shared Resources page appears.

2 Click Time Slots tab.

3 Click Create New. The Time Slot page appears.

4 Type a unique Time slot name.

5 Under Select day and time, select the required day(s).

6 Select All day or Selected hours for the time slot. If you select Selected hours, select the Start and End time from the drop-down.

7 Click Save to return to the policy page.

Master policies use All the time slot. If you want a policy to be active during a different time slot, you must create a subpolicy and specify a different time slot.

5 Settings and Diagnostics

This section describes the settings and diagnostics you can perform with McAfee Security for Microsoft Exchange.

Contents

• On-Access settings

• Configuring Mailbox Exclusion settings

• Notifications settings

• Configuring Anti Spam settings

• Detected Items settings

• User Interface Preferences settings

• Diagnostics settings

• Product Log settings

• DAT settings

• Import and Export Configuration settings

• Proxy Settings

On-Access settings

In this section you can configure the general On-Access settings, Microsoft Virus Scanning API (VSAPI) settings, background scan settings and transport scan settings.

What is Microsoft Virus Scanning API (VSAPI)

VSAPI is implemented at a very low level in the Exchange Information Store. This allows a virus scanning application to run with high performance, and guarantees that the message will be scanned before any client can access the message or its attachment.

This allows messages and attachments to be scanned once before delivery, rather than multiple times (depending on the number of mailboxes to which the message is delivered). This single-instance scanning also helps prevent messages from being re-scanned when a message is copied, which results in improved system performance.

What is Proactive Scanning

Proactive scanning is a type of scanning that is made possible by Microsoft VSAPI. You can prioritize the scanning of messages and files written to the store. It enables objects from the store to be scanned in order of priority. Items passing in and out of the store receive a priority rating and are placed in a scanning queue. The scanning queue allows prioritization and re-prioritization of items in the queue.

For example, if a user tries to open an item that has not been scanned, it is assigned a high priority, whereas items being saved or posted to public folders are assigned a low priority. This is known as priority based queuing. When all the high priority items have been scanned, scanning of lower priority items begins. The latter are scanned on a first-in-first-out (FIFO) basis.
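Priority based queuing with re-prioritization, as an added Python model (not VSAPI or McAfee code). The class and method names are assumptions, and the model goes slightly beyond the text by keeping arrival order within the high priority level as well.

```python
import heapq
import itertools

HIGH, LOW = 0, 1   # the smaller number is served first


class ScanQueue:
    """Toy model of a scan queue that can re-prioritize waiting items."""

    def __init__(self):
        self._heap = []                 # (priority, arrival_seq, item_id)
        self._pending = {}              # item_id -> its currently valid entry
        self._scanned = set()
        self._seq = itertools.count()   # arrival order gives FIFO within a priority

    def _enqueue(self, item_id, priority):
        entry = (priority, next(self._seq), item_id)
        self._pending[item_id] = entry  # any older entry for this item is now stale
        heapq.heappush(self._heap, entry)

    def on_save(self, item_id):
        """Item saved or posted to a public folder: low priority."""
        if item_id not in self._scanned and item_id not in self._pending:
            self._enqueue(item_id, LOW)

    def on_open(self, item_id):
        """Client opens an item: an unscanned item moves to high priority."""
        if item_id in self._scanned:
            return False                # already scanned, nothing to queue
        current = self._pending.get(item_id)
        if current is not None and current[0] == HIGH:
            return False                # already waiting at high priority
        self._enqueue(item_id, HIGH)
        return True

    def scan_next(self):
        """Return the next item to scan, skipping stale (re-prioritized) entries."""
        while self._heap:
            entry = heapq.heappop(self._heap)
            if self._pending.get(entry[2]) == entry:
                del self._pending[entry[2]]
                self._scanned.add(entry[2])
                return entry[2]
        return None

    def drain(self):
        order = []
        while (item := self.scan_next()) is not None:
            order.append(item)
        return order


def demo():
    # Constructed item ids, not real message identifiers.
    q = ScanQueue()
    for item in ("post-1", "post-2", "post-3"):
        q.on_save(item)
    q.on_open("post-3")     # user opens an unscanned item that is already queued
    q.on_open("mail-9")     # user opens an item that was never queued
    return q.drain()


if __name__ == "__main__":
    print(demo())
```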

What is Background Scanning

Background scanning is a type of on-access scanning made possible within Microsoft Exchange 2003/2007 by Microsoft VSAPI, which does not scan all files on access, reducing the scanner's workload. It scans the databases on which it has been enabled. Background scanning is off by default.

What is Transport Scanning

Transport scanning allows you to scan SMTP traffic before it enters the Exchange information store. SMTP Transport scanning can perform scanning of routed email messages that are not destined for the local server and can stop delivery of messages.

SMTP Transport scanning can be applied to Microsoft Exchange 2003 with the VSAPI 2.5.

Configuring On-Access settings for Exchange Server 2003

Use this task to configure the general on-access settings, Microsoft Virus Scanning API (VSAPI) settings, background scan settings and transport scan settings for Exchange server 2003.

By default, the McAfee® Transport Scanner is enabled and scans all the email messages. If you deselect Transport Scan Settings, Microsoft Virus Scanning API (VSAPI v 2.5) scans the email messages.

If you set the On scan failure to Remove, all emails that are detected as potentially harmful are quarantined and deleted. When scanning is not in progress and you try to forward, release, download or view these quarantined items under Detected Items | All Items, an operation failed error message is displayed. The forward, release, download and view operations for these quarantined items are possible when McAfee Security for Microsoft Exchange starts scanning again. Product Health Alerts and Notifications are also quarantined and deleted if On scan failure is set to Remove.

Task

1 Click Settings & Diagnostics | On-Access Settings. The On-Access Settings page appears.

2 From General, choose Allow Through or Remove for On Scan Failure depending on whether you want to allow the email message through or delete it, if scanning fails.

3 From Microsoft Virus Scanning API (VSAPI), you can use:

• Enabled — To specify whether VSAPI is enabled or not. If disabled, the following options also become inactive.

• Proactive Scanning — To scan when messages and files are written to the Store.

• Background Scanning — To specify whether background scanning is enabled or not. You can use Enable At and Disable At to schedule the background scanning.

• Scan Timeout (seconds) — To specify the length of time to wait for a scan before timing out. The default value is 180 seconds.

• Number of Scan Threads — To specify the maximum number of scan threads for various processes. You can select the Default option if you don't want to specify the number of scan threads.

VSAPI should be disabled while moving or restoring backup mailboxes.

4 From Transport Scan Settings, select Enable to benefit from bi-directional SMTP scanning control.

5 From Direction Based Scanning, you can select:

• Scan Inbound Mails — To scan messages coming from an external server (for example, Internet-based email messages). If this is selected and the other two options are deselected, then a mail going to a different domain is not scanned.

• Scan Outbound Mails — To scan any email that leaves your Exchange server or Exchange organization. Email messages are designated as outbound if at least one recipient has an external address.

• Scan Internal Mails — To scan email messages that are being routed from one location inside your domain to another location inside your domain. Email messages are designated as Internal if they originate from inside your domain and ALL the recipients are located inside your domain.

6 Select Enable routing to the user junk folders on this server to route junk emails to the user junk folders on the email server.

Configuring On-Access settings for Exchange Server 2007 or 2010

Use this task to configure the general On-Access settings, Microsoft Virus Scanning API (VSAPI) settings, background scan settings and transport scan settings for Exchange server 2007 and 2010.

Background scanning capabilities in McAfee Security for Microsoft Exchange are enhanced using the new features available in VSAPI v 2.6.

There is also a stamping mechanism in case of Microsoft Exchange Server 2007 or 2010. After an email message is scanned, the McAfee Transport Scanner assigns a stamp to the header of the email message. This prevents the email message from being re-scanned by Microsoft Virus Scanning API (VSAPI). The remaining features are the same as that of Exchange Server 2003.

Task

1 Click Settings & Diagnostics | On-Access Settings. The On-Access Settings page appears.

2 From General, choose Allow Through or Remove for On Scan Failure depending on whether you want to allow the email message through or delete it, if scanning fails.

3 From Microsoft Virus Scanning API (VSAPI), you can use:

• Enabled — To specify whether VSAPI is enabled or not. If disabled, the following options also become inactive.

• Proactive Scanning — To scan when messages and files are written to the Store.

• Outbox Scanning — To scan outbound messages in the Outbox folder.

• Lower Age Limit (seconds) — To specify whether to scan all emails or only those that are not older than the date/time mentioned in the setting. This is useful in a scenario where the customer suspects an outbreak/infection of emails that came only in the last 2 days. This will also help in finishing the background scanning faster and hence result in less load on the server. The default value is 86,400 seconds.

• Scan Timeout (seconds) — To specify the length of time to wait for a scan before timing out. The default value is 180 seconds.

• Number of Scan Threads — To specify the maximum number of scan threads for various processes. You can select the Default option if you don't want to specify the number of scan threads.

4 From Background Scan Settings, you can use:

• Enable — To specify whether background scanning should be enabled or not. You can use Enable At and Disable At to schedule the background scanning.

• Only Messages With Attachments — To enable background scanning for only email messages that have attachments.

• Only Un-Scanned Items — To enable background scanning only to those messages that have not been scanned yet.

• Force Scan All — To scan items irrespective of whether the item has a scan stamp or not. If an item has a scan stamp, it means that the item is scanned and up to date.

• Update Scan Stamp — To perform background scanning up to date. When you deselect this option, the scan stamp is not updated. This feature is useful if the vendor wants to access the messages but not necessarily virus scan them.

• From Date and To Date — To schedule the scan stamp update.

5 From Transport Scan Settings, you can select:

• Enable — To enable transport scanning.

• Transport Scan Stamp — To reduce redundant scanning whenever possible and to benefit from bi-directional SMTP scanning control.

6 From Direction Based Scanning, you can select:

• Scan Inbound Mails — To scan messages coming from an external server (for example, Internet-based email messages). If this is selected and the other two options are deselected, then a mail going to a different domain is not scanned.

• Scan Outbound Mails — To scan any email that leaves your Exchange server or Exchange organization. Email messages are designated as outbound if at least one recipient has an external address.

• Scan Internal Mails — To scan email messages that are being routed from one location inside your domain to another location inside your domain. Email messages are designated as Internal if they originate from inside your domain and ALL the recipients are located inside your domain.
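The direction rules above (the same rules appear in the Exchange Server 2003 task) applied to sample messages, as an added Python example that is not part of the product. It follows the stated definitions literally; the function names, the example domains and the sample messages are constructed for illustration.

```python
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain part of an address such as 'Ann <ann@corp.example>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def classify(sender, recipients, internal_domains):
    """Apply the guide's definitions: internal, then outbound, otherwise inbound."""
    inside = {d.lower() for d in internal_domains}
    sender_inside = domain_of(sender) in inside
    all_rcpt_inside = all(domain_of(r) in inside for r in recipients)
    if sender_inside and all_rcpt_inside:
        return "internal"       # originates inside and ALL recipients are inside
    if not all_rcpt_inside:
        return "outbound"       # at least one recipient has an external address
    return "inbound"            # external sender, every recipient inside


def coverage_gaps(messages, enabled_directions, internal_domains):
    """Return (message id, direction) for every message no enabled option scans."""
    gaps = []
    for msg in messages:
        direction = classify(msg["from"], msg["to"], internal_domains)
        if direction not in enabled_directions:
            gaps.append((msg["id"], direction))
    return gaps


# Constructed sample data: one internal domain and three messages.
INTERNAL = {"corp.example"}
SAMPLE = [
    {"id": "m1", "from": "news@partner.example", "to": ["ann@corp.example"]},
    {"id": "m2", "from": "Ann <ann@corp.example>",
     "to": ["bob@corp.example", "carl@partner.example"]},
    {"id": "m3", "from": "bob@corp.example", "to": ["ann@corp.example"]},
]

if __name__ == "__main__":
    # Only Scan Inbound Mails selected: the mixed-recipient and internal mails pass unscanned.
    print(coverage_gaps(SAMPLE, {"inbound"}, INTERNAL))
    print(coverage_gaps(SAMPLE, {"inbound", "outbound", "internal"}, INTERNAL))
```

A single external recipient is enough to make a message outbound, so a configuration that scans only inbound mail leaves both that message and purely internal traffic unscanned at the transport level.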

Configuring Mailbox Exclusion settings

Use this task to configure mailboxes that are to be excluded from a VSAPI scan. The mailbox selected and configured will not be subjected to a VSAPI scan.

Task

1 Click Settings & Diagnostics | Mailbox Exclusion Settings. The Mailbox Exclusion Settings page appears.

2 From the left pane displaying Available mailboxes, select a mailbox, then click >>.

3 The selected mailbox is moved to the right pane Mailboxes to exclude. Repeat step two for all mailboxes that are to be excluded from a VSAPI scan.

To remove a mailbox from the exclusion list, select a mailbox in the right pane Mailboxes to exclude, then click << to move the mailbox to the list of Available mailboxes.

4 Click Apply to save the settings.

McAfee does not recommend excluding any mailbox from VSAPI scanning.

Notifications settings

Notification settings allow you to configure the content and SMTP address for the administrator to send email notifications.

Configuring notifications

Use this task to configure the notifications sent from McAfee Security for Microsoft Exchange.

Task

1 Click Settings & Diagnostics | Notifications. The Notifications page appears.

2 Under Notifications, in General, type the Administrator E-mail address, to notify the administrator email account of that Exchange server.

3 Type the Sender E-mail to notify using the sender email address.

4 Select Enable Task results notification to send emails with on-demand scan and update tasks results. The email is in HTML format and has the same data and format as Task Result window in the user interface. This feature can be enabled/disabled through this option. By default, this feature is disabled.

5 In Template, select a template from the drop-down list.

6 Type the Subject of the notification.

7 Click Edit to change the notification text that should be included in the body of the message.

8 Click Apply to save the settings.

9 In Product Health Alerts, select Enable to activate alerts regarding products when certain events occur.

10 Select Alert ePolicy Orchestrator or Alert Administrator or both. An alert message is sent accordingly.

11 Select an event, when a notification should be sent. You can select Immediate to send a notification immediately, or Daily and enter the time when the notification should be sent on a daily basis.

12 Click Apply to save the settings.

For details on the Notification fields that you can use, see Creating a new alert.

Configuring Anti Spam settings

Use this task to configure the address of the system junk folder to filter junk mails and enable junk folder routing.

Task

1 Click Settings & Diagnostics | Anti Spam. The Anti Spam Settings page appears.

2 In Gateway Spam Filter, type an email address to configure the System Junk Folder Address to filter the junk emails.

3 In McAfee Global Threat Intelligence message reputation, select Enable message reputation to enable this feature.

4 In Take the following action, select the required action from the drop-down list.

5 In Message reputation threshold, type the minimum value that would trigger the corresponding policy.

6 Click Apply to save the settings.

If your internet bandwidth is low, it is recommended that you execute McAfee AntiSpam Add-on first and then Global Threat Intelligence. If your internet bandwidth is high, it is recommended that you run Global Threat Intelligence first, followed by McAfee AntiSpam Add-on.

Detected Items settings

You can also configure communication settings for McAfee Quarantine Manager and maintenance settings for the local quarantine database.

When McAfee Security for Microsoft Exchange detects an infected item, you can specify a local database or McAfee Quarantine Manager for quarantining email messages.

Configuring detected items

This section provides information about configuring settings when using McAfee Quarantine Manager or the local quarantine database for quarantining detected items.

Tasks

• Quarantining data using McAfee Quarantine Manager: McAfee Quarantine Manager (MQM) versions 6.0 and 7.0 can be used as a repository for quarantining infected email messages.

• Quarantining data to the local database: Quarantine data can be saved in a local database on a local system.

Quarantining data using McAfee Quarantine Manager

McAfee Quarantine Manager (MQM) versions 6.0 and 7.0 can be used as a repository for quarantining infected email messages.

McAfee products (such as McAfee Security for Microsoft Exchange) use a pre-assigned port number to send the detection information to McAfee Quarantine Manager. McAfee Quarantine Manager in turn uses the same port number by default, to release or send configuration information of the detected email messages to the McAfee product. The communication ports mentioned in the McAfee Security for Microsoft Exchange and McAfee Quarantine Manager user interface should be the same.

You can use McAfee Quarantine Manager to consolidate the quarantine and anti-spam management functionality. It gives you a central point from which you can analyze and act upon emails and files that have been quarantined. Items are quarantined because they are spam, phish, contain viruses, potentially unwanted software or other undesirable content. McAfee Quarantine Manager is particularly effective in managing unsolicited bulk email or spam.

This guide does not provide detailed information about installing or using McAfee Quarantine Manager software. See McAfee Quarantine Manager v6.0 or 7.0 Product Guide for more information.

Task

1 Install McAfee Security for Microsoft Exchange on <server 1>.

2 Install McAfee Quarantine Manager version 6.0/7.0 on <server 2>.

3 Launch McAfee Security for Microsoft Exchange user interface from the <server 1>.

4 Click Settings & Diagnostics to display the Detected Items page.

5 In McAfee Quarantine Manager, select Enabled.

6 Type the IP address of <server 2>, where you have installed McAfee Quarantine Manager.

7 Use the default values for Port and Callback port, or modify them as configured on McAfee Quarantine Manager Server.

8 Click Apply to save the settings.

Quarantining data to the local database

Quarantine data can be saved in a local database on a local system.

Use this task to set various parameters such as path, maximum size, and schedule for saving the quarantine data.

Task

1 Click Settings & Diagnostics | Detected Items. The Detected Items page appears.

2 In Local Database section, select Specify location of database, select the type of Database location in the first field, then select a location from options available.

3 In Maximum item size (MB), specify the maximum size of an item to be stored in the database.

4 In Maximum query size (records), specify the maximum number of records that can be returned when the local quarantine database receives a query.

5 In Maximum item age (days), specify the maximum number of days an item will be held in the local quarantine database before being marked for deletion.

6 In Disk size check interval (Minute), type the interval in minutes when the disk space usage should be checked. Enter an integer between 1 and 2880.

7 In Disk space warning (MB), type the threshold value at which a notification should be sent.

8 Click Edit Schedule of Purge of old items frequency to specify how frequently the old items marked for deletion must be removed from the database.

9 Click Edit Schedule of Optimization frequency to specify how frequently the database is optimized.

10 Select an option from Once, Hours, Days, Weeks or Months, and type the corresponding values.

11 For the schedule to be saved and applied, first click Save, then Apply.

User Interface Preferences settings

In this section you can set the preferences for various features of the user interface: configure the refresh rate of the user interface, and define the report, metric, graph and chart settings.

Configuring the user interface

You can use User Interface Preferences to configure user interface refresh settings, report, metric and the graph/chart settings of McAfee Security for Microsoft Exchange.

Tasks

• Specifying the dashboard settings: Use this task to specify the settings for various features of the Dashboard and what information you would like to be displayed.

• Specifying the graph and chart settings: Use this task to set the parameters for generating graphical reports and charts, which are displayed in the Dashboard section.

Specifying the dashboard settings

Use this task to specify the settings for various features of the Dashboard and what information you would like to be displayed.

Task

1 Click Settings & Diagnostics | User Interface Preferences. The User Interface Preferences page appears.

2 In Dashboard Settings tab, select Automatic refresh to specify whether the information shown on the Dashboard should be refreshed automatically.

3 In Refresh rate (seconds), specify the duration (in seconds) at which the information on the dashboard should be refreshed.

4 Select Enable reports to enable the reports of recently scanned items, recently posted virus descriptions, and the top hoaxes on the dashboard.

5 Select Show recently scanned items to specify whether the recently scanned items should be included in the dashboard reports.

6 In Maximum recently scanned items, specify the maximum number of recently scanned items that should be included in the dashboard reports.

7 In System Metrics Settings, for Graph scale (units), type the measurement units for the scale of the graph that must be generated.

8 In Number of hours to report for, type the report generation interval (in hours) to generate a report.

9 Click Apply to save the settings.

Specifying the graph and chart settings

Use this task to set the parameters for generating graphical reports and charts, which are displayed in the Dashboard section.

Task

1 Click Settings & Diagnostics | User Interface Preferences. The User Interface Preferences page appears.

2 In the Graph and Chart Settings tab, select 3D to specify whether you want the dashboard graph to be displayed as a three-dimensional (3D) graph.

3 Select Draw transparent to specify whether the bars in a three-dimensional bar graph should appear solid or transparent. A solid bar hides part of any bar behind it. A transparent bar allows you to look through it and see other transparent bars behind it.

4 Select Anti-alias to specify whether you want to use anti-aliasing techniques when displaying pie charts. If anti-aliasing is used, pie charts have smoother curves. If anti-aliasing is not used, pie chart curves appear jagged.

5 Select Explode pie to specify whether the segments should remain within the circle of the pie chart or be shown with some distance between each segment.

6 In Pie angle (degrees), specify the angle to use when drawing pie charts. The default value is 45.

7 Click Apply to save the settings.

Diagnostics settings

Diagnostics is used to collect information from the computer that can be used for debugging problems that are reported.

This enables customers to select event logs, product logs, trace files, etc., which are useful to developers to troubleshoot the issue.

You can use Diagnostics to specify the level of debug logging required, the maximum size of debug files, and where they should be saved. You can specify which events should be captured in the product log and event log by specifying the product log's location, name, size limits, and time-out settings.

Configuring diagnostics settings

This section provides information on configuring the debug log, error reporting service, event log and product log settings.

Tasks

• Specifying debug log settings: Use this task to set the parameters for generating logs of debugging operations.

• Specifying event log settings: Use this task to define the settings for generating event logs.

• Specifying product log settings: Use this task to specify the required parameters to generate product logs.

• Specifying error reporting service settings: Use this task to specify various parameters for the error reporting service.

Specifying debug log settings

Use this task to set the parameters for generating logs of debugging operations.

Task

1 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears.

2 Click the Debug Logging tab.

3 From the Level drop-down list, specify the level of information that should be captured in the debug log. The options are:

• None — This disables debug logging.

• Low — Only errors are recorded in the debug log file.

• Medium — Errors and warnings are recorded in the debug log file.

• High — Errors, warnings and debug messages are recorded in the debug log file.

4 Select Limit size of debug log files to specify if you want a size limit for the debug log files. In Maximum size of debug log file, specify how large (in megabytes or kilobytes) the debug log files can be.

If the debug log file exceeds the specified file size, new log entries are added to the file by deleting the oldest log entries. The maximum size is 2000 MB.

5 Select Specify location for debug files to specify a location for debug files. Select any location from the drop-down list and specify the location.

This feature is not activated if you select None for Level. Avoid using debug logging indiscriminately because it fills up the hard disk space and affects the overall performance of the Exchange server. It should be enabled for a limited duration as advised by authorized personnel (McAfee Technical Support Engineer).

6 Click Apply to save the settings.

Specifying event log settings

Use this task to define the settings for generating event logs.

An event log is a report of events that have occurred in a domain which helps an administrator manage the network resources.

Task

1 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears.

2 Click the Event Logging tab.

3 In the Product Log section, select Write information events, Write warning events, and Write error events to include these events in the product log.

4 In the Event Log section, select Write information events, Write warning events, and Write error events to include these events in the event log.

5 Click Apply to save the settings.

Specifying product log settings

Use this task to specify the required parameters to generate product logs.

Task

1 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears.

2 Click the Product Log tab.

3 In Locations, select Specify location of database to specify whether you want to use the default location for the product log or a different location. If deselected, the default location is used. If selected, select a location from the drop-down list and specify the location details.

4 Select Specify filename of database to specify whether you want to use the default file name or a different name. If deselected, the default file name is used. The default Database filename is productlog.bin.

5 In Size Limits section:

• Select Limit database size to limit the size of the product log database.

• Type the Maximum database size of the product log database. You can specify the size in either megabytes or kilobytes.

If product log files exceed the specified size, the older log entries are overwritten by newer log entries.

• Select Limit age of entries to specify a time after which you want the product log entries to be deleted.

• Type the Maximum age of entry to specify how many days an entry should remain in the database before it is deleted.

6 In Advanced section:

• Select Specify a query timeout to limit the amount of time for answering a product log query.

• Type the Query timeout (seconds) to specify the maximum number of seconds allowed when answering a product log query.

7 Click Apply to save the settings.

Specifying error reporting service settings

Use this task to specify various parameters for the error reporting service.

You can generate reports for system crashes or other errors in the network and send them to the administrator as required.

Task

1 Click Settings & Diagnostics | Diagnostics. The Diagnostics page appears.

2 Click the Error Reporting Service tab.

3 Select Enable to enable or disable the error reporting service.

4 Select Catch exceptions to capture information about exceptional events, such as system crashes.

5 Select Report exceptions to user to specify whether exceptions should be reported to the administrator.

6 Click Apply to save the settings.

Product Log settings

A product log is a record of all events pertaining to a particular product that have occurred during a pre-defined time period.

Using Product Log

You can use Product Log to set up search filters that help you find information in the product log and view the search results.

Task

1 Click Settings & Diagnostics | Product Log. The Product Log page appears.

2 From the Product Log section, you can use:

• ID — Type the number which identifies a specific product log entry.

• Level — Select Information, Warning or Error from the drop-down list in the second field depending on the type of log you want to see.

• Description — Type the relevant description. For example: Service Started.

You can select up to three search filters.

3 Click All Dates to include all entries; otherwise, click Date Range and select a date range from the drop-down list.

4 Click Search. A list of detected items matching your search criteria is displayed in the View Results section.

Click Clear Filter to return to the default search filter settings and click Export to CSV File to export the list of detections in .CSV format.

5 Click Apply to save the settings.

DAT settings

DAT files are the detection definition files, also referred to as signature files, that identify the code anti-virus and/or anti-spyware software detects to repair viruses, trojan horses and Potentially Unwanted Programs (PUPs).

Configuring DAT settings

Use this task to specify the number of old DATs that can be maintained in your system.

Task

1 Click Settings & Diagnostics | DAT Settings. The DAT Settings page appears.

2 Type Maximum number of old DATs to specify the maximum number of DAT generations that shall be preserved in the system during regular updates. The default value is 10.

3 Click Apply to save the settings.

Import and Export Configuration settings

You can use Import and Export Configuration to copy the configuration of a McAfee Security for Microsoft Exchange computer to a location where it can be imported by another McAfee Security for Microsoft Exchange computer.

You can also apply the configuration of a different McAfee Security for Microsoft Exchange system and specify the location from which automatic updates are downloaded.

Exporting the existing configuration

Use this task to copy the configuration of a McAfee Security for Microsoft Exchange system and save it to a location, where it can be imported by other McAfee Security for Microsoft Exchange computer(s).

Task

1 Click Settings & Diagnostics | Import and Export Configuration. The Import and Export Configurations page appears.

2 Click the Configuration tab.

3 Click Export.

4 Specify a location where to save the file.

5 Click Save. The default name of the configuration file is McAfeeConfigXML.cfg.

6 Click Restore Default to restore the default configuration which will set the product for maximum performance. To restore the configuration settings for maximum protection, click Restore Enhanced.

Importing a configuration

Use this task to import configuration settings from another system for this system where McAfee Security for Microsoft Exchange has been installed.

Task

1 Click Settings & Diagnostics | Import and Export Configuration. The Import and Export Configurations page appears.

2 Click the Configuration tab.

3 From the Import Configuration section, click Browse to locate the configuration file.

4 Click Import.

Importing a Site List

A site list is a list of websites that have been defined as safe to access.

This list is maintained in an Excel sheet. Use this task to import a site list, if you have already created an alternative site list.

Task

1 Click Settings & Diagnostics | Import and Export Configuration. The Import and Export Configurations page appears.

2 Click the Site List tab.

3 From the Import Site List section, click Browse to locate the configuration file SiteList.xml. The following figure illustrates the default SiteList.xml file.

The default location of SiteList.xml file is: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework

4 Click Import. The new site list overwrites the existing site list.

5 Click Apply.

Importing and exporting of blacklists and whitelists

Use this task to import a blacklist or a whitelist from another McAfee Security for Microsoft Exchange server or export blacklists and whitelists to another McAfee Security for Microsoft Exchange server.

Task

1 Click Policy Manager | Gateway. The Gateway Policies page appears.

2 Click the link Master Policy. In List All Scanners, click the link Anti-Spam.

3 In View Settings, click the link Block list and allow list. The Anti-Spam Settings page appears.

4 Click the tab Mail Lists.

5 Select the required list from Blacklisted senders, Whitelisted senders, Blacklisted recipients or Whitelisted recipients.

6 To import a list, click the link Import. In the pop-up window, click Browse to navigate to the required .cfg file, then click OK.

7 To export a list, click the link Export.

8 Click Delete to remove a list from the database.

Proxy Settings

A proxy server facilitates communications between two or more computers in a domain, and increases the security and privacy of a network.

The proxy can either be a dedicated server with special software or just an application running on a generalized machine. There are many ways to configure a proxy server, and an administrator can use them to block content, cache data to increase transfer speeds or to bypass filters.

Configuring Proxy Settings

Use this task to set the parameters that your computer would use to access a proxy computer.

Task

1 Click Settings & Diagnostics | Proxy Settings. The Proxy Settings page appears.

2 Select Use Proxy to enter details for a proxy computer.

If you do not require a proxy computer, select No Proxy. This will deactivate the Proxy Details section.

3 Type the IP Address of the computer that is the proxy computer.

4 Type the Port number of the proxy computer that would be used for communication with other computers in a domain.

5 In the section Authentication Details, select the required option.

• Anonymous — To access the proxy computer without any authentication details.

• NTLM — To access the proxy computer using NT LAN Manager authentication details.

• Basic Authentication — To provide a User Name and Password for the user to access the proxy computer. Repeat the password in Confirm Password.

6 Click Apply to save the settings.

6 Frequently Asked Questions

1. Where can I find out more about the effect of a virus?

Visit our website. See the Virus Information Library in http://vil.nai.com.

2. What should I do if I find a new virus?

If you suspect you have a file that contains a virus and the anti-virus software engine does not recognize it, please send us a sample. For information, see WebImmune in https://www.webimmune.net/default.asp.

3. How do I contact Technical Support?

See http://www.mcafee.com/us/support/ for details.

Before calling the technical support, try to have the following information ready:

• The version of the operating system.

• The type of computer on which McAfee Security for Microsoft Exchange is installed — manufacturer and model.

• Any additional hardware that is installed.

• The browser being used and its version.

• A diagnostic report.

4. What is the recommended installation type for McAfee Security for Microsoft Exchange and why?

During the McAfee Security for Microsoft Exchange installation, select the installation type as Complete. This will install McAfee Security for Microsoft Exchange with the web user interface, Buffer Overflow Protection and the AntiSpam Add-On. (The AntiSpam Add-On evaluation version will be installed. You need to buy the Licensed AntiSpam Add-On component separately.)

5. Can I upgrade from GroupShield for Exchange 7.0 to McAfee Security for Microsoft Exchange?

Yes. You can upgrade to McAfee Security for Microsoft Exchange from GroupShield for Exchange 7.0.1 Patch 1 and above, and GroupShield for Exchange 7.0.2 Rollup2 and above.

6. How can I upgrade the GroupShield for Exchange 7.0.1 in a cluster environment to McAfee Security for Microsoft Exchange 7.6?

In Single Copy Cluster setup (for Microsoft Exchange 2003 & 2007), install McAfee Security for Microsoft Exchange 7.6 on the active node. If you are upgrading from GroupShield for Exchange 7.0.1 Patch1, then the Configuration and the Database will be upgraded in the shared drive provided there is a cluster resource for GroupShield for Exchange.

7. What is the process of installing McAfee Security for Microsoft Exchange 7.6 on Microsoft Exchange 2010 DAG servers?

There is no separate process for installing McAfee Security for Microsoft Exchange on DAG servers. You need to follow the steps for a standalone installation. If you want to copy the configuration file, quarantine database and DATs from a McAfee Security for Microsoft Exchange installation on one DAG node to another DAG node, use the Cluster Replication Setup program. Refer to Cluster Replication Setup in the Installation Guide.

8. What are the precautions to be taken when installing or upgrading to McAfee Security for Microsoft Exchange 7.6 on any type of cluster servers (like SCC, CCR or LCR)?

For Cluster Continuous Replication (CCR) and Local Copy Replication (LCR), it is a standalone installation of McAfee Security for Microsoft Exchange. In case of Single Copy Cluster (SCC), you have to first install McAfee Security for Microsoft Exchange on the active node and then on a passive node, then create McAfee Security for Microsoft Exchange cluster resources. Depending on your operating system, refer to Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2003 (32 bit or 64 bit) or Adding McAfee Security for Microsoft Exchange as a resource to the cluster group on Windows 2008 (64 bit).

9. How do you deploy McAfee Security for Microsoft Exchange 7.6 using ePolicy Orchestrator?

Refer to Managing using ePolicy Orchestrator 4.5 and 4.6 in the Installation Guide.

10. How do you deploy McAfee Security for Microsoft Exchange 7.6 using ePolicy Orchestrator with arguments?

Refer to Deploying the software using ePolicy Orchestrator 4.5 for details.

11. How do I import a configuration file?

Refer to Importing a configuration in the Product Guide.

12. What is Global Threat Intelligence and how do I configure it in McAfee Security for Microsoft Exchange 7.6?

Global Threat Intelligence consists of two components:

• File reputation – used on Executables for viruses and malware. Refer to Configuring the anti-virus scanner settings in the Product Guide.

• Email reputation – used for spam detection. Refer to Configuring Anti Spam settings in the Product Guide.

13. Can I configure a Global Threat Intelligence proxy on McAfee Security for Microsoft Exchange 7.6? If yes, then how can it be done?

Global Threat Intelligence proxy is not supported in this release.

14. How does McAfee Global Threat Intelligence file reputation and McAfee Global Threat Intelligence message reputation work in McAfee Security for Microsoft Exchange 7.6?

This is done by contacting the McAfee Global Threat Intelligence servers to get the file reputation for any malware or virus. For email reputation, McAfee Global Threat Intelligence servers are contacted to get the spam reputation score of emails.

15. Is there any performance improvement in McAfee Security for Microsoft Exchange 7.6 over GroupShield for Exchange 7.0.1?

Yes, there is a performance improvement; significant improvement has been observed in the On-Demand scan feature.

16. What considerations need to be taken into account during a cluster replication setup?

In the case of Local Copy Replication (LCR) and Cluster Continuous Replication (CCR), it is a normal standalone installation and the normal installation process has to be followed. In case of Single Copy Cluster (SCC), you have to first install McAfee Security for Microsoft Exchange on the active node and then on a passive node.

17. Should you configure cluster replication on all servers, more than one, or just one?

If you are using Microsoft Exchange Server 2010, it depends on whether you would like to share the policies across all McAfee Security for Microsoft Exchange installations on various DAG nodes. If you are managing using ePolicy Orchestrator, this is not applicable.

18. Is the replication uni or bi directional? If it is uni-directional, in which direction?

Since the cluster resources are installed as shared resources in case of Microsoft Exchange Server 2007, the replication is both ways unless specifically configured using the Cluster Replication Setup program. The Active node makes all the required changes which will be used by a Passive node when it becomes active in a failover situation.

A Appendix A — Using file filtering rule and actions in a real-time scenario

This section illustrates a real-life scenario where a file filtering rule is used to delete, log, and quarantine all Microsoft PowerPoint (*.ppt) files that reach your Exchange server, and also to notify the administrator of the detection(s).

Task

1 From Policy Manager, click Shared Resource. The Shared Resources page appears.

2 Click the Filter Rules tab.

3 In File Filtering Rules, click Create New. The File Filtering Rule page appears.

4 Type a unique Rule name. Give the rule a meaningful name, so that you can easily identify it and what it does. For example, PPT_Block.

5 Select Enable file name filtering to enable filtering files based on file names.

6 In Take action when the file name matches, specify the names of the files that must be quarantined. You can use the * and ? wildcard characters to match multiple filenames. In this case, to filter any Microsoft PowerPoint files, type *.ppt and click Add.

7 In File category filtering, select Enable file category filtering to enable file filtering according to their file type.

a In Take action when the file category is, specify the file types that must be quarantined.

File types are divided into categories and subcategories.

b In File categories, select Graphics/Presentation. An asterisk symbol (*) appears next to the file type.

c In Subcategories, select one of the following from the list:

• Microsoft PowerPoint 2007

• Microsoft PowerPoint 2007 (Encrypted)

• Microsoft PowerPoint 97-2002

• Microsoft PowerPoint Dual 95/97

8 Select Extend this rule to unrecognized file categories if you want to apply file filtering rules to file categories not listed under File categories and Subcategories.

9 In File size filtering, select Enable size filtering and type the file size to specify whether files should be filtered according to their size. Under Take action when the file size is, type a file size for any one option:

• Greater than — To specify that the action should be applied when a file is larger than the size specified.

• Less than — To specify that the action should be applied when a file is smaller than the size specified.

10 Click Save, then Apply to return to the Shared Resources policy page.

11 From Policy Manager, select a submenu item that has the file filtering scanner. The policy page for the submenu item appears.

This example uses the On-Access policy.

12 Click a policy name to display the next page.

13 Click the File Filtering link and from Activation section, select Enable.

14 In File Filtering rules and associated actions, select the rule (PPT_Block you created in step 3) from the Available rules drop-down list.

15 Click the Change link of the rule to specify actions that must be taken when an attached PowerPoint presentation is detected in an email message. The File Filtering Actions page appears. In this case, select the action as Delete message and also Log, Quarantine and Notify Administrator.

16 Click Save, then Apply.

17 Send an email to your Exchange server with a Microsoft PowerPoint file attached. The file filtering rule is triggered and the specified actions take place.
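
The following is an added example, not taken from the product guide and not the product's implementation. It models the PPT_Block rule to show why the procedure enables both file name filtering (step 6) and file category filtering (step 7): the name pattern *.ppt on its own does not cover a .pptx file or a presentation saved under another extension. The rule dictionary, the content-sniffing heuristic, case-insensitive matching and the "any enabled criterion triggers the rule" logic are assumptions.

```python
import io
import re
import zipfile

# Constructed model of the Appendix A rule. The dictionary keys are
# hypothetical; the pattern and subcategory names come from the guide.
PPT_BLOCK = {
    "name_patterns": ["*.ppt"],
    "subcategories": {
        "Microsoft PowerPoint 2007",
        "Microsoft PowerPoint 97-2002",
    },
}

# First 8 bytes of every OLE2 compound file (legacy Office binary formats).
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def wildcard_to_regex(pattern):
    """Translate a pattern that uses only * and ? into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Case-insensitive matching is an assumption about the product.
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


def name_matches(filename, patterns):
    """True if the whole file name matches any of the wildcard patterns."""
    return any(wildcard_to_regex(p).match(filename) for p in patterns)


def detect_subcategory(data):
    """Heuristic content check; returns a subcategory name or None."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .ppt keeps its slides in a stream named
        # "PowerPoint Document"; directory names are stored as UTF-16LE.
        if "PowerPoint Document".encode("utf-16-le") in data:
            return "Microsoft PowerPoint 97-2002"
        return None
    if data.startswith(b"PK\x03\x04"):
        # PowerPoint 2007 files are ZIP packages with ppt/presentation.xml.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                if "ppt/presentation.xml" in package.namelist():
                    return "Microsoft PowerPoint 2007"
        except zipfile.BadZipFile:
            return None
    return None


def evaluate(filename, data, rule):
    """Return the criteria ("name", "category") that the attachment hits."""
    hits = []
    if name_matches(filename, rule["name_patterns"]):
        hits.append("name")
    if detect_subcategory(data) in rule["subcategories"]:
        hits.append("category")
    return hits


def build_samples():
    """Constructed attachments as (filename, content) pairs."""
    pptx = io.BytesIO()
    with zipfile.ZipFile(pptx, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("ppt/presentation.xml", "<presentation/>")
    # Not a valid compound file: only the header magic and the stream
    # name that the heuristic above looks for.
    legacy = (OLE2_MAGIC + b"\x00" * 504
              + "PowerPoint Document".encode("utf-16-le"))
    text = b"plain text, no presentation content\n"
    return [
        ("Q3-review.ppt", legacy),         # expected extension and content
        ("Q3-REVIEW.PPT", legacy),         # upper-case extension
        ("Q3-review.pptx", pptx.getvalue()),  # newer format, other extension
        ("notes.txt", legacy),             # presentation under another name
        ("minutes.ppt", text),             # .ppt name, non-PowerPoint content
        ("agenda.ppt.txt", text),          # pattern must match the whole name
    ]


if __name__ == "__main__":
    for filename, content in build_samples():
        hits = evaluate(filename, content, PPT_BLOCK)
        verdict = "rule triggers on " + "+".join(hits) if hits else "no match"
        print(f"{filename:16} {verdict}")
```

In this model, Q3-review.pptx and notes.txt are caught only by the category check, which is the coverage that step 7 adds to the *.ppt name pattern.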

B Appendix B — Using the McAfee Security for Microsoft Exchange Access Control

You can use McAfee Security for Microsoft Exchange Access Control to allow or deny access to the McAfee Security for Microsoft Exchange user interface for specific users or groups.

Task

1 From the Start menu, click Programs | McAfee | Security for Microsoft Exchange | Access Control. The Permissions for Access dialog box appears.

Figure B-1 Permissions for Access

2 From Group or user names, select the user you want to allow or deny access to the McAfee Security for Microsoft Exchange user interface.

3 Click OK.

C Appendix C — SiteList Editor

SiteList specifies the location from where automatic updates (including DAT file and scanning engines) are downloaded.

By default, McAfee Security for Microsoft Exchange uses a site list that points to a McAfee site for automatic updates, but you can use a site list that points to a different location. For example, you may have copied the automatic updates to a local repository and created a site list that points your McAfee Security for Microsoft Exchange systems to that local repository.

Alternative site lists can be created using McAfee ePolicy Orchestrator software. To access the Site List Editor:

• Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor.

Figure C-1 Edit AutoUpdate Repository List

Configuring repositories and proxy settings

Use these tasks to configure your repository list and proxy settings for your repository.

Adding a repository

The Site List specifies from where automatic updates are downloaded.

By default, McAfee Security for Microsoft Exchange uses a site list that points to a McAfee site for automatic updates, but you can use a site list that points to a different location. For example, you may have copied the automatic updates to a local repository and created a site list that points your McAfee Security for Microsoft Exchange systems to that local repository.

Task

1 Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor. The Edit AutoUpdate Repository List dialog box appears.

2 From the Repositories tab, click Add. The Repository Settings dialog box appears.

Figure C-2 Repository Settings

3 Select from the following options:

• Repository Description — To give a brief description of the repository.

• Retrieve files from — To specify from which type of repository to retrieve the files. The available options are HTTP repository, FTP repository, UNC Path, and Local Path.

• URL — To specify the URL of the repository.

• Port — To specify the port number of the repository.

• Use Authentication — To enable user authentication to access the repository.

4 Specify a user name and password for authentication of the repository and confirm the password by typing it again.

5 Click OK to add the new repository to the Repository Description list.

6 Click OK to close the Edit AutoUpdate Repository List dialog box.

Specifying proxy settings

If a repository must be accessed via the Internet, such as the McAfee update site or an internal repository, McAfee Security for Microsoft Exchange can use proxy settings to connect to the repository.

If your organization uses proxy servers for connecting to the Internet, you can select the Proxy settings option.

Task

1 Click Start | Programs | McAfee | Security for Microsoft Exchange | SiteList Editor. The Edit AutoUpdate Repository List dialog box appears.

2 Click the Proxy settings tab.

Figure C-3 Proxy settings

3 Select the Use Internet Explorer proxy settings or Manually configure the proxy settings option as required.

4 Type the IP address and port number of the HTTP or FTP server.

5 You can use the following options:

• Use Authentication — To enable user authentication to access the proxy server.

• Username — To specify a username for authentication to access the proxy server.

• Password — To specify a password.

• Confirm Password — To reconfirm the specified password.

• Exceptions — To bypass a proxy server for specific domain(s). Click Exceptions, then select Specify Exceptions and type the domain(s) that need to be bypassed.

6 Click OK.
