Date post: 27-Sep-2020
Symantec™ Mail Security for Microsoft ® Exchange Implementation Guide
Page 1: Symantec™ Mail Security for Microsoft Exchange ...m-abs.net/SYmantech-2/Docs/SMSMSE/SymantecMailSecurity.pdf · symantec™ mail security for microsoft® exchange symantec corporation

Symantec™ Mail Security for Microsoft® Exchange Implementation Guide

Copyright © 2005 Symantec Corporation. All rights reserved.

Documentation version 5.0

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. LiveUpdate, Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation in the United States and certain other countries. Windows is a trademark of Microsoft Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID, SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you use.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts

■ Information about Symantec Value License Program

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Additional services that are available include the following:

■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

■ Educational Services: These services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise Services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.

Symantec Software License Agreement

Symantec™ Mail Security for Microsoft® Exchange

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “I DO NOT AGREE” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License:

The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:

A. use the number of copies of the Software as have been licensed to You by Symantec under a License Module. If the Software is part of a suite containing multiple Software titles, the number of copies You may use may not exceed the aggregate number of copies indicated in the License Module, as calculated by any combination of licensed Software titles. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single computer;

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;

C. use the Software on a network, provided that You have a licensed copy of the Software for each computer that can access the Software over that network;

D. use the Software in accordance with any written agreement between You and Symantec; and

E. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees in writing to the terms of this license.

You may not:

A. copy the printed documentation that accompanies the Software;

B. sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

C. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;

D. use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed;

E. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

F. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; nor

G. use the Software in any manner not authorized by this license.

2. Content Updates:

Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; antispam software utilize updated antispam rules; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty:

Symantec warrants that the media on which the Software is distributed will be free from defects for a period of thirty (30) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages:

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights:

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items,” as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export Regulation:

Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State's Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons.

7. General:

If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

8. Additional Uses and Restrictions:

A. If the Software You have licensed is Symantec Mail Security for a corresponding third party product or platform, You may only use that Software for the corresponding product or platform. You may only use the Software for the number of users set forth in the License Module.

B. If the Software You have licensed is Symantec Premium AntiSpam, the following terms and conditions apply:

1. You may use the Software in the quantity licensed to You by Symantec under a License Module until the end date indicated on the License Module (“the End Date”), solely on computing devices owned by you, to filter incoming email sent to Your End Users on Your Email Service;

2. You must have a license for each End User for whom you use the Software to filter email. “End User” means an employee, contractor or other agent authorized by You as a user of an email mailbox account or an email address hosted by Your Email Service. “Email Service” means Your email services provided to End Users for the purposes of conducting Your internal business and which are enabled via Your mail transfer agent;

3. You may copy the Software onto Your computing devices as necessary to exercise the rights granted in Section B.1, above; and

4. You may not use the Software after the End Date.

C. If the Software You have licensed is Symantec Premium AntiSpam, the following additional terms apply to Jikes, a third party technology associated with the Software:

1. Licensee is entitled to a copy of the source code for Jikes from http://www-124.ibm.com/developerworks/downloads/detail.php?group_id=10&what=rele&id=501. The use of Jikes is governed by the IBM Public License, the full text of which can be found at http://www-124.ibm.com/developerworks/opensource/license10.html (the “IBM License”).

2. OTHER THAN AS PROVIDED IN THIS AGREEMENT, THE CONTRIBUTORS (AS DEFINED IN THE IBM LICENSE) MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY (EITHER IN FACT OR BY OPERATION OF LAW), AND EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, INCLUDING WITHOUT LIMITATION, WARRANTIES OF TITLE AND NON-INFRINGEMENT, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

3. Other than as otherwise provided in this Agreement, in no event will any of the Contributors be liable for damages, including direct, indirect, special, incidental and consequential damages, such as lost profits.

4. Any provisions in this License Agreement that differ from the IBM License are offered by Symantec alone and not by any other party.

Contents

Technical Support

Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange

About Symantec Mail Security for Microsoft Exchange
Types of mail security threats and risks
What’s new in Symantec Mail Security
Components of Symantec Mail Security
What you can do with Symantec Mail Security
Protect against computer viruses
Protect against security risks
Safeguard the email security system
Filter undesirable message content
Manage virus outbreaks
Quarantine infected message bodies and attachments
Keep virus protection up-to-date
Gather statistics and event data
Send notifications when a threat or violation is detected
Manage single and multiple Exchange Servers
How Symantec Mail Security works
What happens during a scan
How Symantec Mail Security monitors events
Types of scanning
About policies
Filtering features
Using Symantec Mail Security with other Symantec products
Where to get more information about Symantec Mail Security

Chapter 2 Installing Symantec Mail Security for Microsoft Exchange

Before you install
Software component locations
Start menu shortcut
Preventing conflicts with other antivirus software
System requirements
Security and access permissions
User group assignments and setup
Installing on a single server
Installing on multiple servers
Installing Symantec Mail Security on remote servers
Customizing the installation of remote servers
Installing or renewing license files
Upgrading from a previous version
Installing to Exchange Servers with Microsoft Clustering Service
Installing Symantec Mail Security on a cluster with one or more passive nodes
Configuring the cluster resource
Installing Symantec Mail Security on an active/active cluster
Managing Symantec Mail Security on all cluster nodes
Installing the user interface separately
Uninstalling Symantec Mail Security
Implementing SSL
After you install

Chapter 3 Configuring Symantec Mail Security for Microsoft Exchange

About configuring Symantec Mail Security
Configuration settings
Symantec Mail Security user interface components
Securing your network
Protecting against denial-of-service attacks
Protecting against viruses
Setting scanning threads and number of scan processes
Configuring notifications and alerts
Keeping your protection updated automatically
Quarantining message bodies and attachments
Configuring data report settings
Resetting Auto-Protect statistics or spam statistics
Configuring content enforcement
Blocking by attachment file names and types
Configuring content filtering rules
Determining inbound/outbound settings
Configuring file filtering rules
Configuring exception settings

Chapter 4 Configuring spam detection

Protecting your organization from spam (without Symantec Premium AntiSpam)
Blocking spam using real-time blacklists
Assigning a spam confidence level (SCL)
Understanding how the Store Action Threshold (SAT) works with an SCL value
Bypassing RBL blocking and spam detection for sender and recipient whitelists
Protecting your organization from spam (with Symantec Premium AntiSpam)
Enabling Symantec Premium AntiSpam
Registering Symantec Premium AntiSpam through an ISA server
Downloading Symantec Premium AntiSpam updates through a proxy server
Configuring Symantec Premium AntiSpam to identify spam
Configuring Symantec Premium AntiSpam to handle spam

Chapter 5 Managing multiple server installations

Accessing the Symantec Mail Security user interface
Making selections
About the user interface display
About the Global server group
About user-defined server groups
About group settings
Managing servers and server groups
Creating a server group
Adding servers to a group
Moving a server to another group
Changing the Transmission Control Protocol (TCP) port and using Secure Sockets Layer (SSL)
Sending group settings to a server
Restoring default settings to a server or group
Removing a server group
Updating servers in a server group
Removing a server from group management
Installing Symantec Mail Security to remote servers
Updating and distributing virus definitions

Page 12: Symantec™ Mail Security for Microsoft Exchange ...m-abs.net/SYmantech-2/Docs/SMSMSE/SymantecMailSecurity.pdf · symantec™ mail security for microsoft® exchange symantec corporation

12 Contents

Chapter 6 Performing scansHow scans work .................................................................................................121

About policies and scanning ....................................................................122Working with policies .......................................................................................122

About the General policy ..........................................................................123About the Antivirus Policy .......................................................................125About the Antispam Policy ......................................................................126About the Content Enforcement Policy .................................................126

Working with matchlist settings .....................................................................135About Outbreak Triggered Attachment Names and Subject Lines

matchlist options .......................................................................................137Configuring and running scans .......................................................................138

Configuring Auto-Protect scanning ........................................................138Running Manual scans ..............................................................................139Scheduling a scan ......................................................................................141

Chapter 7 Maintaining virus protectionHow Symantec Mail Security detects and prevents viruses .......................143

About virus definition files ......................................................................144Configuring your Internet connection for virus definition updates .........145Keeping your virus protection current ..........................................................145

Updating virus definitions for a single server ......................................145Updating virus definitions for multiple servers ...................................147

Setting up your own LiveUpdate server .........................................................149

Chapter 8 Managing outbreaksAbout outbreak management ..........................................................................151About outbreak triggers ...................................................................................151

Enabling outbreak management .............................................................152Clearing outbreak notifications ...............................................................152Enabling and disabling outbreak triggers ..............................................153Enabling or disabling content enforcement rules ................................153Configuring outbreak notifications ........................................................154

About defining what constitutes an outbreak ...............................................154Adjusting time parameters to define outbreaks ...................................155

Chapter 9 Using Symantec Mail Security dataViewing server status ........................................................................................157Working with event data ..................................................................................158

Viewing event data ....................................................................................158

Page 13: Symantec™ Mail Security for Microsoft Exchange ...m-abs.net/SYmantech-2/Docs/SMSMSE/SymantecMailSecurity.pdf · symantec™ mail security for microsoft® exchange symantec corporation

13Contents

Working with report data .................................................................................159About report templates .............................................................................159Generating and viewing reports ..............................................................178Saving report data .....................................................................................179

Viewing events in the Windows Event Log ....................................................179

Appendix A Automatically sending spam to a spam folderAbout the Symantec Spam Folder Agent for Exchange ...............................181

How spam foldering works .......................................................................182About the supported configurations for the spam foldering agent ...182Installing the Symantec Spam Folder Agent for Exchange ................183Creating a service account for the Symantec Spam Folder Agent

for Exchange .......................................................................................185About the Symantec Spam Plug-in for Outlook ............................................187

Symantec Spam Plug-in system requirements .....................................188Installing the Symantec Spam Plug-in for Outlook .............................188

Appendix B Integrating Symantec Mail Security with SESAAbout SESA .........................................................................................................195Interpreting Symantec Mail Security events in SESA .................................197Configuring logging to SESA ...........................................................................197

Configuring SESA 2.1 to recognize Symantec Mail Security ..............198Configuring SESA 2.5 to recognize Symantec Mail Security ..............199Installing the local SESA Agent using the Agent Installer .................201Configuring Symantec Mail Security to log events to SESA ...............202

Uninstalling SESA .............................................................................................202Uninstalling the SESA Agent ...................................................................203

Appendix C Auxiliary executables and batch files and recognized file typesAbout auxiliary executables and batch files ..................................................205File types recognized by the Executable and Multimedia File Rules .........206

Index

Page 14: Symantec™ Mail Security for Microsoft Exchange ...m-abs.net/SYmantech-2/Docs/SMSMSE/SymantecMailSecurity.pdf · symantec™ mail security for microsoft® exchange symantec corporation

14 Contents

Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange

This chapter includes the following topics:

■ About Symantec Mail Security for Microsoft Exchange

■ What’s new in Symantec Mail Security

■ Components of Symantec Mail Security

■ What you can do with Symantec Mail Security

■ How Symantec Mail Security works

■ Using Symantec Mail Security with other Symantec products

■ Where to get more information about Symantec Mail Security

About Symantec Mail Security for Microsoft Exchange

Symantec™ Mail Security for Microsoft® Exchange protects your Exchange mail servers and messages from viruses, inappropriate message content, spam, spyware, adware, and denial-of-service attacks. It lets you create and save criteria to identify threats and violations, and it lets you specify the actions to take (and notifications and alerts to issue) when a threat or violation is detected. You can configure Symantec Mail Security to manage one or more Exchange Servers.


The Exchange environment is only one avenue by which a virus can penetrate a network. For complete virus protection, ensure that every computer and workstation is protected by an antivirus solution.

Types of mail security threats and risks

Symantec Mail Security protects your Exchange Server from the following threats and risks.

Adware

Adware applies to programs that facilitate delivery of advertising content to the user through their own window, or by utilizing another program's interface. In some cases, these programs may gather information from the user's computer, including information related to Internet browser usage or other computing habits, and relay this information back to a remote computer or other location in cyberspace.

Adware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. Additionally, a user may unknowingly receive and/or trigger adware by accepting an End User License Agreement from a software program linked to the adware or from visiting a Web site that downloads the adware with or without an End User License Agreement.

Dialers

Dialers are programs that use a computer or modem to dial out to a toll number or Internet site, typically to accrue charges. Dialers can be installed with or without a user’s explicit knowledge and may perform their dialing activity without a user’s specific consent prior to dialing.

Hack tools

Hack tools can be used by a hacker or unauthorized user to attack, gain unwelcome access to, or perform identification or fingerprinting of your computer. While some hack tools may also be valid for legitimate purposes, their ability to facilitate unwanted access makes them a risk. Hack tools also generally:

■ Attempt to gain information on or access hosts surreptitiously, utilizing methods that circumvent or bypass obvious security mechanisms inherent to the system they are installed on, and/or

■ Facilitate an attempt at disabling a target computer, preventing its normal use


One example of a hack tool is a keystroke logger — a program that tracks and records individual keystrokes and can send this information back to the hacker. This term also applies to programs that facilitate attacks on third-party computers as part of a direct or distributed denial-of-service attempt.

Joke programs

Joke programs alter or interrupt the normal behavior of your computer, creating a general distraction or nuisance. Joke programs generally do not themselves engage in the practice of gathering or distributing information from the user's computer.

Remote access programs

Remote access programs allow one computer to access another computer (or facilitate such access) without explicit authorization when an access attempt is made. Once access is gained, usually over the Internet or by direct dial access, the remote access program can attack or alter the other computer. It may also have the ability to gather personal information, or infect or delete files. It may also create the risk that third-party programs can exploit its presence to obtain access. Such remote access programs generally:

■ Attempt to remain unnoticed, either by actively hiding or simply not making their presence on a system known to the user, and/or

■ Attempt to hide any evidence of their being accessed remotely over a network or Internet

Means by which these programs provide access may include notifying a remote host of the machine by sending its address or location, or employing functionality that wholly or partially automates access to the computer on which the program is installed.

Spyware

Spyware programs have the ability to scan systems or monitor activity and relay information to other computers or locations in cyberspace. The information that may be actively or passively gathered and disseminated by Spyware includes passwords, log-in details, account numbers, personal information, individual files or other personal documents. Spyware may also gather and distribute information related to the user's computer, applications running on the computer, Internet browser usage or other computing habits.

Spyware frequently attempts to remain unnoticed, either by actively hiding or by simply not making its presence on a system known to the user. Spyware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. Additionally, a user may unknowingly receive and/or trigger spyware by accepting an End User License Agreement from a software program linked to the spyware or from visiting a Web site that downloads the spyware with or without an End User License Agreement.

Trackware

Trackware programs track system activity, gather system information, or track user habits and relay this information to third-party organizations. The information gathered by such programs is neither personally identifiable nor confidential.

Trackware programs are installed with the user's consent and may also be packaged as part of other software installed by the user.

Viruses, worms, and Trojan horses

A virus is a program or code that replicates itself onto other files with which it comes in contact; that is, a virus can infect another program, boot sector, partition sector, or a document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many can do damage to a computer system or a user's data as well.

A worm is a program that makes and facilitates the distribution of copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive through exploitation of a system vulnerability or by clicking on an infected email.

A Trojan horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.

@m Signifies that the virus or worm is a “mailer.” An example: Happy99 (W32.Ska) only sends itself by email when you send mail.

@mm Signifies that the virus or worm is a “mass-mailer.” An example: W97M.Melissa.A sends messages to every email address in your mailbox.


Inappropriate message content

Some types of email messages can be legal liabilities, contain offensive content, or be a nuisance, such as the following:

■ Inappropriate content, such as gambling Web sites or sites of an explicit sexual nature

■ Confidential company information or trade secrets, for example, the use of project code words and technology names to recipients outside of the company

■ References to topics that are currently in litigation that should not be discussed or messages with potential legal liabilities

You can create rules to filter messages for inappropriate content.

See “About the Content Enforcement Policy” on page 126.

Spam

Spam is unsolicited bulk email, most often advertising messages for a product or service. It wastes productivity time and network bandwidth.

Symantec Mail Security lets you handle spam in the following ways:

■ Block by real-time blacklists (RBLs)

■ Identify suspected spam using the heuristic antispam engine or the Symantec Premium AntiSpam service

■ Create content filtering rules to identify spam

See “Protecting your organization from spam (without Symantec Premium AntiSpam)” on page 91.

See “Protecting your organization from spam (with Symantec Premium AntiSpam)” on page 99.

Denial-of-service attacks

Threats to your Microsoft Exchange Servers can include attacks that hamper or disable the ability to send or receive email messages and, in some cases, completely disable the email server. These attacks are called denial-of-service attacks.


Denial-of-service attacks can occur in many ways, including the following:

■ A very large number of messages from one or many locations

■ Messages that are designed to attack the email program by exploiting program weaknesses

■ Files that are designed to fill disk space on the mail servers

■ Messages with huge attachments that are distributed to everyone in the organization

This type of attack can be intentional or unintentional (such as an employee sending a message with large graphics attachments to a large distribution list).

What’s new in Symantec Mail Security

Table 1-1 lists the new and enhanced features in Symantec Mail Security for Microsoft Exchange.

Table 1-1 New and enhanced features

| Feature | Description |
| --- | --- |
| Expanded protection from mail-based security risks | Symantec Mail Security protects your mail environment from spyware, adware, and other types of unwanted mail content. |
| Redesigned user interface | You can manage a single mail server or a group of servers from the same user interface. The new user interface lets you view summary information about the activities on an individual mail server or a group of servers. |
| Automatic discovery | When you add servers to a group, Symantec Mail Security can automatically discover all of the Exchange Servers that are within your organization through the Active Directory. In previous versions, you had to browse for or manually provide the host name or IP address of each server that you wanted to add to the group. |
| Ability to import and export configuration settings | You can import and export configuration settings for Symantec Mail Security from one Exchange Server to another or from one group to another, across all of your Exchange Servers. |
| User-based and group-based policies | You can select the users or group addresses to which a scanning rule applies. You can configure the rule to apply globally to all users and Active Directory groups or to only the users or Active Directory groups that you select. You can also specify exceptions to the global scanning rules. |
| Ability to scan file attachments for content filtering rule violations | You can scan for content violations within file attachments. Symantec Mail Security supports over 300 file attachment types and common file types, such as Microsoft Office documents, Adobe Acrobat PDF files, text files, RTF files, and database files. |
| Ability to block multimedia and executable files based on their true file type | You can block the delivery of multimedia and executable files based on an analysis of their true file type instead of relying solely on their file extensions. This analysis protects against threats in which the file extension is changed to match a file type that is usually allowed. |
| Simplified content filtering settings | Symantec Mail Security simplifies the process of configuring content filtering rules with a new easy-to-use interface. |
| Automatically generated executive summary reports | You can automatically generate a report that contains statistics about the scanning activities that occurred on one or more mail servers. You can configure the report to be sent automatically to an email distribution list. You can also view some of this same data in the Symantec Mail Security Home page. |
| Improved support for cluster environments | Symantec Mail Security is now cluster-aware. In a clustering environment, multiple nodes on the network operate like a single system to ensure high availability. Symantec Mail Security is installed as a cluster resource. It is designed to detect and interact with the nodes that are within the cluster environment. |
| Improved spam foldering | You can forward spam to a specified folder. |
| Save to folder | In heuristic antispam, Symantec Premium AntiSpam, and all filtering rules, you can save affected messages to a specified folder. If you enable this feature and specify a folder, Symantec Mail Security will create the folder for you. If you specify an absolute path (with ':'), the folder will be created as specified. If you specify a relative path (without ':'), the folder will be created as a subfolder underneath the “SavedMessages” folder in the server installation directory. |

Components of Symantec Mail Security

Table 1-2 lists the components of Symantec Mail Security.

Table 1-2 Software components

| Component | Description |
| --- | --- |
| Symantec Mail Security for Microsoft Exchange | This is the software that you install to protect your Exchange Servers. It protects your servers from viruses, messages that overload the system, inappropriate message content, spam, and denial-of-service attacks. |
| Outlook Plug-in | As a part of the premium antispam service, this is the software that lets you submit missed spam and false positives to Symantec. It lets you administer lists for allowed senders and blocked senders and block email messages based on language identification. |
| Symantec Spam Folder Agent for Exchange | As a part of the premium antispam service, this is the software that lets you automatically route unwanted messages to a spam folder in each user’s mailbox. This agent is available only for Microsoft Exchange 2000 installations. |
| LiveUpdate Administrator Utility (optional) | LiveUpdate lets Symantec products download program and virus definition file updates directly from Symantec or from an intranet LiveUpdate server. With the LiveUpdate Administration Utility, you can configure one or more intranet FTP, HTTP, or LAN servers to act as internal LiveUpdate servers. For more information, see the LiveUpdate Administrator’s Guide on the CD. |
| SESA Integration Package (SIP) (optional) | This is the software configuration package that must be installed on each computer that runs a SESA Manager. The SIP extends SESA functionality to include Symantec Mail Security event data. |


What you can do with Symantec Mail Security

Symantec Mail Security for Microsoft Exchange secures your Exchange Servers in the following ways:

■ Protect against computer viruses

■ Protect against security risks

■ Safeguard the email security system

■ Filter undesirable message content

■ Manage virus outbreaks

■ Quarantine infected message bodies and attachments

■ Keep virus protection up-to-date

■ Gather statistics and event data

■ Send notifications when a threat or violation is detected

■ Manage single and multiple Exchange Servers

Protect against computer viruses

Symantec Mail Security scans message bodies and attachments that are sent to mailboxes and public folders on Exchange Servers, including files in compressed and encoded formats, such as MIME and Zip.

The Auto-Protect feature detects viruses in real time as email messages are routed through the Exchange Server.

You can configure Symantec Mail Security to handle viruses as follows:

■ Repair infected attachments to eliminate viruses automatically on detection.

■ Delete the entire message.

■ Delete message bodies and attachments and replace with text.

■ Quarantine infected message parts (body or attachment) for administrator review.

■ Log the detection.

See “Protecting against viruses” on page 64.


Protect against security risks

Symantec Mail Security protects against security risks such as adware and spyware using the same technology it uses to protect against viruses.

See “Security Risk Rule” on page 126.

Safeguard the email security system

Symantec Mail Security protects against denial-of-service attacks by isolating the scanning process and running it separately. If a scan is unsuccessful or takes longer than a specified time limit, the scan quits and the file is considered unscannable.

See “Performing scans” on page 121.

Filter undesirable message content

Symantec Mail Security lets you filter undesirable content with the following:

■ Matchlists

To filter content that applies to a specific situation, you can create a matchlist that includes words and phrases that are standard for or particular to your company or industry and for which you may want to filter content. After you create a matchlist, you can define a filtering rule that specifies the matchlist. A filtering rule can refer to one or more matchlists. Matchlists can consist of literal strings to match, regular expressions, or DOS wildcard expressions.

See “Working with matchlist settings” on page 135.

■ Content filtering rules

You can create filtering rules that apply to SMTP inbound and SMTP outbound mail, in addition to the Exchange information store. The filtering rules let you filter messages for attachments, attachment content, specific words, phrases, subject lines, and senders, and take action when the specified content is found.

See “Filtering features” on page 30.


Manage virus outbreaks

A virus outbreak occurs when the number of threats to the Microsoft Exchange system that are detected over a period of time exceeds a specified limit.

Symantec Mail Security for Microsoft Exchange lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications and alerts when an outbreak is detected. You can also select an action to take when an outbreak is detected, such as delete the entire message, delete the attachment or message body, quarantine the attachment or message body, or log the event.

You can set rules to define an outbreak based on event (same virus occurs a specified number of times, total number of viruses, or number of unrepairable viruses), occurrences (the number of times that the event occurs), attachment name and subject line, and time period (the number of minutes, hours, or days within which the event and occurrences happen). You can configure Symantec Mail Security to send notifications and alerts in the case of an outbreak.

Once an outbreak based on subject line or attachment name is detected, a rule can be created to prevent the same mail from clogging the system.

See “About outbreak management” on page 151.
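The rule structure described above (event type, occurrences, time period) can be modelled as a sliding-window counter. The following is an added example, not Symantec's implementation: the class and field names, the sample detections, and the choice to fire when the count reaches the configured number (and to re-arm once it falls back below it) are all assumptions made for illustration.

```python
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Detection:
    when: datetime
    virus: str
    repaired: bool
    subject: str = ""
    attachment: str = ""


@dataclass(frozen=True)
class Trigger:
    name: str
    kind: str          # same_virus | total | unrepairable | same_subject | same_attachment
    occurrences: int   # number of counted events that defines an outbreak
    period: timedelta  # window within which those events must fall


def group_key(kind, det):
    """Key a detection is counted under for a trigger kind; None means not counted."""
    if kind == "same_virus":
        return det.virus
    if kind == "total":
        return "*"
    if kind == "unrepairable":
        return None if det.repaired else "*"
    if kind == "same_subject":
        return det.subject or None
    if kind == "same_attachment":
        return det.attachment or None
    raise ValueError(f"unknown trigger kind: {kind}")


class OutbreakMonitor:
    """Evaluates triggers over detections supplied in time order."""

    def __init__(self, triggers):
        self.triggers = list(triggers)
        self.windows = {t.name: deque() for t in self.triggers}
        self.active = set()  # (trigger name, key) pairs already alerted

    def observe(self, det):
        alerts = []
        for trig in self.triggers:
            window = self.windows[trig.name]
            # Drop events that have aged out of this trigger's time period.
            while window and det.when - window[0][0] > trig.period:
                window.popleft()
            key = group_key(trig.kind, det)
            if key is not None:
                window.append((det.when, key))
            counts = Counter(k for _, k in window)
            # Re-arm any outbreak whose count has fallen below the limit.
            for name, k in list(self.active):
                if name == trig.name and counts[k] < trig.occurrences:
                    self.active.discard((name, k))
            # Assumption: the outbreak starts when the count reaches the limit.
            if (key is not None and counts[key] >= trig.occurrences
                    and (trig.name, key) not in self.active):
                self.active.add((trig.name, key))
                alerts.append((det.when, trig.name, key))
        return alerts


def replay(events, triggers):
    """Run a list of detections through a fresh monitor and collect alerts."""
    monitor = OutbreakMonitor(triggers)
    alerts = []
    for det in events:
        alerts.extend(monitor.observe(det))
    return alerts


# Constructed sample data: minutes after T0, virus name, repaired?, subject.
T0 = datetime(2005, 1, 10, 9, 0)
_ROWS = [
    (0, "Sample.Worm.A", False, "Invoice attached"),
    (2, "Sample.Worm.A", False, "Invoice attached"),
    (3, "Sample.Macro.B", True, "Q3 report"),
    (5, "Sample.Worm.A", False, "Re: meeting"),
    (6, "Sample.Worm.A", False, "Invoice attached"),
    (30, "Sample.Worm.A", False, "Invoice attached"),
    (31, "Sample.Worm.A", False, "Invoice attached"),
    (32, "Sample.Worm.A", False, "Invoice attached"),
]
SAMPLE_EVENTS = [Detection(T0 + timedelta(minutes=m), v, r, s) for m, v, r, s in _ROWS]
SAMPLE_TRIGGERS = [
    Trigger("same-virus", "same_virus", 3, timedelta(minutes=10)),
    Trigger("unrepairable", "unrepairable", 4, timedelta(hours=1)),
    Trigger("same-subject", "same_subject", 3, timedelta(minutes=10)),
]

if __name__ == "__main__":
    for when, name, key in replay(SAMPLE_EVENTS, SAMPLE_TRIGGERS):
        print(when.isoformat(), name, key)
```

The quiet gap between minute 6 and minute 30 lets the 10-minute windows empty, so the same-virus and same-subject triggers fire a second time, while the one-hour unrepairable trigger stays active and alerts only once.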

Quarantine infected message bodies and attachments

Symantec Mail Security for Microsoft Exchange includes a Quarantine that stores infected message bodies and attachments that are detected during scans.

Message bodies and attachments are placed in the Quarantine under the following circumstances:

■ A filtering rule is configured to quarantine message parts (body or attachment) that match specific content.

■ A virus is detected in a message body or attachment, and your scan is configured to quarantine the message part rather than let Symantec Mail Security for Microsoft Exchange repair or delete the infected part.

■ Your scan is configured to let Symantec Mail Security for Microsoft Exchange repair infected bodies and attachments, and Quarantine is selected for the message part that cannot be repaired. Sometimes message parts cannot be properly repaired because they are corrupted or damaged by a virus that causes irreversible damage.

■ If a message part cannot be scanned, it is quarantined by default. This includes files with multiple layers of compression. These files are designed to defeat mail security by overwhelming the scanner.


Quarantined items can also be forwarded to the Symantec Central Quarantine if it is installed. The Symantec Central Quarantine setup program is available on the Symantec Mail Security for Microsoft Exchange CD.

For more information, see the Symantec Central Quarantine documentation.

See “Quarantining message bodies and attachments” on page 72.
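The design described under "Safeguard the email security system" and in the last quarantine condition above (an isolated scan process with a time limit, and unscannable parts quarantined by default) can be sketched as follows. This is an added example, not Symantec's code: the worker, its exit codes, the nesting limit, and the marker string that stands in for a signature match are all assumptions.

```python
import io
import subprocess
import sys
import zipfile

SAMPLE_MARKER = "CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for a signature

# Exit codes chosen for this sketch. 0 and 1 are avoided on purpose: an
# interpreter that crashes on a malformed part exits with 1, and a crash
# must never be read as a verdict.
CLEAN, DETECTED = 10, 11

# Worker source, run in a separate interpreter. It reads one message part
# from stdin and opens nested ZIP layers up to a fixed depth.
WORKER = r'''
import io, sys, zipfile
max_depth, marker = int(sys.argv[1]), sys.argv[2].encode()

def scan(data, depth):
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            sys.exit(12)          # too many compression layers: give up
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(scan(zf.read(name), depth + 1) for name in zf.namelist())
    return marker in data

sys.exit(11 if scan(sys.stdin.buffer.read(), 0) else 10)
'''


def scan_isolated(part, time_limit=5.0, max_depth=3):
    """Scan one message part in a child process; return a verdict string."""
    cmd = [sys.executable, "-c", WORKER, str(max_depth), SAMPLE_MARKER]
    try:
        proc = subprocess.run(cmd, input=part, capture_output=True,
                              timeout=time_limit)
    except subprocess.TimeoutExpired:
        # run() has already killed the child; the mail flow is not blocked.
        return "unscannable"
    # Anything other than the two agreed codes (crash, depth limit, signal)
    # counts as an unsuccessful scan.
    return {CLEAN: "clean", DETECTED: "detected"}.get(proc.returncode,
                                                      "unscannable")


def disposition(verdict, on_detect="quarantine"):
    """Map a verdict to an action; unscannable parts are quarantined."""
    if verdict == "clean":
        return "deliver"
    if verdict == "detected":
        return on_detect
    return "quarantine"


def nested_zip(payload, layers):
    """Build constructed test input: payload wrapped in `layers` ZIP files."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(f"layer{i}.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    samples = {
        "plain body": b"Minutes of the weekly meeting",
        "marker, 2 layers": nested_zip(SAMPLE_MARKER.encode(), 2),
        "harmless, 5 layers": nested_zip(b"harmless", 5),
    }
    for label, part in samples.items():
        verdict = scan_isolated(part)
        print(f"{label}: {verdict} -> {disposition(verdict)}")
```

Because the worker holds no state the parent depends on, a crash, a hang, or an over-nested archive costs one child process and yields a quarantine decision rather than stalling delivery.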

Keep virus protection up-to-date

Symantec Mail Security for Microsoft Exchange relies on up-to-date information to detect and eliminate viruses. One of the most common reasons that virus problems occur is that virus definition files are not updated regularly. Symantec regularly supplies updated virus definition files that contain information about all newly discovered viruses.

You have the following virus definition update options:

■ Rapid Release definitions provide the fastest response to emerging threats and are updated approximately every hour. Rapid Release definitions are delivered by FTP and provide reliable first-line protection.

■ LiveUpdate certified definitions are updated less frequently, as the certified definitions undergo more stringent testing.

Either method lets you connect automatically to a Symantec Web site that determines if the virus definitions for your Symantec products need to be updated and if so, downloads the files to the proper location and installs them.

If your organization has both front-end and back-end Exchange Servers, you may want to consider using Rapid Release definitions on the front-end servers for the fastest response to new threats and certified LiveUpdate definitions on the back-end mailbox servers.

Note: If you have Symantec AntiVirus™ Corporate Edition installed on the same computer as Symantec Mail Security, you must configure only one product to perform virus updates. Since Symantec AntiVirus can share virus definitions with Symantec Mail Security, you should disable virus updates in Symantec Mail Security.

See “Updating virus definitions for a single server” on page 145.

See “Updating virus definitions for multiple servers” on page 147.

See “Keeping your virus protection current” on page 145.

Gather statistics and event data

Symantec Mail Security collects and saves scan data on your Exchange Servers. You can create reports from the data, which gives you a history of virus activity and rule violations. You can download the raw data files that are generated by Symantec Mail Security for Microsoft Exchange for use with third-party reporting tools.

See “Working with report data” on page 159.

Symantec Mail Security logs virus, configuration, and server events. It also logs content violations, spam violations (if enabled), and outbreaks. You can customize the event log by specifying date ranges and classes of events.

See “Working with event data” on page 158.

Send notifications when a threat or violation is detected

Symantec Mail Security for Microsoft Exchange supplies several options for notifying administrators and email senders of threats. You can also create secondary, follow-up notifications.

See “Configuring notifications and alerts” on page 70.

Manage single and multiple Exchange Servers

Symantec Mail Security for Microsoft Exchange can protect one or more Exchange Servers. If your organization has multiple Exchange Servers, you can manage all the servers from the same user interface (UI) that you use to manage a single server. By switching between server view and group view, you can manage the configuration settings for individual servers, a logical grouping of servers such as all front-end servers, or all servers in a specific location.

Note: Settings made at the individual server level will be overwritten by group settings.

How Symantec Mail Security works

In a typical configuration, Symantec Mail Security scans items (message headers, bodies, and attachments) that are sent to Exchange Servers by SMTP or directly to the store (mailboxes and public folders) by MAPI. SMTP traffic is scanned first for spam (when heuristic or Symantec Premium AntiSpam settings are configured) and then for content filtering rules and viruses, based on configuration settings. When a violation is detected or if a scan error occurs, Symantec Mail Security handles the violation based on the scanning configuration settings. When you create a filtering rule and apply it to a scan, items that you specify are matched against message contents and attributes. Attributes include the message body, sender, subject, attachment content, attachment file name, and attachment file size.

What happens during a scan

When you perform standard scans, Symantec Mail Security first decodes and decompresses files and then scans them for viruses using a virus definition file of known virus signatures. The virus definition file contains non-malicious bits of code, or virus definitions, for thousands of viruses. If Symantec Mail Security finds a match, the file is considered infected, and the document is handled according to the scanning configuration settings (repair, delete, quarantine, or log and deliver).

Symantec Mail Security also uses Symantec Bloodhound™ heuristics technology to scan for viruses for which no known definitions exist. Bloodhound heuristics technology scans for unusual file behaviors, such as self-replication, to target potentially infected files.

How Symantec Mail Security monitors events

Symantec Mail Security logs all events to the Windows application event log. You can view event data in the Event Log.

See “Viewing event data” on page 158.

You can also configure Symantec Mail Security to post events to the Symantec Enterprise Security Architecture (SESA) DataStore, an event management system that uses data collection services for events that Symantec and supported third-party products generate.

Symantec Mail Security sends a subset of security and application events to SESA. The events that Symantec Mail Security generates include failed virus definition updates, unscannable files, and spam events.

See “Configuring logging to SESA” on page 197.

For more information about SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator’s Guide.

Types of scanning

Table 1-3 lists the categories of scans.

Table 1-3 Categories of scans

Category | Description
Auto-Protect scan | Viruses and other items that trigger violations are detected in real time as messages are routed through the Exchange Server. This function can be enabled or disabled.
Manual scan | Manual scans are on-demand scans of local mailbox and public folder items.
Scheduled scan | These are scans that run automatically according to a schedule. You can configure multiple scans.

About policies

A policy is a set of rules for detecting and resolving security threats to your Microsoft Exchange mail system. Symantec Mail Security for Microsoft Exchange contains the following policies:

General Policy | Contains rules controlling scanning limits, exceptions, and outbreak management
Antivirus Policy | Contains rules for detecting known viruses and messages and attachments with virus-like characteristics
Antispam Policy | Contains lists of allowed senders and recipients, lists of prohibited senders, and the option to use the heuristic antispam engine or the Symantec Premium AntiSpam feature
Content Enforcement Policy | Contains rules for specifying violations based on message body content, attachment name, attachment size, sender subject lines, and recipient subject lines, and for filtering undesirable and inappropriate content and security risks

Filtering features

The filtering features of Symantec Mail Security let you do the following:

■ Filter email messages based on attributes such as sender, subject, attachment size, and attachment name.

■ Filter email attachments containing multimedia and executable files.

■ Create filtering rules that apply to SMTP inbound and SMTP outbound mail, in addition to the Exchange information store.

■ Create matchlists to use in filtering content. A filtering rule can refer to one or more matchlists. Matchlists can match based on literal strings, regular expressions, or DOS wildcard expressions.

■ Apply content enforcement to sender and recipient groups.
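The three matchlist entry types named above (literal strings, regular expressions, DOS wildcard expressions) behave differently on the same attachment name, which matters when a rule is meant to catch executables. The following is an added example, not the product's matching engine: the matchlist names and patterns are constructed, and the semantics (case-insensitive, literal as substring, wildcard against the whole name) are assumptions.

```python
import re


def dos_wildcard_to_regex(pattern):
    """Translate a DOS wildcard ('*' and '?') into a compiled regex.

    Every other character is escaped, so '[', '+' or '.' in a file name
    pattern is matched literally. Use .fullmatch() on the result.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def compile_entry(kind, pattern):
    """Return a predicate text -> bool for one matchlist entry."""
    if kind == "literal":
        needle = pattern.lower()
        return lambda text: needle in text.lower()
    if kind == "regex":
        rx = re.compile(pattern, re.IGNORECASE)
        return lambda text: rx.search(text) is not None
    if kind == "wildcard":
        rx = dos_wildcard_to_regex(pattern)
        return lambda text: rx.fullmatch(text) is not None
    raise ValueError(f"unknown matchlist entry type: {kind}")


# Constructed matchlists; a filtering rule may refer to one or more of them.
MATCHLISTS = {
    "executable-names": [("wildcard", "*.exe"), ("wildcard", "*.scr")],
    "double-extension": [("regex", r"\.(pdf|doc|xls)\.(exe|scr|bat)$")],
    "loose-literal": [("literal", ".exe")],
}


def rule_hits(attachment_name, matchlists=MATCHLISTS):
    """Return {matchlist name: [patterns that matched]} for one file name."""
    hits = {}
    for name, entries in matchlists.items():
        matched = [pattern for kind, pattern in entries
                   if compile_entry(kind, pattern)(attachment_name)]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    # Constructed attachment names.
    for name in ["report.pdf", "Invoice.PDF.exe", "setup.exe.txt", "photo.scr"]:
        print(f"{name:18} {rule_hits(name)}")
```

The literal entry `.exe` also hits `setup.exe.txt`, while the wildcard `*.exe` does not; the regular expression is the only entry that singles out the disguised double extension.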

Using Symantec Mail Security with other Symantec products

If you have Symantec AntiVirus Corporate Edition installed on the same computer as Symantec Mail Security, you must configure only one product to perform virus updates. The recommended choice is to allow Symantec AntiVirus to perform this function.

Certain folders must be excluded from scanning by Symantec AntiVirus. If Auto-Protect scans the Exchange directory structure or the Symantec Mail Security processing folder, it can cause false-positive virus detections, unexpected behavior on the Exchange Server, or damage to the Exchange databases. This is true of all antivirus programs that run on Exchange Servers.

Specifically, the following folders must be excluded from scanning by Symantec AntiVirus:

<drive>:\Program Files\Symantec\SMSMSE\5.0\Server\Temp

<drive>:\Program Files\Symantec\SMSMSE\5.0\Server\Quarantine

Where to get more information about Symantec Mail Security

Symantec Mail Security for Microsoft Exchange includes a comprehensive Help system that contains conceptual, procedural, and context-sensitive information.

Press F1 to access information about the pane in which you are working. If you want more information about features that are associated with the pane, select a Related Topics link in the Help pane, or use the Table of Contents, Index, or Search tabs in the Help viewer to locate a topic.

If there are procedures that are associated with a feature or topic, the How To folder for the Help topic is displayed. Click that folder to display the procedures.

If you are connected to the Internet, you can visit the Symantec Security Response Web site (http://securityresponse.symantec.com/) to view the Virus Encyclopedia, which contains information about all known viruses and virus hoaxes. You can also find white papers about viruses and threats in general.

Chapter 2

Installing Symantec Mail Security for Microsoft Exchange

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Security and access permissions

■ Installing on a single server

■ Installing on multiple servers

■ Installing to Exchange Servers with Microsoft Clustering Service

■ Installing the user interface separately

■ Implementing SSL

■ After you install

Before you install

You can use Symantec Mail Security to monitor mail security on one or more Exchange Servers.

Before you install Symantec Mail Security, ensure that all preinstallation and system requirements are met. Review the information that describes where key files are located and how security is set up. In addition, ensure that you have an installation plan that best matches your organization’s needs.

See “System requirements” on page 38.

See “Software component locations” on page 35.

See “Security and access permissions” on page 40.

If you are running Symantec Brightmail™ AntiSpam on the same server on which you want to install Symantec Mail Security, you must uninstall Symantec Brightmail AntiSpam before installing Symantec Mail Security.

If you are installing Symantec Mail Security on a single Exchange Server, follow the instructions for a single-server installation.

See “Installing on a single server” on page 41.

If your organization is running multiple Exchange Servers, you can manage Symantec Mail Security from the same user interface as with a single server.

See “Installing on multiple servers” on page 44.

Note: The email tools feature of Symantec AntiVirus Corporate Edition is not compatible with Microsoft Exchange or Symantec Mail Security for Microsoft Exchange and must be uninstalled prior to installing Symantec Mail Security.

Note: To install Symantec Mail Security components correctly, you must be logged on as a Windows domain administrator.

Note: For optimal visibility, the recommended screen resolution is 1024 x 768.

Software component locations

Table 2-1 lists the default location in which Symantec Mail Security software components are installed.

Table 2-1 Software component locations

Component | Location
Symantec Mail Security program files | C:\Program Files\Symantec\SMSMSE\5.0\Server
Quarantined items in encrypted format. Note: You should configure all antivirus file system scanners to exclude scanning of the quarantine directory. Those system scanners may try to scan and delete Symantec Mail Security files that are placed in the quarantine directory during its quarantine process. | C:\Program Files\Symantec\SMSMSE\5.0\Server\Quarantine
Reporting data | C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports
Data files for reports created by user | C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports\<report name> (File type can be .csv, .html, .xml, or image file)
Report templates | C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports\Templates
Symantec directory that contains matchlist files | C:\Program Files\Symantec\SMSMSE\5.0\Server\MatchLists
Symantec directory that contains heuristic antispam configuration files, allowed senders files, and Symantec Premium AntiSpam configuration files | C:\Program Files\Symantec\SMSMSE\5.0\Server\SpamPrevention
Location where Symantec Mail Security scans items. Note: You should configure all antivirus products that scan files to exclude scanning of the Temp directory. Those system scanners may try to scan and delete Symantec Mail Security files that are placed in the Temp directory during its scanning process. | C:\Program Files\Symantec\SMSMSE\5.0\Server\Temp
Symantec directory that contains the dynamic-link libraries for Symantec Premium AntiSpam | C:\Program Files\Symantec\SMSMSE\5.0\Server\bin
Symantec directory that contains manual scan configuration data | C:\Program Files\Symantec\SMSMSE\5.0\Server\Config
Symantec directory that contains configuration files for allowed and blocked senders for Symantec Premium AntiSpam | C:\Program Files\Symantec\SMSMSE\5.0\Server\etc
Symantec directory that contains component logs for Symantec Premium AntiSpam | C:\Program Files\Symantec\SMSMSE\5.0\Server\logs
Symantec directory that contains the rule update log file for Symantec Premium AntiSpam | C:\Program Files\Symantec\SMSMSE\5.0\Server\stats
User interface files | C:\Program Files\Symantec\SMSMSE\5.0\UI
Component to update virus definitions | C:\Program Files\Symantec\LiveUpdate
Symantec directory to which new virus definitions are installed | C:\Program Files\Common Files\SymantecShared\VirusDefs
Symantec directory in which license files are stored | C:\Program Files\Common Files\SymantecShared\Licenses
Symantec directory that contains the Verity content extraction component | C:\Program Files\Symantec\SMSMSE\5.0\Server\Verity\bin
Symantec directory that contains the Symantec Mail Security web service components | C:\Program Files\Symantec\SMSMSE\5.0\Server\DExLService\bin
.NET Framework 1.1 service pack 1.1 | C:\Windows\Microsoft.NET\Framework
SESA agent installation files | C:\Program Files\Server\AgtInst
bmi rulesets | C:\Program Files\Server\

Start menu shortcut

A Symantec Mail Security shortcut is placed in the following Windows Start menu groups:

Start > Programs > Symantec Mail Security for Microsoft Exchange > Server Management Console

An icon is also placed on the desktop for easy access.

In addition, a LiveUpdate properties control panel is placed in the following Windows Control Panel group to manually configure the LiveUpdate connection method, if necessary:

Start > Settings > Control Panel > Symantec LiveUpdate

Preventing conflicts with other antivirus software

You must stop any other antivirus software on the server on which you want to install Symantec Mail Security. After installation, you should re-enable the antivirus protection.

If another antivirus product is installed on the Symantec Mail Security server, the competing product may try to scan and delete Symantec Mail Security for Microsoft Exchange files that are placed in the Temp and quarantine directories during its scanning process.

See “Software component locations” on page 35.

If you are running a desktop antivirus product on the server on which you want to install Symantec Mail Security, you must configure the desktop product not to scan the Temp and quarantine directories that are used by Symantec Mail Security. Scanning these directories will cause significant operational problems with the software.

You must remove Symantec AntiVirus Corporate Edition email tools prior to installing Symantec Mail Security.

You should not configure two Symantec products to update virus definitions. If you have Symantec AntiVirus Corporate Edition installed, the recommended course is to allow that product to update virus definitions.

System requirements

Symantec Mail Security runs on Microsoft Windows 2000 Server/Server 2003 on the Intel platform. You must have domain administrator-level privileges to install Symantec Mail Security.

The server system requirements are as follows:

Operating system

■ Windows 2000 Server/Advanced Server/Data Center SP4

■ Windows Server 2003 Standard/Enterprise/Data Center (no SP required)

Exchange platform

■ Exchange 2000 Server SP3/Enterprise Server

■ Exchange Server 2003/Enterprise Server

Minimum system requirements

■ Intel® Server class 32-bit processor

■ 1 GB RAM

■ 650 MB available disk space

■ .NET Framework version 1.1 SP1. Required for the Symantec Mail Security for Microsoft Exchange Console to function properly. You must ensure that .NET Framework version 1.1 SP1 is installed for your language prior to installing Symantec Mail Security for Microsoft Exchange.

■ MDAC 2.6 or higher (will install with installation if not already installed)

■ DirectX 8.01 or higher (will install DirectX 9 with installation if not already installed)

If you install Symantec Mail Security on a Windows 2000 Server Domain Controller that does not allow impersonation, you will have difficulty changing settings in group view or from a remote user interface. You should run Microsoft Exchange on a computer that is not a Domain Controller. If this is not feasible, set the computer to allow impersonation by configuring the “Impersonate a client after authentication” policy for the IWAM account.

Separate user interface installation

You can install the user interface (UI) on a computer that doesn't have an Exchange Server. This lets you manage Symantec Mail Security from a convenient location. For example, if the servers are in a computer room, you can manage Symantec Mail Security from a computer in your office. The requirements for a separate installation are as follows:

Operating system

■ Windows 2000 SP4

■ Windows 2003 (no SP required)

■ Windows XP SP1

Minimum system requirements

■ Intel Server class 32-bit processor

■ 512 MB RAM

■ 250 MB available disk space

■ .NET Framework version 1.1 SP1. Required for the Symantec Mail Security for Microsoft Exchange Console to function properly. You must ensure that .NET Framework version 1.1 SP1 is installed for your language prior to installing Symantec Mail Security for Microsoft Exchange.

■ DirectX 8.01 or higher (will install DirectX 9 with installation if not already installed)

Security and access permissions

By default, Symantec Mail Security creates the following user groups in Active Directory and assigns them access rights:

SMSMSE Admins | Provides read and write access to all Symantec Mail Security components and features. Users in this group can change settings for Symantec Mail Security through the user interface. A Windows 2000 Server/Server 2003 administrator-level account is not necessary for an SMSMSE Admins account.
SMSMSE Viewers | Provides read-only access to Symantec Mail Security components and features. Users in this group cannot change settings for Symantec Mail Security but can run reports, view event logs, and view settings through the user interface.

These user groups are domain-wide for Active Directory. Use the Active Directory Users and Computers MMC snap-in to change membership in these groups.

During the security set-up process, security is set for the Symantec Mail Security registry key and file folders.

Note: For the security setup to succeed, you must have administrator access to the local servers and domain administrator rights.

User group assignments and setup

You are automatically added to the SMSMSE Admins group when you set up a single Symantec Mail Security server. If you do not already belong to the SMSMSE Admins group, you are not automatically added to SMSMSE Admins when you install remote servers in a multiserver environment. Use the Active Directory Users and Computers MMC snap-in to verify and add membership to SMSMSE Admins if necessary.

Installing on a single server

You can install Symantec Mail Security on a single Microsoft Exchange Server. Before you begin, you should review the pre-installation information.

See “Before you install” on page 34.

Note: You are prompted whether to retain existing settings or to use default settings when you upgrade Symantec Mail Security 4.0/4.5/4.6 to Symantec Mail Security 5.0.

To perform the initial setup

1 Start the Symantec Mail Security Setup program (Setup.exe).

This file is located in the SMSMSE\Install folder on the product CD.

2 In the InstallShield Welcome panel, click Next.

3 In the first Symantec Mail Security Setup Preview panel, click Next.

4 In the second Symantec Mail Security Setup Preview panel, click Next.

5 In the Software License Agreement panel, click I accept the terms in the license agreement, and then click Next.

You must accept the terms of the license agreement for the installation to continue.

6 If the Existing Settings panel appears, click Restore default settings or Retain existing settings, and then click Next.

7 In the Destination Folder panel, do one of the following:

■ Verify that the default destination directory is appropriate.

The default destination directory is as follows:

C:\Program Files\Symantec\SMSMSE\5.0\Server

■ Click Change, and then select a different destination directory.

8 In the Setup Type panel, click Complete (recommended) or Custom, and then click Next.

If you select Custom, do all of the following:

■ Select Symantec Mail Security for Microsoft Exchange (full installation) or Server management console (user interface installation).

■ Continue to step 9.

See “Installing the user interface separately” on page 54.

9 Click OK.

To configure external interfaces

1 In the IIS Reset Options panel, select whether to stop IIS during installation, and then click Next.

2 In the Web Service Setup panel, accept the following values or type new data.

IP/Name | By default, the computer name resolves to the primary external network interface card (NIC). Alternatively, an IP address can be used. The IP address can be used to validate the availability of the port.
Port # | Port 8081 is the default port number for the Web service that is used by Symantec Mail Security. If port 8081 is being used by another application, a different default port number appears. If you change the port number, do not use a port number that is used by another application, and do not use port 80. Port 80 is the port number that is used by the default Web service, which is hosted by Microsoft Internet Information Services (IIS).

3 Click Next.

4 In the Notification E-mail Address panel, accept the default or type a new originator email address, and then click Next.

5 In the Symantec Enterprise Security Architecture panel, select whether to enable logging to SESA.

You should only select Yes if you have a SESA server. If you select Yes, type the SESA IP address, and then click Next. If you do not have a SESA server or select No, you can manually configure the SESA agent at another time.

See “Integrating Symantec Mail Security with SESA” on page 195.

6 In the Setup Summary panel, review the information. If any changes are needed, click Back to return to the appropriate panel to make the changes.

7 Click Next.

8 Click Install.

After installing the product on a server, you can install the UI separately on a remote computer, add the server to the UI, and specify the port number to access Symantec Mail Security.

See “Installing the user interface separately” on page 54.

To install content licenses

1 In the Install Content License File panel, do one of the following:

■ Type the fully qualified path to the license file, and then click Install.

A dialog box will confirm installation of the license. Click OK to close the dialog box, and then click Next.

If the license file is located on another computer, you can specify a mapped drive or UNC path.

■ Click Browse, select the license file, and then click Install.

If the license file is located on another computer, you can locate the file using My Network Places.

■ Click Skip to skip file selection and add the license information later.

You can install the virus content and the Symantec Premium AntiSpam license one after the other.

See “Installing on multiple servers” on page 44.

2 After installing the license or licenses, click Next on the Install Content License File screen.

3 In the LiveUpdate screen, click Yes or No, and then click Next.

If you click No, proceed to step 7.

4 In the Welcome to LiveUpdate screen, click Next.

5 In the Options screen, click Next.

6 When the Thank you message appears, click Finish.

7 In the Setup Complete panel, select whether to view the Readme file, and then click Finish.

The Readme file contains information that is not available in the product documentation.

Installing on multiple servers

Once you have installed Symantec Mail Security on a single server or the UI on a suitable computer, you can install Symantec Mail Security on multiple Exchange Servers by doing the following:

■ Installing Symantec Mail Security on remote servers

■ Customizing the installation of remote servers

Installing Symantec Mail Security on remote servers

You can install the Symantec Mail Security server component on remote servers. This should not be done when installing the product in a cluster environment.

See “Installing to Exchange Servers with Microsoft Clustering Service” on page 50.

Remote servers are installed with default installation settings. By default, vpremote.dat retains settings if Symantec Mail Security is already installed on a remote server. If you want to customize the installation settings and apply them to a remote server, add the custom features to the vpremote.dat file.

See “Customizing the installation of remote servers” on page 45.

See “Upgrading from a previous version” on page 49.

You must be logged on as a member of the administrator group on the local computer and have domain administrator privileges on all remote computers on which you want to install Symantec Mail Security.

Note: It is not recommended to install Symantec Mail Security on remote servers in a cluster environment.

To install Symantec Mail Security on remote servers

1 Review preinstallation information.

See “System requirements” on page 38.

See “Software component locations” on page 35.

See “Before you install” on page 34.

2 On the main menu bar, select Tasks > Manage Assets.

3 In the Asset Management window, in the sidebar, click Install to server(s).

4 Under Servers to install to, in the Servers and server groups box, select the server or servers on which you want to install Symantec Mail Security.


5 Click the >> button to select the server(s). The name or the IP address of the selected server(s) appears in the Selected Servers box.

You can select individual servers, or groups, or a combination.

6 To deselect a server or servers, select it in the Selected Servers box and click the << button.

7 Optionally, under Server options, check Keep installation files on server(s) if you do not want the installation files to be deleted when the installation finishes.

8 Optionally, check Send group settings to deploy the settings of the group or groups to which the servers belong when the installation finishes.

9 Click OK.

Customizing the installation of remote servers

There may be cases in which you want to customize the installation of Symantec Mail Security on a remote Exchange Server. For example, you may need to change the following settings:

■ Installation location

■ Default email address for notifications

■ Stop/Start of IIS

Table 2-2 lists the remote customization options.

Table 2-2 Remote customization options

| Property | Description | Default value | Optional value |
|---|---|---|---|
| EMAILADDRESS= | Address of the domain administrator. This will be used for the Notification/Alert settings: Address of sender and Administrator and others to notify. | N/A | (Email address of domain administrator) |
| EXISTINGSETTINGGROUP= | Controls whether to retain a previous version’s setting or restore the default settings of the new version. | Retain | Restore |
| IIS_RESET= | Controls whether or not to stop and restart the IIS. | Yes | No |
| INSTALL_SESA= | Determines whether or not to install SESA. | No | Yes |
| INSTALLDIR= | The “drive:\path” to install SMSMSE product. | [drive]:\program files\symantec\smsmse\5.0\ | (Any valid path) |


To customize the installation of remote servers

1 Locate the folder [installation folder]\SMSMSE\5.0\UI\remote install files.

2 Using WordPad or a similar tool, open the following file: vpremote.dat

3 Insert one or more properties by doing the following:

■ Type a space after the previous or existing entry inside the quotation marks.

■ Type the new property.

The property portion of each entry is case sensitive.

■ Type the value immediately after the = sign with no space.

The values are not case sensitive.

For example, specify a silent installation as follows:

{setup.exe /s /v"/qn NOT_FROM_ARP=1 REMOTEINSTALL=1"}

Note: Do not edit the entry {setup.exe /s /v"/qn NOT_FROM_ARP=1"}. This entry must remain as is.

See Table 2-2, “Remote customization options,” on page 45.
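The editing rules above (case-sensitive property names, no space after the = sign, one entry that must stay untouched) are easy to break in a text editor, so the following lint check for an edited vpremote.dat is added here as an example; it is not Symantec code. It assumes the file holds brace-delimited entries of the form shown in the guide; the function names, the value checks derived from Table 2-2, and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Entry the guide says must remain exactly as shipped.
PROTECTED_ENTRY = '{setup.exe /s /v"/qn NOT_FROM_ARP=1"}'

# Assumed entry layout, taken from the guide's sample line.
ENTRY_RE = re.compile(r'\{setup\.exe /s /v"([^"]*)"\}')


def _is_port(value):
    return re.fullmatch(r"[0-9]{1,5}", value) is not None and 1 <= int(value) <= 65535


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Property names spelled as in Table 2-2 (names are case sensitive); each maps
# to a check for its value (values are not case sensitive).
VALUE_CHECKS = {
    "EMAILADDRESS": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+", v) is not None,
    "EXISTINGSETTINGGROUP": lambda v: v.lower() in {"retain", "restore"},
    "IIS_RESET": lambda v: v.lower() in {"yes", "no"},
    "INSTALL_SESA": lambda v: v.lower() in {"yes", "no"},
    "INSTALLDIR": lambda v: re.match(r"[A-Za-z]:\\", v) is not None,
    "PORTNUMBER": _is_port,
    "REMOTEINSTALL": lambda v: v in {"0", "1"},
    "SESAIP": _is_ip,
    # Not in Table 2-2; it appears in the guide's sample entries.
    "NOT_FROM_ARP": lambda v: v == "1",
}


def lint_entry(entry):
    """Return a list of problems found in one {setup.exe ...} entry."""
    if re.search("[\u201c\u201d]", entry):
        # Curly quotes arrive when the line is pasted from a PDF or word processor.
        return ['typographic quotation mark; use the straight " character']
    match = ENTRY_RE.fullmatch(entry.strip())
    if match is None:
        return ['entry does not have the form {setup.exe /s /v"..."}']
    findings, seen = [], set()
    for token in match.group(1).split():
        if token.startswith("/"):
            continue  # installer switch such as /qn
        name, equals, value = token.partition("=")
        if not equals:
            findings.append(f"{token!r}: not NAME=value; a space after '=' or "
                            "inside a value splits the entry")
        elif name not in VALUE_CHECKS:
            if name.upper() in VALUE_CHECKS:
                findings.append(f"{name}: property names are case sensitive, "
                                f"expected {name.upper()}")
            else:
                findings.append(f"{name}: not a property listed in Table 2-2")
        elif name in seen:
            findings.append(f"{name}: set more than once")
        elif not value:
            findings.append(f"{name}: no value directly after '='")
        elif not VALUE_CHECKS[name](value):
            findings.append(f"{name}: value {value!r} is not valid for this property")
        seen.add(name)
    return findings


def lint_file(text):
    """Return {entry: problems} for the whole file; '<file>' keys file-level problems."""
    report = {}
    if PROTECTED_ENTRY not in text:
        report["<file>"] = ["protected entry missing or edited: " + PROTECTED_ENTRY]
    for entry in re.findall(r"\{[^{}]*\}", text):
        problems = lint_entry(entry)
        if problems:
            report[entry] = problems
    return report


# Constructed sample: the protected entry plus an edited entry with four mistakes.
SAMPLE = "\n".join([
    '{setup.exe /s /v"/qn NOT_FROM_ARP=1"}',
    '{setup.exe /s /v"/qn NOT_FROM_ARP=1 REMOTEINSTALL=1 PortNumber=8081 '
    'IIS_RESET= No SESAIP=192.0.2.300"}',
])

if __name__ == "__main__":
    for entry, problems in lint_file(SAMPLE).items():
        print(entry)
        for problem in problems:
            print("   ", problem)
```

Run it against a copy of the edited file before starting the remote installation, because a mistyped property name or value may not take effect as intended on the remote servers.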

Table 2-2 Remote customization options (Continued)

| Property | Description | Default value | Optional value |
|---|---|---|---|
| PORTNUMBER= | The port used by the product for Web services. | 8081 | (Any valid port) |
| REMOTEINSTALL | Controls whether the user interfaces appear during the installation. Set to 1 if a silent installation is desired. | 0 | 1 to hide user interfaces |
| SESAIP= | The IP address of the SESA server. | N/A | (A valid SESA IP number) |

Installing or renewing license files

You must install a license file on each server that is running Symantec Mail Security in order to receive the latest virus definition updates or to activate Symantec Premium AntiSpam. To install an antivirus content license, you must have the serial number that is required for activation. The serial number is listed on your purchase certificate. The purchase certificate is mailed separately (or sent by email, if you requested that method when you purchased your software). It arrives in the same time frame as your software. The serial number is used to request a license file and to register for support. The format of a serial number is a letter followed by 10 digits, for example, F2430482013.

If you purchased Symantec Premium AntiSpam, a second serial number is listed on the purchase certificate. This serial number is needed to receive the latest spam definition updates for the premium antispam service. If only Symantec Premium AntiSpam is purchased, only that serial number is listed.

After you install the license files for antivirus content and Symantec Premium AntiSpam, content and premium spam updating are enabled for the duration of your maintenance contract. When a content license expires, a new license must be installed to renew the subscription. When no license is installed, virus and spam definitions that are needed to keep protection current are not used.

If you have questions about licensing, contact Symantec Customer Service at 800-721-3934 or your reseller to check the status of your order.

You must install the license file on each server on which Symantec Mail Security is installed, regardless of whether the computer is partitioned or is a cluster node. The same license file supports all servers that are covered by the content license.

You must install one license file on each member of an Exchange cluster. You cannot replicate a license file like you can virus definition updates.

To install or renew a license file to a single server

1 Open Symantec Mail Security.

2 Select the Admin tab.

3 Click Licensing.

4 If necessary, follow steps 1 and 2 of the Licensing panel to request a license file from Symantec.

5 In step 3 of the Licensing panel, do one of the following:

■ Type the fully qualified path to the license file.

If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.

■ Click Browse, select the license file, and then click Open.

If the license file does not reside on the same computer, you can locate the file using My Network Places.

6 Click Install to install the license file to the server.

You can install the virus content license and Symantec Premium AntiSpam license one after the other.


Installing licenses to remote servers

You can install a license file for a remote server group or for a single remote server.

To install a license file to a remote server group

1 Select the Admin tab.

2 At the top of the window, click Change next to the Server/group panel.

3 Select Global Group or a specific server group from the menu.

4 Click Select.

5 If necessary, follow steps 1 and 2 of the Licensing panel to request a license file from Symantec.

6 In step 3 of the Licensing panel, do one of the following:

■ Type the fully qualified path to the license file.

If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.

■ Click Browse, select the license file, and then click Open.

If the license file does not reside on the same computer, you can locate the file using My Network Places.

7 Click Install to install the license file to the server group.

If a server within the server group is already licensed, the license file is reapplied. The license file with the latest expiration date is applied.

To install a license file to a single remote server

1 Select the Admin tab.

2 At the top of the window, click Change next to the Server/group panel.

3 Select a specific server from the menu.

4 Click Select.

5 If necessary, follow steps 1 and 2 of the Licensing panel to request a license file from Symantec.


6 In step 3 of the Licensing panel, do one of the following:

■ Type the fully qualified path to the license file.

If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.

■ Click Browse, select the license file, and then click Open.

If the license file does not reside on the same computer, you can locate the file using My Network Places.

7 Click Install to install the license file to the server.

Upgrading from a previous version

If you are upgrading from a previous version, note that there is no longer a separate multiserver console. Single and multiple servers are all administered from the same user interface. Console settings will not migrate to the new version.

Custom policies, content filtering rules, and report templates will not migrate to the new version.

Table 2-3 lists the data and settings that will migrate to the new version.

Table 2-3 Migration of upgrade settings

| Category | Migration status |
|---|---|
| Auto-protect | Policy in use migrates to the new version as the standard policy |
| Auto-protect statistics | Migrates as is |
| Mass-Mailer Rule | Enable/disable setting only |
| Basic Virus Rule | Migrates as is |
| Virus subpolicy | Enable/disable setting only |
| Filtering subpolicy | Policy currently in use migrates to the new version as the standard policy. Enable/disable setting migrates |
| Exception subpolicy | All existing exceptions rules and settings migrate |
| Cert and License files including registry keys | Migrates as is |
| Quarantine files | Migrates as is |
| Quarantine settings | Migrates as is |
| Spam settings | Migrates as is |
| “Clear” outbreak settings | Migrates as is |
| Alerting/Notification settings | All except AMS and Messenger settings |
| LiveUpdate/Rapid Release settings | All settings migrate |
| Matchlists | Migrates as is |
| Report settings | Migrates as is |
| Saved Reports | Existing reports (that is, .csv and .html files) migrate if code already exists to do this |
| Report and Statistics Data | Migrates as is |
| Spam XML file | Migrates as is |

To upgrade from a previous version

1 Launch the SMSMSE 5.0 Console.

2 Add existing servers to be upgraded to an asset group of your choice (for example, Global).

3 Use the Upgrade Servers link to upgrade the selected server.

4 Once all of the servers are upgraded, you may uninstall the previous console using the Add/Remove Programs control panel.

Installing to Exchange Servers with Microsoft Clustering Service

You can install Symantec Mail Security in a Microsoft Cluster. Symantec supports active/active configurations, but recommends configurations with one or more passive nodes. The two configuration types have different installation requirements.

When installing Symantec Mail Security in a cluster environment, the product should be installed individually on each node of the cluster. The remote installation feature should not be used.


Installing Symantec Mail Security on a cluster with one or more passive nodes

You can install Symantec Mail Security to Exchange Servers that are running Microsoft Clustering Service with one or more passive nodes.

For Symantec Mail Security to support a cluster environment, the Symantec Web site must be accessible from all active and passive nodes of the cluster to ensure that settings can be retrieved and changed. Symantec Mail Security settings are stored in the registry and local hard drive of each individual server. Every time settings are changed, the settings are duplicated on the hard drive of the shared storage that is used as a dependency for the Symantec Mail Security resource. Any time the active node goes down and control transfers to the passive node, the passive node checks for settings on the shared hard disk storage. The settings are then downloaded to the passive node (which is now active) and applied.

The Symantec Mail Security service is Microsoft cluster aware and does not require any specific settings prior to installing on a cluster with one or more passive nodes. Symantec Mail Security requires its own cluster resource.

You must use IP addresses or names of the Exchange Virtual Server (EVS) nodes instead of the server IP addresses or names for managing Symantec Mail Security through the UI.

When the EVS group and Symantec Mail Security cluster resource move from one node to another, the following items will not be transferred:

■ Quarantine contents

■ Virus definitions and spam rules

■ Report database and generated reports

■ Spam statistics

■ Mailbox and public folder lists

See “Configuring the cluster resource” on page 52.

Preinstallation requirements

Before installing the Symantec Mail Security product on an Exchange cluster with one or more passive nodes, ensure that the following requirements are met:

■ Symantec Mail Security must be installed to all active and passive nodes of a cluster.

■ Only one Exchange Virtual Server (EVS) may run on any cluster node at any time. If two EVSs attempt to run on the same node, the results are undefined.


■ There must always be available passive node(s) to fail to. Multiple failovers are supported only if multiple passive nodes are available.

■ Symantec Mail Security must be identically installed in the same locations on all nodes of the cluster.

During installation, Symantec Mail Security checks for the presence of a cluster environment. If the installation is running in a cluster environment, you will be prompted to register a cluster resource DLL (SMSMSEClusterResource.dll). This DLL must be registered on only one of the cluster nodes.

Once the install is completed, Symantec Mail Security service will be running on all the nodes. It should be running on all the nodes (even passive) immediately after installation. After the first instance of the cluster resource is configured, the service will run only on the active node or nodes.

Configuring the cluster resource

After Symantec Mail Security is installed on each node of the cluster, a new resource needs to be created. This resource provides high availability by monitoring and controlling the Symantec Mail Security service. The resource should be created in each Exchange Virtual Server group.

The Symantec Mail Security cluster resource is responsible for all of the following tasks:

■ Handling cluster events

■ Saving Symantec Mail Security settings for each Exchange Virtual Server to shared storage

■ Retrieving settings from shared storage and making them active on a given cluster node

■ Managing the Symantec Mail Security service.

To configure the cluster resource

1 On the Windows taskbar, click Start > Programs > Administrative Tools > Cluster Administrator.

2 Select an EVS group and launch the New Resource Wizard.

3 Name the resource.

You must assign a unique name to each resource.

4 Select Symantec Mail Security for Microsoft Exchange as the resource type, and then click Next.


5 On the next screen, choose the nodes for which this resource is being created, and then click Next.

The nodes should be the same as those on which EVS can operate.

6 On the next screen, choose the dependencies for this resource.

The required dependencies are as follows:

■ Physical Disk Resource (disk on which the settings are saved)

■ EVS Network Name resource

7 Repeat steps 2 through 6 for each EVS server group.

As the Symantec Mail Security resource is created, the Symantec Mail Security service on all nodes is stopped and service startup is changed to manual. This is because the service is running under the control of the Symantec Mail Security cluster resource.

Installing Symantec Mail Security on an active/active cluster

You can install Symantec Mail Security on an active/active Microsoft Exchange cluster.

Before installing the Symantec Mail Security product on an active/active Exchange 2000 or 2003 cluster, ensure that the following requirements are met:

■ The cluster is a group of identical servers containing two nodes. An active/active cluster can contain only two nodes.

■ At least two Exchange virtual servers exist and are capable of running on either node in the cluster.

In a cluster environment, it is recommended to manage Symantec Mail Security with a UI that is installed on a computer that is not a part of the cluster rather than from one of the cluster nodes. This lets you maintain independent Symantec Mail Security settings for each Exchange Virtual Server.

To install Symantec Mail Security on an active/active cluster

1 Log on to a node using an Administrator account that is a member of the Domain and Local Admin groups.

2 Run setup.exe to install the Symantec Mail Security product on the cluster node.

The installation directory should be on a local node (non-shared drive).


3 In the server user interface, type the IP address of the externally accessible network card of the current node (if not already present).

Do not type the Virtual Server IP address or the cluster IP address. Do not type the name of the node.

4 Repeat steps 2 and 3 to install the Symantec Mail Security product on the remaining node.

Managing Symantec Mail Security on all cluster nodes

You can manage Symantec Mail Security on all cluster nodes.

See “Installing the user interface separately” on page 54.

See “Adding servers to a group” on page 114.

To manage Symantec Mail Security on all cluster nodes

1 If desired, install the Symantec Mail Security UI on a workstation on the same network as the cluster.

2 Use Asset Management to add each cluster node to a group.

Installing the user interface separately

The Symantec Mail Security user interface (UI) is a Windows application that lets you manage local and remote installations of Symantec Mail Security from a single computer, including one on which Symantec Mail Security is not installed.

You can use the UI to roll out installations of Symantec Mail Security to other Exchange Servers.

Before you install the UI on a computer without Microsoft Exchange, you should fully understand its purpose and have an implementation plan.

See “Separate user interface installation” on page 39.

Note: Symantec Mail Security supports upgrades from Symantec Mail Security 4.0, 4.5, and 4.6. If you are upgrading from a previous version, the active policy settings on the previous installation will be incorporated into the applicable policy on the new installation. Before you begin, you should review the pre-installation requirements. Not all settings and policies are migrated during an upgrade.

See Table 2-3, “Migration of upgrade settings,” on page 49.


To install the Symantec Mail Security user interface separately

1 Start the Symantec Mail Security Setup program (Setup.exe).

This file is located in the SMSMSE folder on the product CD.

2 In the License Agreement panel, check I accept the Terms in the license agreement, and then click Next.

3 Click Customize.

4 In the Customize panel, deselect Server.

5 In the Ready to Install the Program panel, click Install.

The installation may take several minutes.

6 Click Finish.

Uninstalling Symantec Mail Security

You can uninstall Symantec Mail Security through Add/Remove programs.

When you uninstall Symantec Mail Security in a clustered environment, you will be prompted to unregister the Symantec Mail Security resource DLL that was configured during install. This needs to be done only once on any of the cluster nodes.

You must delete all instances of the Symantec Mail Security resource from every EVS group before unregistering the cluster resource.

Implementing SSL

You can configure Symantec Mail Security to use Secure Sockets Layer (SSL) communications, which requires a server certificate. You can create your own server certificate using Microsoft Certificate Services 2.0 or request one from a Certificate Authority.

To implement SSL, you complete the following tasks:

■ Install Symantec Mail Security so that the Web service is created and available for modification.

■ Apply a server certificate to the Web service and require SSL.

■ Specify SSL communications and the SSL port.

See “Changing the Transmission Control Protocol (TCP) port and using Secure Sockets Layer (SSL)” on page 116.


To implement SSL

1 On the computer on which Symantec Mail Security is installed, open Internet Services Manager.

2 In the server list, expand the folder for the server that is hosting Symantec Mail Security.

3 Right-click Symantec Mail Security for Exchange, and then click Properties.

4 On the Directory Security tab, under Secure communications, click Server Certificate.

5 Follow the instructions in the Web Server Certificate Wizard to install the certificate.

6 After the certificate is installed, on the Directory Security tab, under Secure communications, click Edit.

7 In the Secure Communications dialog box, check Require secure channel (SSL), and then click OK.

8 On the Web Service tab, under Web Service Identification, in the IP Address text box, type the IP address of the Symantec Mail Security server.

9 In the SSL Port text box, type the port to use for SSL communications.

The default port for SSL communications is 636.

10 Click OK to close the Symantec Mail Security Properties window.

11 After SSL is implemented, you must enable SSL and specify the SSL port for each server from the Symantec Mail Security UI.

After you install

After you install Symantec Mail Security, you should perform the following administrative tasks:

■ Install the license file if it was not installed during setup.

See “Installing on multiple servers” on page 44.

■ Update virus definitions.

See “Keeping your virus protection current” on page 145.

■ Configure notification and alert recipients.

See “Configuring notifications and alerts” on page 70.

Some additional tasks are required if you are managing multiple servers.

See “Managing multiple server installations” on page 111.


Chapter 3

Configuring Symantec Mail Security for Microsoft Exchange

This chapter includes the following topics:

■ About configuring Symantec Mail Security

■ Securing your network

■ Configuring notifications and alerts

■ Keeping your protection updated automatically

■ Quarantining message bodies and attachments

■ Configuring data report settings

■ Configuring content enforcement

■ Configuring exception settings

About configuring Symantec Mail Security

When you configure Symantec Mail Security, you set product-wide values that apply to all users and across all sessions.

Although you can configure or reconfigure Symantec Mail Security at any time, you generally configure the product immediately after installation, customizing settings with values that work best for your environment.


Configuration settings

Symantec Mail Security supplies a basic set of product defaults that are designed to eliminate the need for regular maintenance and to minimize configuration time. These defaults are set at the individual server level. For many installations, these values do not have to be reset.

Table 3-1 lists the default configuration settings.

Table 3-1 Default configuration settings

| Feature | Default setting |
|---|---|
| Policies > General | Maximum scan time per file is 300 seconds. |
| | Maximum archive scan depth (number of levels) is 10. |
| | Maximum size of one extracted file is 100 MB. |
| | Maximum total size of all files is 200 MB. |
| | Maximum number of extracted files is 5000. |
| | Outbreak management is enabled (no active default triggers). |
| | Outbreaks are checked for every 2 minutes. |
| | All outbreak rules are disabled. |
| Policies > Antivirus | Virus scanning is enabled. |
| | Degree of Bloodhound heuristic detection is medium. |
| | Mass-mailer worm detection and deletion is enabled. |
| | All antivirus rules are enabled. |
| Policies > Antispam Blacklist and Whitelist | Allowed sender listing is disabled. |
| | Unfiltered recipients listing is disabled. |
| | Real-time blacklist blocking is disabled. |
| Policies > Antispam Heuristic Detection | Heuristic antispam engine is disabled. |
| | All SCL (Spam Confidence Level) boxes are set to > (greater than) 8. |
| | Text to prepend to subject line to tag spam is Spam: (colon). |
| Policies > Symantec Premium AntiSpam Settings | Symantec Premium AntiSpam is disabled. |
| | Open Proxy List and Safe List are enabled. |
| | Suspect List is enabled (and cannot be disabled). |
| | Flag messages as suspected spam is set to No. |
| | Lower spam threshold is set to 72. |
| | Language identification is disabled. |
| Policies > Symantec Premium AntiSpam Actions | All spam and suspected spam messages are accepted by the recipient SMTP server and delivered normally (no message delivery options are enabled). |
| | Spam messages have an SCL value of 9 assigned. |
| | Suspected spam messages (with an existing SCL value) have an SCL value of > 5 assigned. |
| | Suspected spam messages (without an existing SCL value) have an SCL value of 8 assigned. |
| | Logging is disabled. |
| | Note: When Symantec Premium AntiSpam is licensed, it disables the heuristics spam detection feature. |
| Policies > Content Enforcement | Content filtering is enabled. |
| | All content filtering rules are disabled. |
| | All file filtering rules are disabled. |
| | Sample matchlists are created by default. |
| Monitors > Notification/Alerts | Exchange administrators specify recipients and computers to notify when a rule is violated. |
| | SESA alerting is disabled. |
| Monitors > Quarantine | No actions are set by default. |
| | Maximum number of items is set to 1000. |
| | Maximum size of quarantine is set to 500 MB. |
| | Retain items in quarantine is set to 90 days. |
| | Notify Administrator is selected for when a threshold is met. |
| | Delete oldest items is enabled. |
| | Email notification subject line text is: Administrator Alert: The Symantec Mail Security Quarantine has exceeded a set limit. |
| | Email notification message body text is: You should manage the Quarantine to remove files or change the Quarantine settings. |
| Scans | Auto-protect is enabled. |
| | Background scanning is disabled. |
| | Force rescan on virus definition update is enabled. |
| | Scan message bodies is enabled. |
| | Virus scanning is enabled. |
| | Virus scan messages during SMTP transport is disabled. |
| | No scheduled scans are set. |
| Reports | Store data for 12 months is enabled. |
| | Include Spam data is disabled. |
| Admin | Number of Virus Scanning Application Program Interface (VSAPI) scanning threads is figured using the equation 2 × P + 1 (where P is the number of processors). |
| | Number of scan processes is figured using the equation 2 × P + 1 (where P is the number of processors). |
| | Inbound/Outbound setting is disabled. |
| | LiveUpdate is enabled and set to run at a specific time (default varies according to time of installation). |
| | Rapid Release is disabled. |

Symantec Mail Security user interface components

Table 3-2 describes the user interface controls and indicators across the top of the screen that you can use in addition to the menu bar.

Table 3-2 UI controls and indicators

| UI element | Description |
|---|---|
| Change | Calls up the Select Asset screen. See “Securing your network” on page 63. |
| Deploy changes/Deploy all | Deploys any changes you have made to the interface. |
| Discard pending changes | Discards any changes that you have made and returns all settings to their previous conditions. |
| Service running indicator | Indicates that the Symantec Mail Security service is operational on the selected server. |
| Changes pending indicator | Indicates that there are changes that have not been deployed. |


Along the left side of the screen are tabs for the Home page and five management operation pages. Management operations are grouped into the following categories represented by icons on the primary navigation bar:

| | |
|---|---|
| Policies | Lets you create and configure sets of rules to be implemented by specific scans |
| Monitors | Lets you set notification addresses and quarantine settings and monitor quarantine data and events |
| Scans | Lets you create, schedule, and run scans and modify the Auto-Protect scan |
| Reports | Lets you view and print data collected by Symantec Mail Security |
| Admin | Lets you update virus definitions, configure system settings, and install licenses |

The Home page contains the following reports:

| | |
|---|---|
| Status | When a group is selected, provides summary information for the selected group. When a single server is selected, provides status information for the selected server. In single server view, the Home screen refreshes automatically every five minutes and when the user switches views to the Home page. In group view, the user must press F5 to populate the Server List and to refresh the page. This is because in a very large group, the process can take several minutes. |
| Recent Activity | Provides a list of the ten most frequently encountered threats and security risks and the ten domains from which spam is most frequently received. The time frame of these reports is controlled by Report Settings. See “Configuring data report settings” on page 75. |
| Total Violations Chart | A pie chart showing the percentages of four categories of violations for the period selected in Report Settings. When a single server is selected, the chart provides the data for that server. When a group is selected, there is a separate chart for each server in the group. Use the arrow buttons below the chart to select a server. The time frame of this display is controlled by the reset functions in Report Settings. See “Configuring data report settings” on page 75. |
| Activity Summary | Provides activity information for the selected group or server. |

Operation Status screen

The Operation Status screen appears when the user clicks Deploy changes/Deploy all or selects the Operation Status item from the Views menu.

Table 3-3 lists the following information on Operation Status requests per asset.

The time frame is controlled by the Reset functions on the Reports Settings page.

See “Resetting Auto-Protect statistics or spam statistics” on page 76.

Table 3-3 Operation Status request per asset information

Item Description

Asset Server or group name

Time Date and time of the action

Status Waiting for response, Response received, or Completed

Result Succeeded or Failed

Error If failed, this column provides a description of the error message

Table 3-4 lists the following information on requests per setting.

Table 3-4 Operation Status request per setting information

| Item | Description |
|---|---|
| Setting | Location of the change, for example, page or screen |
| Result | Succeeded or Failed |
| Error | If failed, this column provides a description of the error message |

Securing your network

The following settings in Symantec Mail Security help ensure the best security for your network:

■ Protecting against denial-of-service attacks

■ Protecting against viruses

You can also control scanning speed and performance by setting the number of VSAPI scanning threads and the number of scan processes.

See “Setting scanning threads and number of scan processes” on page 70.

Protecting against denial-of-service attacks

Denial-of-service attacks are associated with overly large container files that take a long time to decompose and with files that contain multiple compressed files. To protect your network from denial-of-service attacks, configure Symantec Mail Security to limit processing of large files by setting a maximum scan time and depth.

The scan time setting fixes the maximum amount of time that Symantec Mail Security scans a file. By default, the setting is 300 seconds. (You can choose to change this default to a value between 10 and 500,000 seconds.) You can adjust this setting upward, but in most cases, the default settings are sufficient.

If the maximum scan time is reached for an item, the item is treated according to the settings of the Unscannable File Rule.

The scan depth refers to the number of levels within an archive for which Symantec Mail Security completes a scan. The default value is 10 levels. If a file contains over 10 levels of archiving, the file is categorized as unscannable, and an unscannable file rule violation is triggered.

See “Configuring Scanning Limits Policies” on page 123.
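The maximum scan time and scan depth limits described under “Protecting against denial-of-service attacks”, worked as an added Python example (not Symantec code): a scanner walks nested Zip archives and reports the item as unscannable once either limit is exceeded. The function names, result tuples and injectable clock are assumptions made for illustration; the defaults of 300 seconds and 10 levels come from the text.

```python
import io
import time
import zipfile

MAX_SCAN_SECONDS = 300   # default maximum scan time given in the guide
MAX_SCAN_DEPTH = 10      # default maximum archive depth given in the guide


class Unscannable(Exception):
    """A scanning limit was exceeded; the caller applies its unscannable-file policy."""


def build_nested_zip(levels, payload=b"constructed sample payload"):
    """Constructed test input: wrap payload in `levels` layers of Zip."""
    data = payload
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{level}.bin", data)
        data = buf.getvalue()
    return data


def scan_attachment(data, max_depth=MAX_SCAN_DEPTH,
                    max_seconds=MAX_SCAN_SECONDS, clock=time.monotonic):
    """Return ("scanned", leaf_count) or ("unscannable", reason)."""
    deadline = clock() + max_seconds
    leaves = 0

    def check_time():
        if clock() > deadline:
            raise Unscannable("maximum scan time reached")

    def walk(blob, depth):
        nonlocal leaves
        check_time()
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            leaves += 1   # a real scanner would run its detection engine here
            return
        # depth counts the archive layers already opened above this one
        if depth + 1 > max_depth:
            raise Unscannable(f"more than {max_depth} levels of archiving")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = bytearray()
                with zf.open(info) as fh:
                    while True:
                        check_time()   # enforce the budget during decompression too
                        chunk = fh.read(64 * 1024)
                        if not chunk:
                            break
                        member += chunk
                walk(bytes(member), depth + 1)

    try:
        walk(data, 0)
    except Unscannable as exc:
        return ("unscannable", str(exc))
    except zipfile.BadZipFile:
        return ("unscannable", "corrupt archive")
    return ("scanned", leaves)


if __name__ == "__main__":
    print(scan_attachment(build_nested_zip(10)))
    print(scan_attachment(build_nested_zip(11)))
```

Checking the deadline inside the read loop matters because a single highly compressed member can consume the whole time budget before the next member is reached.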

Protecting against viruses

Symantec Mail Security scans message bodies and attachments that are sent to mailboxes and public folders on Exchange Servers, including files in compressed and encoded formats, such as MIME and Zip.

You can protect against viruses by doing the following:

■ Configuring Bloodhound heuristics technology

■ Configuring the Basic Virus Rule

■ Configuring the Unrepairable Virus Rule

You can also create rules to protect against security risks, such as adware and spyware.

See “Configuring the Security Risk Rule” on page 69.

Configuring Bloodhound heuristics technology

The standard method of detecting a virus is to scan a file and match it against existing virus definitions. For known viruses, this methodology works well. However, the standard method cannot detect unknown viruses for which definitions do not exist.

To detect unknown viruses, Symantec Mail Security uses Bloodhound heuristics technology. Heuristic methods of virus detection are designed to detect viruses for which no known definitions exist, by matching file behaviors against the behaviors that are usually exhibited by infected files.

Symantec Mail Security lets you customize your level of protection against unknown viruses. If you select a high level of protection, Symantec Mail Security alerts you to executable files that exhibit the behaviors of infected files. This increases protection of your Exchange system; however, system performance may be affected, and there is an increased likelihood of false positives. At lower levels of protection, the possibility that an unknown virus may escape detection increases, but the trade-off for system performance decreases.

Symantec Bloodhound heuristics technology copies a suspicious executable file into its own virtual computer. It then runs the file, probing for and assessing suspicious behavior, such as whether the file has replicated itself a number of times in a specified period of time. Because the problem file runs within a separate virtual computer that replicates the operating system environment, the potentially infected file cannot harm other files on the computer. Based on occurrences of suspect behaviors, the heuristic scanner assigns a score to the problem file, which indicates the probability of infection.


To configure Bloodhound scanning options

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antivirus, click Antivirus Settings.

3 In the content area, under General Settings, in the Bloodhound detection box, select a level of protection:

■ Off

■ Low

■ Medium

■ High

The higher the level is set, the greater the risk of false positives.

The Auto-Protect feature detects viruses in real-time as email messages are routed through the Exchange Server.

Configuring the Basic Virus Rule

The Basic Virus Rule detects viruses that do not have special concealment features.

Table 3-5 describes the variables that you can use in alert and notification messages.

Table 3-5 Replacement variables for alerts and notifications

| Use | Variable | Description |
|---|---|---|
| Multiple notifications | %n% | Starts a new line in the notification message |
| | %server% | Autofills with the name of the server on which a violation was discovered |
| Rule violation notifications | %action% | Autofills with the description of the action taken in response to a rule violation |
| | %attachment% | Autofills with the name of the attachment in which a rule violation has been found |
| | %datetime% | Autofills with the date and time of a violation |
| | %information% | Autofills with any general information available about the violation |
| | %location% | Autofills with the name of the location at which a violation was discovered, for example, inbox, outbox, public folder |
| | %policy% | Autofills with the name of the policy of which the violated rule is a part |
| | %recipient% | Autofills with the name of the intended recipient of a message in which a violation was discovered |
| | %rule% | Autofills with the name of the rule that was violated |
| | %scan% | Autofills with the name of the scan that discovered a violation |
| | %sender% | Autofills with the name of the sender of a message in which a violation was discovered |
| | %subject% | Autofills with the contents of the subject line |
| | %violation% | Autofills with the name of the violation detected |
| Outbreaks | %count% | Autofills with the number of messages that violate the outbreak trigger |
| | %threshold% | Autofills with the threshold level of an identified outbreak trigger |
| | %trigger% | Autofills with the name of the outbreak trigger that detected an outbreak |
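An added example (not part of the product or the guide) of how the Table 3-5 variables could be expanded in a notification template. The render_notification function and the sample values are hypothetical; because %subject%, %sender% and %attachment% are taken from the message that triggered the rule, the example strips control characters from substituted values and expands the template in a single pass.

```python
import re

# Variable names from Table 3-5 (%n% is handled separately as a line break).
KNOWN_VARIABLES = {
    "server", "action", "attachment", "datetime", "information", "location",
    "policy", "recipient", "rule", "scan", "sender", "subject", "violation",
    "count", "threshold", "trigger",
}

TOKEN = re.compile(r"%([A-Za-z]+)%")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]+")


def render_notification(template, values, single_line=False):
    """Expand %variable% tokens in one pass.

    single_line=True is for header fields such as the subject line,
    where %n% must not produce a line break.
    """
    def substitute(match):
        name = match.group(1).lower()
        if name == "n":
            return " " if single_line else "\r\n"
        if name not in KNOWN_VARIABLES:
            return match.group(0)   # leave unknown tokens visible to the author
        # Sender, subject and attachment name come from the offending
        # message, so collapse CR/LF and other control characters before
        # the value reaches a mail header or a log line.
        return CONTROL_CHARS.sub(" ", str(values.get(name, "")))

    # re.sub does not rescan replacement text, so a subject that itself
    # contains "%server%" is inserted literally rather than expanded.
    return TOKEN.sub(substitute, template)


# Constructed sample values, not taken from a real event.
SAMPLE_EVENT = {
    "server": "EXCH01",
    "violation": "EICAR Test String",
    "attachment": "invoice.zip",
    "subject": "Hi\r\nBcc: x@example.net %server%",
}

if __name__ == "__main__":
    body = "Violation on %server%: %violation%%n%Attachment: %attachment%"
    print(render_notification(body, SAMPLE_EVENT))
    print(render_notification("Alert: %subject%", SAMPLE_EVENT, single_line=True))
```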


To configure the Basic Virus Rule

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antivirus, click Antivirus Settings.

3 In the content area, at the top, ensure that Enable virus scanning is checked unless you do not want virus scanning to occur.

Unchecking this option leaves your system unprotected from viruses.

4 Under Rules, select the Basic Virus Rule line.

The Basic Virus Rule is always enabled.

5 Under Basic Virus Rule, in the Action to take box, accept the default or select a different response from the menu:

■ Repair message part

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

■ Log only

6 In the Replacement text box, accept the default or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

7 Optionally, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

8 If you selected notification options, click the button next to the selected option or options and do all of the following:

■ In the Subject line box, accept the default text or type new text.

■ In the Message body box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

9 Click Deploy changes/Deploy all or proceed to your next configuration task.


Configuring the Unrepairable Virus Rule

Some infected files cannot be repaired. When Symantec Mail Security encounters an unrepairable file, it can delete the message, delete the message body or attachment, quarantine the message body or attachment, or log the message.

To configure the Unrepairable Virus Rule

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antivirus, click Antivirus Settings.

3 Under Rules, select the Unrepairable Virus Rule line.

The Unrepairable Virus Rule is always enabled.

4 Under Unrepairable File Rule, in the Action to take box, accept the default or select a different response from the menu:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

■ Log only

5 In the Replacement text box, accept the default or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

6 Optionally, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

7 If you selected an option, click the button next to the selected option or options and do all of the following:

■ In the Subject line box, accept the default text or type new text.

■ In the Message body box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

8 Click Deploy changes/Deploy all or proceed to your next configuration task.


Configuring the Security Risk Rule

Security risks include adware, spyware, jokes, hack tools, remote access, trackware, and dialers. Symantec Mail Security can detect security risks and dispose of them in several ways.

To configure the Security Risk Rule

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antivirus, click Antivirus Settings.

3 In the content area, under Rules, click Security Risk Rule.

4 To enable or disable the rule, in the Enabled column, click the entry and select Enabled or Disabled from the menu.

5 In the Action to take box, accept the default or select a response from the menu:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

■ Log Only

6 In the Replacement text box, accept the default or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

7 Optionally, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

8 If you selected notification options, click the button next to the selected option or options and do all of the following:

■ In the Subject line box, accept the default text or type new text.

■ In the Message body box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

9 Click Deploy changes/Deploy all or proceed to your next configuration task.


Setting scanning threads and number of scan processes

To control scanning speed and performance, Symantec Mail Security lets you set the number of VSAPI scanning threads and the number of scan processes. The default is configured using the following formula: (number of processors) x 2 + 1. You should accept the default, unless you have a compelling reason to do otherwise.

Note: Administrators with servers using Intel Xeon processors will need to set this value using the formula based on the number of physical processors, not the number reported by the OS.

To set scanning threads and number of scan processes

1 On the primary navigation bar, click Admin.

2 On the sidebar, under Views, click System Settings.

3 In the Number of VSAPI Scanning Threads box, accept the default (3) or type the number of threads to use for VSAPI scanning.

4 In the Number of Scan Processes box, accept the default or type the number of scan processes.

The default is configured during installation using the formula 2 times the number of processors plus 1.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Configuring notifications and alerts

When you configure notifications and alerts, you specify the administrators, users, and computers that receive email notifications when a rule violation occurs, when an outbreak trigger is activated, or when a critical service failure occurs.

Note: Email notifications are sent only to names and addresses that can be resolved against Active Directory objects.

When you set up a scan, you specify the actual text of the messages and alerts that go to those administrators, users, and computers when a rule is violated.

Symantec Mail Security provides a mechanism for issuing alerts to administrators through Symantec Enterprise Security Architecture (SESA).


You should restrict the issuing of alerts to a small list of interested administrators to avoid unnecessary interruptions.

If you have installed Symantec Enterprise Security Architecture (SESA), you can enable SESA alerts. Although SESA is not part of Symantec Mail Security, it allows security information, such as virus detection and content enforcement violations, to be logged and analyzed across an entire organization. Selecting Enable SESA Logging enables the reporting of security events to the SESA Manager, where the events are sent to the SESA DataStore.

When Enable SESA Logging is selected, you specify the IP address of the SESA server, which sends events to a designated SESA Manager computer.

To configure notifications and alerts

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Notification/Alerts Settings.

3 In the content area, under Email notifications, do all of the following:

■ Under Address of sender to use in email notification, type the email address of the sender that you want to use for email notifications.

■ Under Administrators or others to notify, type the email addresses of administrators and users to notify.

Separate each entry by commas. If you are including an email address that is not within your domain, type the fully qualified email address (for example, [email protected]).

4 If desired, under SESA alerts, check Enable Logging and Alerting to SESA server.

If you enable this setting, type the IP address for the SESA server.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Keeping your protection updated automatically

LiveUpdate automatically updates definitions from the Symantec Web site. By default, LiveUpdate is enabled with a recommended schedule. However, you can reconfigure LiveUpdate.

In a multiserver installation, each managed server in a selected group runs LiveUpdate at the scheduled date and time.

See “How Symantec Mail Security detects and prevents viruses” on page 143.

See “Updating virus definitions for multiple servers” on page 147.


You can run Rapid Release definition updates instead of or in addition to LiveUpdate updates.

If you have Symantec AntiVirus Corporate Edition installed, you must disable LiveUpdate/Rapid Release and allow Symantec AntiVirus to update definitions.

Quarantining message bodies and attachments

Symantec Mail Security lets you quarantine problem message bodies and attachments by sending them to a quarantine directory on the local server. Quarantined message parts are those that are either unscannable or unrepairable due to viruses. Filtering rules can also quarantine message parts due to content.

Symantec Mail Security also lets you forward quarantined files to the Quarantine Server if one has been set up on your network. Quarantine Server, a component of Central Quarantine, is included with Symantec Mail Security and is installed separately. Files that are unscannable are not forwarded to the Quarantine server. They remain in the local quarantine. By forwarding the quarantined files to the Quarantine Server, you can take advantage of its features, which allow the sending of the problem files to Symantec for analysis and subsequent issuing of new virus definitions.

You can configure the Quarantine settings to do the following:

■ Forward quarantined files to the Quarantine Server.

■ Delete local quarantined items after forwarding them to the Quarantine Server.

■ Set the Quarantine thresholds.

■ Specify an action to take when a Quarantine threshold is met.

■ Add notification text to the email message that is sent when a Quarantine threshold is met.

To forward quarantined files to the Quarantine Server

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Quarantine Settings.

3 In the content area, under Quarantine Server, check Send quarantined items to Quarantine Server.

4 If desired, check Delete local quarantined items after forwarding to Quarantine Server.

5 In the Server Address box, type the IP address of the Quarantine server.


6 In the Server Port box, type the port number for the Quarantine server.

7 Select which network protocol to use.

8 Click Deploy changes/Deploy all or proceed to your next configuration task.

To set thresholds for the local Quarantine

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Quarantine Settings.

3 In the content area, under Quarantine Thresholds, to limit the number of quarantined items, check Maximum number of items, and accept the default (1000) or type a number in the box.

4 To limit the maximum size of the Quarantine, check Maximum size of quarantine, accept the default (500 MB) or type a number in the box, and accept the default or select MB or GB from the list.

5 To limit how long an item may be quarantined, check Retain items in quarantine, and accept the default (90 days) or type the number of days in the box.

6 Click Deploy changes/Deploy all or proceed to your next configuration task.

To specify an action to take when a Quarantine threshold is met

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Quarantine Settings.

3 In the content area, under When a threshold is met, check Notify Administrator to send notification messages to an administrator list.

4 Check Notify others to send notification messages to a list.

5 Check Delete oldest items to remove items that have reached a specified quarantine threshold from the server.

If Delete oldest items is not checked and a Quarantine size threshold is reached, the event is logged and a notification is sent to the recipients that are specified in the Quarantine Settings page.

6 Click Deploy changes/Deploy all or proceed to your next configuration task.

To add notification text to the email message that is sent when a Quarantine threshold is met

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Quarantine Settings.

3 In the content area, under Administrator Notification, in the Subject Line box, accept the default text or type your own subject line text.


4 In the Message Body box, use the default text or type a message to send to an administrator list.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

To view quarantine results

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Quarantine.

This option is not available in group view.

3 To view detailed data for a quarantine on the upper pane, click the server’s entry.

You must also press F5 to refresh the display with the latest events.

Releasing messages from quarantine by mail

You can send quarantined files to specified destinations by email. If a message contains a virus that was not repaired, and Auto-Protect is enabled, it will detect the infected message and quarantine it again. Content filtering will not detect messages released from quarantine.

To release messages from quarantine by email

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Quarantine.

This option is not available in group view.

3 In the upper pane, select the file or files you want to release.

4 On the sidebar, under Tasks, click Release by mail.

5 On the Releasing by mail window, ensure that at least one of the checkboxes is checked. The default is Send to original recipient(s). Options are as follows:

■ Check Send to administrators to send the selected file(s) to the administrator(s) whose address(es) appear in the middle box.

■ Check Send to the following to send the selected file(s) to the address(es) that appear in the lower box.

6 Click OK to send the files.


Releasing messages from quarantine to file

You can move quarantined messages to a folder for review or analysis. The folder is in the following location:

program files\symantec\smsmse\5.0\server\Quarantine\Release

To release messages from quarantine to file

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Quarantine.

This option is not available in group view.

3 In the upper pane, select the file or files you want to release.

4 On the sidebar, under Tasks, click Release to file (Save).

5 On the dialog, click Yes to release or No to cancel the release.

Configuring data report settings

Symantec Mail Security stores various types of data on virus scanning, virus definitions, viruses detected, and virus-related events on a system. In addition, Symantec Mail Security generates data about violations for the different rules. You have the option of creating and saving custom reports that include subsets of this data.

You can configure Symantec Mail Security to retain this data for different periods of time. You can also manually clear all report data on an as-needed basis, if the amount of report data saved is too large or if it is no longer needed.

Symantec Mail Security lets you save report data in a comma-delimited value (.csv) format for use with external applications and reporting tools.

See “Working with report data” on page 159.

To configure data report settings

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Settings.

3 In the content area, select one of the following:

| Option | Description |
|---|---|
| Store all data | Keeps all data indefinitely. |
| Store no data | Retains no data; reports cannot be run. |
| Store data for __ months | The data is cleared after the specified time period. If you choose to retain the data for a specified time period, accept the default (12 months) or type the number of months of data to store. |

Only summary spam data is stored unless the Include Spam Data checkbox is checked.

4 Optionally, check Include Spam Data.

Checking this box causes all spam-related events to be stored. This increases the time required to generate reports and affects system performance. If used, it should be for a short term (for example, a few weeks) to evaluate spam-related issues.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Resetting Auto-Protect statistics or spam statistics

Resetting Auto-Protect statistics or spam statistics restarts the Activity Summary reports on the Home screen.

To reset Auto-Protect and/or Spam statistics

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Settings.

3 Under Tasks, click Reset Auto-Protect statistics, Reset spam statistics, or Reset database statistics.

4 Click Reset all statistics to reset all three simultaneously.

Configuring content enforcement

Symantec Mail Security lets you filter messages for inappropriate content by doing the following:

■ Blocking by attachment file names and types

■ Configuring content filtering rules

■ Determining inbound/outbound settings

■ Configuring file filtering rules

Blocking by attachment file names and types

Symantec Mail Security can be configured to match words and phrases that are in a matchlist against the names of files. Names of both noncontainer files (individual files without embedded files, which may be embedded within a container file) and container files (files with embedded files) are examined.

See “Working with matchlist settings” on page 135.

If a match is found, the prohibited file is blocked. If the prohibited file is within a container file, the entire container file is blocked.

For example, if an incoming Zip file named sample.zip contains three executable files (a.exe, b.doc, and c.bat), sample.zip would be blocked if any of the following occurs:

■ Matchlist contains one of the literal strings, sample.zip, a.exe, b.doc, or c.bat

■ Matchlist contains one of the DOS wildcard expressions, *.zip, *.exe, *.doc, or *.bat

■ Matchlist contains one of the regular expressions, sample\.\w{3}, a\.\w{3}, b\.\w{3}, or c\.\w{3}
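The sample.zip case above as an added Python sketch (not Symantec's code): it walks a Zip container, including nested Zips, which goes beyond the single-level case in the text, and returns the first file name that hits a matchlist entry. Case-insensitive comparison, whole-name matching, the depth limit, and all function names are assumptions made for the illustration.

```python
import fnmatch
import io
import re
import zipfile


def name_matches(name, match_type, pattern):
    """Return True if one file name matches one matchlist entry."""
    if match_type == "literal":
        return name.lower() == pattern.lower()      # assumption: case-insensitive
    if match_type == "wildcard":                     # DOS-style * and ?
        return fnmatch.fnmatchcase(name.lower(), pattern.lower())
    if match_type == "regex":                        # assumption: whole name must match
        return re.fullmatch(pattern, name, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type}")


def iter_names(filename, data, depth=0, max_depth=5):
    """Yield a file's own name, then the names of any files embedded in it."""
    yield filename
    # Stop descending at max_depth so a deeply nested archive cannot recurse forever.
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]  # compare the file name, not its path
            yield from iter_names(base, zf.read(info), depth + 1, max_depth)


def blocked_by(filename, data, matchlist):
    """Return (matching_name, entry) for the first hit, else None.

    A hit on any embedded name blocks the whole top-level file.
    """
    for name in iter_names(filename, data):
        for entry in matchlist:
            if name_matches(name, *entry):
                return name, entry
    return None


def build_zip(members):
    """Build an in-memory Zip from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample matching the guide's example: sample.zip with three files.
SAMPLE_ZIP = build_zip({
    "a.exe": b"constructed placeholder content for a.exe",
    "b.doc": b"constructed placeholder content for b.doc",
    "c.bat": b"constructed placeholder content for c.bat",
})

if __name__ == "__main__":
    for entry in [("literal", "c.bat"), ("wildcard", "*.doc"),
                  ("regex", r"sample\.\w{3}"), ("wildcard", "*.scr")]:
        print(entry, "->", blocked_by("sample.zip", SAMPLE_ZIP, [entry]))
```
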

Configuring content filtering rules

Table 3-6 describes the content enforcement rules that are provided by default. You can edit these rules or create new rules.

Table 3-6 Default content enforcement rules

Rule Description

Allow-Only Attachment Rule

Detects and filters files with attachment types that are not on a list of permitted attachment types

Blank Subject and Sender Rule

Detects and filters messages with blank subject line and blank sender line

Quarantine Triggered Attachment Names Rule

Detects and filters files if attachment name matches a list of outbreak-triggered attachment names

Quarantine Triggered Subjects Rule

Detects and filters messages whose subject matches a list of outbreak-triggered subjects

Sample Antispam Rule

Detects and filters messages whose subject line and message body are on the related matchlists

Sample Executable File Rule

Detects and filters executable files based on Sample Attachment Name matchlist

To enable or disable content filtering rules

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Content Filtering Rules.

3 In the content area, click the Enabled column of the rule that you want to enable or disable and select Enabled or Disabled from the menu.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Editing content filtering rules

You can edit content filtering rules to suit the needs of your network.

To access the rule to edit

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Content Filtering Rules.

3 In the content area, click the rule that you want to edit.

4 On the sidebar, under Tasks, click Edit rule.

5 Optionally, in the Description box, edit the description of the rule.

To modify the rule applications

1 In the Message part to scan box, accept the default or select the message part to filter:

■ Message Body

■ Subject

■ Sender

■ Attachment Name

■ Attachment Content

2 Under Apply rule to, check one or more of the following:

■ Inbound

■ Outbound

■ Internal

At least one of these boxes must be checked.

3 Under Rule Content, in the Match type box, select one of the following:

■ Literal string

■ Regular expression

■ Wild cards

4 Under Options, check one or more of the following:

■ Whole term

This option is not available when Regular expression is selected.

■ Case

This option is not available for sender and attachment name rules.

5 Under Content, accept the default in the menu box or select one of the following from the menu:

■ Equals

■ Does Not Equal

■ Contains

■ Does Not Contain

6 Under Content, select one of the following:

Match any term Activates the rule if any term in the text box or on the matchlist is found.

Match all terms Activates the rule only if all the terms in the text box or on the matchlist are found.

7 Under Content, do one of the following:

■ In the large box, type words or phrases to be filtered. Press Enter to separate each entry.

■ Click Add match list and select a matchlist from the menu.

See “Working with matchlist settings” on page 135.

8 Optionally, check Attachment size is and do all of the following:

■ In the first box, select > (greater than), or < (less than), or = (equals).

■ In the second box, type the numerical value of the attachment size.

■ In the third box, select BYTES, KB, or MB.

To define exceptions to the defined rule

1 Optionally, under Unless, accept the default in the menu box or select one of the following from the menu:

■ Equals

■ Does Not Equal

■ Contains

■ Does Not Contain

2 Optionally, under Unless, do one of the following:

■ Type words or phrases that will override the filtering of the entries in the Content to match box. Press Enter to separate each entry.

■ Click Add match list and select a matchlist from the menu.

See “Working with matchlist settings” on page 135.

3 Optionally, check Or attachment size is and do all of the following:

■ In the first box, select > (greater than), or < (less than), or = (equals).

■ In the second box, type the numerical value of the attachment size.

■ In the third box, select BYTES, KB, or MB.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

To edit users and groups

1 Click the Users tab.

2 Optionally, under Sender/recipient selection, click Sender.

3 If Sender is clicked, click one of the following:

■ Apply if the sender of the message is in the list

■ Apply if the sender of the message is NOT in the list

4 Optionally, under Sender/recipient selection, click Recipient.

5 If Recipient is clicked, click one of the following:

■ Apply if ANY of the recipients of the message are in the list

■ Apply if ANY of the recipients of the message are NOT in the list

■ Apply if ALL of the recipients of the message are in the list

■ Apply if ALL of the recipients of the message are NOT in the list

6 In the Users box, type the addresses of the users that you want to include or exclude, depending on your selection in steps 3 and 5.

Type one address per line.

7 Optionally, click Add Match List and select a matchlist to insert. You can only insert one matchlist.

You can combine a matchlist with typed addresses.

See “Working with matchlist settings” on page 135.

8 To select groups to enter in the Groups box, click Add.

9 In the Available groups box, click a selection and click the >> button.

10 To deselect a group in the Selected groups box, click a selection and click the << button.

11 Click OK.

12 To delete a group from the Groups box, click it, and then click Remove.

There must be at least one valid entry in the Users or Groups box. If both boxes are empty, the rule will have no effect.

13 Click Deploy changes/Deploy all or proceed to your next configuration task.

To edit notifications

1 Click the Notifications tab.

2 Under Email Notification, optionally, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

3 If you selected notification options, click the button next to the selected option or options and do all of the following:

■ In the Subject line box, accept the default text or type new text.

■ In the Message body box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Creating content filtering rules

You can create content filtering rules to suit your work environment.

To define the rule

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Content Filtering Rules.

3 On the sidebar, under Tasks, click Add new rule.

4 In the Name box, type the name of the new rule.

This is a required entry.

5 In the Description box, type a brief description of the new rule.

This is a required entry.

To define the rule applications

1 In the Message part to scan box, accept the default or select the message part to filter:

■ Message Body

■ Subject

■ Sender

■ Attachment Name

■ Attachment Content

2 Under Apply rule to, check one or more of the following:

■ Inbound

■ Outbound

■ Internal

At least one of these boxes must be checked.

3 Under Rule Content, in the Match type box, select one of the following:

■ Literal string

■ Regular expression

■ Wild cards

4 Under Options, check one or more of the following:

■ Whole term

This option is not available when Regular expression is selected.

■ Case

This option is not available for sender and attachment name rules.

5 Under Content, accept the default in the menu box or select one of the following from the menu:

■ Equals

■ Does Not Equal

■ Contains

■ Does Not Contain

6 Under Content, select one of the following:

Match any term Activates the rule if any term in the text box or on the matchlist is found.

Match all terms Activates the rule only if all the terms in the text box or on the matchlist are found.

7 Under Content, do one of the following:

■ In the large box, type words or phrases to be filtered. Press Enter to separate each entry.

■ Click Add match list and select a matchlist from the menu.

See “Working with matchlist settings” on page 135.

8 Optionally, check Attachment size is and do all of the following:

■ In the first box, select > (greater than), or < (less than), or = (equals).

■ In the second box, type the numerical value of the attachment size.

■ In the third box, select BYTES, KB, or MB.

To define exceptions to the defined rule

1 Optionally, under Unless, accept the default in the menu box or select one of the following from the menu:

■ Equals

■ Does Not Equal

■ Contains

■ Does Not Contain

2 Optionally, under Unless, do one of the following:

■ Type words or phrases that will override the filtering of the entries in the Content to match box. Press Enter to separate each entry.

■ Click Add match list and select a matchlist from the menu.

See “Working with matchlist settings” on page 135.

3 Optionally, check Or attachment size is and do all of the following:

■ In the first box, select > (greater than), or < (less than), or = (equals).

■ In the second box, type the numerical value of the attachment size.

■ In the third box, select BYTES, KB, or MB.

To configure rule actions

1 Optionally, under Rule Action, in the When a violation occurs box, select a disposition of files that violate the rule:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

■ Add tag to beginning of subject line

■ Save to folder

■ Log only

2 In the Replacement text box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

3 Click OK.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

To configure users and groups

1 Click the Users tab.

2 Optionally, under Sender/recipient selection, click Sender.

3 If Sender is clicked, click one of the following:

■ Apply if the sender of the message is in the list

■ Apply if the sender of the message is NOT in the list

4 Optionally, under Sender/recipient selection, click Recipient.

5 If Recipient is clicked, click one of the following:

■ Apply if ANY of the recipients of the message are in the list

■ Apply if ANY of the recipients of the message are NOT in the list

■ Apply if ALL of the recipients of the message are in the list

■ Apply if ALL of the recipients of the message are NOT in the list

6 In the Users box, type the addresses of the users that you want to include or exclude, depending on your selection in steps 3 and 5.

Type one address per line.

7 Optionally, click Add Match List and select a matchlist to insert.

You can only insert one matchlist. You can combine a matchlist with typed addresses.

See “Working with matchlist settings” on page 135.

8 To select groups to enter in the Groups box, click Add.

9 In the Available groups box, click a selection and then click the >> button.

10 To deselect a group in the Selected groups box, click its entry and then click the << button.

There must be at least one valid entry in the Users or Groups box. If both boxes are empty, the rule will have no effect.

11 Click OK.

12 Click Deploy changes/Deploy all or proceed to your next configuration task.

To configure notifications

1 Click the Notifications tab.

2 Under Email Notification, optionally, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

3 If you selected notification options, click the button next to the selected option or options and do all of the following:

■ In the Subject line box, accept the default text or type new text.

■ In the Message body box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Deleting content filtering rules

You can delete content filtering rules when they are no longer needed.

To delete a content filtering rule

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Content Filtering Rules.

3 In the content area, in the upper pane, click the rule that you want to delete.

4 On the sidebar, under Tasks, click Delete rule.

5 Click OK.

6 Click Deploy changes/Deploy all or proceed to your next configuration task.

Prioritizing content filtering rules

The content filtering rules operate by priority. If two rules conflict, the rule with the higher priority supersedes the rule with the lower priority.

To prioritize content filtering rules

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Content Filtering Rules.

3 On the sidebar, under Tasks, click Prioritize rules.

More than one rule must be enabled to prioritize.

4 In the Order in which the filtering rules should be applied box, click a rule name to select it.

5 Click Move up or Move down until the rule is in the desired position.

6 Repeat steps 4 and 5 as desired, and then click OK.

The rules do not change positions on the main list. To view the rules in priority order, repeat steps 1 - 3.

Determining inbound/outbound settings

By default, Inbound SMTP rules apply to messages that have at least one recipient who has a mailbox in the local store. Outbound SMTP rules apply to messages that have at least one recipient that does not have a mailbox in the local store.

This behavior can be modified by specifying domains that are to be considered local. By adding a domain to the domain list, emails with recipients for that domain are considered local even if they do not have a mailbox locally.

Note: A single message can be considered both inbound and outbound. In this case, both inbound and outbound rules are applied to the message.

To configure inbound and outbound settings

1 On the primary navigation bar, click Admin.

2 On the sidebar, under Views, click System Settings.

3 In the content area, under System Settings, check Use list to determine inbound/outbound.

4 In the List of internal domains box, type the domain or domains to use to determine if email messages are inbound or outbound.

If you type multiple domains, separate the values with commas.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.
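The inbound/outbound decision described above, as an added Python model (not Symantec's code): it shows one message being classified as both directions, and how the comma-separated internal domain list changes which rules apply. The addresses, rule names, and function names are constructed for the illustration, and treating the domain list as an addition to the local-mailbox check is an assumption drawn from the description above.

```python
def parse_domain_list(text):
    """Parse the comma-separated value typed into the List of internal domains box."""
    return {d.strip().lower() for d in text.split(",") if d.strip()}


def directions(recipients, local_mailboxes, internal_domains=frozenset(), use_list=False):
    """Return the set of directions ("inbound", "outbound") that apply to a message.

    A recipient is local if it has a mailbox in the local store or, when the
    list option is enabled, if its domain is on the internal domain list.
    """
    local = {m.lower() for m in local_mailboxes}
    result = set()
    for rcpt in recipients:
        addr = rcpt.strip().lower()
        domain = addr.rpartition("@")[2]
        is_local = addr in local or (use_list and domain in internal_domains)
        result.add("inbound" if is_local else "outbound")
    return result


def applicable_rules(rules, message_directions):
    """Keep the rules whose Apply rule to selection includes a direction of the message."""
    return [name for name, apply_to in rules if apply_to & message_directions]


# Constructed sample data.
LOCAL_MAILBOXES = {"alice@corp.example"}
RULES = [
    ("Block executables", {"inbound"}),          # hypothetical rule names
    ("Outbound keyword filter", {"outbound"}),
]

if __name__ == "__main__":
    rcpts = ["alice@corp.example", "bob@partner.example"]
    default = directions(rcpts, LOCAL_MAILBOXES)
    print(sorted(default), applicable_rules(RULES, default))
    listed = directions(rcpts, LOCAL_MAILBOXES,
                        parse_domain_list("corp.example, partner.example"), use_list=True)
    print(sorted(listed), applicable_rules(RULES, listed))
```
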

Configuring file filtering rules

The following file filtering rules are provided by default.

File Name Rule Compares attachment file names to a Match List. If the attachment is a container the subsequent files will also be compared to the Match List.

Executable File Rule Detects and filters messages containing executables (that is, *.exe) in the message body or attachment.

See “File types recognized by the Executable and Multimedia File Rules” on page 206.

Multimedia File Rule Detects and filters messages containing multimedia (for example, *.mpg, *.wav) in the message body or attachment.

See “File types recognized by the Executable and Multimedia File Rules” on page 206.

Enabling or disabling file filtering rules

You can enable or disable file filtering rules.

To enable or disable file filtering rules

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click File Filtering Rules.

3 In the content area, in the upper pane, click the Enabled column of the rule that you want to enable or disable and select Enabled or Disabled from the menu.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Configuring responses to file filtering rule violations

You can configure the responses to violations of any of the file filtering rules.

To configure responses to file filtering rule violations

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click File Filtering Rules.

3 In the content area, in the upper pane, click the rule whose responses you want to edit.

4 In the lower pane, in the Action to take box, accept the default or select an action from the menu:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

■ Log only

5 In the Replacement text box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

6 In the lower pane, optionally, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

7 If you selected notification options, click the button next to the selected option or options and do all of the following:

■ In the Subject line box, accept the default text or type new text.

■ In the Message body box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

8 Click Deploy changes/Deploy all or proceed to your next configuration task.

Editing the File Name Rule

You can edit the File Name Rule.

See “Working with matchlist settings” on page 135.

To edit the File Name Rule

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click File Filtering Rules.

3 In the content area, in the upper pane, click the File Name Rule line.

4 In the lower pane, next to Match list for prohibited file names, click Select.

5 In the Select a match list window, select a matchlist from the left pane.

6 Click OK.

7 Click Deploy changes/Deploy all or proceed to your next configuration task.

Configuring exception settings

Files that are encrypted or unscannable, or that contain encrypted or unscannable attachments, are managed separately from other messages. You can configure the exception settings to delete the entire message, delete the affected attachment or message body, quarantine the affected attachment or message body, or log only.

To configure exception settings

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Exceptions.

3 In the content area, in the upper pane, click one of the following:

■ Unscannable File Rule

■ Encrypted File Rule

4 In the lower pane, in the Action to take box, accept the default or select an action from the menu:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

■ Log only

5 In the Replacement text box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

6 Optionally, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

7 If you selected notification options, click the button next to the selected option or options and do all of the following:

■ In the Subject line box, accept the default text or type new text.

■ In the Message body box, accept the default text or type new text.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

8 Click Deploy changes/Deploy all or proceed to your next configuration task.

Chapter 4: Configuring spam detection

This chapter includes the following topics:

■ Protecting your organization from spam (without Symantec Premium AntiSpam)

■ Protecting your organization from spam (with Symantec Premium AntiSpam)

Protecting your organization from spam (without Symantec Premium AntiSpam)

Symantec Mail Security can protect your organization from spam in the following ways:

■ Block by real-time blacklists (RBLs)

■ Identify suspected spam using the heuristic antispam engine

■ Create spam content filtering rules to identify spam

You can configure Symantec Mail Security to bypass RBL blocking and heuristic spam detection by enabling and configuring sender and recipient whitelists.

See “Blocking spam using real-time blacklists” on page 92.

See “Assigning a spam confidence level (SCL)” on page 92.

See “Bypassing RBL blocking and spam detection for sender and recipient whitelists” on page 98.

Blocking spam using real-time blacklists

One way of preventing spam is to reject connections that come from mail servers known or believed to send spam. To limit potential spam, Symantec Mail Security supports real-time blacklist (RBL) blocking. RBL blocking works by denying mail servers access to your system if those servers have been identified as allowing spam to originate or relay through them. Symantec Mail Security refuses the connection attempt of mail servers that are identified on RBLs that you have configured the product to recognize. You must subscribe to the third-party real-time blacklist providers before configuring Symantec Mail Security to perform RBL blocking.

Note: Symantec does not provide a list of RBL providers.

To block spam using real-time blacklists

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Blacklist and Whitelist.

3 In the box under Real-time Blacklist, type the domains of the RBL providers. Press Enter after each new entry.

RBL providers are queried in the order in which you list them. The first RBL provider to return a match during an SMTP connection results in the message being rejected, and no other RBL providers are queried.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Assigning a spam confidence level (SCL)

The heuristic antispam engine is not activated by default. When activated, the engine analyzes incoming email messages, looking for key characteristics of spam. It weighs its findings against characteristics of legitimate email messages to determine a confidence level (that the message is, in fact, spam). The confidence level is used to determine actions to take for accepted messages and whether to reject or log messages.

The Symantec heuristic antispam filter engine assigns a spam confidence level (SCL) to each message. The SCL is a normalized value that indicates the likelihood that the message is spam, based on the message’s characteristics (such as the content and message header). Once the SCL is set, the heuristic antispam engine takes the specified action on any message with an SCL that exceeds the set value for that action, that is, reject it, save it to a folder, send it to an alternate recipient, add a subject tag or X-header, or log it.

If you have Microsoft Exchange 2003 installed, you can configure Symantec Mail Security to compare the Symantec SCL to the SCL that is already provided by another mail screening tool. To have Symantec Mail Security compare its SCL to that of another screening tool, the other tool must be configured not to take action based on its SCL. For example, if the other mail-screening tool is Microsoft Intelligent Message Filter (IMF), IMF must be set to “No Action” in order for the SCL comparison to take place.

Once you enable the option to reject messages based on SCL comparison in Symantec Mail Security and you specify an SCL value, if both SCLs are greater than the value specified, the message is rejected. You can specify which SCL to use (the highest SCL, the lowest SCL, the average of the two SCLs, the Symantec SCL, or the existing SCL) when either or both SCLs do not exceed the value. By default, the higher SCL value is used.

Symantec Mail Security handles accepted messages based on how you have configured the product. The following is an example of the criteria that might be met in order for a message to be accepted, logged, and delivered:

■ Heuristic spam detection is enabled.

■ You have checked the Reject message if Symantec SCL and existing SCL are checkbox and have provided >8 as the value.

■ Either the Symantec SCL or the SCL value that is provided by another mail screening tool is not greater than 8.

■ In Symantec Mail Security, you have selected Average SCL to use when neither SCL is greater than the specified value.

■ The average of both SCLs is 8.

■ You have checked the Reject message if SCL is checkbox and have provided >8 as the value.

■ Under Action(s) to take for accepted messages, you have checked only the Log if SCL is checkbox and have provided >7 as the value.

The message would be accepted because the SCL value used for processing (average SCL) is 8, the value used for rejecting messages is >8 (but the average is only 8), and the SCL value used to determine if a message is logged is >7. (The average, 8, is greater than 7.) Because the action selected for accepted messages is Log, the message would be logged and delivered.

See “To configure the heuristic antispam engine settings” on page 94.
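The accept, log, and deliver example above, worked through as an added Python model (not Symantec's code). The field names mirror the Heuristic Detection options in this guide; the unrounded average, the handling of a missing existing SCL, and all identifiers are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HeuristicPolicy:
    """A threshold of None means the corresponding checkbox is unchecked."""
    use: str = "highest"                  # highest | lowest | average | symantec | existing
    reject_if_both_gt: Optional[int] = 8  # Reject message if Symantec SCL and existing SCL are >N
    reject_if_gt: Optional[int] = 8       # Reject message if SCL is >N
    log_if_gt: Optional[int] = None       # Log if SCL is >N (accepted messages)


def effective_scl(symantec: int, existing: Optional[int], use: str) -> float:
    """Pick the SCL used for processing, according to the Use setting."""
    if existing is None:                  # assumption: no other tool supplied an SCL
        return float(symantec)
    choices = {
        "highest": max(symantec, existing),
        "lowest": min(symantec, existing),
        "average": (symantec + existing) / 2,   # assumption: no rounding
        "symantec": symantec,
        "existing": existing,
    }
    if use not in choices:
        raise ValueError(f"unknown Use setting: {use}")
    return float(choices[use])


def evaluate(symantec: int, existing: Optional[int],
             policy: HeuristicPolicy) -> Tuple[str, Optional[float], List[str]]:
    """Return (disposition, SCL used for processing, actions for an accepted message)."""
    both = policy.reject_if_both_gt
    # Comparison reject: both SCLs must exceed the value.
    if both is not None and existing is not None and symantec > both and existing > both:
        return ("reject", None, [])
    scl = effective_scl(symantec, existing, policy.use)
    if policy.reject_if_gt is not None and scl > policy.reject_if_gt:
        return ("reject", scl, [])
    actions = []
    if policy.log_if_gt is not None and scl > policy.log_if_gt:
        actions.append("log")
    return ("accept", scl, actions)


# The guide's scenario: average SCL selected, reject thresholds >8, log threshold >7.
GUIDE_POLICY = HeuristicPolicy(use="average", reject_if_both_gt=8,
                               reject_if_gt=8, log_if_gt=7)

if __name__ == "__main__":
    # Constructed scores: Symantec SCL 9, existing SCL 7, so the average is 8.
    print(evaluate(9, 7, GUIDE_POLICY))       # accepted and logged
    print(evaluate(9, 9, GUIDE_POLICY))       # both exceed 8: rejected
    print(evaluate(9, 7, HeuristicPolicy()))  # default Use (highest) gives 9: rejected
```
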

Understanding Symantec SCL values

There are 11 Symantec SCL values. Microsoft Exchange has a special reserved value of -1. The heuristic antispam engine assigns a value of 0 to messages that are not spam. Messages that are determined to be spam are assigned a value in the range of 1 (extremely low likelihood that the message is spam) to 9 (extremely high likelihood that the message is spam).

Some messages are exceptions to the rule and fall under the N/A category. A message will be put under the N/A category under the following circumstances:

■ The message is an internal Microsoft Exchange message that has already been assigned a special reserved SCL value of -1.

■ The message was whitelisted by Symantec Mail Security on this server.

■ The message was whitelisted by some other entity (either another antispam product or Symantec Mail Security running on a different server).

■ The message was delivered by an authenticated SMTP session, and the DoAntiSpamOnAuthSessionsBool registry key is either missing or set to non-zero.

■ An internal error occurred. This can happen if the SPAM.NET or SPAM.DAT files are missing or corrupt.

Configuring heuristic antispam protection

Symantec Mail Security can be configured to use the heuristic antispam engine to detect spam. At least one of the options must be checked for heuristic spam protection to work.

When Symantec Premium AntiSpam is enabled, heuristic antispam is disabled.

See “Protecting your organization from spam (with Symantec Premium AntiSpam)” on page 99.

To configure the heuristic antispam engine settings

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Heuristic Detection.


3 In the content area, under Heuristic Anti-Spam Settings, check Enable heuristic spam detection.

4 In the Use box, accept the default or select the desired SCL score or combination of scores as follows:

■ Highest SCL

■ Lowest SCL

■ Average SCL

■ Symantec’s SCL

■ Existing SCL

This option is not available on Exchange 2000 installations.

To configure actions to take for rejected messages

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Heuristic Detection.

3 In the content area, under Rejected Messages, to reject messages with a given combined SCL, check Reject message if Symantec’s SCL and existing SCL are and accept the default (>8) or select a value from the menu.

This option is available only for Exchange 2003 users.

4 To reject messages with a given SCL, check Reject message if SCL is and accept the default (>8) or select a value from the menu.

5 To keep a log of rejected messages, check Log rejected messages.

To configure actions to take for accepted messages

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Heuristic Detection.

3 In the content area, ensure that Enable heuristic spam detection is checked.

This option is not available on Exchange 2000 installations.

4 In the content area, under Accepted Messages, to keep the original recipients from receiving messages with a given SCL, check Prevent delivery to original recipient if SCL is and accept the default (>8) or select a value from the menu.

This option is not available on Exchange 2000 installations.

5 To save messages that are diverted from their original recipients to a folder, check Save to folder and type a folder name in the Folder name box or click the browse [...] button beside it and select a folder name from the list.

This option is only available if Prevent delivery to original recipient if SCL is is checked. A folder name is required if this option is selected.


6 To add an X-header to messages sent to a folder, check Add X-header and type the X-header value in the X-header value box.

This option is only available if Save to folder is checked.

7 To deliver messages with a given SCL to a different recipient, do all of the following:

■ Check Deliver to alternative recipient if SCL is and accept the default (>8) or select a value from the menu.

■ Type one or more addresses to which messages that meet the SCL criterion will be delivered in the Alternative recipient(s) box. Press Enter after each new entry.

This option is required if Deliver to alternative recipient if SCL is is checked.

8 To add a tag to the subject line of messages with a given SCL, check Add subject tag if SCL is and accept the default (>8) or select a value from the menu; and accept the default text in the Prepend subject text box or type the text that you want to prepend to the subject line of messages that are suspected of being spam.

9 To add an X-header to messages with a given SCL, check Add X-header, containing SCL value, if SCL is and accept the default (>8) or select a value from the menu.

10 To log messages with a given SCL, check Log if SCL is and accept the default (>8) or select a value from the menu.

11 Click Deploy changes/Deploy all or proceed to your next configuration task.

Understanding how the Store Action Threshold (SAT) works with an SCL value

The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on an email message to determine the destination of the message. (With heuristic detection, Symantec Mail Security internally determines the SCL value of messages. With Symantec Premium AntiSpam, you specify an SCL value.)

Note: Products other than Symantec Mail Security may also set an SCL value on a message.

See “Understanding Symantec SCL values” on page 94.

When the heuristic spam detection feature of Symantec Mail Security is enabled (or when SCL assignment is enabled along with Symantec Premium AntiSpam), Symantec Mail Security stamps messages in Exchange 2003 with an SCL.


Exchange 2003 places stamped messages in the user’s Junk-Email folder when the SCL of the message is greater than the SAT value.

By default, the SAT value is not set, and all messages with an SCL value are moved to the Junk-Email folder. If the SAT value is set and a message has an SCL value that is higher than the SAT value, Exchange puts the message in the Junk-Email folder. If the SCL value is lower than or equal to the SAT value, the message goes into the inbox normally.
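The heuristic settings and the SAT comparison described above can be modeled to preview where a message ends up before changes are deployed. The following Python sketch is an added example, not part of the Symantec guide or the product's code. The fallback to Symantec's SCL when no existing SCL is present, the unrounded average, and the handling of N/A messages are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The options offered in the "Use" box of the Heuristic Detection page.
MODES = ("highest", "lowest", "average", "symantec", "existing")


@dataclass
class HeuristicPolicy:
    mode: str = "average"        # chosen for this demo
    reject_above: int = 8        # "Reject message if SCL is" (default >8)
    log_above: int = 8           # "Log if SCL is" (default >8)
    log_rejected: bool = False   # "Log rejected messages"
    sat: Optional[int] = None    # Store Action Threshold; None means "not set"


def effective_scl(mode: str, symantec_scl: int,
                  existing_scl: Optional[int]) -> Optional[float]:
    """Return the SCL used for processing, or None for the N/A category."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if not 0 <= symantec_scl <= 9:
        raise ValueError("Symantec SCL must be in the range 0-9")
    if existing_scl == -1:
        return None                      # reserved Exchange value: N/A
    if existing_scl is None or mode == "symantec":
        return float(symantec_scl)       # assumption: fallback when nothing else stamped an SCL
    if mode == "existing":
        return float(existing_scl)
    if mode == "highest":
        return float(max(symantec_scl, existing_scl))
    if mode == "lowest":
        return float(min(symantec_scl, existing_scl))
    return (symantec_scl + existing_scl) / 2   # assumption: the average is not rounded


def store_destination(scl: Optional[float], sat: Optional[int]) -> str:
    """Exchange 2003 store decision as the SAT section states it."""
    if scl is None:
        return "Inbox"                   # assumption: nothing stamped, normal delivery
    if sat is None:
        return "Junk-Email"              # SAT not set: every message with an SCL value
    return "Junk-Email" if scl > sat else "Inbox"


def evaluate(policy: HeuristicPolicy, symantec_scl: int,
             existing_scl: Optional[int] = None) -> dict:
    """Apply the reject threshold, then the log threshold, then the SAT."""
    scl = effective_scl(policy.mode, symantec_scl, existing_scl)
    if scl is None:
        return {"scl": None, "rejected": False, "logged": False,
                "destination": store_destination(None, policy.sat)}
    if scl > policy.reject_above:
        return {"scl": scl, "rejected": True, "logged": policy.log_rejected,
                "destination": None}
    return {"scl": scl, "rejected": False, "logged": scl > policy.log_above,
            "destination": store_destination(scl, policy.sat)}


if __name__ == "__main__":
    # Constructed input: Symantec's SCL 9 and an existing SCL of 7 average to 8.
    for sat in (None, 7, 8):
        policy = HeuristicPolicy(mode="average", reject_above=8, log_above=7, sat=sat)
        print(sat, evaluate(policy, symantec_scl=9, existing_scl=7))
```

With the average mode, a reject setting of >8 and a log setting of >7, the constructed pair (9, 7) is accepted and logged; whether it lands in the inbox then depends only on the SAT.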

Viewing the SAT setting

The SAT setting can be viewed in Windows.

To view the current SAT setting

1 Locate the SMSMSE\5.0\Server folder.

2 On the Windows taskbar, click Start > Programs > Accessories > Command Prompt.

3 In the Command Prompt window, type the following:

cd [path to Server folder]

4 Press Enter.

5 In the Command Prompt window, type the following:

SMSMSESAT

The current SAT will appear.

6 Close the Command Prompt window.

Changing the SAT setting

The SAT setting can only be changed manually in Exchange 2003 installations.

To change the SAT setting

1 Locate the SMSMSE\5.0\Server folder.

2 On the Windows taskbar, click Start > Programs > Accessories > Command Prompt.

3 In the Command Prompt window, type the following:

cd [path to Server folder]

4 Press Enter.


5 In the Command Prompt window, type the following:

SMSMSESAT [value for SAT, for example, 8] symantec.com

The domain name is optional.

The value for SAT that you type sets the SAT in Exchange 2003.

6 Press Enter.

Bypassing RBL blocking and spam detection for sender and recipient whitelists

To minimize false positives, you can set up a list of sender domains that will not undergo RBL blocking and spam detection. You can also specify fully qualified email addresses to create a recipient whitelist. Messages that are sent to those addresses are not evaluated by the real-time blacklist or the heuristic antispam engine. If both RBL processing and sender whitelist processing are activated, the whitelist takes precedence, and all addresses that are included in the list are allowed.

To configure a sender whitelist

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Blacklist and Whitelist.

3 In the content area, under Allowed Senders, check Bypass real-time blacklist and spam detection for messages sent from the following.

4 In the Email and domain addresses box, type the domains and email addresses (one per line) for which spam processing will be bypassed.

Domain names must begin with either @ (at symbol) or an asterisk before the at symbol (for example, @mail.com or *@mail.com). You can also type domains (for example, mail.com).

You can use DOS wildcard characters.

Entering a primary domain includes all of its subdomains on the list. For example, @symantec.com includes @mail.symantec.com and @finance.symantec.com.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

To configure an unfiltered recipients list

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Blacklist and Whitelist.

3 In the content area, under Unfiltered Recipients List, check Bypass heuristic and blacklist detection for messages sent to the following.


4 In the Email and domain addresses box, type the fully qualified email addresses (one per line) for which spam processing will be bypassed.

You can list up to 50 email addresses.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.
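Because every whitelisted sender skips both RBL blocking and spam detection, it helps to check what a list actually covers before it is deployed. The following Python sketch is an added example, not part of the Symantec guide or the product's code. It models the entry formats described in the two procedures above (domains, @domain, *@domain, addresses, DOS wildcards, subdomain inclusion, the 50-address limit); case-insensitive matching and the exact matching order are assumptions, and the sample entries are constructed.

```python
import re
from typing import List, Optional, Tuple

MAX_UNFILTERED_RECIPIENTS = 50   # limit stated for the unfiltered recipients list

# Constructed sample list for the demo below.
SAMPLE_ALLOWED = ["@symantec.com", "*@mail.com", "partner.example",
                  "billing@vendor.example", "news*@lists.example"]

# Fully qualified address: no wildcards, one @, a dotted domain.
_ADDRESS = re.compile(r"[^@\s*?]+@[^@\s*?.]+(\.[^@\s*?.]+)+")


def _dos_wildcard(pattern: str) -> "re.Pattern":
    """Compile a DOS-style wildcard: * is any run of characters, ? is one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)   # assumption: case-insensitive


def _parse_entry(entry: str) -> Tuple[Optional[str], str]:
    """Split an entry into (local_pattern, domain_pattern); local None = whole domain."""
    entry = entry.strip()
    if "@" not in entry:
        return None, entry               # bare domain, for example mail.com
    local, domain = entry.rsplit("@", 1)
    if local in ("", "*"):
        return None, domain              # @mail.com or *@mail.com
    return local, domain


def matching_entry(sender: str, allowed: List[str]) -> Optional[str]:
    """Return the first allowed-senders entry that covers sender, or None."""
    local, _, domain = sender.strip().rpartition("@")
    if not local or not domain:
        return None
    labels = domain.split(".")
    # The domain and each parent domain, cut on label boundaries only, so that
    # symantec.com covers mail.symantec.com but not notsymantec.com.
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    for entry in allowed:
        local_pat, domain_pat = _parse_entry(entry)
        if not domain_pat:
            continue
        domain_re = _dos_wildcard(domain_pat)
        if local_pat is None:
            if any(domain_re.fullmatch(s) for s in suffixes):
                return entry
        elif _dos_wildcard(local_pat).fullmatch(local) and domain_re.fullmatch(domain):
            return entry
    return None


def check_unfiltered_recipients(addresses: List[str]) -> List[str]:
    """Return the problems found in an unfiltered recipients list."""
    problems = []
    if len(addresses) > MAX_UNFILTERED_RECIPIENTS:
        problems.append(f"{len(addresses)} entries exceed the limit of "
                        f"{MAX_UNFILTERED_RECIPIENTS}")
    for address in addresses:
        if not _ADDRESS.fullmatch(address.strip()):
            problems.append(f"not a fully qualified address: {address!r}")
    return problems


if __name__ == "__main__":
    # Constructed sender addresses.
    for sender in ("bob@finance.symantec.com", "eve@notsymantec.com",
                   "newsletter@lists.example", "sales@vendor.example"):
        print(f"{sender:28} bypasses via {matching_entry(sender, SAMPLE_ALLOWED)}")
    print(check_unfiltered_recipients(["ceo@example.com", "*@example.com"]))
```

A bare top-level entry such as com matches every sender under it, so short domain entries deserve the closest review.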

Protecting your organization from spam (with Symantec Premium AntiSpam)

Symantec Premium AntiSpam is an optional subscription-based spam solution that is tightly integrated into Symantec Mail Security. Symantec Premium AntiSpam leverages Symantec's antispam infrastructure every 5-10 minutes to deliver the best combination of effectiveness and accuracy in the market today, without requiring manual rule creation or administrative overhead.

In addition to providing real-time blacklisting and sender and recipient whitelisting, Symantec Premium AntiSpam uses the following to identify and handle spam:

Reputation service

Symantec monitors email sources to determine how much of the email that is sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source’s reputation value as determined by Symantec.

Symantec uses the following lists to filter your messages:

■ Open Proxy list: A list of IP addresses used by spammers to mask their identities. This includes proxy servers with open or insecure ports.

■ Safe list: A list of IP addresses from which virtually no outgoing email is spam.

■ Suspect list: A list of IP addresses from which virtually all of the outgoing email is spam.

Suspected spam threshold

Symantec calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, it is defined as spam. For more aggressive filtering, you can define a spam threshold below 90 and above 24 to identify suspected spam. You specify actions for handling spam and suspected spam separately.

Language identification

Symantec can determine the language in which a filtered message is written. When used with the optional plug-in for Microsoft Outlook software, you can use this feature to treat messages that are written in certain languages as spam.


You can use the Reports feature to view RBL activity statistics.

See “Working with report data” on page 159.

See “Blocking spam using real-time blacklists” on page 92.

See “Bypassing RBL blocking and spam detection for sender and recipient whitelists” on page 98.

The Symantec Spam Folder Agent for Exchange creates a spam subfolder and a server-side filter in each user’s mailbox. This filter is applied to messages that Symantec Premium AntiSpam identifies as spam, routing spam into each user’s spam folder. The spam folder agents relieve users and administrators of the burden of using their mail clients to create filters.

The Symantec Spam Folder Agent for Exchange can only be used when Symantec Premium AntiSpam is installed.

See “About the Symantec Spam Folder Agent for Exchange” on page 181.

The Symantec Spam Plug-in for Outlook makes it easy for Outlook users to submit missed spam and false positives to Symantec. You can also configure the plug-in to send user submissions automatically to a local system administrator. The Symantec Spam Plug-in also gives users the option to administer their own Blocked Senders and Allowed Senders Lists and to specify languages in which they do or do not want to receive email.

See “About the Symantec Spam Plug-in for Outlook” on page 187.

Spam actions

You can create spam actions to handle the following categories of messages:

■ Spam

■ Suspected spam with an existing SCL value > threshold

This option is available only in Exchange 2003.

■ Suspected spam with no existing SCL value or <= threshold

Filters

■ URL filtering: Symantec builds its known-spammer list based on URLs that appear in spam. The list contains over 20,000 URLs.

■ Heuristic filtering: Heuristic filters scan the headers and the body of a message to test for characteristics that are usually inherent in spam, such as opt-out links, specific phrases, and forged headers.

■ Signature filtering: Messages that flow into the email security unit within Symantec Security Response are characterized using a unique signature that is added to the database of known spam. Using this signature, Symantec can group and match seemingly random messages that originated from a single attack.


Enabling Symantec Premium AntiSpam

You must license and enable Symantec Premium AntiSpam. To enable the service, you must have an active Internet connection and allow outbound secure HTTP traffic through your firewall (port 443). If your connection uses an HTTP proxy, you must manually register the service.

See “Downloading Symantec Premium AntiSpam updates through a proxy server” on page 102.

Once Symantec Premium AntiSpam is enabled and registered, spam rules are continually downloaded from Symantec. To keep your antispam service current, Symantec Mail Security checks for updates every minute and receives new rule sets every 10 - 15 minutes.

To enable Symantec Premium AntiSpam

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Settings.

3 In the content area, under Premium AntiSpam Settings, check Enable Symantec Premium Anti Spam.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Registering Symantec Premium AntiSpam through an ISA server

Symantec Premium AntiSpam requires the ability to communicate by HTTPS (Port 443). To register Symantec Premium AntiSpam through an ISA Server that is filtering your Exchange Server's traffic, do one of the following:

■ If the ISA Server is installed on the same machine as the Exchange Server itself, you must create a Host Based protocol rule to allow “Any Request” for the HTTPS and HTTPS Server protocols.

■ If the ISA Server is installed on a different machine from the Exchange Server, you can create a Host Based protocol rule that specifically allows traffic for the IP Address of the Exchange Server for the HTTPS and HTTPS Server protocols.


Downloading Symantec Premium AntiSpam updates through a proxy server

You can configure Symantec Mail Security to download updates to Symantec Premium AntiSpam through a proxy server.

To download Symantec Premium AntiSpam updates through a proxy server

1 License Symantec Premium AntiSpam.

See “Installing or renewing license files” on page 46.

2 Disable Symantec Premium AntiSpam.

3 Open a command window, and change directories to the SMSMSE installation directory.

The default directory is C:\Program Files\Symantec\SMSMSE\5.0\Server

4 Run register.exe

Usage: register -c config_file -l license_file [-p proxyserver:proxyport -a proxyuser:proxypassword] [-v]

Example: register -c SpamPrevention/bmiconfig.xml -l "Spam Prevention\SPAlicense.slf" -p proxyserver:proxyport

Symantec Premium AntiSpam licenses are placed in the SpamPrevention folder.

5 Create and set the following registry key to zero (0):

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\5.0\Licensing\SPARunRegister

6 Enable and configure Symantec Premium AntiSpam.


Configuring Symantec Premium AntiSpam to identify spam

Through the reputation service, Symantec monitors email sources to determine how much of the email that is sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source’s reputation value as determined by Symantec.

Symantec Premium AntiSpam incorporates source information from the following types of IP address lists:

■ Open proxy list: Contains IP addresses that are open proxies used by spammers.

■ Suspect list: Contains IP addresses from which virtually all of the outgoing email is spam.

■ Safe list: Contains IP addresses from which virtually no outgoing email is spam.

Email messages from addresses that are contained in the suspect list are always blocked. You can choose to have email from addresses on the open proxy list blocked and email from addresses on the safe list allowed.

Symantec identifies a message as spam when the antispam engine scores the message between 90 and 100. A message that scores below 25 is not considered spam.

You can specify that a message be considered suspected spam if it scores between 25 and 89. (You can modify the lower end of the range.) If a message is received that falls within the range, it is handled based on your spam action settings for suspected spam. The default value is 72.

If you use Microsoft Outlook, you can use the Symantec Plug-in for Outlook to specify that email that is written in certain languages be treated as spam.

Configure Symantec Premium AntiSpam

Once you enable the Symantec Premium AntiSpam service, you can configure it to identify spam based on the reputation service, spam scoring, and language identification.

To configure the reputation service

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Settings.


3 In the content area, under Reputation Services, check only the checkboxes for the lists that you want to use from the following:

■ Open proxy list

■ Safe list

Suspect list is enabled by default and cannot be disabled.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

To configure a spam threshold

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Settings.

3 In the content area, under Spam Scoring, select whether you want messages flagged as suspected spam.

4 Under the Spam Threshold header, in the Lower spam threshold box, accept the default (72) or type a new threshold level. You can enter a value between 25 and 89.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

To enable or disable language identification

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Settings.

3 In the content area, under Language ID, select whether or not you want to enable language identification.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Configuring Symantec Premium AntiSpam to handle spam

Once you configure Symantec Premium AntiSpam settings, you configure actions for handling spam, suspected spam with an existing SCL value > threshold (available only with Exchange 2003), and suspected spam without an existing SCL value or <= threshold.

You must specify a spam threshold for identifying suspected spam in order to configure actions for suspected spam.

A message that is identified as spam is handled according to how you have configured Symantec Mail Security to handle spam messages.


If a message is identified as suspected spam, it is examined to determine if an SCL value exists. If so, the message is handled according to how you have configured Symantec Mail Security to handle suspected spam messages with an existing SCL value > threshold. (This option is available only with Exchange 2003.)

If a message is identified as spam and there is no existing SCL value or >= threshold, it is handled according to how you have configured Symantec Mail Security to handle suspected spam.

See “To configure a spam threshold” on page 104.

See “Understanding Symantec SCL values” on page 94.
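The three message categories and the action set that applies to each can be traced for any score before a policy is deployed. The following Python sketch is an added example, not part of the Symantec guide or the product's code. It follows the three categories named at the start of this section; the default actions, the SCL threshold of 5, and the inclusive lower threshold are assumptions made for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Action:
    reject: bool = False               # "Reject the message" vs "Accept the message"
    prevent_delivery: bool = False     # only applies when the message is accepted
    assign_scl: Optional[int] = None   # Exchange 2003: replaces any existing SCL


@dataclass
class PremiumPolicy:
    flag_suspected: bool = True        # whether messages are flagged as suspected spam
    lower_threshold: int = 72          # default; allowed range is 25-89
    scl_threshold: int = 5             # hypothetical value for the "SCL is" box
    # Hypothetical action sets, one per category.
    spam: Action = field(default_factory=lambda: Action(reject=True))
    suspected_scl_above: Action = field(
        default_factory=lambda: Action(prevent_delivery=True))
    suspected_other: Action = field(default_factory=lambda: Action(assign_scl=6))

    def __post_init__(self):
        if not 25 <= self.lower_threshold <= 89:
            raise ValueError("lower spam threshold must be between 25 and 89")


def classify(score: int, policy: PremiumPolicy) -> str:
    """Map a spam score (1-100) to spam, suspected spam, or not spam."""
    if not 1 <= score <= 100:
        raise ValueError("spam score must be between 1 and 100")
    if score >= 90:
        return "spam"
    # Assumption: a score equal to the lower threshold counts as suspected spam.
    if policy.flag_suspected and score >= policy.lower_threshold:
        return "suspected spam"
    return "not spam"


def handle(score: int, existing_scl: Optional[int], policy: PremiumPolicy) -> dict:
    """Pick the action set for a message and report the outcome."""
    category = classify(score, policy)
    if category == "not spam":
        return {"category": category, "rule": None,
                "outcome": "delivered", "scl": existing_scl}
    if category == "spam":
        rule, action = "spam", policy.spam
    elif existing_scl is not None and existing_scl > policy.scl_threshold:
        rule = "suspected spam, existing SCL > threshold"
        action = policy.suspected_scl_above
    else:
        rule = "suspected spam, no existing SCL or <= threshold"
        action = policy.suspected_other
    if action.reject:
        return {"category": category, "rule": rule,
                "outcome": "rejected at SMTP", "scl": existing_scl}
    outcome = ("accepted, not delivered to original recipients"
               if action.prevent_delivery else "delivered")
    scl = action.assign_scl if action.assign_scl is not None else existing_scl
    return {"category": category, "rule": rule, "outcome": outcome, "scl": scl}


if __name__ == "__main__":
    policy = PremiumPolicy()
    # Constructed (score, existing SCL) pairs.
    for score, scl in ((95, None), (89, 7), (72, 5), (80, None), (71, 9)):
        print(score, scl, handle(score, scl, policy))
```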

Handling spam messages

Symantec Premium AntiSpam has multiple options for handling spam messages.

To configure Symantec Premium AntiSpam to accept or reject spam messages

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Spam Messages and If message is Spam, click Reject the message or Accept the message.

A rejected message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. An accepted message is delivered normally.

To configure actions to take for accepted messages

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Spam Messages and Message delivery options, to keep the original recipients from receiving spam messages, check Prevent delivery to original recipient(s).

This option is only active if Accept the message is selected.

When this option is selected, a message that is identified as spam is accepted by the SMTP server and is deleted. It is not delivered to the addressees.

4 To save spam messages to a folder, check Save to folder and type a folder name in the Folder name box or click the browse [...] button beside it and select a folder name from the list.


5 To add an X-header to spam messages, check Add X-header and accept the defaults or type the X-header name and value in the X-header name and X-header value boxes.

6 To send spam messages to a different recipient, check Deliver to alternate recipient(s) and type one or more addresses to which spam messages will be delivered. Press Enter after each new entry.

7 To add a subject line to spam messages, check Add subject line and accept the default or type new subject line text.

8 To add an X-header to spam messages, check Add X-header and accept the defaults or type the X-header name and value in the X-header name and X-header value boxes.

9 To send spam messages to the Symantec Spam Folder Agent, check Tag for Spam Folder Agent Delivery.

You must have the Symantec Spam Folder Agent installed. An X-header will be added to allow the Agent to move the message to the user’s spam folder. You cannot modify this X-header. This option is available only on Exchange 2000 installations.

10 To assign an SCL to spam messages, check Assign SCL value to message and accept the default or select a number from the menu.

This option is available only in Exchange 2003. If the incoming message has an existing SCL value, the one you specify will replace it.

11 To log spam messages to the Windows Application event log, check Log.

12 Click Deploy changes/Deploy all or proceed to your next configuration task.

Handling suspected spam messages with SCL

You can customize how to handle suspected spam messages with SCL values.

To perform initial actions

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam and SCL, in the If message is suspected spam and SCL is box, accept the default value or select a new value.

4 Click Reject the message or Accept the message.

A rejected message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. An accepted message is delivered normally.


To configure actions to take for accepted messages

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam and SCL and Message delivery options, to keep the original recipients from receiving suspected spam messages, check Prevent delivery to original recipient(s).

This option is only active if Accept the message is selected.

When this option is selected, a message that is identified as spam is accepted by the SMTP server and is not delivered to the addressees.

4 To save suspected spam messages to a folder, check Save to folder and type a folder name in the Folder name box or click the browse [...] button beside it and select a folder name from the list.

5 To add an X-header to suspected spam messages sent to a folder, check Add X-header and accept the defaults or type the X-header name and value in the X-header name and X-header value boxes.

6 To send suspected spam messages to different recipients, check Deliver to alternate recipient(s) and type one or more fully qualified SMTP email addresses. Press Enter after each entry.

Each recipient will receive a copy of the message that is identified as suspected spam when an SCL value exists.

7 To add a subject line to suspected spam messages, check Add Subject Line and accept the default or type replacement text for the subject line of the suspected spam message.

8 To add an X-header to suspected spam messages, check Add X-header and accept the defaults or type the X-header name and value in the X-header name and X-header value boxes.

9 To send suspected spam messages to the Symantec Spam Folder Agent, check Tag for Spam Folder Agent Delivery.

You must have the Symantec Spam Folder Agent installed. An X-header will be added to allow the Agent to move the message to the user’s spam folder. You cannot modify this X-header. This option is available only on Exchange 2000 installations.

10 To assign an SCL to suspected spam messages, check Assign SCL value to message and accept the default or select a number from the menu.

This option is available only in Exchange 2003. If the incoming message has an existing SCL value, the one that you specify will replace it.


11 To log suspected spam messages to the Windows Application event log, check Log.

12 Click Deploy changes/Deploy all or proceed to your next configuration task.

Handling suspected spam with no existing SCL value or <= threshold

You can configure Symantec Premium AntiSpam to accept or reject suspected spam with no existing SCL value or <= threshold.

To perform initial actions

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam and If message is Suspected Spam, click Reject the message or Accept the message.

A rejected message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. An accepted message is delivered normally.

To configure actions to take for accepted messages

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam and Message delivery options, to keep the original recipients from receiving suspected spam messages, check Prevent delivery to original recipient(s).

This option is only active if Accept the message is selected.

When this option is selected, a message that is identified as spam is accepted by the SMTP server and is deleted. It is not delivered to the addressees.

4 To save suspected spam messages to a folder, check Save to folder and type a folder name in the Folder name box or click the browse [...] button beside it and select a folder name from the list.

5 To add an X-header to suspected spam messages sent to a folder, check Add X-header and accept the defaults or type the X-header name and value in the X-header name and X-header value boxes.


6 To send suspected spam messages to different recipients, check Deliver to alternate recipient(s) and type one or more fully qualified SMTP email addresses. Press Enter after each entry.

Each recipient will receive a copy of the message that is identified as suspected spam when an SCL value exists.

7 To add a subject line to suspected spam messages, check Add Subject Line and accept the default or type replacement text for the subject line of the suspected spam message.

8 To add an X-header to suspected spam messages, check Add X-header and accept the defaults or type the X-header name and value in the X-header name and X-header value boxes.

9 To send suspected spam messages to the Symantec Spam Folder Agent, check Tag for Spam Folder Agent Delivery.

You must have the Symantec Spam Folder Agent installed. An X-header will be added to allow the Agent to move the message to the user’s spam folder. You cannot modify this X-header. This option is available only on Exchange 2000 installations.

10 To assign an SCL to suspected spam messages, check Assign SCL value to message and accept the default or select a number from the menu.

This option is available only in Exchange 2003. If the incoming message has an existing SCL value, the one that you specify will replace it.

11 To log suspected spam messages to the Windows Application event log, check Log.

12 Click Deploy changes/Deploy all or proceed to your next configuration task.


Chapter 5

Managing multiple server installations

This chapter includes the following topics:

■ Accessing the Symantec Mail Security user interface

■ About the user interface display

■ Managing servers and server groups

■ Installing Symantec Mail Security to remote servers

■ Updating and distributing virus definitions

Accessing the Symantec Mail Security user interface

The management of single or multiple installations of Symantec Mail Security is done through a user interface.

See “Symantec Mail Security user interface components” on page 60.

To access the Symantec Mail Security user interface

◆ Do one of the following:

■ On the desktop, double-click SMSMSE 5.0.

■ On the Windows taskbar, click Start > Programs > Symantec Mail Security for Microsoft Exchange > Server Management Console.


Making selections

To select a server or group, click the Change button and select the server or group from the pop-up menu. The name of the selected server or group appears in the Server/group panel. Any data that you observe or actions you take will relate to that server or group.

About the user interface display

Symantec Mail Security uses the same user interface to manage a single server and multiple servers.

About the Global server group

All the servers under group control are part of the Global server group. This group includes servers that are added to user-defined groups as well as servers that are added to multiserver management control but are not assigned to a specific server group.

When you reconfigure the Global server group, changes are propagated to all servers in all groups. If you change a setting on an individual server or at the group level and subsequently change the same setting at the Global server level, the change made at the Global server level overrides the change made at the individual server or group level.

About user-defined server groups

User-defined server groups can be created dynamically when installing servers, when adding servers to management, or at any time through the UI. A user-defined server group is a physical server grouping that simplifies server management. For example, a server group might be all mail servers that are used by a department (for example, marketing) or the physical location of a group of mail servers (for example, third floor servers in Building A).

A managed server can only belong to one user-defined group.

See “Moving a server to another group” on page 115.

About group settings

When you reconfigure a user-defined server group, any changes that you make are propagated to all servers that belong to that group. The reverse is not true. If you change the settings for an individual server, the changes are not recognized at the server group level or at the Global level. In that case, the information that is displayed by the screen does not reflect the changes to the individual server.


You can view the settings on an individual server by selecting it to display its settings.

See “Making selections” on page 112.

Managing servers and server groups

You can perform the following administration tasks with the Symantec Mail Security UI:

■ Creating a server group

■ Adding servers to a group

■ Moving a server to another group

■ Changing the Transmission Control Protocol (TCP) port and using Secure Sockets Layer (SSL)

■ Sending group settings to a server

■ Restoring default settings to a server or group

■ Removing a server group

■ Updating servers in a server group

■ Removing a server from group management

Creating a server group

There are two general categories of server groups: the Global group and user-defined groups.

The Global group is the default server group. You can keep all of your Microsoft Exchange Servers that run Symantec Mail Security in the Global group. If your network contains a large number of Exchange Servers, you can create server groups in addition to the Global group, add servers to these groups, and administer all of your servers that run Symantec Mail Security on a group basis.

To create a server group

1 On the main menu, select Tasks > Manage Assets.

2 Under Tasks, click Add group.

3 In the Add new management group dialog box, type a name for the server group, and then click OK.

4 Click Close.


Adding servers to a group

If an installation of Symantec Mail Security is not under management control, you may want to add the server to the UI. For example, your organization might have run a single-server installation of Symantec Mail Security on several Exchange Servers that you now want to manage through the UI, along with your other managed servers.

You can add servers that run Symantec Mail Security to a managed group in the following ways:

■ Add one or more servers to an existing group.

■ Create a new server group during the Add process.

Note: All servers are always added to the Global group in addition to any specified server group.

To add servers to a group

1 On the main menu, select Tasks > Manage Assets.

2 Under Tasks, click Add servers.

3 In the Add servers window, under Management group, select an existing server group (if different from the one that appears in the field) or type a name to create a new group.

4 Under Servers to add, do one of the following:

■ Highlight one or more servers from the Available servers: window and click the >> button.

■ Type the server name or IP in the Server name or IP box and click the >> button.

5 Under Server options, do all of the following:

■ Type the TCP port number for the server or group of servers that you want to add.

The port number must be the same for all servers that you want to add. Port 8081 is the default. The port number and SSL setting must match those of the server for the UI to communicate with the server.

■ Check Send group settings.

If checked, the group settings are applied to a newly added server. If unchecked, server settings are retained. Future changes that are made to the server group, however, will be applied to the server.

■ Check any other option you want to exercise.


6 Click OK.

7 Repeat steps 2-6 for each server that you want to add to the group.

8 Click Close.

If you add a server that is not running Symantec Mail Security 5.0 or that is running Symantec Mail Security 4.0, 4.5, or 4.6, the server is added to the group without warning. In the case of a 4.0, 4.5, or 4.6 server, although the server may be visible in the window, it cannot be managed. In either case, it is necessary to upgrade the server.

Moving a server to another group

A server that is going to be moved from one server group to another can be selected either from the Global group, which contains all managed servers, or from a server group.

Unless Send group settings to server is checked, moving a server to another group does not affect the current server settings even if its settings differ from those of its new group. Future changes made to the server group, however, will be applied to the server.

To move a server to another group

1 On the main menu, select Tasks > Manage Assets.

2 If necessary, expand the groups from and to which you intend to move the server.

3 Do one of the following:

■ Select the server you intend to move, and then under Tasks, click Move server.

■ Right-click the server you intend to move, and then on the pop-up menu, click Move server.

■ Drag and drop the server from one group to another.

After doing so, click Send group settings to server to match the server’s settings to the group, if desired.

4 In the Move Server window, select the target server group or create a new server group, and then click OK.

5 To apply the settings of the new server group to the server, click Send group settings to server.

6 Click OK, and then click Close.


Changing the Transmission Control Protocol (TCP) port and using Secure Sockets Layer (SSL)

After a server is added to management control, you can change the TCP port and specify whether to use SSL for communication between the UI and a server.

See “Implementing SSL” on page 55.

To change the TCP port and use SSL

1 On the main menu, select Tasks > Manage Assets.

2 In the Asset Management window, in the content area, select a server.

3 On the sidebar, under Tasks, click Server Properties.

4 To change the TCP port, type the new port number in the Port Number box.

5 To use SSL, check Use SSL.

Sending group settings to a server

Settings on a particular server might not be synchronized with its server group settings. This can occur, for example, if a server is configured both from its single-server user interface and a remote user interface.

Note: If a server is added to a server group but the group settings are not yet applied to the new server, changes to policy settings that are applied to the server group may cause operation status to report an error until the server group settings are applied to the new server.

To send group settings to a server

1 On the main menu, select Tasks > Manage Assets.

2 Select the server to which you want to send group settings.

3 Under Tasks, click Send group settings to server.

This sends the settings of the server group to the selected server.

4 Click OK, and then click Close.


Restoring default settings to a server or group

You can restore all settings for a server or group to their initial, default states.

To restore default settings to a server or group

1 On the main menu, select Tasks > Manage Assets.

2 Select a server or a group.

3 Under Tasks, click Reset to factory defaults.

4 Click Close.

Removing a server group

If a user-defined server group is no longer needed, you can remove it.

If you remove a user-defined server group that contains managed servers, the servers that belong to the group are not removed from management control. The servers still exist in and can be managed through the Global group. The server group settings, however, are retained on the servers until they are updated or new settings are pushed out.

Note: You cannot remove the Global server group.

To remove a server group

1 On the main menu, select Tasks > Manage Assets.

2 Select a server group.

3 Under Tasks, click Remove group.

4 In the confirmation dialog box, click OK.

5 Click OK, and then click Close.

Updating servers in a server group

If an update of Symantec Mail Security is released, you can update all previous installations in a server group.

To update servers in a server group

1 On the main menu, select Tasks > Manage Assets.

2 Select a server group.


3 Under Tasks, click Update servers.

4 When the update completes, do one of the following:

■ If an error occurs, click Errors for more information.

■ Click OK, and then click Close.

Removing a server from group management

When a server is removed from the Symantec Mail Security UI, it is removed from group management. Symantec Mail Security protection, however, remains operational on the server itself.

To remove a server from group management

1 On the main menu, select Tasks > Manage Assets.

2 Select a server.

3 Under Tasks, click Remove servers.

4 In the confirmation dialog box, click OK.

When the confirmation dialog box closes, the icon of the group to which it belongs is contracted.

5 Click OK, and then click Close.

Installing Symantec Mail Security to remote servers

From the Symantec Mail Security UI, you can install Symantec Mail Security to remote servers that run Exchange 2000 or 2003.

There may be cases in which you want to customize the installation of Symantec Mail Security to one or more remote Exchange Servers.

See “Customizing the installation of remote servers” on page 45.

You can also upgrade existing version 4.0, 4.5, or 4.6 installations to Symantec Mail Security 5.0 using the Symantec Mail Security UI.

See “Upgrading from a previous version” on page 49.

To install Symantec Mail Security to remote servers

1 On the main menu, select Tasks > Manage Assets.

2 Under Tasks, click Add servers.

3 In the Add servers window, under Management group, select an existing server group (if different from the one that appears in the field) or type a name to create a new group.


4 Under Servers to add, do one of the following:

■ Highlight one or more servers from the Available servers window and click the >> button.

■ Type the server name or IP in the field below the Available servers window and click the >> button.

5 Under Server options, do all of the following:

■ Type the TCP port number for the server or group of servers that you want to add.

The port number must be the same for all servers that you want to add. Port 8081 is the default. The port number and SSL setting must match those of the server for the UI to communicate with the server.

■ Check Install SMSMSE.

■ Check Send group settings to server.

If checked, the group settings are applied to a newly added server. If unchecked, server settings are retained. Future changes that are made to the server group, however, will be applied to the server.

■ Select any other option you want to exercise.

6 Click OK.

7 Install the Symantec content license file on the server.

See “Installing on multiple servers” on page 44.

8 Click Close.

Updating and distributing virus definitions

Symantec Mail Security lets you centrally administer virus definition updates. You can update virus definitions by doing the following:

■ Connecting to the LiveUpdate site and updating virus definitions on the UI

■ Updating virus definitions through Rapid Release

■ Distributing updated definitions to all Exchange Servers or to a group of managed servers

You can also schedule virus definition updates for managed servers.

See “Updating virus definitions for multiple servers” on page 147.


Update and distribute virus definitions

You can manually distribute LiveUpdate virus definitions from the UI to your servers. The LiveUpdate virus definition update applies to a single server, not to a server group. You cannot manually distribute Rapid Release virus definitions from the UI to your servers.

To manually distribute virus definitions to servers

1 On the primary navigation bar, click Admin.

2 In the sidebar, under Views, do one of the following:

■ In single server view, click LiveUpdate/Rapid Release Status.

This option is not available in group view.

■ In group view, click LiveUpdate Status.

This option is not available in single server view.

3 In the sidebar, under Tasks, do one of the following:

■ In single server view, click Run LiveUpdate and/or Run Rapid Release.

■ In group view, click Run LiveUpdate.

4 Under Tasks, click Run LiveUpdate.

Follow the steps in the LiveUpdate UI to run LiveUpdate.

5 Under Tasks, click Send virus definitions to servers.


Chapter 6

Performing scans

This chapter includes the following topics:

■ How scans work

■ Working with policies

■ Working with matchlist settings

■ About Outbreak Triggered Attachment Names and Subject Lines matchlist options

■ Configuring and running scans

How scans work

In Symantec Mail Security, you can configure any scan and specify the content filtering rules to apply to it. All other rules (for example, threats and security risks) apply to all scans, except that spam rules do not apply to manual or scheduled scans.

Every scan that runs on Symantec Mail Security belongs to one of the following categories:

Auto-Protect scans

When enabled, Auto-Protect runs constantly.

In this mode, violations are scanned and detected in real time. The policies or rules linked to the Auto-Protect scan apply to everything on the Exchange Server (items in all public folders and mailboxes and messages that are processed by the Microsoft Exchange SMTP service).

Auto-Protect scanning applies to all the categories in the Policies section of the primary navigation bar except antispam.


About policies and scanning

When a scan detects a mail security violation, the rule settings in effect for the scan determine which events will be triggered. For example, when a virus is detected, a specific action (such as sending the message attachment to the Quarantine or deleting the whole message), notifications, and alerts (alerts available only if SESA is in use) are triggered.

You can enable and disable rules and add and modify content filtering rules.

Working with policies

You can use the following scanning policies to protect your Microsoft Exchange server:

■ The General Policy addresses scanning limits, exceptions, and outbreak management.

■ The Antivirus Policy addresses viruses and security risks.

■ The Antispam Policy addresses spam prevention.

■ The Content Enforcement Policy addresses undesirable or inappropriate content.

Manual scans

A manual scan is an on-demand scan of public folders and mailboxes.

Manual scanning applies to all the categories in the Policies section of the primary navigation bar except antispam.

You can specify file folders and mailboxes to be covered by a manual scan.

You can specify content filtering rules to apply to a given scan.

Scheduled scans

Scheduled scans run unattended, usually at off-peak periods.

Scheduled scanning applies to all the categories in the Policies section of the primary navigation bar except antispam.

You can specify file folders and mailboxes to be covered by a scheduled scan.

You can specify content filtering rules to apply to a given scan.


About the General policy

The General Policy includes the following:

■ Configuring Scanning Limits Policies

■ Configuring Exceptions Policies

Configuring Scanning Limits Policies

To protect your network from denial-of-service attacks, configure Symantec Mail Security to limit processing of large files by setting a maximum scan time and depth.

To configure Scanning Limits Policies

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Scanning Limits.

3 In the content area, under Maximum scan time (in seconds), accept the default (300) or type the number of seconds to run all scans.

4 Under Maximum archive scan depth (number of levels), accept the default (10) or type the maximum number of nested archive levels to scan.

5 Under Maximum size of one extracted file (in MB), accept the default (100) or type the maximum size of any one extracted file.

6 Under Maximum total size of all extracted files (in MB), accept the default (200) or type the maximum size of all extracted files.

7 Under Maximum number of files extracted, accept the default (5000) or type the maximum allowable number of files to be extracted.

8 Click Deploy changes/Deploy all or proceed to your next configuration task.
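The limits in this procedure act as a budget that an unpacker spends while it opens an attachment. The following Python example is an added illustration, not Symantec code: it walks nested ZIP data using the default values listed above and reports the item as unscannable as soon as a limit is exceeded. The names ScanLimits, scan_attachment, and make_nested_zip are hypothetical, only the ZIP format is handled, and the sample archives are constructed in memory.

```python
import io
import time
import zipfile
import zlib
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass
class ScanLimits:
    # Defaults mirror the values listed in the Scanning Limits procedure.
    max_scan_seconds: float = 300
    max_depth: int = 10
    max_file_bytes: int = 100 * MB
    max_total_bytes: int = 200 * MB
    max_files: int = 5000


class Unscannable(Exception):
    """An item exceeded a limit; the caller applies its exception rule."""


def _walk(data, limits, state, depth):
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # leaf content: a real scanner would inspect it here
    if depth >= limits.max_depth:
        raise Unscannable("too many levels of compression or embedding")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if time.monotonic() > state["deadline"]:
                raise Unscannable("item takes too long to scan")
            state["files"] += 1
            if state["files"] > limits.max_files:
                raise Unscannable("too many files extracted")
            if info.flag_bits & 0x1:  # encrypted member: cannot be opened
                state["encrypted"] += 1
                continue
            # Never trust the size declared in the header: inflate at most
            # one byte past the remaining budget and check what came out.
            remaining = limits.max_total_bytes - state["total"]
            budget = min(limits.max_file_bytes, remaining)
            with zf.open(info) as member:
                chunk = member.read(budget + 1)
            if len(chunk) > budget:
                scope = ("one extracted file"
                         if budget == limits.max_file_bytes
                         else "all extracted files")
                raise Unscannable(f"item is too large to scan ({scope})")
            state["total"] += len(chunk)
            _walk(chunk, limits, state, depth + 1)


def scan_attachment(data, limits=None):
    """Return a verdict dict for one attachment given as bytes."""
    limits = limits or ScanLimits()
    state = {"files": 0, "total": 0, "encrypted": 0,
             "deadline": time.monotonic() + limits.max_scan_seconds}
    try:
        _walk(data, limits, state, depth=0)
    except Unscannable as exc:
        return {"verdict": "unscannable", "reason": str(exc)}
    except (zipfile.BadZipFile, zlib.error):
        return {"verdict": "unscannable", "reason": "malformed archive"}
    return {"verdict": "scanned", "files": state["files"],
            "total_bytes": state["total"], "encrypted": state["encrypted"]}


def make_nested_zip(levels, payload=b"hello"):
    """Constructed sample: wrap payload in `levels` layers of ZIP."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{i}.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    print(scan_attachment(make_nested_zip(3)))
    print(scan_attachment(make_nested_zip(11)))
    bomb = make_nested_zip(1, payload=b"\0" * (2 * MB))
    print(len(bomb), scan_attachment(bomb, ScanLimits(max_file_bytes=MB)))
```

The last sample shows why the size checks count extracted bytes rather than message size: two megabytes of zeros compress to a few kilobytes on the wire.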

Configuring Exceptions Policies

The Exceptions Policy includes the following rules:

Unscannable File Rule

An email message or attachment may be unscannable for the following reasons:

■ The item contains too many levels of compression or embedding.

■ The item takes too long to scan.

■ The item is too large to scan.

The default (General Policy) setting for an unscannable message or attachment is to quarantine the item and replace it with a text description.


You can specify the action to take and whom to notify when an exception rule violation occurs.

To configure Exceptions Policies

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Exceptions.

3 In the upper pane of the content area, select the rule that you want to edit.

■ Unscannable Rule

■ Encrypted Rule

4 In the lower pane, do any of the following:

■ In the Action to take box, select the desired action from the menu.

■ In the Replacement text box, modify the text of the replacement message.

■ Check the applicable entry to notify the administrator, internal sender, or external sender of the action taken.

■ To edit the text of the message sent, click the button next to its entry and edit the text in the Subject line and Message body boxes that appear. Click the button again to close the boxes.

5 Click Deploy changes/Deploy all or proceed to your next task.

Encrypted File Rule

An attachment may not be scannable due to encryption or password protection. These files may contain viruses or other malicious content. The Encrypted File rule lets you implement your organization’s policy on allowing encrypted files into the email system.

An encrypted file may be a legitimate means of securing confidentiality between the sender and recipient, or it could contain malicious code that is designed to harm your email servers or overwhelm your mail security system. Symantec Mail Security handles encrypted attachments according to the actions and notifications that you specify.

The default (General Policy) setting for an encrypted file is to log only (attachment/message body available).


About the Antivirus Policy

The Antivirus Policy includes the following rules:

Bloodhound Virus Rule

Bloodhound viruses are detected with Symantec Bloodhound heuristics technology. The standard method of detecting a virus is to scan a file and match a virus against an existing virus definition. Bloodhound heuristics technology copies the suspicious executable program into its own virtual computer. It then tests the program and assesses suspicious file behavior, such as whether the file has replicated itself in a period of time. You can set the Bloodhound Virus rule to Off, or to Low, Medium, or High detection level. The higher the level, the greater the chance of false positives. Viruses detected by Bloodhound are managed in the same way as all other viruses.

See “Securing your network” on page 63.

Mass-Mailer Worm Rule

Because email mass-mailer worms do not need to attach to a host file to infiltrate a network, they can spread very quickly. When activated, the Mass-Mailer Worm Rule deletes email containing a mass-mailer worm.

Basic Virus Rule

The Basic Virus rule contains settings that determine which actions to take when a virus is detected. You can use the Basic Virus rule for coverage against all viruses, but it is most often used to find messages that contain known viruses.

Unrepairable Virus Rule

If the Basic Virus rule cannot repair an item and the Basic Virus rule is set to Repair the infected attachment, then the item is passed to the Unrepairable Virus rule, and the appropriate action is taken.

An email message or attachment may be unrepairable for the following reasons:

■ The virus definitions that were in use at the time the file was attacked were out-of-date.

■ Too much damage has been done to the item by a virus.

If the problem was caused by out-of-date virus definitions and the unrepairable message or attachment is important, it may be possible to restore the item from a backup and rescan it using up-to-date virus definitions. Then it may be possible to repair the file.

If a file has been severely compromised (for example, by a virus that attacks the file allocation table), it may be unrepairable. The default (Antivirus Policy) setting for an unrepairable message or attachment is to quarantine the item and replace it with text.


About the Antispam Policy

The Antispam policy includes blacklists, allowed senders lists, and the Heuristic Antispam feature.

See “Protecting your organization from spam (without Symantec Premium AntiSpam)” on page 91.

Symantec Premium AntiSpam is an optional feature.

See “Protecting your organization from spam (with Symantec Premium AntiSpam)” on page 99.

About the Content Enforcement Policy

The Content Enforcement policy consists of content filtering rules, file filtering rules, and matchlists.

Editing content filtering rules

Content filtering rules let you filter messages for specific words, phrases, subject lines, senders, attachment names, and attachment content, and take action when the specified content is found.

Symantec Mail Security lets you create filtering rules to apply to Auto-Protect scans, on-demand scans, and scheduled scans. The rules provide a front-end defense in real time against spam email messages and new or unidentified viruses. These rules expand the control that administrators have to block objectionable email messages and attachments.

You can set up, edit, or delete as many filtering rules as needed. Each rule specifies the email message part to search (for example, message body, subject, sender, attachment name, or attachment content), and defines the condition that should trigger a content violation.

For example, you can set up a rule to filter email messages with attachments that exceed 3 MB in size. Symantec Mail Security would then catch any email messages that exceed 3 MB and, like other scans, would process the email messages according to your configuration settings. You can enable or disable filtering at any time.

Security Risk Rule

The Security Risk Rule detects and handles adware, spyware, jokes, hack tools, remote access, trackware, and dialers.

See “Protecting against viruses” on page 64.


Note: When message body scanning takes place for the filtering rule and a violation occurs, in some cases, more than one rule violation may be triggered for a single message. This occurs if the mail client from which the message originated used RTF or HTML encoding. In that case, both the plain text and formatted versions of the message body are sent by the mail client to the Exchange Server. The plain text and formatted versions of the message body are scanned as separate message bodies by Symantec Mail Security.

To edit a content filtering rule

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Content Filtering Rules.

3 In the content area, ensure that Enable content filtering is checked.

4 In the content area, select the rule that you want to edit.

5 Under Tasks, click Edit rule.

6 Modify the rule settings, and then click OK.

7 In the content area, enable or disable the rule that you edited by clicking the entry in the left column and selecting Enabled or Disabled from the menu.

8 Click Deploy changes/Deploy all or proceed to your next task.

About content evaluation

Email or scanned content that matches an expression in a filtering rule might violate that rule, depending on whether the rule contains AND expressions or OR expressions. Specifically, if the rule contains AND expressions, then all expressions must evaluate to true to trigger a content violation for the entire rule. However, if the rule contains OR expressions, only one expression must evaluate to true to trigger a content violation for the rule.

See “Elements of a filtering rule” on page 128.

You can specify a filtering rule to apply to Store scanning, SMTP inbound scanning, or to SMTP outbound scanning.

Symantec Mail Security handles content violations according to the action that you configure for the rule.


You can select any of the following actions (one action per rule):

■ Quarantine attachment/message body, replace with text

■ Delete attachment/message body, replace with text

■ Delete entire message

■ Log only (attachment/message body available)

■ Save to folder

■ Add tag to beginning of subject (option valid only for SMTP inbound rules)

Administrators can also notify senders and others of content filtering violations by using messages with customizable text. To set up notifications, administrators must configure an alert.

See “Configuring notifications and alerts” on page 70.

Elements of a filtering rule

A filtering rule consists of one or more conditions that you define. For example, if the subject line contains one or more words from a selected subject line matchlist.

A rule can optionally contain one or more exceptions. For example, UNLESS the subject line contains the word Rochester.

This filtering rule blocks messages whose subject line contains words from the selected subject line matchlist, such as cellular, credit, debt, diploma, or phrases like “feel younger.” If the subject line contains Rochester, however, the messages are not blocked.

Symantec Mail Security evaluates a rule logically as either an OR or AND rule. By default, the entries in the Content box are OR, which means that if any of the entries are present, the rule applies. If you check All terms, it becomes an AND, which means that the rule only applies if all the items in the list are present.

Any rule can only test one part of a message. If you want to test all the parts of a message, you have to create five separate rules. However, if a rule tests an attachment, you can add an additional if/unless condition related to the attachment size.

A rule consists of the following elements:

Message Part: The part of the email message that you want to scrutinize for violations.

Message Flow: You can select whether to apply the rule to any combination of Inbound, Outbound, or Internal messages. You must select at least one.

Match:

■ Whole term: Apply the rule only if the exact term in the Content box or matchlist is present.

■ Case: Apply the rule only if the case of the term matches the term in the Content box or matchlist.

■ All terms: Apply the rule only if all the terms in the Content box are present.

Type:

■ Literal string: Match the exact text in the box.

■ Regular expression: Symbols and syntactic elements used to match patterns of text. See “Regular expressions” on page 131.

■ Wildcards: Wildcard style expressions provide a convenient way to specify file names. See “DOS wildcard style expressions” on page 135.

Comparison: The comparison that you want to make between the part and the value that, when matched to the part, constitutes a content violation, for example, Equals, Does Not Equal, Contains, or Does Not Contain.

Exception: You can add an UNLESS to a rule, to make exceptions to the overall requirement.

Value: The numeric value or alphanumeric text string that you enter as the criteria to match. The Attachment Size is a numeric value. The rest are alphanumeric text strings.

The supported file types include the following:

.ace, .amg, .ani, .arc, .arj, .avi, .bag, .bmp, .cab, .exe, .dll, .gho, .gif, .gz, .gzip, .hqx, .jpeg, .lha, .lzh, .lz, .doc, .xls, .ppt, .shs, .rar, .rtf, .tar, .tga, .uue, .wav, .zip, .zoo, .txt, .669, .aif, .aiff, .amd, .amm, .ams, .au, .far, .gdm, .it, .mid, .midi, .mod, .mtm, .med, .png, .rmi, .stm, .stx, .s3m, and .xm.

Table 6-1 lists the message parts with their corresponding comparisons and values.

The message part that you select determines which comparisons you can use.

The Message body, Subject, and Attachment Name parts interpret their value fields according to the user’s choice. If you chose regular expressions, even if you typed a number in the value field, Symantec Mail Security would consider it text, not a number. Text strings, because they allow for regular expressions, give you flexibility in extending your text searches to find more than just a direct match. Regular expressions include metacharacters to help you broaden the search capabilities of a given rule.

See “Regular expressions” on page 131.

Table 6-1 Message parts, comparisons, and values

| Message part | Comparisons | Values | Options |
|---|---|---|---|
| Message Body | Equals; Does Not Equal; Contains; Does Not Contain | Text value; A member of matchlist | Ignore case; Whole words only |
| Sender | Equals; Does Not Equal; Contains; Does Not Contain | Text value; A member of matchlist | Ignore case; Whole words only |
| Attachment Contents | Equals; Does Not Equal; Contains; Does Not Contain | Text value; A member of matchlist | Ignore case; Whole words only |
| Subject | Equals; Does Not Equal; Contains; Does Not Contain | Text value; A member of matchlist | Ignore case; Whole words only |
| Attachment Name | Equals; Does Not Equal; Contains; Does Not Contain | Text value; A member of matchlist | Ignore case; Whole words only |
| Attachment Size | Greater Than (>); Less Than (<); Equals (=) | Numeric Value | Bytes, KB or MB |

Regular expressions

A regular expression is a set of symbols and syntactic elements that is used to match patterns of text. Symantec Mail Security performs matching on a line-by-line basis. It does not evaluate the line feed (newline) character at the end of each input expression phrase.

You can build regular expressions using a combination of normal alphanumeric characters and metacharacters. Regular expressions let you perform pattern matching in text. For example, many email messages contain a trailing number at the end of the subject line text, as in the following sample subject line:

Here’s a hot stock pick!43234

To write a rule to match email subject lines that have trailing numbers, compare the subject against the following regular expression:

^.+![0-9]+$

This regular expression contains the normal alphanumeric characters 0-9 and the metacharacters ^, ., +, and []. By using the subject attribute, the = operator, and the regular expression as the value, you can build a content filtering rule to catch any email messages whose subject lines end with a trailing number. This is a possible sign that the message is spam.

See “Metacharacters” on page 132.

Note: For filtering only, first-level attachments refer to the outer-most file attachment. The filtering engine does not evaluate any file extension names that are inside the outer attachment, for example, the compressed files in a .zip file.

Metacharacters

Table 6-2 lists the metacharacters that you can use in regular expressions to build filtering rules. Some characters are not considered special unless you use them in combination with other characters.

Note: You can use metacharacters in regular expressions to search for both single-byte and multi-byte character patterns.

Table 6-2 Metacharacter descriptions

Metacharacter Description

. Period: Matches any single character of the input sequence.

^ Circumflex: Represents the beginning of the input line. For example, ^A is a regular expression that matches the letter A at the beginning of a line. The ^ character is only special at the beginning of a regular expression or after the ( or | characters.

$ Dollar sign: Represents the end of the input line. For example, A$ is a regular expression that matches the letter A at the end of a line. The $ character is only special at the end of a regular expression or before the ) or | characters.

* Asterisk: Matches zero or more instances of the string to the immediate left of the asterisk. For example, A* matches A, AA, AAA, and so on. It also matches the null string (zero occurrences of A).

? Question mark: Matches zero or one instance of the string to the immediate left of the question mark.

+ Plus sign: Matches one or more instances of the string to the immediate left of the plus sign.

\ Escape: Turns on or off the special meaning of metacharacters. For example, \. only matches a dot character. \$ matches a literal dollar sign character. Note that \\ matches a literal \ character.

| Pipe: Matches either expression on either side of the pipe. For example, exe|com|zip matches exe, com, or zip.

[string] Brackets: Inside the brackets, matches a single character or collating element, as in a list. The string inside the brackets is evaluated literally, as if an escape character (\) were placed before each character in the string.

If the initial character in the bracket is a circumflex (^), then the expression matches any character or collating element except those inside the bracket expression.

If the first character after any potential circumflex (^) is a dash (-) or a closing bracket (]), then that character matches only a literal dash or closing bracket.

(string) \(string\) Parentheses: Groups parts of regular expressions, which gives the string inside the parentheses precedence over the rest.

The order of metacharacters, from highest to lowest precedence, is as follows:

() Precedence override

| OR

[] List

\ Escape

^ Start with

You can link several regular expressions to form a larger one to match certain content in email.

Table 6-3 lists examples of regular expressions that show how pattern matching is accomplished with the use of metacharacters and alphanumeric characters.

Table 6-3 Regular expressions

Regular expression Description

abc Matches any line of text that contains the three letters abc in that order.

Your results may differ depending on the comparison that you use to create the filtering rule. For example, if you build a rule to match the word Free and use the Contains comparison, then the filtering engine will detect all words that contain the word Free instead of an exact match (for example, Freedom). However, if you use the Equal comparison, then the filtering engine will detect only exact matches of the word Free with no other surrounding text. If you use the Contains comparison with Whole words only, then the filtering engine will detect Free as a stand-alone word, even if there are other words present in the text that is being searched.

a.c Matches any string that begins with the letter a, followed by any character, followed by the letter c.

^.$ Matches any line that contains exactly one character. (The newline character is not counted.)

a(b*|c*)d Matches any string beginning with the letter a, followed by either zero or more instances of the letter b, or zero or more instances of the letter c, followed by the letter d.

.+\....\.... Matches any file name that has two, three-letter extensions (for example, Filename.gif.exe).

This regular expression is helpful in blocking email attachments with double extensions. For example:

If Attachment Name = .+\....\....

[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+

Matches an embedded comment in the middle of meaningful HTML text. Embedding comments within HTML text is a trick that spam senders use to bypass some pattern-matching software.
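
The rule logic described above (OR by default, AND with All terms, an UNLESS exception, and the Contains/Equals/Whole words difference noted in Table 6-3) can be sketched in Python. This is an added example, not Symantec's code: the function and variable names are hypothetical, Python's `re` module stands in for the product's regular expression engine, and treating ignore-case as the default is an assumption.

```python
import re


def term_matches(text, term, comparison="Contains", term_type="Literal string",
                 ignore_case=True, whole_words=False):
    """Evaluate one term against one message part, one line at a time."""
    # Literal strings are escaped so metacharacters lose their special meaning.
    pattern = term if term_type == "Regular expression" else re.escape(term)
    if whole_words:
        # The term must not be glued to other word characters on either side.
        pattern = r"(?<!\w)(?:" + pattern + r")(?!\w)"
    flags = re.IGNORECASE if ignore_case else 0
    if comparison in ("Equals", "Does Not Equal"):
        matcher = re.fullmatch      # the whole line must be the term
    elif comparison in ("Contains", "Does Not Contain"):
        matcher = re.search         # the term may appear anywhere in the line
    else:
        raise ValueError("unknown comparison: " + comparison)
    negate = comparison.startswith("Does Not")
    # Matching is line by line; the trailing newline is never part of the input.
    lines = text.splitlines() or [""]
    hit = any(matcher(pattern, line, flags) is not None for line in lines)
    return hit != negate


def condition_holds(text, terms, all_terms=False, **options):
    """OR across the terms by default; AND when 'All terms' is checked."""
    results = (term_matches(text, t, **options) for t in terms)
    return all(results) if all_terms else any(results)


def rule_violated(text, condition, exception=None):
    """A violation needs the IF condition to hold and the UNLESS exception not to."""
    if not condition_holds(text, **condition):
        return False
    return not (exception and condition_holds(text, **exception))


# Constructed rule data, using the words from the manual's own example.
SUBJECT_MATCHLIST = ["cellular", "credit", "debt", "diploma", "feel younger"]
SUBJECT_RULE = {"terms": SUBJECT_MATCHLIST}
UNLESS_ROCHESTER = {"terms": ["Rochester"]}
TRAILING_NUMBER = {"terms": ["^.+![0-9]+$"],
                   "term_type": "Regular expression",
                   "comparison": "Equals"}

# Constructed sample subject lines.
SAMPLE_SUBJECTS = [
    "Feel younger in 30 days",
    "Rochester credit union newsletter",
    "Lunch on Friday?",
    "Here's a hot stock pick!43234",
]


def evaluate_samples():
    """Return (subject, matchlist rule hit, trailing-number rule hit) per sample."""
    return [(s,
             rule_violated(s, SUBJECT_RULE, UNLESS_ROCHESTER),
             rule_violated(s, TRAILING_NUMBER))
            for s in SAMPLE_SUBJECTS]


if __name__ == "__main__":
    for subject, matchlist_hit, trailing_hit in evaluate_samples():
        print(f"{subject!r}: matchlist={matchlist_hit} trailing_number={trailing_hit}")
```

Running a new rule through a harness like this before deploying it shows whether Contains without Whole words only is catching unintended words such as Freedom.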

DOS wildcard style expressions

DOS wildcard style expressions (“*”, “.”, and “?”) provide you with a convenient way to specify file names, similar to the way in which DOS wildcard characters are used. For example, matchlists of type DOS wildcard are typically used with the Attachment Name Attribute to specify file names such as *.exe. In addition, a DOS wildcard expression allows you to easily specify files without extensions.

Table 6-4 describes the DOS wildcard style expressions.

Table 6-4 DOS wildcard expressions

| DOS wildcard expression | Equivalent regular expression | Description |
|---|---|---|
| * | .* | Zero or more of any character |
| ? | [^\.] | Any one character except the period (.) |
| . | \. | Literal period character |
| *. | [^\.]+\.? | Does not contain a period, but can end with one |

Working with matchlist settings

You can create a matchlist that includes words, email addresses, or domains that you want to filter. Matchlists support literal strings, DOS wildcard-style expressions, or regular expressions.

After you create a matchlist, you can define a filtering rule that uses the matchlist. The rule will catch any word or phrase that is in the matchlist. Matchlists provide a way to filter content that applies to a specific situation.

Outbreak triggers are used to add a subject line or an attachment name of a possible virus to a triggered matchlist on the server. This lets you create a rule that automatically blocks suspicious subjects and file names.

See “About outbreak triggers” on page 151.

If you want to filter a specific set of extensions, you can create a matchlist of those extensions and then reference the list from the filtering rules. You can add more extensions to the matchlist. The filtering rules are updated automatically.

You can create new matchlists, add to an existing matchlist, or delete or edit words in a matchlist. After you create a matchlist, you can define a filtering rule that refers to the matchlist.
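
The Table 6-4 equivalents can be applied mechanically to check what an attachment-name matchlist will and will not catch before it is deployed. The following Python sketch is an added example, not Symantec's code: the function names and the sample matchlist are hypothetical, Python's `re` stands in for the product's engine, and treating `*.` as a whole-expression special case is an assumption drawn from its table row.

```python
import re

# Per-character equivalents from Table 6-4.
WILDCARD_EQUIVALENTS = {"*": ".*", "?": r"[^\.]", ".": r"\."}

# Regular expression from Table 6-3 for two three-letter extensions.
DOUBLE_EXTENSION = r".+\....\...."


def dos_wildcard_to_regex(expr):
    """Translate a DOS wildcard-style expression into a regular expression."""
    if expr == "*.":
        # Whole-expression case: no period in the name, but it may end with one.
        return r"[^\.]+\.?"
    return "".join(WILDCARD_EQUIVALENTS.get(ch, re.escape(ch)) for ch in expr)


def wildcard_matches(expr, filename, ignore_case=True):
    """True if the whole file name matches the wildcard expression."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(dos_wildcard_to_regex(expr), filename, flags) is not None


def blocked_by(matchlist, filename):
    """Return the first matchlist entry that matches the attachment name, else None.

    Only the first-level (outermost) attachment name is tested, as the manual
    notes: names inside a .zip are not seen by the filtering engine.
    """
    for entry in matchlist:
        if wildcard_matches(entry, filename):
            return entry
    return None


def has_double_extension(filename):
    """Apply the Table 6-3 pattern with the Equals comparison (whole name)."""
    # As Table 6-3 states, the pattern covers three-letter extensions only;
    # extensions of other lengths need their own matchlist entry.
    return re.fullmatch(DOUBLE_EXTENSION, filename) is not None


# Constructed matchlist of type "Wild cards" and constructed attachment names.
ATTACHMENT_MATCHLIST = ["*.exe", "*.com", "*."]
SAMPLE_NAMES = ["Filename.gif.exe", "SETUP.COM", "README", "notes.txt", "archive.zip"]


def coverage_report():
    """Return (name, matching entry or None, double-extension hit) per sample."""
    return [(n, blocked_by(ATTACHMENT_MATCHLIST, n), has_double_extension(n))
            for n in SAMPLE_NAMES]


if __name__ == "__main__":
    for name, entry, double_ext in coverage_report():
        print(f"{name}: matchlist entry={entry} double extension={double_ext}")
```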

Create, edit, and delete matchlists

You can create, edit, and delete matchlists.

To create a matchlist

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Match Lists.

3 On the sidebar, under Tasks, click Add match list.

4 In the Match list title box, type a name for the matchlist, and then click OK.

5 In the upper right pane of the content area, in the Description box, type a description for the matchlist.

6 In the Type box, select one of the following:

■ Literal string

■ Regular expression

■ Wild cards

7 In the Filter box, type a literal string, regular expression, or DOS wildcard-style expression and press Enter. Repeat for all entries you want to add.

You can link several regular expressions to form a larger one to match certain content in email.

8 Click Deploy changes/Deploy all or proceed to your next task.

To edit a matchlist

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Match Lists.

3 In the content area, in the left pane, select the name of the list you want to edit.

4 In the Filter box, add and delete entries as desired. Press Enter after each new entry.

All entries in a matchlist must be of the same type.

You can link several regular expressions to form a larger one to match certain content in email.

5 Click Deploy changes/Deploy all or proceed to your next task.

To delete a matchlist

1 On the primary navigation bar, click Policies.

2 On the sidebar, under Content Enforcement, click Match Lists.

3 In the content area, in the left pane, select the name of the list you want to delete.

4 On the sidebar, under Tasks, click Delete match list.

5 In the dialog box, click OK.

6 Click Deploy changes/Deploy all or proceed to your next task.

About Outbreak Triggered Attachment Names and Subject Lines matchlist options

The Outbreak Triggered Attachment Names and Outbreak Triggered Subject Lines display names and subjects that are generated from Outbreak Heuristic Triggers. Symantec Mail Security automatically adds the names of outbreak triggered attachments to the Outbreak Triggered Attachment Names matchlist. Outbreak triggered subject lines are automatically added to the Outbreak Triggered Subject Lines matchlist.

You can edit the text that is displayed under matchlist Filter, but you should leave these as literal strings.

See “Working with matchlist settings” on page 135.

Table 6-5 describes the options for Outbreak Triggered Attachment Names and Outbreak Triggered Subject Lines.

Table 6-5 Outbreak Trigger matchlist options

Matchlist description: This specifies where the Outbreak Triggered matchlist was generated:

■ Outbreak Triggered Attachment Names

■ Outbreak Triggered Subject Lines

This list contains:

■ Literal strings: This is the default. You should leave these as literal strings.

■ Regular expressions

■ DOS wildcard style expressions

Matchlist filter: This lists the Attachment Names or Subject Lines that are added to the matchlist by the trigger.

Configuring and running scans

Scans examine messages on your Microsoft Exchange Servers for known viruses, prohibited content, and files that exhibit behaviors that are associated with viruses.

See “Configuring Auto-Protect scanning” on page 138.

See “Running Manual scans” on page 139.

See “Scheduling a scan” on page 141.

Configuring Auto-Protect scanning

Auto-Protect operates continuously and automatically. When background scanning is enabled, Microsoft Exchange creates a background thread for each message database in the Exchange store. These threads run at a lower priority in order to minimize the impact on other Exchange Server actions. As each thread reads through the messages in the database, it detects the messages that have not been scanned by the latest virus definitions and scans them with Symantec Mail Security. This is useful if you have updated your virus definitions and need to re-scan the entire store with these new definitions.

When “On virus definition update, force rescan before allowing access to information store” is enabled, Microsoft Exchange will not allow access to any messages in the store until Symantec Mail Security has re-scanned them using Auto-Protect scanning and background scanning.

Note: Message body scanning is enabled by default for the highest level of protection. Do not disable it unless you have a compelling reason to do otherwise. When you uncheck this option, the Symantec Mail Security for Microsoft Exchange filtering rules for the store do not work, and viruses in message bodies are not detected. (Some viruses are found only in the message body.)

To configure Auto-Protect scanning

1 On the primary navigation bar, click Scans.

2 On the sidebar, under Views, click Auto-Protect.

3 In the content area, check the desired auto-protect options from the following:

■ Enable Auto-Protect

■ Enable background scanning

■ On virus definition update, force rescan before allowing access to information store

■ Scan message bodies

■ Virus scan messages during SMTP transport

4 Click Deploy changes/Deploy all or proceed to your next task.

Running Manual scans

Manual scans are useful in situations in which you want to scan messages for specific purposes. For example, you could create a rule to flag a particular category of subject-line violations that are associated with a new virus, and then run the scan immediately.

The upper pane of the Manual Scan screen shows the results of all scans in a table. To view detailed results of a scan in the lower pane, select its entry.

See “How scans work” on page 121.

To run a Manual scan

1 On the primary navigation bar, click Scans.

2 Under Views, select Manual Scan.

3 Under Tasks, click Run now.

4 Click Deploy changes/Deploy all or proceed to your next task.

Editing the Manual scan

You can edit the Manual scan to search for specific criteria or to set scan limits.

To set initial parameters

1 On the primary navigation bar, click Scans.

2 Under Views, select Manual Scan.

3 Under Tasks, click Edit manual scan.

4 Under Scan Options, optionally, check one or more of the following:

■ Stop scanning after __ minutes.

If you select this option, accept the default (120) or type the number of minutes you want the scan to run.

■ Only scan items modified after last scan.

■ Scan message bodies.

5 Click Next.

To select scan locations

1 Under Scan Location, in the left column, click one of the following:

■ All mailboxes

■ Exclude mailboxes

■ Specific mailboxes

The Specific mailboxes option is available only when configuring a single server, not a group.

If this option is selected, select one or more mailboxes from the left pane.

2 Under Scan Location, in the right column, click one of the following:

■ All public folders

■ Exclude public folders

■ Specific public folders

The Specific public folders option is available only when configuring a single server, not a group.

If this option is selected, select one or more public folders from the right pane.

3 Click Next.

To enable Content Filtering Rules

1 Under Content Filtering rules, click a row to select it.

2 To enable or disable a rule, click the Enable column and select Enable or Disable from the menu.

3 Click Finish.

Viewing Manual scan results

You can view manual scan results.

To view scan results

1 On the primary navigation bar, click Scans.

2 Under Views, select Manual Scan.

In group view, if the table remains blank, press F5 to populate it. This is because in a very large group, the process can take several minutes. You must also press F5 to refresh the display with the latest events.

Scheduling a scan

In addition to Auto-Protect scanning, which is set to run by default, you can schedule scans to look for different types of rule violations than those that are covered by the Auto-Protect scan.

To schedule a scan

1 On the primary navigation bar, click Scans.

2 On the sidebar, under Views, select Scheduled Scans.

3 Under Tasks, click Add new scan.

4 In the add new scan window, type a scan name, select and customize the desired scan options, and then click Next.

5 Select the locations to include or exclude, and then click Next.

6 Enable the rules that you want to apply to the scan by clicking the entry in the left column and selecting Enable from the menu, and then click Next.

7 Select the time of day for the scheduled scan (in 24-hour format), days of the week, dates of the month, and any additional options.

The Run scan at service start option should not be used in a cluster environment.

8 Click Finish.

9 Click Deploy changes/Deploy all or proceed to your next task.

Deleting scans

You can delete a scheduled scan when it is no longer needed.

To delete a scheduled scan

1 On the primary navigation bar, click Scans.

2 Under Views, select Scheduled Scans.

3 Select the scan that you want to delete.

4 Under Tasks, click Delete scan.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Chapter 7 Maintaining virus protection

This chapter includes the following topics:

■ How Symantec Mail Security detects and prevents viruses

■ Configuring your Internet connection for virus definition updates

■ Keeping your virus protection current

■ Setting up your own LiveUpdate server

How Symantec Mail Security detects and prevents viruses

If you are using the Symantec Central Quarantine Server, you have the benefit of the Symantec Digital Immune System. The Digital Immune System is Symantec’s unique technology for automatic detection and repair of security risks. The Digital Immune System lets a computer network instantly identify potentially harmful agents or abnormal conditions and take protective measures as needed. The Digital Immune System automates the submission of potential threats and automatically delivers repairs to the problem computer or the entire enterprise.

Symantec Mail Security works with the Digital Immune System to do the following:

■ Allow submission of unrepairable, new, and user-specified files to Symantec for analysis.

■ Automate and strip submitted messages of non-virus content (in the case of Microsoft Word and Excel).

■ Track submissions in real time using HTTPS communications between the Quarantine Server and the Digital Immune System.

■ Automatically distribute repairs (new virus definitions) to the Quarantine Server as soon as possible.

The Quarantine Server is available with Symantec Mail Security and is installed separately. If installed, virus quarantined messages can be forwarded to the central Quarantine Server for use with the Digital Immune System.

For more information, see the Symantec Quarantine Server documentation.

Note: Messages that do not contain a virus but violate policies or rules are not sent to Central Quarantine.

About virus definition files

Symantec Mail Security relies on up-to-date information to detect and eliminate viruses. One of the most common reasons that virus problems occur is that virus definition files are not updated after installation. Symantec regularly supplies updated virus definition files that contain the necessary information about all newly discovered viruses. Regular updates of that information maximize security and guard your organization’s Exchange mail system against virus infections and the downtime that is associated with a virus outbreak.

Symantec Mail Security provides two types of virus definitions as follows:

■ Rapid Release definitions provide the fastest response to emerging threats and are updated approximately every hour. Rapid Release definitions are delivered by FTP and provide reliable first-line protection.

■ LiveUpdate certified definitions are updated less frequently as the certified definitions undergo more stringent testing.

If your organization has both front-end and back-end Exchange Servers, you may want to consider using Rapid Release definitions on the front-end for the fastest response to new threats and leverage certified Live Update definitions on the Exchange back-end mailbox servers.

Configuring your Internet connection for virus definition updates

LiveUpdate operation requires an Internet connection. If you need to configure an Internet connection for LiveUpdate, use the Symantec LiveUpdate option in the Windows 2000 or 2003 Control Panel. This will be necessary, for example, if you are using a proxy server.

To configure your Internet connection for virus definition updates

1 In the Windows 2000 or 2003 Control Panel, double-click Symantec LiveUpdate.

2 Modify your Internet connection settings, if necessary.

Keeping your virus protection current

Symantec Mail Security supports virus definition updates through LiveUpdate and Rapid Release.

If Symantec Mail Security is installed on only one Microsoft Exchange Server, use the single-server user interface to update virus definitions.

If Symantec Mail Security is installed on several Exchange Servers, you can use the UI in Group view to enable Rapid Release downloads on individual servers. However, the UI will download only LiveUpdate updates and will distribute only the LiveUpdate updates to the servers.

If you have Symantec AntiVirus Corporate Edition installed, you must disable LiveUpdate/Rapid Release and allow Symantec AntiVirus to update definitions.

Updating virus definitions for a single server

The following options are available through the single-server user interface for updating virus definitions on a single server:

■ Manually start a LiveUpdate or Rapid Release session: Download the virus updates when the session is started.

■ Schedule automatic LiveUpdates for the Exchange Server: Schedule days of the week and a time to run LiveUpdate. During installation of Symantec Mail Security, a default LiveUpdate schedule is set. You can reconfigure the LiveUpdate schedule. Once this option is saved, LiveUpdate sessions take place automatically, at the specified times, without administrator intervention.

■ Enable Rapid Release for the Exchange Server: Configure and save the Rapid Release option. Updates will occur without administrator intervention. The default interval is hourly, but you can vary the interval to up to 12 hours.

To manually update virus definitions for a single server

1 At the top of the window, click Change next to the Server/group panel.

2 In the Select Asset window, in the content area, select the server whose virus definitions you intend to update, and then click Select.

3 On the primary navigation bar, click Admin.

4 On the sidebar, under Views, click LiveUpdate/Rapid Release Status.

5 Under Tasks, click Run LiveUpdate and/or Run Rapid Release.

To schedule virus definition updates

1 At the top of the window, click Change next to the Server/group panel.

2 In the Select Asset window, in the content area, select the server whose virus definitions you intend to update, and then click Select.

3 On the primary navigation bar, click Admin.

4 On the sidebar, under Views, click LiveUpdate/Rapid Release Schedule.

5 In the content area, check Enable automatic virus definition updates.

6 Click one of the following:

■ Use Rapid Release definitions

■ Use Certified LiveUpdate definitions

7 If you have Auto-Protect enabled and also select Rapid Release updates, you should disable at least one of the following features on servers that have a message store:

■ Enable background scanning

■ On virus definition update, force rescan before allowing access to information store

When both of these options are enabled, the message store is rescanned each time the virus definitions are updated. Because Rapid Release virus definitions are updated every hour, this can impact overall mail throughput.

Page 147: Symantec™ Mail Security for Microsoft Exchange ...m-abs.net/SYmantech-2/Docs/SMSMSE/SymantecMailSecurity.pdf · symantec™ mail security for microsoft® exchange symantec corporation

147Maintaining virus protectionKeeping your virus protection current

8 Additionally, if you have selected Rapid Release updates, you should disable the “On virus definition update, force rescan before allowing access to information store” feature for all scheduled scans. If this option is enabled in a scheduled scan, the scheduled scan will run when virus definitions are updated. Because definitions are delivered more frequently with Rapid Release definitions, the scan may not complete before new definitions are available. This can impact overall mail throughput.

Rapid Release automatically runs once every hour.

9 For LiveUpdate, under Schedule Settings, select one of the following:

■ Run every [ ] hours: Select the interval in hours that you want to run LiveUpdate.

■ Run at a Specific Time: If you select this option, type the time of day (in 24-hour format) and check the day or days of the week that you want LiveUpdate to run.

10 Click Deploy changes/Deploy all or proceed to your next task.

Updating virus definitions for multiple servers

The UI lets you update virus definitions across all of your Exchange Servers. You can run LiveUpdate immediately from the Home page if you are between scheduled LiveUpdate sessions. For example, you may learn of a new virus that attacks mail servers and want to manually distribute the latest virus definitions as soon as possible.

When virus definitions are distributed from the UI to servers, the virus definitions are always copied to the server. The server selects the latest definitions, whether they are distributed from the UI or whether they already exist on the server.

See “Keeping your protection updated automatically” on page 71.

You can use the Symantec Mail Security UI to update virus definitions across all managed servers as follows:

■ Configure the scheduling of LiveUpdates for all managed servers or only for servers in a specific administrative group: When configuring the schedule for multiple Exchange Servers, LiveUpdate will run at the specified time in the local time zone of each server. For example, if you schedule a LiveUpdate session for every Saturday at 10 P.M. and push that setting from a site in Sydney to an Exchange Server in Manila and to one in San Francisco, LiveUpdate will run for the Manila server every Saturday at 10 P.M., their local time, and LiveUpdate will run for the San Francisco server every Saturday at 10 P.M., their local time.

■ Manually update virus definitions on the managed servers: You can download the latest definitions to the home server, and then distribute those updates to a server group.

Note: When pushing out definitions to managed servers, the license file must be current or the definitions will not be applied to the servers.

See “Installing on multiple servers” on page 44.

To schedule virus definition updates for all servers or servers in a group

1 At the top of the window, click Change next to the Server/group panel.

2 In the Select Asset window, in the content area, select the server whose virus definitions you intend to update, and then click Select.

3 On the primary navigation bar, click Admin.

4 On the sidebar, under Views, click LiveUpdate/Rapid Release.

5 In the content area, check Enable automatic virus definition updates.

6 Click Use Certified LiveUpdate definitions.

7 Under Schedule Settings, select one of the following:

■ Run every [ ] hours: Select the interval in hours that you want to run LiveUpdate.

■ Run at a Specific Time: If you select this option, type the time of day (in 24-hour format) and check the day or days of the week that you want LiveUpdate to run.

8 Click Deploy changes/Deploy all or proceed to your next task.

To manually update virus definitions for a group of managed servers

1 On the menu bar, select Tasks > Manage Assets.

2 In the Asset Management window, in the content area, select the server group whose virus definitions you intend to update, and then click Close.

3 On the primary navigation bar, click Admin.

4 On the sidebar, click LiveUpdate Status.

This option is not available in single server view.

5 On the sidebar, under Tasks, click Run LiveUpdate.

Setting up your own LiveUpdate server

The LiveUpdate Administration Utility, which is available on the Symantec Mail Security CD, lets you set up an intranet HTTP, FTP, or LAN server, or a directory on a standard file server to handle LiveUpdate operations for your network.

For more information, see the LiveUpdate Administrator’s Guide on the Symantec Mail Security CD.

If you set up your own LiveUpdate server, you must edit the LiveUpdate configuration for Symantec Mail Security to point to the local LiveUpdate server.

For more information, contact Symantec Service and Support.

Chapter 8: Managing outbreaks

This chapter includes the following topics:

■ About outbreak management

■ About outbreak triggers

■ About defining what constitutes an outbreak

About outbreak management

An outbreak situation occurs when an excessive number of viruses or events that exhibit virus-like behavior occur on a network. When an outbreak occurs, prompt identification of the situation and notification of administrative staff is critical.

Symantec Mail Security lets you manage outbreaks by doing the following:

■ Specify the criteria for an outbreak. These criteria consist of the event being monitored and the number of times that the event must occur during a specified time interval.

■ Define the email notifications to send to administrators when the criteria for an outbreak are met.

■ End the outbreak event once the situation has been managed.

About outbreak triggers

The set of defining criteria for an outbreak is called an outbreak trigger. Each outbreak trigger monitors only one type of event and defines an outbreak as the frequency of the specified event within a given time period.

For example, one outbreak trigger could be defined as the occurrence of 50 or more unscannable files within one hour. Another outbreak trigger could be defined as 30 or more filtering rule violations within 15 minutes.

If you have configured multiple outbreak triggers and a message is received that violates more than one of them, Symantec Mail Security goes into outbreak mode and stops looking for additional outbreaks. Only one outbreak rule will be triggered.

Outbreak triggers apply only to Auto-Protect scans.

Enabling outbreak management

Outbreak management is enabled by default. You can specify the interval during which you want to check for outbreaks. By default, the interval is set to every two minutes. At least one outbreak trigger must be enabled for outbreak management to work.

See “Enabling and disabling outbreak triggers” on page 153.

To enable outbreak management

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, check Enable Outbreak Management.

4 In the Check for Outbreaks every ___ minutes box, accept the default (2) or type the interval in minutes to wait between checks for viruses or occurrences of a specified file behavior.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Clearing outbreak notifications

You can end outbreak notifications at any time. Otherwise, the notifications will continue until the outbreak is no longer in effect.

To clear outbreak notifications

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 Under Tasks, click Clear current outbreak.

Enabling and disabling outbreak triggers

You can enable and disable the individual outbreak triggers and set them to notify administrators of an outbreak. If you disable Outbreak Management, the trigger settings are retained.

To enable or disable an outbreak trigger

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the upper pane, in the table, select a trigger to enable or disable. Click the entry (Enabled or Disabled) in the left column and select Enabled or Disabled from the menu.

4 Check Notify Administrator if you want to notify administrators upon activation of the outbreak trigger.

For administrators to receive email notifications of an outbreak, the notification email address must be valid.

See “Configuring notifications and alerts” on page 70.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

Enabling or disabling content enforcement rules

The Same subject and Same attachment name outbreak triggers contain content enforcement rules that you can enable and disable. You can also edit these rules.

To edit content enforcement rules, see “Configuring content enforcement” on page 76.

To enable or disable content enforcement rules

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the upper pane, in the table, in the Same subject or Same attachment name line, click View Rule to view and enable or disable the content enforcement rules associated with the trigger.

4 In the dialog box, ensure that Enable content filtering is checked.

5 In the dialog box, select the rule that you want to enable or disable. Click the entry in the Enable column and select Enabled or Disabled from the menu.

6 Check Update Match List (if available) if you want to automatically add the attachment name or subject to the Outbreak Triggered Names Matchlist or Outbreak Triggered Subjects Matchlist when a trigger is activated.

7 Click Close.

8 Click Deploy changes/Deploy all or proceed to your next configuration task.

Configuring outbreak notifications

Outbreak management includes a notification feature that you can modify to suit your organization.

To configure outbreak notifications

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the lower pane, under Initial Notification, accept the default or type new Subject Line and Message Body text to be used in the administrator notification.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

4 Under Subsequent Notifications, accept the default or type new Subject Line and Message Body text to be used in the administrator notification.

The text between percent signs (%) represents variables, which fill in automatically when the message is sent.

See Table 3-5, “Replacement variables for alerts and notifications,” on page 65.

5 Click Deploy changes/Deploy all or proceed to your next configuration task.

About defining what constitutes an outbreak

When defining an outbreak, you must specify the number of occurrences of the monitored item that are necessary to trigger the outbreak and the time span within which the occurrences can take place.

Although there are no standard numbers to use when specifying frequencies, you should take into consideration the threat potential of the event category that is being monitored, the size of your mail system, the amount of mail that is typically processed, and the stringency with which you want to define an outbreak.

As your outbreak triggers are tested, you should fine-tune the values that you use. Notifications are issued whenever an outbreak trigger is activated. The notifications are re-issued every two minutes, or at the interval you have chosen, while the outbreak condition remains. You should adjust the threshold to strike a balance between catching outbreaks and issuing notifications based on incorrect identification of an outbreak.

If a string property such as an attachment name is selected as a monitored item for an outbreak, Symantec Mail Security stores in memory every attachment name that it scans for the specified time span. Once the time span elapses, the attachment names (or other specified string property) are no longer held in memory.
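The trigger model described in this chapter (one event type per trigger, a count within a time span, a check every two minutes, and only one trigger in effect at a time) can be sketched as follows. This is an added illustration, not Symantec Mail Security code: all class, function and trigger names are hypothetical, the sample events are constructed, and the first-match ordering and the behavior of clearing an outbreak are assumptions. The 50-per-hour and 30-per-15-minutes thresholds are the examples from the text; the 5-in-10-minutes attachment threshold is constructed.

```python
from collections import Counter, deque
from dataclasses import dataclass, field

MINUTE, HOUR = 60, 3600


@dataclass
class Trigger:
    """One outbreak trigger: a single event type, a count, and a time span."""
    name: str
    event_type: str
    occurrences: int          # "Occurrences" column
    span: int                 # "Time" x "Unit" columns, in seconds
    by_value: bool = False    # True: count repeats of one string (same attachment name)
    enabled: bool = True
    window: deque = field(default_factory=deque, repr=False)

    def expire(self, now):
        # Events (and any stored strings) leave memory once the span elapses.
        while self.window and self.window[0][0] <= now - self.span:
            self.window.popleft()

    def is_met(self):
        if not self.window:
            return False
        if self.by_value:
            counts = Counter(value for _, value in self.window)
            return max(counts.values()) >= self.occurrences
        return len(self.window) >= self.occurrences


class OutbreakMonitor:
    def __init__(self, triggers):
        self.triggers = triggers
        self.active = None        # trigger currently in outbreak mode, if any
        self.notifications = []   # (time, "initial" | "subsequent", trigger name)

    def record(self, ts, event_type, value=None):
        for t in self.triggers:
            if t.enabled and t.event_type == event_type:
                t.window.append((ts, value))

    def check(self, now):
        for t in self.triggers:
            t.expire(now)
        if self.active is not None:
            # In outbreak mode no other trigger is evaluated.
            if self.active.is_met():
                self.notifications.append((now, "subsequent", self.active.name))
            else:
                self.active = None
            return
        for t in self.triggers:
            # Assumption: the first enabled trigger in list order wins.
            if t.enabled and t.is_met():
                self.active = t
                self.notifications.append((now, "initial", t.name))
                break

    def clear_current_outbreak(self):
        # Assumption: clearing also discards the counted events, so the same
        # events do not raise the outbreak again at the next check.
        if self.active is not None:
            self.active.window.clear()
            self.active = None


def simulate(events, triggers, check_every=2 * MINUTE, until=30 * MINUTE):
    """Replay (ts, event_type, value) tuples and check at a fixed interval."""
    monitor = OutbreakMonitor(triggers)
    pending = deque(sorted(events, key=lambda e: e[0]))
    for now in range(check_every, until + 1, check_every):
        while pending and pending[0][0] <= now:
            monitor.record(*pending.popleft())
        monitor.check(now)
    return monitor


def example_triggers():
    return [
        Trigger("unscannable_files", "unscannable", 50, 1 * HOUR),
        Trigger("filter_violations", "filter_violation", 30, 15 * MINUTE),
        Trigger("same_attachment_name", "attachment", 5, 10 * MINUTE, by_value=True),
    ]


def constructed_events():
    # Constructed sample: 40 rule violations 20 s apart, plus 5 copies of one attachment name.
    events = [(ts, "filter_violation", None) for ts in range(0, 800, 20)]
    events += [(ts, "attachment", "invoice.scr") for ts in range(500, 550, 10)]
    return events


if __name__ == "__main__":
    for note in simulate(constructed_events(), example_triggers()).notifications:
        print(note)
```

Replaying the sample shows why threshold tuning matters: the outbreak stays in effect, and notifications repeat at every check, until enough events age out of the 15-minute window.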

Adjusting time parameters to define outbreaks

You can adjust the time period that defines a string of events as an outbreak.

To adjust outbreak time parameters

1 On the primary navigation bar, click Policies.

2 On the sidebar, under General, click Outbreak.

3 In the content area, in the upper pane, in the table, do one or more of the following:

■ To adjust the number of occurrences of an event, click the entry in the Occurrences column and type a new value in the box.

■ To adjust the time interval in which the event will occur to trigger an outbreak, click the entry in the Time column and type a new value in the box.

■ To adjust the units of time defined by the Time column, click the entry in the Unit column and select Minutes, Hours, or Days from the menu.

4 Click Deploy changes/Deploy all or proceed to your next configuration task.

Chapter 9: Using Symantec Mail Security data

This chapter includes the following topics:

■ Viewing server status

■ Working with event data

■ Working with report data

■ Viewing events in the Windows Event Log

Viewing server status

Symantec Mail Security provides server status information on the Home screen and on the Monitors page. The Monitors page provides detailed information on a selected server.

To view server status

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Server Status.

3 To view detailed data for a server, on the upper pane, click the server’s entry.

In group view, if the table remains blank, press F5 to populate it. In a very large group, populating the table can take several minutes.

You must also press F5 to refresh the display with the latest events.

Working with event data

The Symantec Mail Security event log records all virus, configuration, rule violation, and server events. The log lists entries in chronological order with the most current event at the top. The event log displays information, warning, and error events.

You can filter event data by categories such as rule violation, virus, LiveUpdate, and quarantine. You can also select a start date from which to begin displaying event data.

The event log does not refresh automatically. You must press F5 to refresh the display with the most recent list of events.

The event log displays the most recent 5000 Symantec Mail Security events from the Windows Event Log per server. For example, if your group contains five servers, the event log can display up to 25,000 events.

Viewing event data

The Symantec Mail Security event log lets you view and sort event data that is generated by Symantec Mail Security and written to the Windows Application Event Log.

You can also filter the Symantec Mail Security event log to view only the events in which you are interested.

To view the Symantec Mail Security event log

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Event Log.

3 To sort the list data by different criteria, click the column headers.

In group view, if the Event Log remains blank, press F5 to populate it. In a very large group, populating the log can take several minutes.

You must also press F5 to refresh the display.

To filter the Symantec Mail Security event log

1 On the primary navigation bar, click Monitors.

2 On the sidebar, under Views, click Event Log.

3 In the Number of items per page box, accept the default or select a number from the menu.

4 In the List box, select a category on which to filter the event data.

5 In the entries since box, select a start date from which to begin displaying event data.

6 Click Display to show the filtered data.

Working with report data

Symantec Mail Security collects extensive report data on threats, security risks, content violation, spam, and server information. You can use this data to generate summary or detailed reports based on different subsets of the data. When you define a report, you specify criteria such as the time span of the collected data, whether to show specific violations or all violations, and the format of the report itself.

The email client that you use to view reports sent by Symantec Mail Security must support and allow HTML-based attachments.

If you use Outlook Express, you need to make the following settings:

■ On the Security Tab, deselect the option titled “Do not allow attachments to be saved or opened that could potentially be a virus.”

■ On the Read Tab, deselect the option titled “Read all messages in plain text.”

About report templates

Report templates let you define a subset of the raw report data that is collected by Symantec Mail Security for a single server. The goal of creating a template is to describe a set of data that summarizes threats, security risks, content violation, spam, and server information, which can be saved and used to generate on-demand or scheduled reports. Report templates can include different categories or combinations of security-related statistics. They are useful for summarizing virus, rule violation, and scanning information on a regular basis.

You can create different report templates to describe different subsets of the raw report data. Once a report template is created, the template is saved in the single-server user interface, which you can access to generate reports.

The two main categories of report templates are as follows:

■ Executive summary report template

■ Detailed report template

Creating an on-demand executive summary report template

An on-demand executive summary report provides summary information when you request it.

Note: Reports cannot be generated with a new or updated report template until it is deployed to the server.

To identify the template and distribution

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Templates.

3 On the sidebar, under Tasks, click Add new template.

4 Under Report Template Options, in the Template Name box, type a name for the report template.

5 If desired, type a description of the template in the Description box.

6 Under Report Type, click Executive Summary.

7 Under Report Format, click Integrated, CSV, or HTML.

8 If desired, check Email report to following participants and type one or more addresses (separated by semicolons) to which the report will be delivered.

9 Click Next.

To configure the report time range

1 Under Report Time Range, in the Time Range box, select a time range from the menu:

■ Past Day

■ Past Week

■ Past Month

■ Past Year

■ Customized

If Customized is selected, under Customize Time Range, in the Start Time and End Time boxes, modify the dates and times for the start and end of the report time range.

2 Under Report Generation Options, click On Demand.

3 Click Next.

To configure the report chart options

1 Under Report Chart Options, check the charts that you want to include in the report. You can leave the selections unchecked if you do not want to include any charts. Chart selections are as follows:

■ Violations pie chart

■ Virus line chart

■ Content line chart

■ Spam pie chart

2 If you selected Virus line chart or Content line chart, accept the granularity default (Week) or select a granularity from the menu. Granularity selections are as follows:

■ Day

■ Week

■ Month

■ Year

3 Click Next.

To configure report content

1 Under Executive Summary Template Options, accept the defaults (all selected) or uncheck the data that you do not want to appear in the Executive Summary report. Data selections are as follows:

Scan Summary Options

■ Show Scan Summary: Summary of messages processed during the current reporting period

■ Messages Scanned by SMTP: Total number of messages processed by SMTP during the current reporting period

■ Files Scanned by VSAPI: Total number of files processed by VSAPI during the current reporting period

■ Files Scanned by SMTP: Total number of files processed by SMTP during the current reporting period

Threats and Security Risks

■ Total Threats: Total number of threats detected during the current reporting period

■ Top Threats Table: Table of top threats during the current reporting period

■ Number to include: Number of threats to include in the Top Threats Table

■ Unrepairable Threats: Total number of unrepairable threats detected during the current reporting period

■ Unscannable Files: Total number of unscannable files detected during the current reporting period

■ Mass Mailer Threats: Number of messages in which mass-mailer threats were detected during the current reporting period

■ Total Security Risks: Number of security risks detected during the current reporting period

■ Threats Repaired: Number of threats repaired during the current reporting period

■ Threats Deleted: Number of threats deleted during the current reporting period

■ Threats Quarantined: Number of threats quarantined during the current reporting period

2 Click Next.

3 Under Executive Summary Template Options, accept the defaults (all selected) or uncheck the data that you do not want to appear in the Executive Summary report. Data selections are as follows:

Content Violations

■ Total Content Violations: Total number of messages containing inappropriate content during the current reporting period

■ Total Attachments Blocked: Total number of attachments blocked during the current reporting period

■ Total Multimedia/EXE Attachments Blocked: Total Multimedia/Executable attachments blocked during the current reporting period

■ Total Encrypted Attachments Blocked: Total encrypted attachments blocked during the current reporting period

■ Total Encrypted Attachment Rule Violations: Total number of messages containing encrypted files during the current reporting period

■ Table of Top Content Violations: Table of top Content Violations detected during the current reporting period

■ Number to include: Number of items to include in the Table of Top Content Violations

■ Table of Top Attachments Blocked: Table of top attachments blocked during the current reporting period

■ Number to include: Number of items to include in the Table of Top Attachments Blocked

Spam Options

■ Table of Top Spammers: Table of top spam sources identified during the current reporting period

■ Number to include: Number of items to include in the Table of Top Spammers

■ Spam by Category: Total number of spam categories identified during the current reporting period

■ Spam by Domain: Total number of spam domains identified during the current reporting period

■ Number to include: Number of domains to include in the Spam by Domain list

■ SCL for Spam: Accept the default (8) or type an SCL level

■ RBL Total Checks: Total number of messages checked against Realtime Black Lists

■ RBL Rejected: Total number of messages rejected by Realtime Black Lists

4 Click Next.

5 Under Server Information, accept the defaults (all selected) or uncheck the data that you do not want to appear in the Executive Summary report. Data selections are as follows:

■ Show Server Information: Check to enable the server information option

■ Machine Name: Name of the server

■ Server Status: Started or stopped

■ Auto-Protect Status: Started or stopped

■ Virus Definitions Date: Date of virus definitions in use during the reporting period

■ Product version: Installed version of Symantec Mail Security

■ Service Start Time: Date and time Symantec Mail Security was started

■ Symantec Premium AntiSpam Status: Enabled or Disabled

■ Virus Definition Version: Installed virus definition file

6 Click Finish.

7 Click Deploy changes/Deploy all or proceed to your next task.

Creating a scheduled executive summary report template

A scheduled executive summary report provides summary information on a regular schedule.

Note: Reports cannot be generated with a new or updated report template until it is deployed to the server.

To identify the template and distribution

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Templates.

3 On the sidebar, under Tasks, click Add new template.

4 Under Report Template Options, in the Template Name box, type a name for the report template.

5 If desired, type a description of the template in the Description box.

6 Under Report Type, click Executive Summary.

7 Under Report Format, click Integrated, CSV, or HTML.

8 If desired, check Email report to following participants and type one or more addresses (separated by semicolons) to which the report will be delivered.

9 Click Next.

To configure the report time range

1 Under Report Time Range, in the Time Range box, select a time range from the menu:

■ Past Day

■ Past Week

■ Past Month

■ Past Year

■ Customized

If Customized is selected, under Customize Time Range, in the Start Time and End Time boxes, modify the dates and times for the start and end of the report time range.

2 Under Report Generation Options, click Scheduled.

3 Under Scheduling Options, in the Generate report at box, select the time of day to generate the report.

4 Click Daily, Weekly, or Monthly.

If you click Weekly or Monthly, select the day of the week or month on which to generate the report.

5 Click Next.

To configure the report chart options

1 Under Report Chart Options, check the charts that you want to include in the report. You can leave the selections unchecked if you do not want any charts. Chart selections are as follows:

■ Violations pie chart

■ Virus line chart

■ Content line chart

■ Spam pie chart

2 If you selected Virus line chart or Content line chart, accept the granularity default (Week) or select a granularity from the menu. Granularity selections are as follows:

■ Day

■ Week

■ Month

■ Year

3 Click Next.

To configure report content

1 Under Executive Summary Template Options, accept the defaults (all selected) or uncheck the data that you do not want to appear in the Executive Summary report. Data selections are as follows:

Scan Summary Options

■ Show Scan Summary Summary of messages processed during the current reporting period

■ Messages Scanned by SMTP Total number of messages processed by SMTP during the current reporting period

■ Files Scanned by VSAPI Total number of files processed by VSAPI during the current reporting period

■ Files Scanned by SMTP Total number of files processed by SMTP during the current reporting period

Page 167: Symantec™ Mail Security for Microsoft Exchange ...m-abs.net/SYmantech-2/Docs/SMSMSE/SymantecMailSecurity.pdf · symantec™ mail security for microsoft® exchange symantec corporation

167Using Symantec Mail Security dataWorking with report data

2 Click Next.

3 Under Executive Summary Template Options, accept the defaults (all selected) or uncheck the data that you do not want to appear in the Executive Summary report. Data selections are as follows:

Threats and Security Risks

■ Total Threats: Total number of threats detected during the current reporting period

■ Top Threats Table: Table of top threats during the current reporting period

■ Number to include: Number of threats to include in the Top Threats Table

■ Unrepairable Threats: Total number of unrepairable threats detected during the current reporting period

■ Unscannable Files: Total number of unscannable files detected during the current reporting period

■ Mass Mailer Threats: Number of messages in which mass-mailer threats were detected during the current reporting period

■ Total Security Risks: Number of security risks detected during the current reporting period

■ Threats Repaired: Number of threats repaired during the current reporting period

■ Threats Deleted: Number of threats deleted during the current reporting period

■ Threats Quarantined: Number of threats quarantined during the current reporting period

Content Violations

■ Total Content Violations: Total number of messages containing inappropriate content during the current reporting period

■ Total Attachments Blocked: Total number of attachments blocked during the current reporting period

■ Total Multimedia/EXE Attachments Blocked: Total number of multimedia/executable attachments blocked during the current reporting period

■ Total Encrypted Attachments Blocked: Total number of encrypted attachments blocked during the current reporting period

■ Total Encrypted Attachment Rule Violations: Total number of messages containing encrypted files during the current reporting period

■ Table of Top Content Violations: Table of top content violations detected during the current reporting period

■ Number to include: Number of items to include in the Table of Top Content Violations

■ Table of Top Attachments Blocked: Table of top attachments blocked during the current reporting period

■ Number to include: Number of items to include in the Table of Top Attachments Blocked

Spam Options

■ Table of Top Spammers: Table of top spam sources identified during the current reporting period

■ Number to include: Number of items to include in the Table of Top Spammers

■ Spam by Category: Total number of spam categories identified during the current reporting period

■ Spam by Domain: Total number of spam domains identified during the current reporting period

■ Number to include: Number of domains to include in the Spam by Domain list

■ SCL for Spam: Accept the default (8) or type an SCL level

■ RBL Total Checks: Total number of messages checked against Realtime Black Lists

■ RBL Rejected: Total number of messages rejected by Realtime Black Lists

4 Click Next.

5 Under Server Information, accept the defaults (all selected) or uncheck the data that you do not want to appear in the Executive Summary report. Data selections are as follows:

■ Show Server Information: Check to enable the server information option

■ Machine Name: Name of the server

■ Server Status: Started or stopped

■ Auto-Protect Status: Started or stopped

■ Virus Definitions Date: Date of virus definitions in use during the reporting period

■ Product version: Installed version of Symantec Mail Security

■ Service Start Time: Date and time Symantec Mail Security was started

■ Symantec Premium AntiSpam Status: Enabled or Disabled

■ Virus Definition Version: Installed virus definition file

6 Click Finish.

7 Click Deploy changes/Deploy all or proceed to your next task.

Creating an on-demand detailed report template

An on-demand detailed report will provide detailed information when you request it.

Note: Reports cannot be generated with a new or updated report template until it is deployed to the server.

To identify the template and distribution

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Templates.

3 On the sidebar, under Tasks, click Add new template.

4 Under Report Template Options, in the Template Name box, type a name for the report template.

5 If desired, type a description of the template in the Description box.

6 Under Report Type, click Detailed.

7 Under Report Format, click Integrated, CSV, or HTML.

8 If desired, check Email report to following participants and type one or more addresses (separated by semicolons) to which the report will be delivered.

9 Click Next.

To configure the report time range

1 Under Report Time Range, in the Time Range box, select a time range from the menu:

■ Past Day

■ Past Week

■ Past Month

■ Past Year

■ Customized

If Customized is selected, under Customize Time Range, in the Start Time and End Time boxes, modify the dates and times for the start and end of the report time range.

2 Under Report Generation Options, click On Demand, and then click Next.

To configure the report chart options

1 Under Report Chart Options, check the charts that you want to include in the report. You can leave the selections unchecked if you do not want any charts. Chart selections are as follows:

■ Violations pie chart

■ Virus line chart

■ Content line chart

■ Spam pie chart

2 If you selected Virus line chart or Content line chart, accept the granularity default (Week) or select a granularity from the menu. Granularity selections are as follows:

■ Day

■ Week

■ Month

■ Year

3 Click Next.


To configure report content

1 Under Detailed Template Options, in the Sender box, type the name of the sender. You can use the * or ? wildcard characters to search for multiple senders.

2 In the Type of Violation box, select the type of violation from the menu. Type selections are as follows:

■ All

■ Content Filtering

■ Spam

■ Threats/Security Risks

3 In the Violation Filter box, select a violation filter from the menu. Filter selections vary based on the type of violation selected in step 2 and are as follows:

All

■ All

■ Allow-only Attachment Rule

■ Basic Virus Rule

■ Blank Subject and Sender

■ Encrypted File Rule

■ Executable File Rule

■ File Name Rule

■ Heuristic Antispam

■ Mass-Mailer Virus Rule

■ Quarantine Triggered Attachment Names

■ Quarantine Triggered Subjects

■ Sample Executable File

■ Security Risk Rule

■ Symantec Premium AntiSpam

■ Unrepairable Virus Rule

■ Unscannable File Rule

■ User Defined Rule

Content Filtering

■ All

■ Allow-only Attachment Rule

■ Blank Subject and Sender

■ Multimedia File Rule

■ Encrypted File Rule

■ Executable File Rule

■ Multimedia File Rule

■ Quarantine Triggered Attachment Names

■ Quarantine Triggered Subjects

■ Sample Executable File

■ Unscannable File Rule

■ User Defined Rule

Spam

■ Heuristic Antispam

■ Symantec Premium AntiSpam

Threats/Security Risks

■ All

■ Basic Virus Rule

■ Mass-Mailer Virus Rule

■ Security Risk Rule

■ Unrepairable Virus Rule

4 Under Select Filter to apply, under Sender Filter, type an identifying characteristic of the sender whose messages will appear in the report. This can be the domain name or address of the sender, or a name or word, or a wildcard expression.

5 Under Select Filter to apply, under Violation Filter, accept the default (all) or select the violation the report will include from the menu as follows:

■ All

■ Allow-only Attachment Rule

■ Basic Virus Rule

■ Blank Subject and Sender

■ Encrypted File Rule

■ Executable File Rule

■ File Name Rule

■ Heuristic Antispam

■ Mass-Mailer Virus Rule

■ Quarantine Triggered Attachments

■ Quarantine Triggered Subjects

■ Sample Executable File

■ Security Risk Rule

■ Symantec Premium AntiSpam

■ Unrepairable Virus Rule

■ Unscannable File Rule

■ User Defined Rule

6 Under Select the columns that will appear in the detailed report, accept the defaults (all selected) or uncheck the data you do not want to appear in the detailed report.

■ Date

■ Sender

■ Scan Type

■ Violation Type

■ Action Taken

■ Rule Violated

■ Location

■ Affected Item

■ Additional Info

■ Server Name

7 Click Finish.

8 Click Deploy changes/Deploy all or proceed to your next task.

Creating a scheduled detailed report template

A scheduled detailed report will provide detailed information on a regular schedule.

Note: Reports cannot be generated with a new or updated report template until it is deployed to the server.

To identify the template and distribution

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Templates.

3 On the sidebar, under Tasks, click Add new template.

4 Under Report Template Options, in the Template Name box, type a name for the report template.

5 If desired, type a description of the template in the Description box.


6 Under Report Type, click Detailed.

7 Under Report Format, click Integrated, CSV, or HTML.

8 If desired, check Email report to following participants and type one or more addresses (separated by semicolons) to which the report will be delivered.

9 Click Next.

To configure the report time range

1 Under Report Time Range, in the Time Range box, select a time range from the menu:

■ Past Day

■ Past Week

■ Past Month

■ Past Year

■ Customized

If Customized is selected, under Customize Time Range, in the Start Time and End Time boxes, modify the dates and times for the start and end of the report time range.

2 Under Report Generation Options, click Scheduled.

3 Under Scheduling Options, in the Generate report at box, select the time of day to generate the report.

4 Click Daily, Weekly, or Monthly.

If Weekly or Monthly, select the day of the week or month to generate the report.

5 Click Next.

To configure the report chart options

1 Under Report Chart Options, check the charts that you want to include in the report. You can leave the selections unchecked if you do not want any charts. Chart selections are as follows:

■ Violations pie chart

■ Virus line chart

■ Content line chart

■ Spam pie chart


2 If you selected Virus line chart or Content line chart, accept the granularity default (Week) or select a granularity from the menu. Granularity selections are as follows:

■ Day

■ Week

■ Month

■ Year

3 Click Next.

To configure report content

1 Under Detailed Template Options, in the Sender box, type the name of the sender. You can use the * or ? wildcard characters to search for multiple senders.

2 In the Type of Violation box, select the type of violation from the menu. Type selections are as follows:

■ All

■ Content Filtering

■ Spam

■ Threats/Security Risks

3 In the Violation Filter box, select a violation filter from the menu. Filter selections vary based on the type of violation selected in step 2 and are as follows:

All

■ All

■ Allow-only Attachment Rule

■ Basic Virus Rule

■ Blank Subject and Sender

■ Encrypted File Rule

■ Executable File Rule

■ File Name Rule

■ Heuristic Antispam

■ Mass-Mailer Virus Rule

■ Quarantine Triggered Attachment Names

■ Quarantine Triggered Subjects

■ Sample Executable File

■ Security Risk Rule

■ Symantec Premium AntiSpam

■ Unrepairable Virus Rule

■ Unscannable File Rule

■ User Defined Rule

Content Filtering

■ All

■ Allow-only Attachment Rule

■ Blank Subject and Sender

■ Multimedia File Rule

■ Encrypted File Rule

■ Executable File Rule

■ Multimedia File Rule

■ Quarantine Triggered Attachment Names

■ Quarantine Triggered Subjects

■ Sample Executable File

■ Unscannable File Rule

■ User Defined Rule

Spam

■ Heuristic Antispam

■ Symantec Premium AntiSpam

Threats/Security Risks

■ All

■ Basic Virus Rule

■ Mass-Mailer Virus Rule

■ Security Risk Rule

■ Unrepairable Virus Rule

4 Under Columns to Show, accept the defaults (all selected) or uncheck the data that you do not want to appear in the detailed report.

■ Date

■ Sender

■ Scan Type

■ Violation Type

■ Action Taken

■ Rule Violated

■ Location

■ Affected Item

■ Additional Info

■ Server Name

5 Click Finish.

6 Click Deploy changes/Deploy all or proceed to your next task.

Editing and deleting report templates

You can edit or delete report templates.

Note: Reports cannot be generated with a new or updated report template until it is deployed to the server.

To edit a report template

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Templates.

3 In the content area, select the template to edit.

4 On the sidebar, under Tasks, click Edit template.

5 Make changes to the format.

6 Click Next or Back to change screens, and click Finish when complete.

7 Click Deploy changes/Deploy all or proceed to your next task.

To delete a report template

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Templates.

3 In the content area, select the template to delete.

4 On the sidebar, under Tasks, click Delete template.

5 Click OK.

6 Click Deploy changes/Deploy all or proceed to your next task.

Generating and viewing reports

After you create a report template, you can use it to generate reports of violation information for a single server or a group. Report templates are saved by Symantec Mail Security and can be used multiple times. Symantec Mail Security automatically appends the current date and time to the name of your report template when it names the report. This lets you run the same report on different dates and compare the data. Once a report is generated, you can view it through the Symantec Mail Security interface.

See “Saving report data” on page 179.

Note: Reports can only be viewed when a single server is selected. You cannot view reports in the group view.

To generate a report

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Report Templates.

3 Select the name of a saved report template.

4 Click Generate Report.

5 When the Status entry in the Operation Status window changes to Completed, click Close.

6 On the sidebar, under Views, click Reports.

To view an existing report

1 On the primary navigation bar, click Reports.

2 On the sidebar, under Views, click Reports.

3 Select a saved report and under Tasks, click View Report.

4 In a detailed report, you can select the Sort View tab to sort the report data by any column.

This option is useful for doing research on violations.

5 You can print or save the displayed report using the buttons along the bottom of the report window.

6 You should print reports in landscape mode to prevent the data from being cut off at the right margin.

Saving report data

The generated reports include only a subset of the report data that is available. However, you can save the entire set of available data as a comma-separated value (.csv) file.

You can use the raw data files to do the following:

■ View or print the complete report data in an application such as Microsoft Excel.

■ Import the data into a third-party reporting application to generate custom charts and reports.

The SMSMSE 5.0 folder contains a folder labeled Reports. Each generated report is in a subfolder of the Reports folder. If you have Microsoft Excel on your computer, a .csv file will open automatically as an Excel spreadsheet, but you can also insert it into a different application for processing or display. An HTML file opens as an image identical to the report generated by the Generate Report function.

Viewing events in the Windows Event Log

Symantec Mail Security server events are also reported in the Windows Event Log. The Event Log is accessed on the computer on which Symantec Mail Security is installed.

To view events in the Windows Event Log

1 On the computer on which Symantec Mail Security is installed, click Start > Settings > Control Panel > Administrative Tools > Event Viewer.

2 In the left pane, click Application.

3 In the right pane, in the Source column, sort events for Symantec Mail Security.

Appendix A

Automatically sending spam to a spam folder

This chapter includes the following topics:

■ About the Symantec Spam Folder Agent for Exchange

■ About the Symantec Spam Plug-in for Outlook

About the Symantec Spam Folder Agent for Exchange

Symantec Mail Security features the Symantec Spam Folder Agent for Exchange. The agent is installed separately from the standard Symantec Mail Security installations.

The agent creates a spam subfolder and a server-side filter in each user’s mailbox. This filter is applied to messages that Symantec Premium AntiSpam identifies as spam, routing spam into each user’s spam folder. The spam folder agents relieve users and administrators of the burden of using their mail clients to create filters.

The Symantec Spam Folder Agent for Exchange can only be used when Symantec Premium AntiSpam is installed.

The Symantec Spam Folder Agent for Exchange is available on the Symantec Mail Security installation CD. You should install the agent on the Exchange mail servers on which your mailboxes reside. This includes the server on which Symantec Mail Security is installed.


The Spam Folder Agent should only be installed on Exchange 2000 servers. On Exchange Server 2003 servers, setting the SCL and SAT is the best method.

See “Understanding Symantec SCL values” on page 94.

See “Changing the SAT setting” on page 97.

How spam foldering works

When you enable the option to automatically send spam messages to the recipient’s spam folder in Symantec Mail Security (Deliver the message to the recipient's Spam folder), Symantec Premium AntiSpam adds a special X-Header (x-bmiFolder: 1) to messages identified as spam or suspected spam.

Once installed and configured on the mail server, the Symantec Spam Folder Agent for Exchange creates a server-side rule that searches for the X-Header. It also creates a spam subfolder in each user’s mailbox. During its hourly maintenance schedule, the agent sends the messages that have been identified as spam or suspected spam to the recipient’s spam folder. If the agent detects that the spam folder for the recipient has been deleted or moved, it will recreate the subfolder. The rule runs as a high sequence number (1001), which ensures that it executes after rules with lower sequence numbers or client-side rules that your users may have created.
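The header test that such a rule depends on can be reproduced by any application that reads message headers. The Python sketch below is an added example, not Symantec's code: it routes constructed sample messages on x-bmiFolder: 1 and applies a retention period to the spam folder. The folder names, the sample messages, and the use of the Date header for expiry are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy

SPAM_HEADER = "x-bmiFolder"   # header name given in the guide
SPAM_VALUE = "1"              # header value given in the guide
SPAM_FOLDER = "Spam"          # assumed name; the agent lets you choose it
INBOX = "Inbox"               # assumed name for the default folder
RETENTION_DAYS = 30           # the agent's default spam expiration
NOW = datetime(2005, 9, 15, tzinfo=timezone.utc)  # constructed "current" time


def parse(raw):
    """Parse raw RFC 5322 bytes; only the header block is searched later."""
    return message_from_bytes(raw, policy=policy.default)


def is_flagged(msg):
    """True when any x-bmiFolder header carries the value 1.

    Header names are matched case-insensitively by the email package,
    and the value is stripped so trailing whitespace does not matter.
    """
    values = msg.get_all(SPAM_HEADER, [])
    return any(str(v).strip() == SPAM_VALUE for v in values)


def target_folder(raw, spam_folder=SPAM_FOLDER):
    """Folder a message belongs in, decided on the parsed header only."""
    return spam_folder if is_flagged(parse(raw)) else INBOX


def is_expired(raw, now=NOW, retention_days=RETENTION_DAYS):
    """True when the message is older than the retention period.

    Assumption: age is taken from the Date header. The guide does not
    say which timestamp the agent uses.
    """
    date_hdr = parse(raw)["Date"]
    sent = getattr(date_hdr, "datetime", None)
    if sent is None:          # missing or unparseable Date: keep the message
        return False
    if sent.tzinfo is None:   # "-0000" dates parse as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return now - sent > timedelta(days=retention_days)


def sort_mailbox(messages, now=NOW):
    """Map each message name to Inbox, Spam, or expired (spam past retention)."""
    result = {INBOX: [], SPAM_FOLDER: [], "expired": []}
    for name, raw in messages.items():
        folder = target_folder(raw)
        if folder == SPAM_FOLDER and is_expired(raw, now):
            result["expired"].append(name)
        else:
            result[folder].append(name)
    return result


def _sample(date, extra_header=b"", body=b"hello\r\n"):
    """Build a constructed test message (not real mail)."""
    return (b"From: sender@example.com\r\nTo: user@example.org\r\n"
            b"Subject: constructed sample\r\nDate: " + date + b"\r\n"
            + extra_header + b"\r\n" + body)


RECENT = b"Mon, 12 Sep 2005 10:00:00 +0000"
OLD = b"Mon, 01 Aug 2005 10:00:00 +0000"

# Constructed samples covering the cases a header rule has to get right.
SAMPLES = {
    "flagged_recent": _sample(RECENT, b"X-BMIFOLDER: 1 \r\n"),  # case, spacing
    "flagged_old": _sample(OLD, b"x-bmiFolder: 1\r\n"),         # past retention
    "unflagged": _sample(RECENT),                               # no header
    "other_value": _sample(RECENT, b"x-bmiFolder: 0\r\n"),      # wrong value
    "body_only": _sample(RECENT, body=b"x-bmiFolder: 1\r\n"),   # text in body
}

if __name__ == "__main__":
    for folder, names in sort_mailbox(SAMPLES).items():
        print(folder, names)
```

The body_only sample is the case a plain text search over the whole message would misroute, which is why the check runs on parsed headers.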

About the supported configurations for the spam foldering agent

Table A-1 describes ways that you can use the per-user spam folders.

Table A-1 Per-user spam folder uses

Mail Server/Client Configuration: All of the following:

■ Symantec Mail Security with Symantec Premium AntiSpam enabled is installed on a server that is running Microsoft Exchange Server 2003.

■ Exchange Server 2003 is installed on the back-end target message store.

Foldering Recommendation: Use automatic foldering to take advantage of Exchange Server 2003 Spam Confidence Level (SCL) filters. If Symantec Premium AntiSpam software indicates that a message exceeds an SCL threshold, the message will be placed in the recipient’s Junk Email folder (native foldering).

Required Action: None. When you choose spam foldering, mail is sent to the Junk Email folder automatically.

Table A-1 Per-user spam folder uses (Continued)

Mail Server/Client Configuration: Any Exchange Server configuration, including Exchange Server 2003, that does not meet the additional conditions above. This could include a downstream non-gateway Exchange Server on which Symantec Premium AntiSpam is not installed.

Foldering Recommendation: Use the Symantec Spam Folder Agent for Exchange.

Required Action: Set up a Service Account on the Exchange Server as described below. Install the Symantec Spam Folder Agent for Exchange on each back-end Exchange mail server.

When you enable automatic foldering, Symantec Premium AntiSpam inserts a special header in all messages that are identified as spam. The header is x-bmiFolder: 1. If you have an MTA configuration that is not supported in the above matrix, you could create your own rule or application to take action based on this header.

To use native foldering (which does not require folder agents), Symantec Premium AntiSpam itself must be installed on an Exchange 2003 front-end server.

Installing the Symantec Spam Folder Agent for Exchange

The Symantec Spam Folder Agent for Exchange is configured to run automatically as a Windows service. Before you install the agent, you should ensure that you have a service account that includes the following rights:

■ Exchange Administrator rights on the mail server on which you are installing the agent

■ Full access to a mailbox on the local server

■ Local system rights to act as part of the operating system and to run as a service

■ Valid license for Symantec Premium AntiSpam

To begin the installation

1 Do one of the following:

■ To install from the CD-ROM: Insert the Symantec Mail Security software distribution CD-ROM in your computer’s CD-ROM drive. If the setup program does not run automatically, open the Windows folder on the CD using Windows Explorer and double-click CDStart.exe.

■ To install from a downloaded Zip file: Open the Zip file, go to \ADMTOOLS\SPA\BSFA, and then double-click Setup.exe.

If a previous version of Symantec Spam Folder Agent for Exchange is installed, the install wizard will automatically uninstall it before installing the current version.

2 In the introductory panel, click Next.

To configure administrative settings

1 In the Software License Agreement panel, read the license agreement, click I accept the terms of this license agreement, and then click Next.

2 In the Setup Type panel, choose a setup option, and then click Next.

3 The Complete option installs all software in a predefined set of folders and files.

The Custom option allows you to tailor installation options.

4 Under Service Account, specify an account to be used by the Symantec Spam Folder Agent for Exchange.

Type the Active Directory or NT Domain, user name, and password.

5 In the Mailbox field, type the mailbox alias of a valid mailbox for the Symantec Spam Folder Agent for Exchange to use.

To find this alias, click Active Directory Users and Computers, right-click User properties, and then click the General tab. The account specified in the last step must have Full Access to this mailbox.

6 In the Spam folder name field, type the name of the folder in each user’s mailbox where spam will be stored.

7 In the Spam expiration field, type the number of days to retain spam messages.

The default period is 30 days. You may need to adjust this setting based on the volume of spam your organization receives.

8 Click Next, and then click OK.

If the installation process is unable to verify the existence of the spam folder because you have insufficient user rights, a dialog box appears with the message that the “Act as part of the Operating System” user right is required to verify these settings.

To verify the installation

1 Click No in the dialog box, then add the administrator account that you want the agent to use to the following security policy settings:

■ Act as part of the operating system

■ Log on as a service

For more information, see the Microsoft Exchange 2000 Server documentation.

2 Click Install, and then click Finish.

Creating a service account for the Symantec Spam Folder Agent for Exchange

The Symantec Spam Folder Agent for Exchange requires a service account. You can use an existing account or you can create one specifically for the agent (recommended). Before you install the Symantec Spam Folder Agent for Exchange, ensure that the following software and configuration requirements are met:

■ Windows 2000 (SP 2) or greater or Windows 2003

■ Microsoft Exchange 2000 or Microsoft Exchange 2003

■ Full access to a mailbox on the local Exchange Server (the Symantec Spam Folder Agent for Exchange does not send email to or from this mailbox)

■ Exchange Administrator permission on the local server

Note: The service account cannot be hidden from the Exchange address list.


To create a user name

1 On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2 If it is not already selected, select the Users folder.

3 On the toolbar, click Create a new user.

4 In the New Object – User dialog box, type the new user’s First Name, Full Name, and User Logon Name, and then click Next.

5 Type a password for the service account and click Next.

6 Click Next until the dialog box with a Finish button appears.

7 Click Finish.

To add a folder agent

1 In the Users folder, right-click the new Spam Folder Agent user.

2 In the pop-up menu, click Properties.

3 In the Spam Folder Agents Properties dialog box, in the Member of tab, click Add.

4 In the text field, type domain admins, and then click OK until the properties dialog box closes.

5 On the taskbar, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.

6 In the System Manager window, in the left pane, right-click the top node in the tree.

7 In the pop-up menu, click Delegate Control.

8 In the Exchange Administration Delegation Wizard welcome screen, click Next.

9 Click Add.

To delegate control of the account

1 In the Delegate Control dialog box, click Browse, and then select the name of the service account you created.

2 Be sure the Role drop-down box is set to Exchange Administrator, and then click OK.

3 Click Next, and then click Finish.

4 After reading the message in the dialog box, click OK.

About the Symantec Spam Plug-in for Outlook

The Symantec Spam Plug-in for Outlook makes it easy for Outlook users to submit missed spam and false positives to Symantec. You can also configure the plug-in to send user submissions automatically to a local system administrator. The Symantec Spam Plug-in also gives users the option to administer their own Blocked Senders and Allowed Senders Lists and to specify languages in which they do or do not want to receive email.

The Symantec Spam Plug-in for Outlook is available on the Symantec Mail Security installation CD. The plug-in can be used with Outlook 2000/2002/2003/XP on Windows 98/Me/NT, Windows 2000/XP.

After installing the plug-in, users will have a new toolbar in their Outlook window.

The toolbar contains the following elements:

This is Spam: Users click this button to submit the message to the email security unit within Symantec Security Response and move it from their Inbox to their Spam folder.

This is Not Spam: Users click this button to submit the message to Symantec and move it from their Spam folder to their Inbox.

Empty Spam Folder: Users click this button to empty their Spam folder (if configured).

Symantec: By choosing an item from this pull-down menu, users can get information on using the plug-in, view a report (if configured), and administer their personal Blocked Senders and Allowed Senders Lists.

The following options are available from the Symantec pull-down menu:

Symantec Help: Launch a help page for the Symantec Spam Plug-in using your default Web browser.

Spam Report: View spam statistics (if configured).

Options: Set plug-in properties, administer your private Blocked Senders and Allowed Senders Lists, and specify languages in which you do or do not want to receive email.

About Symantec: Get information on the current version of the software.

Note: For more information on using the Symantec Spam Plug-in, see the online help that is included in the plug-in.


Symantec Spam Plug-in system requirements

To use the Symantec Spam Plug-in, computers must meet the following requirements:

■ Outlook 2000/2002/2003

■ Windows 2000/XP/2003

Note: If you are using Symantec Spam Folder Agent for Exchange, the plug-in retrieves the name of the spam folder from the Spam Folder Agent Inbox Rule. If you are not using the Symantec Spam Folder Agent for Exchange, the plug-in retrieves the Spam Folder Name value from the Windows registry. If there is no Spam Folder Name value in the Windows registry, it creates a Spam folder during installation.

Installing the Symantec Spam Plug-in for Outlook

You can install the Symantec Spam Plug-in from a CD or a downloaded file. After the installation, you can modify the plug-in variables.

Table A-2 describes the plug-in variables.

Table A-2 Symantec Spam Plug-in Setup Variables

Variable Name Description

ADMIN_FALSE_ADDRESS The email address of the administrator to copy with false-positive submissions. The default for this is an empty string. If this value is empty, then the message will not be sent to the administrator.

ADMIN_JUNK_ADDRESS The email address of the administrator to copy with missed spam submissions. The default for this is an empty string. If this value is empty, then the message will not be sent to the administrator.

ALLOWED_CONTACTS If set to 1 (the default) or any non-zero value, treats all entries of the Outlook Contacts folder as members of the Allowed Senders List.

If set to 0, does not treat any members of the Outlook Contacts folder as members of the Allowed Senders List.

AUTO_ADD_BLOCKED When submitting a spam message to the email security unit within Symantec Security Response, adds the sender of the message to the Blocked Senders List. The default is 1.


AUTO_ADD_ALLOWED If set to 1 (the default) or any non-zero value, automatically generates the Allowed Senders list.

If set to 0, does not automatically generate the Allowed Senders list.

CHECK_ALLOWED If set to 1 (the default) or any non-zero value, moves messages directly to the Spam folder. If a message sender is in the user’s Allowed Senders List or (optionally) Outlook Contacts list, or if ANY of the message’s recipients are in the user’s Allowed Recipients List, the message is moved to the Inbox. Otherwise it stays in the Spam folder.

If set to 0, messages are delivered normally (to the Inbox).

CHECK_BLOCKED If set to 1 (the default) or any non-zero value, does not process the message. If a message sender is in the user’s Blocked Senders List or (optionally) Outlook Contacts list, or if ANY of the message’s recipients are in the user’s Blocked Senders List, the message is not processed. Otherwise it stays in the Spam folder. If set to 0, messages are delivered normally to the Inbox.

DELETE_SPAM If set to 1 or any non-zero value, spam messages will be deleted. If set to 0 (the default value), spam messages will be moved to the Spam folder.

DELETE_X_DAYS Deletes messages in the Spam folder that are more than x days old. The default is 7. Set this value to 0 to disable this feature.

DISPLAY_ARE_YOU_SURE_MSGS Specifies whether the confirmation dialog for deleting spam is displayed after a message is submitted. If this variable is set to 1 (the default value) the confirmation message will be displayed. If this variable is set to any other value or left empty, the message will not be displayed.

DISPLAY_CONFIRMATION_MSG Specifies whether the submission complete dialog is displayed after a message is submitted. If this variable is set to 1 (the default value) the submission complete message will be displayed. If this variable is set to any other value or left empty, the message will not be displayed.


EMPTY_SPAM_FOLDER If set to 0 (the default), does not display the Empty Spam Folder button. If set to 1 or any non-zero value, display the Empty Spam Folder button. This button allows users to delete the contents of their Spam folders.

HIDE_NOT_SPAM Specifies whether the This is Not Spam button is hidden. The default is 0 (displayed). Any non-zero value, including an empty value, will cause the button to be hidden.

HIDE_SPAM Specifies whether the This is Spam button is hidden. The default is 0 (displayed). Any non-zero value, including an empty value, will cause the button to be hidden.

MANUAL_ALLOWED If set to 1 (the default) or any non-zero value, allows users to add entries to the Allowed Senders and Allowed Recipients Lists. If set to 0, does not allow users to add entries.

MANUAL_BLOCKED If set to 1 (the default) or any non-zero value, allows users to add entries to the Allowed Senders and Allowed Recipients Lists. If set to 0, does not allow users to add entries.

MARK_AS_READ If set to 1 (the default) or any non-zero value, messages are marked as Read when moved to the Spam folder. If set to 0, messages are not marked as Read when moved to the Spam folder.

MODIFY_OPTIONS If set to 1 (the default) or any non-zero value, allows users to view or edit the Submissions and Preferences tabs.

If set to 0, does not allow users to view or edit the Submissions and Preferences tabs.

MULTI_CONFIRM_MSG This option lets you edit the confirmation message for multiple successful submissions.

The default value for this string is: “Thank you for submitting messages to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.”

SENDER_NOT_IN_ALLOWED Specifies the action to take if the message sender is not in the Allowed Senders List.

Normal (Default): Moves the message to the Inbox.

Delete: Deletes the message.

Spam Folder: Moves the message to the Spam folder.

SINGLE_CONFIRM_MSG The confirmation message for a single successful submission.

The default value for this string is: “Thank you for submitting a message to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.”

SPAM_FOLDER The name of the Spam folder. The default is Spam.

SPAM_QUARANTINE_URL If specified, this setting causes the Spam Quarantine button to appear in the toolbar. Clicking the button displays the Spam Quarantine login page in a Web browser. If unspecified (the default), the Spam Quarantine button does not appear in the toolbar (Symantec Premium AntiSpam for SMTP only).

REPORT_URL If specified, this setting causes the Spam Report button to appear in the toolbar. Clicking the button displays the Spam Report application. If unspecified (the default), the Spam Report button does not appear in the toolbar.

Close Outlook

◆ Close Outlook by clicking File > Exit before installing the Symantec Spam Plug-in.

If you close Outlook in any other way, Outlook may continue to run in memory and return an error.

To access the Symantec Spam Plug-in for Outlook

1 Do one of the following:

To install from a CD-ROM

Insert the Symantec Mail Security software distribution CD-ROM in your computer’s CD-ROM drive.

If the setup program runs automatically, click Install Outlook Plug-in and follow the on-screen instructions. If the setup program does not run automatically, browse to your CD drive and run CDStart.exe.

To install from a downloaded zip file

Unzip the zip file and extract all the contents to a folder, then copy all of the files in the \ADMTOOLS\SPA\BMOP\ folder to a network directory that is accessible to your users.

If desired, modify the setup.ini file to configure system-wide settings.

See Table A-2, “Symantec Spam Plug-in Setup Variables,” on page 188.

2 You can email your users a link to the setup.exe file in this directory or use remote distribution software to install it on your users’ computers. You can also silently install the plug-in by running setup.exe with the following switches:

/s /v"/qn"

If you run setup.exe with the command /s /v"/qn", the silent installation option ignores the changes made to setup.ini. To preserve your changes, add /qn to the end of the CmdLine attribute in setup.ini, and then run the silent install using the following:

/s

To configure system-wide settings for the Symantec Spam Plug-in

1 Open the setup.ini file for editing.

This file contains the initial settings for launching the Outlook Plug-in installation package.

2 All the required settings can be set on the CmdLine attribute in the [Startup] section at the beginning of the setup.ini file.

3 Change the settings in Outlook Plug-in Setup Variables.

For example:

CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="[email protected]"

See Table A-2, “Symantec Spam Plug-in Setup Variables,” on page 188.

4 Save your changes to the setup.ini file.

These settings will be used during each installation of the Symantec Spam Plug-in to modify the Windows Registry on each user’s computer.
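Because one setup.ini is applied to every user's computer, it is worth checking the CmdLine attribute before distributing it. The following Python check is an added example, not part of the Symantec guide or the product: it takes the variable names and SENDER_NOT_IN_ALLOWED actions from Table A-2, flags assignments that have run together without a separating space, and reports whether /qn is on CmdLine so that a silent install with /s keeps the settings. The sample file contents, the example.test addresses and all function names are constructed for illustration, and values are assumed to be double-quoted or free of whitespace.

```python
import configparser
import re

# Variable names copied from Table A-2 of this guide.
KNOWN_VARIABLES = {
    "ADMIN_FALSE_ADDRESS", "ADMIN_JUNK_ADDRESS", "ALLOWED_CONTACTS",
    "AUTO_ADD_BLOCKED", "AUTO_ADD_ALLOWED", "CHECK_ALLOWED", "CHECK_BLOCKED",
    "DELETE_SPAM", "DELETE_X_DAYS", "DISPLAY_ARE_YOU_SURE_MSGS",
    "DISPLAY_CONFIRMATION_MSG", "EMPTY_SPAM_FOLDER", "HIDE_NOT_SPAM",
    "HIDE_SPAM", "MANUAL_ALLOWED", "MANUAL_BLOCKED", "MARK_AS_READ",
    "MODIFY_OPTIONS", "MULTI_CONFIRM_MSG", "SENDER_NOT_IN_ALLOWED",
    "SINGLE_CONFIRM_MSG", "SPAM_FOLDER", "SPAM_QUARANTINE_URL", "REPORT_URL",
}
# Actions that Table A-2 lists for SENDER_NOT_IN_ALLOWED.
SENDER_ACTIONS = {"Normal", "Delete", "Spam Folder"}
# Exactly one NAME="value" (or NAME=value) assignment and nothing else.
ASSIGNMENT = re.compile(r'([A-Z][A-Z0-9_]*)=(?:"([^"]*)"|([^"\s]*))')


def split_outside_quotes(text):
    """Split on whitespace that is not inside double quotes."""
    tokens, current, in_quotes = [], "", False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens, in_quotes  # in_quotes is True when a quote was never closed


def check_cmdline(cmdline):
    """Return (settings, switches, problems) for one CmdLine value."""
    settings, switches, problems = {}, [], []
    tokens, unbalanced = split_outside_quotes(cmdline)
    if unbalanced:
        problems.append("unbalanced double quote")
    for token in tokens:
        if token.startswith("/"):  # installer switch such as /qn
            switches.append(token)
            continue
        match = ASSIGNMENT.fullmatch(token)
        if match is None:
            # Covers NAME="a"NAME2="b": two assignments with no space between.
            problems.append(f"malformed or run-together assignment: {token}")
            continue
        name, quoted, bare = match.groups()
        if name not in KNOWN_VARIABLES:
            problems.append(f"{name} is not listed in Table A-2")
            continue
        settings[name] = quoted if quoted is not None else bare
    days = settings.get("DELETE_X_DAYS")
    if days is not None and not days.isdigit():
        problems.append("DELETE_X_DAYS must be a whole number of days")
    action = settings.get("SENDER_NOT_IN_ALLOWED")
    if action is not None and action not in SENDER_ACTIONS:
        problems.append(f"SENDER_NOT_IN_ALLOWED has unknown action: {action}")
    for name in ("ADMIN_FALSE_ADDRESS", "ADMIN_JUNK_ADDRESS"):
        address = settings.get(name, "")
        if address and address.count("@") != 1:
            problems.append(f"{name} does not look like an email address")
    return settings, switches, problems


def check_setup_ini(text):
    """Check the CmdLine attribute in the [Startup] section of setup.ini."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    cmdline = parser.get("Startup", "CmdLine", fallback="")
    settings, switches, problems = check_cmdline(cmdline)
    # Per the guide, setup.exe /s /v"/qn" ignores setup.ini changes; with /qn
    # on CmdLine the silent install is run as setup.exe /s and keeps them.
    silent_with_s_only = "/qn" in [switch.lower() for switch in switches]
    return {"settings": settings, "problems": problems,
            "silent_with_s_only": silent_with_s_only}


# Constructed sample files (not taken from the product media).
GOOD_INI = """[Startup]
CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="fp-review@example.test" DELETE_X_DAYS="14" /qn
"""
BAD_INI = """[Startup]
CmdLine=SPAM_FOLDER="Junk"ADMIN_FALSE_ADDRESS="fp-review@example.test" SENDER_NOT_IN_ALLOWED="Quarantine" SPAMFOLDER="x"
"""

if __name__ == "__main__":
    for label, ini in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(label, check_setup_ini(ini))
```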

Appendix B

Integrating Symantec Mail Security with SESA

This chapter includes the following topics:

■ About SESA

■ Interpreting Symantec Mail Security events in SESA

■ Configuring logging to SESA

■ Uninstalling SESA

About SESA

In addition to using the Symantec Mail Security Event Log, you can also log events to the Symantec Enterprise Security Architecture (SESA). SESA integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for SESA-enabled security products, such as Symantec Mail Security, that protect your IT infrastructure from malicious code, intrusions, and blended threats. SESA increases your organization’s security posture by simplifying the task of monitoring and managing the multitude of security-related events and products that exist in today’s corporate environments.

The event categories and classes include threats, security risks, content filtering, network security, spam, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by SESA.


Table B-1 lists the versions of SESA that Symantec Mail Security supports.

Table B-1 Supported versions of SESA

Version Description

2.1 This version of SESA is a software-only solution.

You can monitor and manage security-related events through the SESA Console. The SESA Console is the common user interface that provides manageable integration of security technologies (Symantec or otherwise), Symantec Security Services, and Symantec Security Response. You can query, filter, and sort data to reduce the security-related events that you see through the SESA Console. This lets you focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status, based on filtered views that you create.

SESA is purchased and installed separately. SESA must be installed and working properly before you can configure Symantec Mail Security to log events to SESA.

For more information, see the SESA 2.1 documentation.

2.5 This version of SESA is a software component of the Symantec Security Information Manager 4.0 appliance.

SESA is seamlessly integrated with Symantec Incident Manager, the software component for the Symantec Security Information Manager appliance. Together, these tools provide you with an open, standards-based foundation for managing security events from Symantec clients, gateways, servers, and Web servers.

SESA Agents collect events from security products and send the events to the SESA Manager. The SESA Manager sends the events to the Correlation Manager, which uses a sophisticated set of rules to filter, aggregate, and correlate the events into security incidents. The Correlation Manager sends the incidents to Symantec Incident Manager for evaluation, tracking, and response.

Symantec Incident Manager evaluates the impact of incidents on the associated systems and assigns incident severities. A built-in Knowledge Base provides information about the vulnerabilities that are associated with the incident. The Knowledge Base also suggests tasks that you can assign to a help desk ticket for resolution.

Symantec Security Information Manager is purchased and installed separately. The appliance must be installed and working properly before you can configure Symantec Mail Security to log events to SESA.

For more information, see the Symantec Security Information Manager documentation.


Interpreting Symantec Mail Security events in SESA

SESA provides extensive event management capabilities, such as common logging of normalized event data for SESA-enabled security products like Symantec Mail Security. The event categories and classes include threats (such as viruses), security risks (such as adware and spyware), content filtering rule violations, network security, spam, and systems management.

For more information about interpreting events in SESA and on the event management capabilities of SESA, see the SESA or Symantec Security Information Manager documentation.

Configuring logging to SESA

The logging of events to SESA is in addition to logging events in the Symantec Mail Security Event Log. Logging to SESA is activated independently of the Symantec Mail Security Event Log. You can send a subset of the events that are logged by Symantec Mail Security to SESA.

To configure logging to SESA, you must complete the following steps:

Configure SESA to recognize Symantec Mail Security

For SESA to receive events from Symantec Mail Security, you must run the SESA Integration Wizard that is specific to Symantec Mail Security for Microsoft Exchange. The SESA Integration Wizard installs the appropriate integration components for identifying the individual security product (in this case, Symantec Mail Security for Microsoft Exchange) to SESA.

See “Configuring SESA 2.1 to recognize Symantec Mail Security” on page 198.

See “Configuring SESA 2.5 to recognize Symantec Mail Security” on page 199.

Install a local SESA Agent on the computer that is running Symantec Mail Security

The local SESA Agent handles the communication between Symantec Mail Security and SESA.

See “Installing the local SESA Agent using the Agent Installer” on page 201.

Configure Symantec Mail Security to send logging events to SESA

You use the user interface to configure Symantec Mail Security to communicate with the local SESA Agent and to log events to SESA.

See “Configuring Symantec Mail Security to log events to SESA” on page 202.


Configuring SESA 2.1 to recognize Symantec Mail Security

To configure SESA to receive events from Symantec Mail Security, run the SESA Integration Wizard on each computer that is running the SESA Manager. The SESA Integration Wizard installs the appropriate integration components for identifying Symantec Mail Security to SESA. You must run the SESA Integration Wizard for each SESA Manager computer to which you are forwarding events from Symantec Mail Security.

To start the SESA 2.1 Installation Wizard

1 On the computer on which the SESA Manager is installed, create a folder for the datapackage.sip file, for example:

C:\Datapackage

2 Insert the Symantec Mail Security CD into the CD-ROM drive.

3 Copy the following file to the newly created folder:

ADMTOOLS\SIPI\smsmse50.sip

4 On the computer on which the SESA Manager is installed, insert the SESA CD1 - SESA Manager CD into the CD-ROM drive.

5 At the command prompt, change directories on the CD to the following location:

\SIPI

6 To start the SESA Integration Wizard, at the command prompt, type:

java -jar setup.jar

To configure SESA 2.1 to recognize Symantec Mail Security

1 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information window.

2 In the SESA Directory Domain Administrator Information window, type the specific information about the SESA Domain Administrator and the SESA Directory.

SESA Directory Domain Administrator Name

Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.

SESA Directory Domain Administrator Password

Type the Directory Domain Administrator password.

Log on to domain (in dotted notation)

Type the SESA administrative domain. An example of dotted notation is:

NorthAmerica.SES

Host Name or IP Address of SESA Directory

Do one of the following:

■ If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer).

■ If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer.

For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.

Secure Directory Port

Type the number of the SESA Directory SSL port (by default, 636).

3 In the SESA Integration Package to Install window, type or browse to the location in which the SESA Integration Package is located, and then click OK.

4 Click Next, and then follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.

5 Repeat steps 1 through 4 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.

Configuring SESA 2.5 to recognize Symantec Mail Security

The Symantec Security Information Manager Web configuration interface provides a link that you can use to download and install the SESA Integration Wizard. The wizard installs SESA Integration Packages (SIPs) for Symantec Mail Security. The SIP contains the configuration settings and event schemas that SESA requires to recognize and log events from Symantec Mail Security.

You must run the SESA Integration Wizard for each Symantec Security Information Manager to which you are forwarding events from Symantec Mail Security.

To download the SESA 2.5 SIP Integration Wizard

1 Insert the Symantec Mail Security CD into the CD-ROM drive.

2 Copy the following file to your local computer:

ADMTOOLS\SIPI\smsmse50.sip

3 Open a Web browser, and in the address bar, type the IP address of the appliance.

4 If prompted, type the Log on name, password, and domain, and then click Log On.

5 In the Symantec Security Information Manager console, in the left pane, click Register SIPs.

6 Click Download SIP Integration Wizard.

7 In the File Download dialog box, click Save.

8 Type or browse to the location in which you want to save the SESA Integration Wizard installation file.

SIPI.zip is the file that is downloaded.

9 In the Download complete dialog box, click Close.

10 Locate the SIPI.zip file, double-click it, and unpack the file to the desired folder.

To configure SESA 2.5 to recognize Symantec Mail Security

1 In the folder where you unpacked the SIPI.zip file, double-click setup.jar.

The SESA Integration Wizard appears.

2 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information panel.

3 In the SESA Directory Domain Administrator Information panel, type the specific information about the SESA Domain Administrator and the SESA Directory.

SESA Directory Domain Administrator Name

Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.

SESA Directory Domain Administrator Password

Type the Directory Domain Administrator password.

Log on to domain (in dotted notation)

Type the SESA administrative domain. An example of dotted notation is:

NorthAmerica.SES

Host Name or IP Address of SESA Directory

Do one of the following:

■ If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer).

■ If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer. To change the IP address, you must use the SESA console, not the Symantec Mail Security UI.

For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.

Secure Directory Port

Type the number of the SESA Directory SSL port (by default, 636).

4 In the SESA Integration Package to Install panel, type or browse to the location in which you saved the SESA Integration Package (datapackage.sip), and then click Next.

5 Click Next and follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.

6 Repeat steps 1 through 5 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.

Installing the local SESA Agent using the Agent Installer

The local SESA Agent handles the communication between Symantec Mail Security and SESA and is installed on the same computer that is running Symantec Mail Security. The local SESA Agent is provided as part of the software distribution package for Symantec Mail Security. Ordinarily, the local SESA Agent is installed automatically when the user elects to enable logging and alerting to SESA. This can be done at installation or at any time afterward.

When you have more than one SESA-enabled product installed on a single computer, these products can share a local SESA Agent. However, each product must register with the Agent. Thus, even if an Agent has already been installed on the computer for another SESA-enabled security product, you must run the installer to register Symantec Mail Security for Microsoft Exchange.

To install the SESA Agent using the SESA Agent Installer that Symantec Mail Security provides, run the Installer on all computers on which Symantec Mail Security is installed.

You install the SESA Agent when you install Symantec Mail Security.

See “Installing on a single server” on page 41.

Configuring Symantec Mail Security to log events to SESA

After you have installed the local SESA Agent to handle communications between Symantec Mail Security and SESA, you must ensure that logging to SESA is activated. These settings are located on the Symantec Mail Security Settings database.

After you configure Symantec Mail Security to log events to SESA, you should check the server status to confirm that logging to SESA is enabled. If it is not, you can start the SESA Agent using Windows Services.

To configure Symantec Mail Security to log events to SESA

1 On the primary navigation bar, click Monitors.

2 On the sidebar, click Notifications/Alerts Settings.

3 Under SESA Alerts, check Enable Logging and Alerting to SESA Server and type the IP address of the SESA server in the box.

4 Click Deploy changes/Deploy all.

To start the SESA Agent using the Windows Services

1 In the Windows Control Panel window, double-click Administrative Tools.

2 In the Administrative Tools window, double-click Services.

3 Under Name, right-click SESA Agent, and then click Start.

Uninstalling SESA

When Symantec Mail Security is no longer forwarding messages to SESA, you can uninstall the SESA components.

For information on how to uninstall the SESA Integration Package, see the SESA or Symantec Security Information Manager documentation.


Uninstalling the SESA Agent

The local SESA Agent is automatically uninstalled when you uninstall Symantec Mail Security. When more than one product is using the Agent, the uninstall script removes only the Symantec Mail Security for Microsoft Exchange registration and leaves the Agent in place. When no other security products are using the Agent, the uninstall script uninstalls the Agent as well.

You can uninstall the SESA Agent using the Add or Remove Programs option in the Windows Control Panel.

To uninstall the SESA Agent

1 In the Windows Control Panel window, double-click Add or Remove Programs.

2 In the Add or Remove Programs window, click SESA Agent.

3 Click Change/Remove.

4 In the Uninstall SESA Agent panel, click Uninstall.

5 In the confirmation dialog box, click Uninstall the SESA Agent.

6 Click Done.

Appendix C

Auxiliary executables and batch files and recognized file types

This chapter includes the following topics:

■ About auxiliary executables and batch files

■ File types recognized by the Executable and Multimedia File Rules

About auxiliary executables and batch files

Symantec Mail Security includes a number of auxiliary executables and batch files that perform background functions.

Table C-1 lists auxiliary executables and batch files that are part of Symantec Mail Security. This list is for information only. You should not attempt to run these manually.

Table C-1 Auxiliary executables and batch files

File Function

CABARC Used to package virus definitions to send from UI to Server and other times when it is necessary to create containers or compress data

ConsoleAppManager Used for SPA to monitor the Conduit.exe process

RapidRelease.bat Used to download Rapid Release definitions

Register.exe Used to register Symantec Mail Security with the Symantec Premium AntiSpam Server for obtaining spam definition updates

RtfReader.exe Used for content filtering

SAVFMSEIIS.exe Used for IIS configuration

SAVFMSEReset.exe Used to reset Symantec Mail Security settings to factory defaults

SAVFMSEScan.exe Executable that the Windows system schedule launches for scheduled scans

SAVFMSEUpdate.exe Used to process LiveUpdate packages

SMSMSEKicker.exe Informs Symantec Mail Security to reinitialize the premium antispam engine

File types recognized by the Executable and Multimedia File Rules

The Executable File Rule recognizes the following X86 32-bit Windows/DOS Executables:

*.EXE, *.DLL, *.COM, *.CPL

Table C-2 lists the file types recognized by the Multimedia File Rule.

Table C-2 File types recognized by the Multimedia File Rule

File type File extension

Amiga MED/OctaMED Tracker Module Sound File *.MED

AU Audio File *.AU

Audacity Audio Block *.AU

Audio Interchange File *.AIFF, *.AIFC

Audio Video Interleave File *.AVI

Graphic Interchange Format *.GIF

Impulse Tracker Music Module *.IT

JPEG/JIFF Image *.JPG

Microsoft Windows Media File *.WMV

MPEG AlbumWrap Wrapped Music File Archive *.MP3

Page 207: Symantec™ Mail Security for Microsoft Exchange ...m-abs.net/SYmantech-2/Docs/SMSMSE/SymantecMailSecurity.pdf · symantec™ mail security for microsoft® exchange symantec corporation

207Auxiliary executables and batch files and recognized file typesFile types recognized by the Executable and Multimedia File Rules

See “Configuring file filtering rules” on page 87.

MPEG Movie Clip *.MPEG

MultiTracker Music Module *.MTM

Musical Instrument Digital Interface *.MIDI

Ogg Vorbis Codec Compressed WAV File *.Ogg

Portable Public Network Graphic *.PNG

QuickTime Video Clip *.QT, *.MOV

RealMedia File *.RA

Scream Tracker Music Interface Kit Song/Module *.STX

ScreamTracker v3 Sound File *.S3M

Shorten Audio Compression File *.SHN

Silicon Graphics *.RGB

Tagged Image Format File *.TIFF

Waveform Audio *.WAV

Windows Bitmap Graphics *.BMP

Windows Icon *.ICO

X Picsmap Graphic *.XPM

PC Paintbrush Bitmap Graphic *.PCX

Table C-2 File types recognized by the Multimedia File Rule (Continued)

File type File extension


Index

A

Activity Summary 62
Admin tab 61
administrative settings 184
adware 126
alerts 70
Allow-Only Attachment Rule 77
antispam engine, heuristic 92
Antispam policy 29
AntiSpam, Symantec Premium
  about 99
  configuring 103
  enabling 101
  updating 102
antivirus
  Bloodhound 65
  defaults 58
  policy 122
archived files 63
Asset
  adding 54
  management 44
  selecting 60
attachments
  Attachment Name 130
  Attachment Size 130
  blocking by file name 77
  outbreak triggers 137
automatic virus protection
  configuration 71
  settings 71
Auto-Protect scans 23, 65
auxiliary executables and batch files 205

B

background scanning 138
Basic Virus Rule 67
batch files, auxiliary 205
Blank Subject and Sender Rule 77
Bloodhound heuristics technology 28, 126
Bloodhound Virus rule 126

C

Changes pending indicator 60
cluster environment 21
component locations 35
compressed files 23, 64
configuration
  alerts 70
  archive scan depth 63
  automatic virus protection 71
  notifications 70
  report data 75
console. See User interface 54
content
  evaluation 127
  filtering 21, 24
  filtering rules
    editing 127
    prioritizing 85
    spam 91
Content Enforcement Policy 29, 126
content license file
  installing or renewing 46
  installing to remote servers 48
  post-installation task 56
control panel, Windows 37
csv files 75, 179
customizing installation of remote servers 45

D

data collection 27
data report settings 75
defaults
  antispam
    general 58
    with Symantec Premium AntiSpam 58, 59
    without Symantec Premium AntiSpam 58
  antivirus 58, 59
  content enforcement 59
  general 58
  Notification/Alerts 59
denial-of-service attacks 19, 22, 63
Digital Immune System 143
Discard pending changes button 60
DOS wildcard style expressions 135

E

embedded files 123
Encrypted File Rule 89
evaluation, content 127
event log data 27, 158
exception settings 89
Executable File Rule 87
executables, auxiliary 205
expressions
  regular 131
  wildcard 135

F

File Name Rule 87, 88

G

General policy 29
Global server group 112
group settings 112, 116
group view 61

H

Help system 31
heuristic antispam engine 92, 94
Home page components 61
HTML encoding 127

I

IIS 42, 45
inappropriate message content 19
inbound/outbound settings 86
installation
  in a Microsoft Clustering Service environment 51
  IP address 42
  Microsoft Internet Information Services 42
  multiple servers 44
  on a cluster with passive nodes 51
  on an active/active cluster 53
  port number 42
  remote servers 44
  separate user interface 54
  SESA Agent 201
  single server 41
  upgrading 49
Internet connection 145
Internet connection settings 145
IP address 42
ISA server, registering Symantec Premium AntiSpam through 101

L

Language identification 99
License Agreement 41
license file
  installing 43, 46, 56
  installing to remote servers 48
  requesting 47
  virus content 43
literal string 129
LiveUpdate
  connection 145
  multiple servers 147
  single server 145

M

Mass-Mailer Worm rule 126
Matchlist
  creating 135
  filtering content with 30
  settings 135
message content, inappropriate 19
message store 182
Microsoft Excel 179
Microsoft Internet Information Services 42
MIME format 23, 64
Monitors tab 61
Multimedia File Rule 87
multiserver installation
  about 44
  administration 113
  creating server groups 113
  Global server group 113
  reconfiguring groups 112

N

notification/alert settings 71
notifications, configuring 70


O

Operation Status screen 62
other Symantec products, using with 30
outbreak
  time parameters 155
  trigger settings 153
  triggers, defining 151
outbreak management 25, 151

P

policies
  and scanning 122
  Antispam 126
  Antivirus 125
  Content Enforcement 126
  General 123
  manual scans 122
  Policies tab 61
port number 42
primary navigation bar
  about 61
  tabs
    Admin 61
    Monitors 61
    Policies 61
    Reports 61
    Scans 61

Q

quarantine
  about 25, 72
  releasing from
    by mail 74
    to file 75
  server 26, 72
Quarantine Triggered
  Attachment Names Rule 77
  Subjects Rule 77

R

Recent Activity 61
register.exe 102
regular expressions 131
releasing from quarantine
  by mail 74
  to file 75
remote servers 44
remote servers, customizing installation of 45
replacement variables 65
reports
  data
    collecting 159
    event log 158
    Microsoft Excel 179
    printing 178
    saving 179
    server status 157
    third-party tools 27, 179
  detailed 169, 173
  Home screen
    Activity Summary 62
    Recent Activity 61
    Status 61
    Total Violations Chart 62
  on-demand 160, 169
  Reports tab 61
  scheduled 165, 173
  summary 160, 165
  templates
    about 159
    creating 160, 165, 173
reputation service 99, 103
risks, security 20, 24, 69
RTF encoding 127
rules
  Allow-Only Attachment 77
  Basic Virus 67
  Blank Subject and Sender 77
  Bloodhound Virus 126
  content filtering 24
  elements of 129
  Encrypted File 89
  Executable File 87
  File Name 87
  Mass-Mailer Worm 126
  Multimedia File 87
  Quarantine Triggered Attachment Names 77
  Quarantine Triggered Subjects 77
  Sample Antispam 77
  Sample Executable File 77
  Security Risk 69, 126
  settings 122
  Unrepairable File 126
  Unrepairable Virus 68
  Unscannable File 123


S

Sample Antispam Rule 77
Sample Executable File Rule 77
scans
  Auto-Protect 23, 65
  background 138
  depth 63
  scan settings 70
  Scans tab 61
  scheduled 141
scheduled scans 141
Secure Sockets Layer (SSL) 116
security 143
Security Risk Rule 69, 126
security risks 20, 24, 69
server groups
  adding servers to 114
  creating 113
  deleting 117
  Global 112
  managing 113
  moving a server to another group 115
  reconfiguring 112
  removing from group management 118
  restoring default settings 117
  sending group settings to a server 116
  updating servers in 117
  user-defined 112
server, remote, customizing installation of 45
Service running indicator 60
SESA
  about 195
  configuring event logging to 202
  configuring logging to 197
  configuring to recognize Symantec Mail Security 198, 199
  installing Agent 201
  Integration Wizard 198, 199
  uninstalling 202
  version 2.1 196
  version 2.5 196
  versions 196
settings
  administrative 184
  data report 75
  default, restoring to a server or group 117
  exception 89
  group 112
  heuristic antispam engine 94
  inbound/outbound 86
  Internet connection 145
  matchlist 135
  notification/alert 71
  of a remote server, customizing 45
  outbreak trigger 153
  rule 122
  scanning 70
  schedule, LiveUpdate 147
  sending group, to a server 116
  Symantec Premium AntiSpam 101
  Windows Event Log 179
single server view 61
single-server user interface, installation 41
Sort View 178
spam
  Confidence Level 92
  scoring 103, 104
  threshold 104
spyware 24
Status report 61
store, message 182
string, literal 129
Symantec Mail Security for Microsoft Exchange
  about 15
  configuring 57
  more information about 31
Symantec Premium AntiSpam
  about 99
  and proxy server 102
  configuring 103
  enabling 101
  manually registering 102
  registering through an ISA server 101
  settings 101
  updating 102
system requirements
  processor 38
  separate UI installation 39

T

tabs, primary navigation bar
  Admin 61
  Monitors 61
  Policies 61
  Reports 61
  Scans 61
templates, report 159
threats 15, 16
threshold, spam 104
Total Violations Chart 62
Transmission Control Protocol (TCP) 116

U

undesirable message content 24
uninstalling
  SESA 202
  Symantec Mail Security 55
unrepairable files 126
Unrepairable Virus Rule 68, 126
unscannable files
  about 24
  Unscannable File Rule 63, 123
user interface display 112
user-defined server groups 112

V

variables, replacement 65
views
  group 61
  single server 61
virus definition files
  about 144
  distributing 119
  scheduling updates for multiple servers 148
  updating 119
  updating regularly 26
viruses
  outbreaks 25, 151
  unknown 28

W

wildcard style expressions, DOS 135
Windows
  2000 38
  2003 38
  Control Panel 37
  Start menu 37
worm, mass-mailer 125

Z

Zip format 23, 64
