Trend Micro Incorporated™ reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, review the readme files, release notes, and the latest version of the Getting Started Guide, which are available on Trend Micro’s Web site at: http://www.trendmicro.com/download/documentation/

NOTE: A license to Trend Micro antivirus software includes the right to receive pattern file updates and product updates and technical support for one (1) year. Thereafter, you must renew Maintenance on an annual basis by paying Trend Micro’s then-current Maintenance fees to have the right to continue receiving product updates, pattern updates and basic technical support. To order renewal Maintenance, you may download and complete the Trend Micro Maintenance Agreement at the following site: http://www.trendmicro.com/license

Trend Micro, InterScan, VirusWall, eManager, MacroTrap and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in certain jurisdictions.

Copyright © 2001 Check Point Software Technologies Ltd. All rights reserved. Check Point™, OPSEC™, AMON™, and FireWall-1® are trademarks of Check Point Software Technologies Ltd. or its affiliates. The products described in this document are protected by U.S. Patent No. 5,606,668 and 5,835,726 and may be protected by other U.S. patents, foreign patents or pending applications.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/). For more information, see the online help system in the InterScan MSS Web-based Management Console. Copyright © 2002 The Apache Software Foundation. All rights reserved.

ICU License - ICU 1.8.1 and later
COPYRIGHT AND PERMISSION NOTICE

Copyright © 1995-2001 International Business Machines Corporation and others. All rights reserved.

Trend Micro™ InterScan™ Messaging Security Suite Getting Started Guide

This product uses code from the DMC TextFilter Ver. 3.2 Copyright 1999-2002 Antenna House, Inc.

All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Copyright © 1998 - 2002 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Document Part No. MSEM51328/21216
Release Date: January 2003
Protected by U.S. Patent No. 5,951,698 and 5,623,600

The Getting Started Guide for Trend Micro™ InterScan™ Messaging Security Suite introduces the main features of the software and gives installation instructions for your production environment. Read it before installing or using the software. Detailed information about how to use specific features within the software is available in the online help file and in the online SolutionBank at Trend Micro’s Web site.

At Trend Micro, we are always seeking to improve our documentation. If you have questions, comments, or suggestions about this, or any Trend Micro documents, contact us at [email protected]. Your feedback is always welcome. You can evaluate this documentation at: http://www.trendmicro.com/download/documentation/rating.asp

Standards References

InterScan MSS is built on and is compatible with the following standards (RFC numbers):
• SMTP: 2821, 2822, 2505, 1869, 1870, 1891, 1652
• MIME: 2045, 2046, 2047, 2048, 2049
• POP: 1939, 1734, 2449

Table of Contents

Chapter 1: InterScan™ MSS
  Key Features ...... 1-1
  Documentation ...... 1-4

Chapter 2: Installation Planning
  Choosing Your Installation Server ...... 2-2
  Installation Scenarios ...... 2-2
  No Firewall ...... 2-3
  In Front of the Firewall ...... 2-3
  Behind the Firewall ...... 2-4
  On a Former SMTP Gateway ...... 2-6
  In the DMZ ...... 2-7
  Default Configuration for Postfix and InterScan MSS Scanning Daemon ...... 2-8
  The Sandwich Configuration ...... 2-10
  Configuring Multiple InterScan MSS Daemons on the Same Machine ...... 2-13
  Sendmail Daemons and InterScan MSS on a Server ...... 2-16
  Recommended System Requirements ...... 2-19

Chapter 3: Installation
  Installation Methods ...... 3-2
  Interactive ...... 3-2
  Silent Installation ...... 3-3
  Removing InterScan MSS ...... 3-5
  The Control Manager Agent ...... 3-5
  Installing the Agent ...... 3-6
  Viewing the Agent ...... 3-7
  Removing the Agent ...... 3-11
  Opening the Web-based Console ...... 3-11
  Post Installation Configuration ...... 3-12
  Control the Message Relay ...... 3-12
  Modify the Message Routing Table ...... 3-12
  Update InterScan MSS ...... 3-13
  Configure Scheduled Update ...... 3-13
  Viewing the Management Console Using SSL ...... 3-13
  Upgrading the Trial Version ...... 3-13
  Saving Your Customized Settings ...... 3-14

Chapter 4: Configuration
  Opening the Web-Based Management Console ...... 4-2
  Using Online Help ...... 4-2
  Applying Configuration Changes ...... 4-3
  Settings Applied Automatically After Saving ...... 4-3
  The Apply Now Button ...... 4-4
  Services ...... 4-5
  Enabling or Disabling Adaptors ...... 4-5
  Postfix ...... 4-6
  Processing Queue ...... 4-6
  Receiver Settings ...... 4-6
  Domain-Based Delivery ...... 4-9
  Message Limits ...... 4-10
  POP3 Scanning ...... 4-10
  Connections ...... 4-12
  Manually Configuring Clients ...... 4-14
  Directories ...... 4-16
  Event Monitoring ...... 4-17
  Update ...... 4-20
  Verifying Downloaded Pattern Files ...... 4-21
  Update Now ...... 4-23
  Scheduled Update ...... 4-23
  Rolling Back an Update ...... 4-24
  Configuring Proxy Settings ...... 4-24
  Logs ...... 4-25
  Log Level Details ...... 4-25
  Viewing Logs ...... 4-25
  Log Maintenance ...... 4-26
  General Settings ...... 4-26
  Management Console Password ...... 4-27
  Registration ...... 4-27

Chapter 5: Policy Management
  How Policy Manager Works ...... 5-2
  Viewing Installed Filters ...... 5-3
  Address Groups ...... 5-3
  Managing Address Groups ...... 5-4
  Importing an Address Group from a File ...... 5-5
  Using Filter Actions ...... 5-6
  Predefined Filter Actions ...... 5-6
  Parts of a Filter Action ...... 5-7
  Managing Filter Actions ...... 5-8
  Exception Handling ...... 5-12
  Quarantine Area ...... 5-13
  Using Quarantine Areas ...... 5-13
  Querying Quarantine Areas ...... 5-16
  Scanning Limits ...... 5-16
  The Global Policy ...... 5-18
  Overruling a Filter ...... 5-19
  Filter Type ...... 5-19
  Filter Availability and Status ...... 5-19
  Filters Available for Sub-Policies ...... 5-21
  Virus Filter ...... 5-21
  eManager™ Filters ...... 5-21
  Creating Sub-Policies ...... 5-22
  Create the Policy ...... 5-22
  Policy and Address Matching ...... 5-24
  Define the Route ...... 5-25
  Add a User-Defined Filter ...... 5-27
  Add Filters to the Sub-Policy ...... 5-28
  Order of Filter Execution ...... 5-28
  Execute the Virus Filter First ...... 5-29

Chapter 6: The Virus Filter
  Selecting Message Attachments to Scan ...... 6-2
  Attachment ...... 6-3
  Virus Actions ...... 6-4
  Recipient Notification ...... 6-4
  The Filter Action ...... 6-5
  Uncleanable Files ...... 6-7
  Infected Messages to Multiple Recipients ...... 6-7
  Testing your Virus Detection ...... 6-7

Chapter 7: The InterScan™ eManager™ Filter
  Using the eManager Filters ...... 7-2
  Advanced Content Filter ...... 7-2
  Regular Expression Syntax ...... 7-10
  Complex Keyword Expression Syntax ...... 7-11
  Separator Characters ...... 7-11
  Operators ...... 7-12
  Expression Examples ...... 7-13
  Complex Expression Example ...... 7-18
  Scenario ...... 7-18
  Writing the Expression ...... 7-18
  The Final Expression ...... 7-19
  Evaluating Expressions ...... 7-19
  Rules ...... 7-19
  Using Reserved Words as Operators ...... 7-21
  Other Content Management Filters ...... 7-22
  Message Attachment Filter ...... 7-23
  General Content Filter ...... 7-28
  Message Size Filter ...... 7-29
  Anti-Spam Filter ...... 7-32

Chapter 8: Troubleshooting and Contact Information
  Troubleshooting ...... 8-2
  Notification-Related ...... 8-2
  Obtaining a Serial Number ...... 8-2
  Trial Version ...... 8-2
  Registering Your Product ...... 8-3
  Trend Micro™ Security Information ...... 8-3
  Technical Support ...... 8-3
  HouseCall™ ...... 8-4
  SolutionBank ...... 8-5

Chapter 9: Case Studies
  Case Study #1 ...... 9-1
  Introduction ...... 9-1
  Configuring the Global Policy ...... 9-2
  Creating Sub-Policies ...... 9-4
  Conclusion ...... 9-17
  Case Study #2 ...... 9-17
  Separating Message Notifications ...... 9-17

Appendix A: Reference Information
  Default Directory Locations ...... A-1
  eManager, Virus and Program Logs ...... A-1
  Default Quarantine Area ...... A-2
  Temporary Directory ...... A-2
  Delivery Pickup Directory ...... A-2
  Scan Pickup Directory ...... A-2
  Notification Pickup Directory ...... A-3
  Using Tokens in Notification Messages ...... A-3
  Notification Message Tokens ...... A-3
  Virus Filter Tokens ...... A-4
  How Policies are Matched ...... A-5

Appendix B: Outbreak Prevention Services
  Benefits of Outbreak Prevention Services ...... B-2

Appendix C: Data Backup and Replication

Appendix D: Advanced Settings
  Process Settings ...... D-1
  Pre-spawned Child Processes ...... D-1
  Maximum Child Processes ...... D-1
  Minimum Child Processes ...... D-2
  Child Process Regeneration ...... D-2
  Busy Rate ...... D-2
  Increase Rate ...... D-2
  Process Control Interval ...... D-2
  Parent Process Maintain Interval ...... D-3
  SysMonitor ...... D-3
  Hidden Parameters ...... D-3
  EMail Scan ...... D-3

Appendix E: AMON™ Setup for InterScan™ MSS
  Overview ...... E-1
  AMON Installation ...... E-2
  Setting up the InterScan MSS AMON Application ...... E-2
  Verify That the AMON Server is Working ...... E-5
  InterScan MSS Data Model ...... E-6

Appendix F: InterScan eManager™ Migration
  During an InterScan MSS Installation ...... F-2
  Using the InterScan MSS Migration Tool ...... F-2
  Policy View ...... F-2
  Filter-Specific Migration Information ...... F-3
  InterScan eManager Migration Limitations ...... F-5

Appendix G: Understanding InterScan MSS Daemons
  InterScan MSS Daemon Relationships ...... G-2
  Web Interface-Related Daemons ...... G-3
  Scanning Daemon ...... G-4
  Regserver Daemon ...... G-5
  System Monitor Watchdog Daemon ...... G-5
  Content Scanning Flow Chart ...... G-6

Appendix H: Modifying Your XML File

Appendix I: Uninstalling Postfix

Appendix J: Error Codes

Index

Figures
Figure 2-1: No Firewall ...... 2-3
Figure 2-2: In Front of the Firewall ...... 2-3
Figure 2-3: Behind a Firewall ...... 2-4
Figure 2-4: Installation Scenario: On a Former SMTP Gateway ...... 2-6
Figure 2-5: Installation Scenario: In the DMZ ...... 2-7
Figure 2-6: Postfix-InterScan MSS Daemon Configuration ...... 2-8
Figure 2-7: Sandwich Configuration ...... 2-10
Figure 2-8: Sendmail Daemons and IMSS on One Server ...... 2-16
Figure 3-1: Trend Micro Control Manager Agent Console ...... 3-8
Figure 3-2: Deployment Screen in Control Manager ...... 3-9
Figure 3-3: Command Details Screen ...... 3-10
Figure 3-4: Agent Event Log Query Screen ...... 3-11
Figure 4-1: How POP3 Scanning Works ...... 4-10
Figure 4-2: POP3 Settings Configuration Screen ...... 4-11
Figure 4-3: Editing POP3 Settings ...... 4-13
Figure 4-4: Example of Dedicated POP3 Connection ...... 4-15
Figure 4-5: Events to be Monitored and Notification Methods ...... 4-17
Figure 4-6: Mail Notification Message Configuration Screen ...... 4-18
Figure 4-7: Email and SNMP Trap Settings ...... 4-19
Figure 4-8: Scheduled Update Configuration Screen ...... 4-23
Figure 5-1: Simplified Policy Manager Process Flow ...... 5-2
Figure 5-2: Choosing the Type of Filter Action ...... 5-8
Figure 5-3: New Filter Action Screen ...... 5-9
Figure 5-4: Filter Action—Processing Action ...... 5-9
Figure 5-5: Filter Action—Archive ...... 5-10
Figure 5-6: Filter Action—Notification ...... 5-11
Figure 6-1: Configuring File Types to Scan ...... 6-2
Figure 6-2: Virus Filter Disclaimer Configuration ...... 6-5
Figure 6-3: Configuring Filter Action for Virus Filter ...... 6-5
Figure 7-1: Advanced Content Filter—Message Parts to Filter ...... 7-4
Figure 7-2: Advanced Content Filter—Expression List ...... 7-4
Figure 7-3: Advanced Content Filter—Defining an Expression ...... 7-5
Figure 7-4: Advanced Content Filter—Choosing Synonyms ...... 7-6
Figure 7-5: Advanced Content Filter—Advanced Settings ...... 7-7
Figure 7-6: Advanced Content Filter—Assigning Severity Values ...... 7-9
Figure 7-7: Attachment File Type Screen ...... 7-25
Figure 7-8: Message Attachment Filter—MIME Content-type ...... 7-26
Figure 7-9: General Content Filter ...... 7-28
Figure 7-10: Message Size Filter—Activation Schedule ...... 7-30
Figure 7-11: Disclaimer Manager ...... 7-31
Figure 8-1: Quarantine Area ...... 9-3
Figure 10-2: Complex Filtering Expression ...... 9-3
Figure 10-3: Blocking Mass-Mailing Viruses Though Content Filtering ...... 9-5
Figure 10-4: Forward Message When Filter is Triggered ...... 9-6
Figure 10-5: Advanced Content Filter to Route Chinese Language Messages ...... 9-7
Figure 10-6: Defining the Route for Email Abusers ...... 9-8
Figure 10-7: Multimedia Attachment and MIME Content-Type Filtering ...... 9-9
Figure 10-8: Activation Schedule ...... 9-10
Figure 10-9: User-Defined Address Groups ...... 9-11
Figure 10-10: Configuring the Route for the “Nivlac Disclaimer” ...... 9-12
Figure 10-11: Configuring the Disclaimer Manager Filter ...... 9-12
Figure 10-12: Configuring the Route for the Archive Messages Sub-Policy ...... 9-13
Figure 10-13: Sending Notification When Filter is Triggered ...... 9-15
Figure 10-14: Sending Notification to Message Sender ...... 9-16
Figure 10-15: Configuring the Route for the Block Daniel Sub-Policy ...... 9-16
Figure E-1: OPSEC™ Application Properties Screen ...... E-3
Figure E-2: Check Point™ Status Manager Screen ...... E-5
Figure F-1: InterScan eManager Migration During Installation ...... F-2
Figure G-1: Daemon Relationships ...... G-2
Figure G-2: Scanning Daemon Overview ...... G-4
Figure G-3: Content Scanning Data Flow ...... G-6

Tables
Table 7-1. Calculating Proximity Values for the .NEAR. Operator ...... 7-8
Table 7-2. Separators for Tokenizing Expressions ...... 7-12
Table 7-3. Operator Categories ...... 7-12
Table 7-4. Operator Priority ...... 7-13
Table 7-5. Grouping Operator [better .AND. faster .OR. cheaper] ...... 7-14
Table 7-6. Grouping Operator [better .AND. .(. faster .OR. cheaper .).] ...... 7-14
Table 7-7. Decorating Operator [.WILD. This * message] ...... 7-14
Table 7-8. Decorating Operator [.WILD. *ed] ...... 7-15
Table 7-9. Logical Operator [High .AND. Low] ...... 7-15
Table 7-10. Logical Operator [High .OR. Low] ...... 7-16
Table 7-11. Logical Operator [.NOT. Happy] ...... 7-16
Table 7-12. Limiting Operator [.OCCUR. coming soon] ...... 7-17
Table 7-13. Relational Operator [High .NEAR. Sky Diving] ...... 7-18
Table 7-14. Examples of Valid and Invalid Expressions ...... 7-21
Table 7-15. MIME Content-type Blocking Filter ...... 7-27
Table A-1. Calculating Weights for Email Addresses ...... A-6
Table A-2. MIME Content Types by Email Clients ...... A-8
Table A-3. MIME Content Types by Web-based Email Providers ...... A-8
Table J-1. Error Codes for the Installation/Uninstallation Program ...... J-2

Chapter 1: InterScan™ MSS

InterScan Messaging Security Suite (InterScan MSS) protects your network from viruses at the SMTP gateway. It is a functional SMTP server that analyzes message content as an intermediate step before sending messages on to their final destination. In addition to SMTP traffic, InterScan MSS can scan POP3 messages at the gateway as they are retrieved by clients in your network. This version supports Solaris and Linux (for additional information, see Recommended System Requirements starting on page 2-19). InterScan MSS also offers InterScan™ eManager™, which filters content at your SMTP gateway and enables you to manage message content to ensure the integrity of your messaging system. This chapter provides a high-level overview of the major product features (Key Features on page 1-1) and benefits of InterScan MSS. Also discussed is the product documentation set (Documentation on page 1-4), which helps improve your understanding of the product.

Key Features

Using a secure, Web-based Management Console, InterScan MSS enables you to provide customized policy-based management, which means that multiple virus and content filtering policies can be customized on a single InterScan MSS server to enforce your company’s email usage guidelines. For additional information on policy management, see Policy Management starting on page 5-1.


InterScan MSS provides the following key features:
• Proactive virus outbreak safeguards
• Intelligent content filtering
• Policy-based management
• Centralized management
• Intelligent message delivery and routing restrictions
• System health monitoring

Some of the benefits offered by InterScan MSS include:

Mass Mailing Virus Containment
Email-borne viruses that automatically spread bogus messages through a company’s messaging system are expensive to clean up and cause panic. Therefore, when InterScan MSS detects a mass-mailing virus, the action taken against it can differ from the actions taken against other types of viruses. The identities of known mass-mailing viruses are in the Mass Mailing Pattern, which is updated from the TrendLabs™ Active Update Servers. You can save resources, avoid help desk calls from concerned employees, and eliminate post-outbreak cleanup work by choosing to automatically delete these viruses together with the email messages that carry them. For example, if InterScan MSS detects a mass-mailing virus, the program can automatically delete the entire message rather than spend server resources scanning, quarantining, or processing messages and files that have no redeeming value.

Content Management InterScan MSS analyzes messages and attachments for appropriate content travelling to and from your network. Content that you deem inappropriate, such as spam, personal communication, large attachments, etc., can be blocked or deferred with InterScan MSS. For additional information on InterScan eManager, see The InterScan™eManager™ Filter starting on page 7-1.

Virus Protection
Virus detection is performed using Trend Micro’s 32-bit scan engine and a process called pattern matching. The scan engine uses the virus pattern file to compare the files travelling through your gateway with the binary patterns of known viruses. If a virus is detected, the scan engine attempts to clean (remove) the virus code from the file. As new viruses are detected, Trend Micro releases new virus pattern files. For additional information on the Virus Filter, see The Virus Filter starting on page 6-1.

Protection From Email Threats
InterScan MSS protects your company’s messaging system from the following threats:
• Denial of Service Attacks: By flooding a mail server with large attachments, or sending messages that contain multiple viruses or recursively compressed files, malicious individuals can disrupt your company’s mail processing. InterScan MSS includes security features that allow you to configure the types of messages that you want to stop at the SMTP gateway.
• Malicious Email Content: Many types of file attachments, such as executable programs and documents with embedded macros, can harbor viruses. In addition, messages with HTML script files, HTML links or Java applets can harm your network. InterScan MSS allows you to configure the types of messages that are allowed to pass through the SMTP gateway.
• Degradation of Services: Non-business-related email traffic has become a problem for most organizations. Spam messages consume network bandwidth and disrupt employees. Some employees use their company’s messaging system to send personal messages, transfer large multimedia files or conduct personal business during working hours. Many companies have acceptable usage policies for their messaging system; InterScan MSS allows you to enforce and ensure compliance with these existing policies.
• Business Integrity and Legal Liability: Email can also put a company at risk of legal liability. Dishonest employees use their company’s messaging system to leak confidential information or victimize others with sexual/racial harassment. When inappropriate messages originate from a company’s mail server, the company’s reputation can be damaged, even if the opinions expressed in the message are not consistent with those of the company.


• Monitoring the SMTP Gateway: InterScan MSS’s System Monitor informs administrators at the first sign of mail processing issues. Detailed logging helps administrators proactively manage these issues before they become a problem. For additional information on monitoring, see Event Monitoring starting on page 4-17.

Documentation

The documentation for InterScan MSS includes the following:
• The Getting Started Guide
• The online help
• The readme file
• SolutionBank™

Getting Started Guide This Guide provides contextual, high-level product information. As the title suggests, this manual helps you get “up and running” with InterScan MSS by providing a broad view of the product and a basic feature set. The latest version of the Guide is available from: http://www.trendmicro.com/download/documentation/ For more detailed information, we recommend you examine the online help.

Online Help The context-sensitive online help can be viewed by clicking at the top-right corner of the help screens. The online help provides additional details about individual screens at the field and parameter levels. To view the online help’s table of contents, click the Help link at the bottom of the screen. For the most current information on a product, we recommend that you read the readme file.

Readme File The readme file contains breaking news about InterScan MSS and its features. You can also read about installation requirements, known configuration issues, and other general issues.


The latest readme.txt file is available from: http://www.trendmicro.com/download/documentation/ If the information you are looking for cannot be found in any of these sources, we recommend looking in SolutionBank.

SolutionBank
SolutionBank is Trend Micro’s online, searchable knowledge database of technical support solutions. There, you will find troubleshooting information on specific issues. For additional information on SolutionBank, see SolutionBank starting on page 8-5. To access SolutionBank, go to: //solutionbank.trendmicro.com/solutions/solutionsearch.asp

Chapter 2: Installation Planning

This chapter explains InterScan MSS installation procedures and requirements, including:
• Choosing your installation server
• Installation scenarios
• Postfix-InterScan MSS daemon configuration
• Configuring Postfix on a Perimeter Gateway
• Upgrading from InterScan™ VirusWall™
• Software and hardware requirements

For planning purposes, this chapter provides the following installation scenarios:
• No Firewall starting on page 2-3
• In Front of the Firewall starting on page 2-3
• Behind the Firewall starting on page 2-4
• On a Former SMTP Gateway starting on page 2-6
• In the DMZ starting on page 2-7


Choosing Your Installation Server

For optimal performance, install InterScan MSS on a dedicated machine that is not running other applications, with a configuration similar to that of the machine running your existing SMTP server. We recommend a dedicated InterScan MSS instance for each mail transfer agent (MTA), installed on a server whose capacity is similar to that of the MTA it scans for. Apart from meeting the system requirements (see Recommended System Requirements starting on page 2-19), there are no other special requirements.

Installation Scenarios

InterScan MSS is an antivirus and content security solution, which is deployed into an existing messaging environment at the SMTP gateway. It provides complete access control, which allows the administrator to restrict unauthorized connections and relays. InterScan MSS’s domain-based routing capability provides flexible message delivery.


No Firewall The following graphic illustrates how to deploy InterScan MSS when your network does not have a firewall:

FIGURE 2-1. No Firewall

In Front of the Firewall The following graphic illustrates the installation topology when you install InterScan MSS in front of your firewall:

FIGURE 2-2. In Front of the Firewall


Incoming Traffic
• InterScan MSS should be the first server to receive incoming email. Configure your SMTP gateway or firewall to reference the address of the InterScan MSS server(s).
• Configure the Relay Control settings to allow relaying only for local domains.

Outgoing Traffic
• If there is no firewall, configure the SMTP gateways to route all outgoing email to InterScan MSS.
• If there is a firewall, configure the (proxy-based) firewall to route all outbound messages to InterScan MSS, so that:
  • Outgoing SMTP email can only go to the InterScan MSS server(s).
  • Incoming SMTP email can only come from the InterScan MSS server(s).
• Configure InterScan MSS to allow internal SMTP gateways to relay, through InterScan MSS, to any domain.

Behind the Firewall The following graphic illustrates how InterScan MSS can be used behind a firewall:

FIGURE 2-3. Behind a Firewall


Incoming Traffic
• Configure your proxy-based firewall so that:
  • Outgoing SMTP email can only go to the InterScan MSS server(s).
  • Incoming SMTP email can only come from the InterScan MSS server(s).
• Configure your packet-based firewall.
• Configure InterScan MSS to route email destined for your local domain(s) to the SMTP gateway or your internal mail server.
• Configure relay restriction to relay only for local domain(s).

Outgoing Traffic
• Configure all internal SMTP gateways to forward outgoing mail to the InterScan MSS server.
• If you are replacing your SMTP gateway with InterScan MSS, configure your internal mail server to forward outgoing email to the InterScan MSS server.
• Configure InterScan MSS to route all outgoing email (to domains other than local) to the firewall, or to deliver the messages itself.
• Configure InterScan MSS to allow internal SMTP gateways to relay, through InterScan MSS, to any domain.


On a Former SMTP Gateway The following graphic illustrates how InterScan MSS can be installed on a server that previously hosted your SMTP gateway:

FIGURE 2-4. Installation Scenario: On a Former SMTP Gateway

On the SMTP gateway:
• Allocate a new TCP/IP port for SMTP mail on the gateway. It must be a port that is not being used by any other service.
• Configure the existing SMTP gateway to bind to the newly-allocated port, which frees port 25.
• Install InterScan MSS; it binds to port 25.

Incoming Traffic
• Configure InterScan MSS to route incoming email to the SMTP gateway on the newly-allocated port.


Outgoing Traffic
• Configure the SMTP gateway to route outgoing email to port 25 on the InterScan MSS server.
• Configure InterScan MSS to route all outgoing messages (those destined for domains that are not local) to the firewall, or to deliver them itself.

In the DMZ The following graphic shows how InterScan MSS can be installed to the DMZ:

FIGURE 2-5. Installation Scenario: In the DMZ

Incoming Traffic
• Configure your proxy-based firewall so that incoming and outgoing SMTP email can only pass between the DMZ and the internal email servers.
• Configure your packet-based firewall.
• Configure InterScan MSS to route email destined for your local domain(s) to the SMTP gateway or your internal mail server.

Outgoing Traffic
• Configure InterScan MSS to route all outgoing messages (those destined for domains other than the local ones) to the firewall, or to deliver them using InterScan MSS.
• Configure all internal SMTP gateways to forward outgoing mail to the InterScan MSS server.
• Configure InterScan MSS to allow internal SMTP gateways to relay, through InterScan MSS, to any domain.

Default Configuration for Postfix and InterScan MSS Scanning Daemon
One Postfix instance as the MTA and one InterScan MSS daemon running on the same machine:

[Figure 2-6 shows the flow: Postfix receives mail on port 25, hands each message through its content_filter interface to the InterScan MSS for Unix daemon on port 10025, receives the scanned message back on port 10026, and delivers it.]

FIGURE 2-6. Postfix-InterScan MSS Daemon Configuration

This setup meets most of the needs of a small to medium-sized company. It also has less impact on the network, because all the processes run on the same box. Since they share the same physical resources, however, this configuration requires a powerful machine to host both Postfix and the InterScan MSS daemon. By default, the InterScan MSS installation automatically sets up this configuration.

Note: For more information about Unix daemons, see the appendices.


The default configuration parameters for both sides are:

In /etc/postfix/main.cf:

#IMSS: increase process limit from 50
default_process_limit=200
#IMSS: timeout parameters
imss_timeout=10m
imss_connect_timeout=1s
#IMSS: content filter interface thru transport "imss"
content_filter=imss:localhost:10025
imss_destination_recipient_limit=200
imss_destination_concurrency_limit=20

In /etc/postfix/master.cf (Postfix takes per-service settings only as "-o" overrides on the indented lines that follow the service entry):

#IMSS: content filter smtp transport "imss" for IMSS
imss unix - - n - - smtp
  -o disable_dns_lookups=yes
  -o smtp_connect_timeout=$imss_connect_timeout
  -o smtp_data_done_timeout=$imss_timeout
#IMSS: content filter loop back smtpd
localhost:10026 inet n - n - 20 smtpd
  -o content_filter=
  -o smtpd_timeout=$imss_timeout
  -o local_recipient_maps=
  -o myhostname=localhost.$mydomain

The empty content_filter= override on the loopback smtpd is essential: without it, mail that the daemon hands back on port 10026 inherits the main.cf content_filter and is sent to the scanner again indefinitely.


The Sandwich Configuration In this configuration, one machine hosts a Postfix instance as an upstream MTA for receiving and a second machine hosts a Postfix instance as the downstream MTA for delivering. A third machine hosts the InterScan MSS daemon, which sits between the two Postfix boxes as a scanning proxy.

[Figure 2-7 shows the flow: machine #1, the upstream MTA (Postfix 1), receives mail on port 25 and relays it to machine #2, the InterScan MSS for Unix daemon, on port 10025 (or any other port) for content scanning; the daemon forwards scanned mail to machine #3, the downstream MTA (Postfix 2), on port 10026 (or any other port), which delivers it.]

FIGURE 2-7. Sandwich Configuration

This configuration is suitable for large corporations with heavy SMTP traffic. Each machine has its own mission and task and will not affect other machines. But, by using this type of setup, your network load will increase.


This configuration is highly flexible; you can replace Postfix with any MTA that speaks SMTP, but you are then responsible for setting up connection control and domain relaying yourself. Here are the configuration settings if Postfix is used as the MTA:

In /etc/postfix/main.cf on machine #1, add the following to relay mail to machine #2:

relayhost=smtp:[ip_of_machine2]:10025
default_destination_recipient_limit=100
default_destination_concurrency_limit=50

In /opt/trend/imss/config/imss.ini on machine #2, set the connection restrictions and point the downstream server address at machine #3:

# imss socket binding address
[socket]
proxy_smtp_server_ip=all
[smtp]
smtp_allow_client_ip=127.0.0.1, ip_of_machine1
downstream_smtp_server_addr=ip_of_machine3

Because proxy_smtp_server_ip=all binds the daemon to every interface, keep smtp_allow_client_ip limited to the loopback address and the upstream MTA; any other host that can reach the daemon's port could otherwise inject mail into the chain behind the upstream MTA's relay controls.

In /etc/postfix/master.cf on machine #3 (the downstream MTA, as shown in Figure 2-7), modify the smtpd settings to receive scanned mail on port 10026:

10026 inet n - n - - smtpd


Configuring Postfix on a Perimeter Gateway This section describes how to configure a Postfix perimeter gateway to relay incoming mail over SMTP to the mail hubs that host user mailboxes. The primary goal is to prevent denial of service (DoS) of incoming mail delivery caused by a high volume of deferred outgoing mail: with a dedicated relay transport, a backlog of deferred outbound mail no longer consumes the delivery slots that inbound mail needs. A secondary goal is to improve performance and lower the latency of incoming mail delivery.

Tip: For a high volume mail server, we highly recommend that you have a separate relay transport for incoming messages, such as the configuration described below.

1. In the /etc/postfix/master.cf file, add a dedicated relay transport (the service fields follow the imss entry shown earlier):

    #IMSS: relay transport for parallel delivery to the same domain or user
    relay     unix  -       -       n       -       -       smtp
        -o smtp_connect_timeout=$relay_connect_timeout

2. In the /etc/postfix/main.cf file, add the following:

    #IMSS: connection timeout for relay transport
    relay_connect_timeout=30s

Note: If multiple MX hosts are available, set relay_connect_timeout=1s so that an unreachable host is skipped quickly and the next MX is tried.

    #IMSS: "relay" transport rate control.
    relay_destination_recipient_limit=50
    relay_destination_concurrency_limit=50

Note: You can raise these two limits depending on your environment, such as the capacity of the downstream MTA or the number of perimeter hosts.

Depending on your lookup table file type, set:

    transport_maps = dbm:$config_directory/transport

3. In the /etc/postfix/transport file, add your destination domain name and the hostname of the next hop with the "relay" transport:

    your.domain.name    relay:nexthop

Note: If MX records are not used, set the entry to relay:[nexthop] to suppress MX lookups on the nexthop hostname.

4. Rebuild the transport lookup table and reload Postfix:

    # postmap /etc/postfix/transport
    # postfix reload

Configuring Multiple InterScan MSS Daemons on the Same Machine This section describes how to configure multiple InterScan MSS scan services on the same machine. By default, InterScan MSS runs only one instance on a given box. If you want to run two instances on one machine, for example one for incoming messages and another for outgoing messages with different policy settings, follow the steps below. The second instance needs its own home directory, registry server port, proxy ports and downstream MTA; any value left at the first instance's setting makes the two daemons compete for the same socket.

To set up multiple InterScan MSS daemons:

1. Copy the InterScan MSS installation directory (for example, /opt/trend/imss) and, for process tracking purposes, rename the two binaries (regserver and imssd) in the new directory.
2. Do the following:

    # cp -rp /opt/trend/imss /opt/trend/imss2
    # cd /opt/trend/imss2/bin
    # mv regserver regserver2
    # mv imssd imssd2

3. Open the script file /opt/trend/imss2/script/S99Reg and do the following:
• Change the line IMSS_HOME=/opt/trend/imss to IMSS_HOME=/opt/trend/imss2.
• Find all instances of "regserver" and change them to "regserver2".
4. Open the script file /opt/trend/imss2/script/S99IMSS and do the following:
• Change the line IMSS_HOME=/opt/trend/imss to IMSS_HOME=/opt/trend/imss2.
• Find all instances of "imssd" and change them to "imssd2".
5. Open the config file /opt/trend/imss2/config/imss.ini and do the following:
• Find all instances of "/opt/trend/imss" and change them to "/opt/trend/imss2".
• In the [EMANAGER_REGSERVER] section, change EMANAGER_REGSERVER_PORT=5060 to EMANAGER_REGSERVER_PORT=5061 (or any available port number).
• In the [smtp] section, uncomment and change

    # downstream_smtp_server_addr=127.0.0.1
    # downstream_smtp_server_port=10026

  to

    downstream_smtp_server_addr=xxxxxxxxx
    downstream_smtp_server_port=xxxxxxxxx

Note: The IP/port of the downstream MTA handles requests from this particular InterScan MSS scanning daemon. It is usually a second instance of Postfix running on the localhost.

• In the [socket_1] section, change

    proxy_service=SMTP_SERVICE
    proxy_port=10025

  to

    proxy_service=SMTP_SERVICE
    proxy_port=10125 (or any available port number)

Note: After you change this parameter, modify the relay port number of the upstream MTA that forwards requests to this particular InterScan MSS scanning instance. For example, in /etc/postfix/main.cf: content_filter = smtp:localhost:10125.

• In the [socket_2] section, change

    proxy_service=POP3_GENERIC_SERVICE
    proxy_port=110

  to

    proxy_service=POP3_GENERIC_SERVICE
    proxy_port=11000 (or any available port number)

Note: If you do not need POP3 service for the second instance of the InterScan MSS daemon, turn it off: in the [pop3] section, change pop3_enable_proxy=yes to pop3_enable_proxy=no.

• In the [General-Notification] section, change NotificationSMTPAddr=127.0.0.1:10026 to NotificationSMTPAddr=xxxxxxx:xxxxx

Note: The MTA at this IP/port is responsible for notification email delivery. It is usually the downstream MTA that handles requests for this particular instance of the InterScan MSS daemon.

6. Replace /opt/trend/imss2/config/eMan_db.xml with the policy database for the second instance (policies that differ from the first instance).
7. Start the second registry server (# /opt/trend/imss2/script/S99Reg start).
8. Start the second InterScan MSS daemon service (# /opt/trend/imss2/script/S99IMSS start).
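The step-5 edits above are a handful of key/value changes inside fixed sections of imss.ini plus a global path substitution; doing them by hand for every clone invites a missed port and two daemons fighting over the same socket. The following Python script is an added example, not part of this guide or of the product: it applies the changes to the first instance's imss.ini, re-enables keys that ship commented out (as the [smtp] downstream entries do), and then checks that the two instances bind no port in common. The sample ini text is constructed from the keys named on this page; the [log]/log_dir key, the 10027 downstream port for a second Postfix instance and the choice of which keys count as listening ports are assumptions.

```python
"""Clone imss.ini for a second InterScan MSS instance and check for port clashes.
Added example for this guide, not Trend Micro code; [log]/log_dir, the 10027
downstream port and LISTEN_KEYS are assumptions."""
import re
from typing import Dict, List, Tuple

Change = Dict[Tuple[str, str], str]   # (section, key) -> new value
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Optional leading '#' so a commented-out key can be found and re-enabled.
KEY_RE = re.compile(r"^\s*(#\s*)?([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
# Assumed to be the keys on which a daemon binds a listening socket.
LISTEN_KEYS = ("proxy_port", "EMANAGER_REGSERVER_PORT")


def rewrite_instance_ini(text: str, old_home: str, new_home: str,
                         changes: Change) -> str:
    """Paths rewritten and `changes` applied; a '# key=value' line is
    uncommented, a missing key is appended to its section, and a missing
    section raises so a typo cannot leave the clone on the old ports."""
    pending = dict(changes)
    out: List[str] = []
    section = None

    def append_missing(sec):
        for (s, k), v in list(pending.items()):
            if s == sec:
                out.append(f"{k}={v}")
                del pending[(s, k)]

    for line in text.splitlines():
        sec_m = SECTION_RE.match(line)
        if sec_m:
            append_missing(section)
            section = sec_m.group(1)
            out.append(line)
            continue
        key_m = KEY_RE.match(line)
        if key_m and (section, key_m.group(2)) in pending:
            out.append(f"{key_m.group(2)}={pending.pop((section, key_m.group(2)))}")
            continue
        out.append(line.replace(old_home, new_home))   # step 5, first bullet
    append_missing(section)
    if pending:
        raise ValueError(f"sections not found in ini: {sorted(pending)}")
    return "\n".join(out) + "\n"


def listening_ports(text: str) -> Dict[str, int]:
    """Map 'section/key' -> port for every active (uncommented) listen key."""
    ports: Dict[str, int] = {}
    section = None
    for line in text.splitlines():
        sec_m = SECTION_RE.match(line)
        if sec_m:
            section = sec_m.group(1)
            continue
        key_m = KEY_RE.match(line)
        if (key_m and not key_m.group(1) and key_m.group(2) in LISTEN_KEYS
                and key_m.group(3).isdigit()):
            ports[f"{section}/{key_m.group(2)}"] = int(key_m.group(3))
    return ports


def port_conflicts(first_ini: str, second_ini: str) -> List[int]:
    """Ports both daemons would bind; must be empty before starting imssd2."""
    return sorted(set(listening_ports(first_ini).values())
                  & set(listening_ports(second_ini).values()))


# Constructed sample: the first instance's imss.ini as this guide describes it.
FIRST_INI = """\
[EMANAGER_REGSERVER]
EMANAGER_REGSERVER_PORT=5060
[smtp]
# downstream_smtp_server_addr=127.0.0.1
# downstream_smtp_server_port=10026
[socket_1]
proxy_service =SMTP_SERVICE
proxy_port=10025
[socket_2]
proxy_service=POP3_GENERIC_SERVICE
proxy_port=110
[pop3]
pop3_enable_proxy=yes
[General-Notification]
NotificationSMTPAddr=127.0.0.1:10026
[log]
log_dir=/opt/trend/imss/log
"""
# The step-5 edits; the guide leaves the downstream address/port as x's.
SECOND_CHANGES: Change = {
    ("EMANAGER_REGSERVER", "EMANAGER_REGSERVER_PORT"): "5061",
    ("smtp", "downstream_smtp_server_addr"): "127.0.0.1",
    ("smtp", "downstream_smtp_server_port"): "10027",
    ("socket_1", "proxy_port"): "10125",
    ("socket_2", "proxy_port"): "11000",
    ("pop3", "pop3_enable_proxy"): "no",
    ("General-Notification", "NotificationSMTPAddr"): "127.0.0.1:10027",
}

if __name__ == "__main__":
    second = rewrite_instance_ini(FIRST_INI, "/opt/trend/imss", "/opt/trend/imss2", SECOND_CHANGES)
    print(second, "shared ports:", port_conflicts(FIRST_INI, second))
```

Run the conflict check before the S99IMSS start in step 8, and again whenever either instance's imss.ini is edited later; an empty list is the only acceptable result.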

Sendmail Daemons and InterScan MSS on a Server The following illustration depicts the scenario of running two Sendmail daemons and InterScan MSS on the same Unix box.

FIGURE 2-8. Sendmail Daemons and IMSS on One Server. On the host box_1, Sendmail #1 faces the Internet on port 25 with anti-relay enabled, IMSS listens on port 10025, and Sendmail #2 faces the intranet on port 10026.

Port 10025 and 10026 are arbitrary port numbers, so replace 10025 and 10026 with free ports when completing the configuration below. (Port 25 is the standard SMTP port.) The instructions to configure Sendmail daemons for this configuration are:

Configure Sendmail #1:
1. Copy sendmail.cf to a new file called sendmail.cf.delivery (this copy becomes the configuration of Sendmail #2).
2. Change the A option in sendmail.cf for Msmtp, Mesmtp, Msmtp8, and Mrelay from "IPC $h" to "IPC localhost 10025", where 10025 is an arbitrary free port on box_1.
3. Add the "k" flag to the "F" option for Msmtp, Mesmtp, Msmtp8, and Mrelay in sendmail.cf.

The changes for Msmtp (as an example) should look as follows:

    Msmtp Before:
    P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
    Msmtp After:
    P=[IPC], F=kmDFMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC localhost 10025

4. Replace the local mailer with [IPC] for Mlocal in sendmail.cf.
5. Change the A option to "IPC localhost 10025" for Mlocal in sendmail.cf.
6. Add the "k" flag to the "F" option for Mlocal in sendmail.cf.

The changes for Mlocal look as follows:

    Mlocal Before:
    P=/usr/lib/mail.local, F=lsDFMAw5:/|@qfSmn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=mail.local -d $u
    Mlocal After:
    P=[IPC], F=klsDFMAw5:/|@qSmn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=IPC localhost 10025

Note: Make sure the "F" option of Mlocal does not include the "f" flag (the After line above has it removed). This flag is standard on the Solaris 7 distribution of Sendmail and should be removed.

Configure Sendmail #2:
7. In sendmail.cf.delivery, change the port to listen on to 10026.

    Before: #O DaemonPortOptions=Port=esmtp
    After:  O DaemonPortOptions=Port=10026

8. Change the mail queue to a different directory in sendmail.cf.delivery.

    Before: O QueueDirectory=/var/spool/mqueue
    After:  O QueueDirectory=/var/spool/mqueue1

9. Create the directory /var/spool/mqueue1 with the same ownership and permissions as the original /var/spool/mqueue.
10. Add the "k" flag to the F option for Mlocal, Msmtp, Mesmtp, Msmtp8, and Mrelay in sendmail.cf.delivery.

With every mailer in Sendmail #1 pointing at localhost:10025, all mail, including mail for local users, passes through InterScan MSS before Sendmail #2 delivers it. Ports 10025 and 10026 should be reachable only from box_1 itself (or, for 10026, from the intranet); anything that can connect to them bypasses the anti-relay checks that Figure 2-8 places on Sendmail #1.

Restarting Sendmail Services
11. Restart the first Sendmail daemon to handle SMTP traffic on port 25 using the following command:

    /usr/lib/sendmail -bd -q1h

12. Restart the second Sendmail daemon to receive SMTP traffic from InterScan MSS using the following command:

    /usr/lib/sendmail -bd -q1h -C/etc/mail/sendmail.cf.delivery
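The Sendmail #1 edits above touch five mailer definitions in the same three ways (A= redirected to the IMSS port, a k flag added to F=, and for Mlocal P= swapped to [IPC] and the f flag dropped), which is easy to get subtly wrong by hand, for example by leaving the f flag in place. The following Python script is an added example, not part of this guide or of Sendmail: it rewrites the mailer lines of a sendmail.cf text and then re-checks them, so the check can also be run against a file that was edited by hand. The sample sendmail.cf fragment is constructed from the Before lines shown on this page, with an Mprog mailer added as a control that must stay untouched; continuation lines that begin with whitespace are joined before parsing, which is how sendmail.cf wraps a mailer definition.

```python
"""Rewrite and verify sendmail.cf mailer definitions for the IMSS hand-off.
Added example for this guide; not Trend Micro or Sendmail code."""
import re
from typing import Dict, List, Optional, Tuple

# Mailers the guide redirects to InterScan MSS (steps 2 to 6 for Sendmail #1).
INTERCEPT_MAILERS = ("smtp", "esmtp", "smtp8", "relay", "local")
MAILER_RE = re.compile(r"^M([A-Za-z0-9_]+),\s*(.*)$")
# Fields are 'X=value' pairs separated by commas; split only where the next
# token is a field name, so a value such as 'IPC $h' stays whole.
FIELD_SPLIT_RE = re.compile(r",\s*(?=[A-Za-z]=)")


def _join_continuations(text: str) -> List[str]:
    """Fold lines that begin with whitespace onto the previous line."""
    lines: List[str] = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_mailer(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """'Msmtp, P=[IPC], F=mDFMuX, ...' -> ('smtp', {'P': '[IPC]', 'F': ...})."""
    m = MAILER_RE.match(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for part in FIELD_SPLIT_RE.split(m.group(2)):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return m.group(1), fields


def format_mailer(name: str, fields: Dict[str, str]) -> str:
    return f"M{name}, " + ", ".join(f"{k}={v}" for k, v in fields.items())


def rewrite_for_imss(text: str, port: int = 10025,
                     mailers=INTERCEPT_MAILERS) -> str:
    """Apply the guide's Sendmail #1 edits to every intercepted mailer."""
    out: List[str] = []
    for line in _join_continuations(text):
        parsed = parse_mailer(line)
        if parsed is None or parsed[0] not in mailers:
            out.append(line)
            continue
        name, f = parsed
        f["P"] = "[IPC]"                     # step 4 (already [IPC] for smtp mailers)
        f["A"] = f"IPC localhost {port}"     # steps 2 and 5: hand off to IMSS
        flags = f.get("F", "")
        if name == "local":
            flags = flags.replace("f", "")   # note: Mlocal must not carry 'f'
        if "k" not in flags:
            flags = "k" + flags              # steps 3 and 6
        f["F"] = flags
        out.append(format_mailer(name, f))
    return "\n".join(out) + "\n"


def verify_for_imss(text: str, port: int = 10025,
                    mailers=INTERCEPT_MAILERS) -> List[str]:
    """Return a list of problems; empty when every intercepted mailer is right."""
    problems: List[str] = []
    want_a = f"IPC localhost {port}"
    for line in _join_continuations(text):
        parsed = parse_mailer(line)
        if parsed is None or parsed[0] not in mailers:
            continue
        name, f = parsed
        if f.get("P") != "[IPC]":
            problems.append(f"M{name}: P={f.get('P')!r}, expected [IPC]")
        if f.get("A") != want_a:
            problems.append(f"M{name}: A={f.get('A')!r}, expected {want_a!r}")
        if "k" not in f.get("F", ""):
            problems.append(f"M{name}: F lacks the k flag")
        if name == "local" and "f" in f.get("F", ""):
            problems.append("Mlocal: F still carries the f flag")
    return problems


# Constructed from the Before lines on this page; Mprog is a control mailer.
SAMPLE_CF = """\
O DaemonPortOptions=Port=esmtp
Msmtp,\t\tP=[IPC], F=mDFMuX, S=11/31, R=21, E=\\r\\n, L=990,
\t\tT=DNS/RFC822/SMTP,
\t\tA=IPC $h
Mlocal,\t\tP=/usr/lib/mail.local, F=lsDFMAw5:/|@qfSmn9, S=10/30, R=20/40,
\t\tT=DNS/RFC822/X-Unix,
\t\tA=mail.local -d $u
Mprog,\t\tP=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
\t\tT=X-Unix,
\t\tA=sh -c $u
"""

if __name__ == "__main__":
    rewritten = rewrite_for_imss(SAMPLE_CF)
    print(rewritten)
    print("problems:", verify_for_imss(rewritten))
```

Mailers that the script rewrites come out on a single line, which sendmail accepts; verify_for_imss reports nothing about mailers that are absent from the file, so check that all five names from steps 2 and 3 are actually present in your sendmail.cf.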


Upgrade Information InterScan MSS’s installation script automatically upgrades previous versions of InterScan™ VirusWall™ for Unix and migrates eManager™ rules. If the script detects a previous installation of VirusWall, it: • Migrates the existing settings • Removes InterScan VirusWall’s SMTP module and retains the HTTP and FTP modules • Installs InterScan MSS For additional information on eManager migration, see InterScan eManager™ Migration. For installation information, see Installation starting on page 3-1.

Recommended System Requirements

• Sun™ Solaris™ 2.8 or 2.9
• UltraSPARC™ III processor, 1GHz
• 1GB of RAM
• 4GB of swap space

Minimum System Requirements
• Sun™ Solaris™ 2.8 or 2.9
• UltraSPARC™ II processor, 650MHz
• 512MB of RAM
• 2GB of swap space

Chapter 3 Installation

This chapter discusses the following information:
• Installing InterScan™ MSS and the Trend Micro™ Control Manager™ agent
• Accessing the Web-based Management Console
• Post-installation configuration
• Encrypting console-server communication using SSL
• Upgrading the trial version

Before you install InterScan MSS, do the following:
1. Install the following Solaris patches in the following order: 108714, 108652, 108773, 108921, 112003, 111293, 112396, 108987, 111111, 111310, 108528, 108827, 108940, 112472.
2. Run ./postfixinstall.sh postfix.

Installation Methods

There are two ways to install InterScan MSS: • Interactive, which prompts you for input during the installation • Silent, which gets installation parameters from a predefined file

Interactive The following is a list of the key steps during an interactive installation: 1. Log in as a superuser and go to the installation package directory. 2. Type ./isinst. 3. When prompted, specify the installation path (the default is /opt/trend). 4. At the serial number prompt, type the serial number. If you press Enter without entering a number, a 30-day trial version of the product is installed.

Note: Unix is case sensitive, so ensure that the serial number is entered correctly.

5. Ensure that the memory or swap space is adequate (for additional information, see Recommended System Requirements starting on page 2-19). 6. When prompted to install the Control Manager agent, enter y or n (for additional information, see The Control Manager Agent starting on page 3-5). 7. If you have InterScan VirusWall for Unix installed, it is detected; you will be prompted for the migration option. If you choose not to migrate settings, you can continue with the InterScan MSS installation. 8. When prompted about eManager migration, enter y or n. For additional information on eManager migration, see InterScan eManager™ Migration on page F-1.


Note: For the interactive installation, there is an option that allows you to install only the UI, if you completed a previous installation, did not select the UI, and changed your mind. The option is ./isinst -installui.

Silent Installation For a silent installation, configure the parameters listed below in the isinst.ini file. When this .ini file is correctly configured, the installation proceeds without prompting you for responses. The configuration parameters are:
• install_path= The installation path; the default value is /opt/trend.
• serialnumber= The serial number you would otherwise enter during the installation.
• eManagerserial= The eManager serial number.
• migration= Migrate InterScan VirusWall 3.x settings; the default value is yes.
• existImssaction= Remove a previous installation of InterScan MSS or exit the installation; the default value is remove.
• installagent= Begin the Control Manager agent installation; the default value is no.
• existAgentaction= Exit the agent installation or override the existing agent.
• cmserveraccount= The Control Manager server account.
• cmserverip= The Control Manager server IP address.
• mailserverdomain= The mail server domain for your organization (see Default Sub-Policy Domain Information below).
• AJP12PORTNUM=8007
• AJP13PORTNUM=8009
• HTTPPORTNUM=8081
• HTTPSPORTNUM=8445
• ByPassUI= Skip installation of the Web administrative interface component.
• ByPassPostfixPages= Assuming you are using the Web administrative interface, this parameter controls whether a subset of Postfix configurations is managed through the Web interface.

Because isinst.ini carries the serial numbers and the Control Manager server account, keep it readable by root only and remove it once the installation has completed.

Default Sub-Policy Domain Information For a silent or an interactive installation, submit a correct mail server domain name for your organization.

Note: A correct mail server domain is extremely important when defining incoming or outgoing policies for InterScan MSS server mail traffic.

During an interactive installation, InterScan MSS takes the mail server domain that you provide and writes it to the default sub-policies. Before a silent installation, ensure that the mailserverdomain value is correctly configured. If this value is empty, the script quits the installation and prompts you to configure a mail server domain and re-install InterScan MSS.

Migration from InterScan VirusWall v.3.x If an existing InterScan VirusWall for Unix v.3.x installation is detected, you are prompted for a response at the migration option. After migration, the SMTP module is migrated, but the HTTP and FTP scanning modules remain intact.

Note: If you are going to install InterScan MSS on a machine with InterScan VirusWall 3.x and eManager 3.x, and you plan to migrate your settings, we strongly recommend that you stop the InterScan VirusWall 3.x SMTP, sendmail, and eManager daemons before starting the migration.

Verifying the Installation After the installation is complete, to see a list of the daemons, type the following at the command prompt: # ps -ef | grep imss Then connect to port 25 (for example with telnet) and confirm that InterScan MSS/Postfix answers with an SMTP 220 greeting.

Removing InterScan MSS To remove InterScan MSS, at the command prompt, type isinst -uninstall and press Enter. If the process is successful, you will see the following message: Removal of was successful. After uninstallation is complete InterScan MSS dumps the following files to //installlog: • ccgi_install.log • eMan_db.xml • eMan_db.xml.bak • imss.ini • ImssInstall.log • TMIsetup.log

The Control Manager Agent

The Trend Micro™ Control Manager™ agent is an application that is installed on a server and allows the Control Manager to manage InterScan MSS. The agent receives commands from the Control Manager server and applies these commands to InterScan MSS. The agent also collects logs from InterScan MSS and sends them to Control Manager.


The Control Manager agent in InterScan MSS is the primary interface with the Control Manager server. The agent receives commands from and sends information to the Control Manager server through a communication infrastructure called the Communicator. The Communicator is the communication backbone of Control Manager. You can manage input from the Control Manager server to the entities and status reports from the entities to the server. The Communicator handles the needs of all the agents on this server. One Communicator is installed on each machine and, if an existing Communicator is not detected, it is usually installed with the agent. If multiple products are installed to a single machine, the corresponding agents share one Communicator.

Installing the Agent In the installation script, if you typed yes at the installagent= parameter, you are prompted to install the agent.

Minimum Requirements To install the agent, you need the following: • UltraSPARC III processor, 1GHz • 512MB of RAM • 50MB for agent program files The agent installation script searches for an existing agent installation. If an agent is detected, you are prompted to remove the agent or exit the installation.

Note: Each time you install InterScan MSS, the existing Control Manager agent must be removed.

You can install the agent by typing isinst -tmcmagent at the command prompt or by following the steps below. To install the agent: 1. Unregister the agent from the Control Manager server. 2. After the agent has been installed, you are prompted for an entity name. The default is the host name, but this name can be modified.

3. Enter your Control Manager server account. You need administrative rights to complete this step. This account is used only to install the agent; entering it installs the entire agent. If this account is later deleted, you cannot connect to the Control Manager server. 4. Enter the Control Manager server IP address or hostname. If you entered an incorrect IP address, you get an error message; re-enter the correct IP address. 5. If you do not know the Control Manager IP address or hostname, type "skip" to exit the input and then use the S99IMPORTKEY script to re-register the agent. 6. If the agent installed successfully, you will see "The Agent is installed."

Viewing the Agent To log on to Control Manager: 1. Enter your user name and password and click Enter. 2. In the menu bar, click Products. 3. To see information about InterScan MSS, in the left frame, click New Entity. 4. Click IMSS next to the green check, and in the right frame, the following tabs are displayed: • Status • Configuration • Tasks • Logs


FIGURE 3-1. Trend Micro Control Manager Agent Console

Temp Folder The Temp folder contains a collection of shortcuts to entities, which are deleted when you log off. This collection allows you to focus on specific products, without changing the Product Directory organization. You can only add the entities to Temp if you can see them in the Product Directory. You cannot create shortcuts to products you cannot access.

Status The area under this tab is divided into the following sections: • Product Information The types of information in this section include: • Product version and latest build number • Agent version and status • Spam rule version


• Virus pattern version • Scan engine version • Operating System Information In this section, there is information on the operating system, such as the name, version, service pack, and language. • Networking Information This section includes information such as the domain name, the host name, the IP address, and the MAC address.

Configuration The Configuration screen allows you to remotely configure InterScan MSS servers. Select the InterScan MSS version. The configuration settings that you make are applied to the server or folder selected in the left frame. Choose the options and click Next, and continue through UI to configure it.

Tasks In this tab, using the pull-down menu, select one of the following tasks: • Deploy virus pattern and spam rule • Deploy scan engine • Configuration replication (agent replication) To complete a task, select it and click Next. For example, if you select Deploy Now for virus pattern/spam rule, click Next. In the new screen, click the Virus pattern/spam rule link to begin the process.

FIGURE 3-2. Deployment Screen in Control Manager


Command Details The Command Details screen provides more in-depth information about the results of a command. The upper table identifies the command and summarizes its scope by showing the number of products involved and their results. Details for the individual products are shown in the lower table.

FIGURE 3-3. Command Details Screen

Command Tracking To help you monitor the progress of completed tasks, Control Manager maintains records of all executed commands. For example, Configuration replication can take several minutes to complete, so after instructing products to perform a Configuration replication, you can continue with other tasks and view Command Tracking later for the results.

Logs In this screen, you can view Event Logs and Security Logs. To view a log, click the appropriate link. For example, to examine the Event Log, click this link. For additional details on a log, click View Logs. To return to the previous screen, click <


FIGURE 3-4. Agent Event Log Query Screen

Removing the Agent To remove the agent, at the command prompt, type isinst -uninstallagent.

Opening the Web-based Console

The InterScan MSS Web console can be viewed with a Web browser from the machine where the program was installed or remotely across the network. To view the console in a browser, go to: • http:///IMSS.html • https:///IMSS.html An alternative to using the IP address is the target server's fully qualified domain name (FQDN). To view the Management Console using SSL, type "https://" before the domain name (for more information, see Viewing the Management Console Using SSL starting on page 3-13). The default password for the InterScan MSS console is blank, so until you set one, anyone who can reach the console port can change your policies. Set a password immediately after installation, before the console is reachable from the rest of the network. See Management Console Password starting on page 4-26 for more information.


Post Installation Configuration

When you finish installing the software, you may have to perform the following configuration tasks using the InterScan MSS Management Console.

Control the Message Relay InterScan MSS’s server can be used to relay messages to mail hosts in your intranet and to mail hosts on the Internet. The default relay configuration after an installation ensures that the program is not set up for open relay. This means that: • Servers outside your intranet can only relay messages that are destined for the domain you provided during installation. • Internal mail servers cannot relay messages to the Internet. To change the default anti-relay settings, in the left frame, choose Configuration > Postfix > Receiver > Relay Control. For more information, see Relay Control starting on page 4-9.

Note: If you want InterScan MSS to protect multiple domains, add these additional domains to the Allowed Relay Destinations list.
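Verifying the Installation says to connect to port 25 and see that Postfix answers, and the relay-control section above states that the default configuration is not an open relay. Both can be checked from outside with one short SMTP dialogue: read the 220 greeting, announce yourself, name a sender and a recipient that are both foreign to the gateway, and look at the reply to RCPT TO. No DATA is ever sent, so nothing is queued even if the relay turns out to be open. The Python script below is an added example, not part of this guide or of the product; the host names in it are placeholders, the two transcripts are constructed (a Postfix-style "554 ... Relay access denied" and an accepting server), and treating a 4xx reply as inconclusive rather than closed is a judgement call.

```python
"""Probe an SMTP gateway: does it greet, and does it relay for outsiders?
Added example for this guide, not Trend Micro code; host names are placeholders."""
import socket
from typing import Callable, Dict, List, Tuple

ReadLine = Callable[[], str]       # returns one CRLF-terminated line, '' at EOF
SendLine = Callable[[str], None]   # sends one command line (CRLF added by caller)


def read_reply(readline: ReadLine) -> Tuple[int, List[str]]:
    """Read one SMTP reply; '250-' lines continue it, '250 ' ends it."""
    lines: List[str] = []
    while True:
        line = readline()
        if len(line) < 4 or not line[:3].isdigit():
            raise ValueError(f"malformed or missing SMTP reply: {line!r}")
        lines.append(line.rstrip("\r\n"))
        if line[3] != "-":
            return int(line[:3]), lines


def probe_relay(readline: ReadLine, sendline: SendLine,
                helo: str = "probe.example.net",
                mail_from: str = "probe@external-a.example",
                rcpt_to: str = "someone@external-b.example") -> Dict[str, str]:
    """Relay verdict: open, closed, inconclusive or no-service.
    Sender and recipient are both foreign to the gateway, so a 250 to RCPT TO
    means it relays for anyone; QUIT comes before DATA, so nothing is queued."""
    result: Dict[str, str] = {}
    code, lines = read_reply(readline)
    result["banner"] = lines[0]
    if code != 220:
        result["relay"] = "no-service"
        return result
    sendline(f"EHLO {helo}")
    code, _ = read_reply(readline)
    if code != 250:                        # pre-ESMTP server: fall back to HELO
        sendline(f"HELO {helo}")
        code, _ = read_reply(readline)
    if code != 250:
        result["relay"] = "no-service"
        return result
    sendline(f"MAIL FROM:<{mail_from}>")
    code, lines = read_reply(readline)
    if code != 250:
        verdict = "inconclusive"           # sender refused; relaying untested
    else:
        sendline(f"RCPT TO:<{rcpt_to}>")
        code, lines = read_reply(readline)
        if code in (250, 251):
            verdict = "open"
        elif 500 <= code < 600:
            verdict = "closed"
        else:
            verdict = "inconclusive"       # 4xx: greylisting or load, retry later
    result["reply"], result["relay"] = lines[-1], verdict
    sendline("QUIT")
    try:
        read_reply(readline)
    except ValueError:                     # some servers just close after QUIT
        pass
    return result


def probe_host(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Run the probe over a real TCP connection to the installed gateway."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
        return probe_relay(rfile.readline,
                           lambda s: sock.sendall((s + "\r\n").encode("ascii")))


def probe_transcript(server_lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Run the probe against canned replies; returns (result, commands sent)."""
    replies = iter(server_lines)
    sent: List[str] = []
    result = probe_relay(lambda: next(replies, ""), sent.append)
    return result, sent


# Constructed transcripts: a Postfix-style refusal and an open relay.
CLOSED_RELAY = [
    "220 mx.example.com ESMTP Postfix\r\n",
    "250-mx.example.com\r\n", "250-PIPELINING\r\n", "250 8BITMIME\r\n",
    "250 Ok\r\n",
    "554 <someone@external-b.example>: Relay access denied\r\n",
    "221 Bye\r\n",
]
OPEN_RELAY = CLOSED_RELAY[:5] + ["250 Ok\r\n", "221 Bye\r\n"]

if __name__ == "__main__":
    for name, lines in (("closed", CLOSED_RELAY), ("open", OPEN_RELAY)):
        print(name, probe_transcript(lines)[0])
    # Against a live gateway, from a host outside your domain:
    # print(probe_host("mx.example.com"))
```

Run probe_host from a host outside the domain you gave at installation, and again after adding domains to the Allowed Relay Destinations list; an "open" verdict means the relay-control defaults have been loosened and need to be revisited before the gateway stays on the Internet.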

Modify the Message Routing Table The delivery method used after messages are processed is governed by the message routing table and the domain shown in the message’s destination address. The InterScan MSS installation program creates a basic routing table based on the domain name destination of email messages. This table routes all messages destined for the domain using SmartHost (a way to route mail to separate destinations), depending on the delivery method you specified during installation. Messages destined to all other domains use a built-in MTA to resolve the destination address. To modify your Postfix Domain-Based Delivery settings, in the left frame, choose Configuration > Postfix > Domain-Based Delivery. For more information see Domain-Based Delivery starting on page 4-10.


Update InterScan MSS Trend Micro frequently updates the virus pattern file (sometimes several times a week) in response to newly released viruses. The scan engine is updated less frequently as changes are made that enhance its functionality and performance. To update your software, in the left frame, choose Configuration > Update > Update Now. For more information about on-demand program updates, see Update Now starting on page 4-22.

Configure Scheduled Update InterScan MSS can automatically check Trend Micro’s update server at a user-configured interval. To configure an update schedule, in the left frame, choose Configuration > Update > Scheduled Update. For more information, see Scheduled Update starting on page 4-23.

Note: If the InterScan MSS server connects to the Internet using a proxy server, enter the proxy settings before attempting an update.

Viewing the Management Console Using SSL

The InterScan MSS Management Console supports encrypted communication using SSL. By default, after installing CCGI, SSL works because CCGI ships with a default certificate. That bundled certificate is not specific to your server, so it protects the session against eavesdropping but gives a browser no way to tell your console from any other installation; to use your own certificate, run: /apache/bin/mkcert.sh

Upgrading the Trial Version

If, during the installation process, you did not type valid serial numbers, a 30-day trial of the software is installed. You can upgrade from the trial to the registered version by entering valid serial numbers in the Web-based Management Console.


To enter serial numbers: 1. Open the InterScan MSS Web console. 2. In the left frame, choose Configuration > General > Registration > Product Registration. 3. Enter the InterScan MSS and eManager serial numbers in the appropriate fields and click Register.

Note: Enter the InterScan MSS serial number before entering the eManager serial number to ensure a successful upgrade. If the 30-day trial of InterScan MSS has elapsed, restart your server after entering the serial number because its service will not be running. If upgrading eManager, click Apply Now, which restarts Postfix and InterScan MSS.

Saving Your Customized Settings If you are installing multiple instances of InterScan MSS for clustered servers, you can save your customized settings. These settings are stored in .ini, *.dat files, and daemon entries. If you want to uninstall InterScan MSS and move it to a new server, you can save these settings and apply them to the new installation. To save your settings, backup the following files: 1. /opt/trend/imss/config/eMan_db.xml (the eManager policy database) 2. /opt/trend/imss/config/imss.ini (the main configuration file)

Restoring Settings To restore your previous settings, copy them to the /opt/trend/imss of the target server.

Chapter 4 Configuration

This chapter explains important configuration tasks to perform after installation. Topics include customizing your InterScan™ MSS configuration settings and performing routine administrative tasks to keep your antivirus software current. The following topics are covered: • Enabling notification messages using email or a Simple Network Management Protocol (SNMP) trap • Message processing directories and queues • Your management console password • Updating your virus pattern, scan engine, and spam database • Viewing and maintaining log files • Configuring Postfix settings • Registering your software and updating a trial version to the full version For more information about configuring your virus protection, see The Virus Filter starting on page 6-1. Content filtering configuration is covered in The InterScan™ eManager™ Filter starting on page 7-1.


Opening the Web-Based Management Console

The InterScan MSS Web console is viewed with a Web browser, either locally or remotely across the network.

Note: The default password for the InterScan MSS console is blank. To prevent unauthorized access, we recommend that you configure a password immediately following installation. See Management Console Password starting on page 4-27 for more information.

To view the console from another computer on the network, go to one of the following URLs: • http:///IMSS.html • https:///IMSS.html Using the target server’s machine name or fully-qualified domain name (FQDN) rather than the IP address is also acceptable.

Note: If InterScan MSS is installed on a multi-homed machine that has multiple IP addresses, use the IP or FQDN of the default web server.

As a security precaution, the InterScan MSS Web console times out after 20 minutes of inactivity and returns you to the password-entry screen.

Using Online Help

In addition to this Getting Started Guide, the InterScan MSS Web console includes online help that can be viewed from most of the console’s pages. To view context-sensitive help topics, click the help icon that appears in the top-right corner of most screens. To view the online help system’s table of contents, click Help at the bottom of each screen. If, after checking the program documentation, your questions have not been answered, see Troubleshooting and Contact Information starting on page 8-1 for additional information about accessing technical support, including Trend Micro’s Web-based Knowledge Base database.


Applying Configuration Changes

When you make configuration changes in the InterScan MSS console, they are handled in one of the following ways: • Settings are updated after you click Save • Settings are applied immediately by first clicking Apply Now (clicking Apply Now restarts Postfix and the InterScan MSS daemon). Configuration settings are saved in XML or .ini files on the server. A copy of this data is written into memory when the InterScan MSS daemon starts, to speed up program performance. For the program to use new configuration settings, InterScan MSS needs to read the updated settings from the XML or .ini files and apply them. This resource-intensive task, if done frequently, diminishes system performance. When you click Apply Now, InterScan MSS for Unix and Postfix are restarted, which applies the changes.

Settings Applied Automatically After Saving The following configuration changes are applied automatically after typing them into InterScan MSS’s Web-based management console: • Changes to the InterScan MSS console password (see Management Console Password starting on page 4-27) • Scan engine, virus pattern, and spam database Update Now settings (see Update Now starting on page 4-23) and Scheduled Update settings (see Scheduled Update starting on page 4-23) • Proxy server settings (see Configuring Proxy Settings starting on page 4-24)

Note: All update-related settings, including proxy server information, are also automatically applied to the InterScan MSS Scheduler.

• All virus, eManager and Program Log viewing settings (see Configuring Proxy Settings starting on page 4-24) • Event Monitoring settings (see Event Monitoring starting on page 4-17)


Note: When you make changes to the configurations listed above, which are applied automatically, the Apply Now button will be unavailable.

The Apply Now Button Some configuration changes in the InterScan MSS console are enforced by clicking Apply Now, which restarts InterScan MSS and Postfix. The maximum amount of time that the program spends updating the settings is one minute; after this, if the update has not completed, a message indicating that there is a problem with the InterScan MSS daemon is displayed.

Note: The scanning queue may grow temporarily after clicking Apply Now, because all scanning threads are suspended temporarily during the update process.

The following configuration changes are enabled by clicking Apply Now: • All Policy Manager-related settings (see Policy Management starting on page 5-1) • Email and SNMP trap settings (see Management Console Password starting on page 4-27)

Note: Notification settings are immediately applied to the InterScan MSS System Monitor.

• Scanning Limits (see Configuring Proxy Settings starting on page 4-24) • All Postfix settings, except for the Receiver Settings IP address configuration where the InterScan MSS server is installed. These include: • Connection settings (see Connections starting on page 4-7) • Connection Control settings (see Connection Control starting on page 4-7) • Relay Control settings (see Relay Control starting on page 4-8) • Domain-based Delivery settings (see Domain-Based Delivery starting on page 4-9) • Message Limits (see Message Limits starting on page 4-10) • Exception Handling settings (see General Settings starting on page 4-26) • Registration settings (see Registration starting on page 4-27) • Updating the Receiver settings, including the InterScan MSS server’s IP address, port and greeting message (see Receiver Settings starting on page 4-6)

4-4 Configuration

• Changing the Log Maintenance settings, including the logging level, the log directory or the number of days to keep log entries (see Log Maintenance starting on page 4-26)

Note: If you have made any configuration changes that have not yet been applied to the program, click Apply Now.

Services

In the Services screen, InterScan MSS allows you to enable or disable SMTP and POP3 mail handling. This choice affects which adaptors are loaded during the initial service startup.

Note: As soon as you finish installing InterScan MSS, go to Services and select the adaptor(s) that you want to use.

To choose which type of mail handling you want, in the left frame, choose Configuration > Services. Select the SMTP or POP3 mail handling check box(es) and click Save.

Enabling or Disabling Adaptors

This section discusses the differences between disabling the SMTP and POP3 adaptors.

SMTP
If you disable the SMTP adaptor and restart the InterScan MSS daemon, InterScan MSS cannot receive SMTP mail. To enable the SMTP adaptor, select it in the Services screen and restart the InterScan MSS daemon.

POP3
If you disable the POP3 adaptor and restart the InterScan MSS daemon, InterScan MSS will not receive POP3 mail. If instead you disable POP3 scanning by choosing Configuration > POP3 > Settings and clearing Enable POP3 Scanning, InterScan MSS still receives POP3 mail but does not scan it. For more information on POP3 scanning, see POP3 Mail Scanning starting on page 4-10.


Postfix

Before InterScan MSS can start scanning messages to and from your network, you need to initially configure Postfix. During installation, you are prompted about allowing InterScan MSS to manage a restricted subset of Postfix functions. If you want the subset of Postfix functions to be managed by InterScan MSS, type y at the prompt. (If you installed Postfix during installation, but would like to now remove it, see Uninstalling Postfix starting on page I-1.)

Processing Queue

The Processing Queue holds messages before they are scanned or delivered. The default path is /var/spool/postfix.

Note: If you plan to modify your queue folder path, ensure that you have sufficient space in the partition to accommodate these modifications. For example, we recommend that you have 4G of space if the partition contains the Postfix mail queue (/var/spool/postfix) and InterScan MSS temp mail queue (/opt/trend/imss/queue).

Receiver Settings

The IP address, SMTP greeting and port on which InterScan MSS receives SMTP messages are all configurable. In addition, you can control which servers InterScan MSS will receive messages from, and which servers are allowed to relay messages through it.

Server Identity (Settings)

You need to specify the IP address and port to which InterScan MSS will bind. You can also configure the greeting message that other SMTP servers receive after connecting. To configure the InterScan MSS IP address and SMTP greeting:
1. In the left frame, choose Configuration > Postfix > Receiver > Settings.
2. Use the IP address pull-down menu to select the IP address of the server where InterScan MSS has been installed.


Note: By default, InterScan MSS binds to all available network interfaces for this service. You may choose to bind to a specific network interface card when you choose a specific IP address from the pull-down menu.

3. In Port, enter the port number; in SMTP server’s greeting message, type the greeting text.
4. Click Save.

Note: To apply the new settings, restart the InterScan MSS daemon.

Connections

Postfix accepts messages from other SMTP servers and, after processing is complete, passes these messages on. You can configure how these connections are handled. To configure InterScan MSS’s connection settings:
1. In the left frame, choose Configuration > Postfix > Receiver > Connections.
2. In Connections, you can configure:
  • The disconnection timeout period
  • The maximum number of simultaneous connections
3. Click Save.

Note: To apply the new Connections settings to your current session, click Apply Now, which restarts Postfix and the InterScan MSS daemon.

Connection Control

For added security, in Connection Control you can limit which SMTP hosts are allowed to connect to the InterScan MSS server. You do this by adding IP addresses or IP address ranges to a list of hosts that are allowed (or denied) access to your server. For example, you can block the IP address of an organization that has previously sent you spam, or a host that you suspect is an open relay being used by spam senders.


To allow (or deny) SMTP hosts to connect to InterScan MSS, select one of the following options:
• Accept all, except for the following Deny Access list
• Deny all, except for the following Allow Access list
To set connection privileges:
1. In the left frame, choose Configuration > Postfix > Receiver > Connection Control.
2. In Connection Control, select whether you want to deny or allow access to a list of servers.
3. To configure the server lists, click the Edit link. A list entry can be a single IP address or a range of IP addresses.

Note: To apply the Postfix Receiver Connection Control settings, click Apply Now in the top-left corner of the screen; this step restarts Postfix and the InterScan MSS daemon.

Relay Control

You can allow (or deny) other computers to relay messages through your InterScan MSS server. Unauthorized relaying through an SMTP server is a common headache for mail administrators: spam senders relay their messages through an unsuspecting company’s mail server to hide their identity, give the message an air of respectability, or abuse other people’s bandwidth. InterScan MSS manages relay control by:
• Restricting relay to specific local domains: all hosts are allowed to relay mail to a specific list of destinations (Allowed Relay Destinations). Enter only the domain names of mail hosts used by your organization.
• Allowing exceptions based on:
  • Host only
  • Same subnet as the host (default)
  • Same IP class as the host
  • Specified IP addresses
Only hosts that you specify (Permitted Senders of Relayed Mail) are allowed to relay messages to hosts not in the Allowed Relay Destinations list.


In effect, hosts in the Permitted Senders of Relayed Mail list can relay messages through the InterScan MSS server to any domain; for them, InterScan MSS is an open relay. Enter only the mail hosts that you trust not to abuse their relay privileges or send unauthorized email from internal mail servers. To set relay privileges:
1. In the left frame, choose Configuration > Postfix > Receiver > Relay Control.
2. Enter the Allowed Relay Destinations (the domains of the mail hosts within your intranet).
3. Select one of the Permitted Senders of Relayed Mail options or type IP addresses as appropriate.
4. Click Save.

Note: To apply the Postfix Receiver Relay Control settings, click Apply Now in the top-left corner of the screen; this step restarts Postfix and the InterScan MSS daemon.
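The decisions that the Connection Control and Relay Control screens describe can be worked through offline before you commit a list. The following Python is an added example written for this guide, not InterScan MSS or Postfix code. The function names, the list-entry syntax (a single address, a CIDR block or a dashed range), the netmask that defines “same subnet”, the classful A/B/C reading of “same IP class”, and IPv4-only addressing are all assumptions made for illustration.

```python
import ipaddress

# Added example (not InterScan MSS or Postfix code). Models the two screens:
#   Connection Control: accept all except a Deny list, or deny all except an Allow list
#   Relay Control: mail to an Allowed Relay Destination is taken from anyone; relay to
#                  anywhere else only for Permitted Senders of Relayed Mail
# List entry syntax (assumed): "10.0.0.5", "10.0.0.0/24" or "10.0.0.1-10.0.0.50".
# IPv4 only (the "class" rule is computed from the first octet).

def _ranges(entries):
    """Turn list entries into (first, last) integer address pairs."""
    out = []
    for e in entries:
        e = e.strip()
        if "-" in e:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in e.split("-", 1))
            out.append((int(lo), int(hi)))
        elif "/" in e:
            net = ipaddress.ip_network(e, strict=False)
            out.append((int(net.network_address), int(net.broadcast_address)))
        else:
            a = int(ipaddress.ip_address(e))
            out.append((a, a))
    return out

def _listed(ip, entries):
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in _ranges(entries))

def connection_allowed(client_ip, mode, entries):
    """mode "accept_except": entries is the Deny Access list.
       mode "deny_except":   entries is the Allow Access list."""
    listed = _listed(client_ip, entries)
    if mode == "accept_except":
        return not listed
    if mode == "deny_except":
        return listed
    raise ValueError("unknown mode %r" % mode)

def relay_allowed(client_ip, server_ip, recipient, relay_destinations,
                  permitted="subnet", permitted_ips=(), netmask="255.255.255.0"):
    """Decide whether an SMTP client may relay a message for `recipient`
    (bare domain or user@domain). `permitted` is "host", "subnet", "class"
    or "ips"; `netmask` (assumed parameter) defines "same subnet"."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for d in relay_destinations}:
        return True                      # local destination: accepted from anyone
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip)
    if permitted == "host":
        return client == server
    if permitted == "subnet":
        return client in ipaddress.ip_network("%s/%s" % (server, netmask), strict=False)
    if permitted == "class":
        first_octet = int(server) >> 24
        bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
        return client in ipaddress.ip_network("%s/%d" % (server, bits), strict=False)
    if permitted == "ips":
        return _listed(client_ip, permitted_ips)
    raise ValueError("unknown permitted-senders option %r" % permitted)
```

A quick open-relay sanity check: call relay_allowed with an address outside your network and a recipient domain you do not own; the only configuration that should return True is one that lists that address explicitly in Permitted Senders of Relayed Mail.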

Domain-Based Delivery

InterScan MSS is a gateway product. It hands messages off to Postfix, which resolves the final destination. You can configure how this is done based on the recipient’s domain name: InterScan MSS routes email according to the recipient’s domain, and the routing method is to forward to a SmartHost.
1. In the left frame, choose Configuration > Postfix > Domain-Based Delivery.
2. The Domain-Based Delivery screen shows how messages destined for a specific domain are currently configured to be processed. To view or change a given domain’s delivery method, click View in the Details column.
To create a new delivery method:
1. In the Domain-Based Delivery screen, click Add.
2. Enter the destination domain and the port number.
3. Click + or - to add (or delete) this information in the Server list.
4. Click Save.
The order in which server names appear in the SMTP server list dictates priority.


Message Limits

In Postfix there are no limits on the data size per session or on the number of messages per connection. In Message Limits, however, you can limit the message size or the number of recipients per message.

POP3 Mail Scanning

In addition to SMTP traffic, InterScan MSS can scan POP3 messages, at the gateway, as they are retrieved by clients in your network. Even if your company does not use POP3 email, your employees might try to access their personal POP3 email accounts using mail clients on their workstations, which creates points of vulnerability on your network when left unscanned.

How it Works

The InterScan MSS POP3 scanner acts as a proxy between mail clients and POP3 servers, scanning messages as they are retrieved.

FIGURE 4-1 How POP3 Scanning Works

To scan POP3 traffic, configure your email clients to connect to the InterScan MSS server POP3 proxy, which connects to POP3 servers to retrieve and scan messages.


You can set up the following connection types:
• A Generic connection allows you to access different POP3 servers through the same port, typically 110, the default port for POP3 traffic.
• Dedicated connections access a single POP3 server through a specified port. These connections can be used when the POP3 server requires you to log on using NTLM or APOP secure authentication.

Requirements

For InterScan MSS to scan POP3 traffic, a firewall must be installed on the network and configured to block POP3 requests from every machine on your network except the one where InterScan MSS is installed. This ensures that all POP3 traffic passes through the firewall to the InterScan MSS machine and is scanned; a client that can reach a POP3 server directly bypasses the proxy and is not scanned. Your network’s users have to manually configure their mail clients; see Manually Configuring Email Clients starting on page 4-14.

Settings

Before InterScan MSS can begin scanning POP3 traffic, select Enable POP3 Scanning and make some initial configurations. To enable POP3 message scanning:
1. In the left frame, choose Configuration > POP3 > Settings.

FIGURE 4-2 POP3 Settings Configuration Screen


2. Select the Enable POP3 Scanning check box.
3. If you installed InterScan MSS on a server that has more than one network card (NIC), select the IP address of the card on which you want to retrieve POP3 traffic on behalf of your mail clients.
4. If a POP3 message triggers a filter that causes the message not to be delivered, a customized Status Message Text is delivered instead. What happens to the undelivered message depends on the policy actions associated with the filter, such as delete, forward, or quarantine. (For more information on policies, see Policy Management starting on page 5-1.)
5. Click Save.

Note: POP3 scanning settings can be applied to your current InterScan MSS session by clicking Apply Now.

Connections

You can specify the ports on the InterScan MSS server that will be used to retrieve POP3 traffic. The default POP3 port is 110. If your users need to access a POP3 server through an authenticated connection (that is, using the APOP command or NTLM), you can also set up a dedicated connection with a customized port assignment. To view the POP3 connections currently set up on your server:
1. In the left frame, choose Configuration > POP3 > Connections.


2. The POP3 server and port connections that have already been set up appear in the table. Click the view link to see a specific connection’s properties.

FIGURE 4-3 Editing POP3 Settings

To add a new POP3 connection:
1. In the left frame, choose Configuration > POP3 > Connections.
2. Click Add.
3. Under Inbound POP3 Port, the port on the InterScan MSS server that will accept POP3 traffic for this connection is shown. Type the port that you want to use.
4. Under POP3 Server, the properties of the POP3 server are shown. Select Any POP3 server requested by user to set up a generic connection, or select a Server name under Specific POP3 server to configure a dedicated connection.
5. Click Save.

Note: POP3 scanning settings can be applied to your current InterScan MSS session by clicking Apply Now in the top-left corner of the screen.

To delete a POP3 connection:
1. In the left frame, choose Configuration > POP3 > Connections.
2. Select the check box next to the connection that you want to delete.
3. Click Delete.


Manually Configuring Email Clients

For virus scanning, you need to manually configure each client’s POP3 connection settings so that it reaches the POP3 server through the InterScan MSS proxy.

Generic

For generic connections, which support most POP3 servers, assume the following account information is the current client POP configuration:
• Incoming mail (POP3) server: pop.domain.com
• Account name: John_Smith
In addition, assume the Inbound POP3 IP Address used by InterScan MSS is 123.123.123.12. To enable POP3 mail retrieval and scanning, change the settings to the following:
• Incoming mail (POP3) server: 123.123.123.12
• Account name: John_Smith#pop.domain.com

Note: When trying to access a POP3 server that uses a port other than what is specified in the InterScan MSS generic connection port setting, append an extra “#” separator and add the port. For example, if the POP3 server uses port 120, when InterScan MSS is set to use 110, the account name is John_Smith#pop.domain.com#120.
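The account-name convention above is a small protocol of its own, and it helps to see both ends of it: what the user types, and what a proxy has to extract from the USER command to reach the right server. The following Python is an added example for this guide, not InterScan MSS code; the function names, the USER-line rewriting and the port validation are assumptions about how a proxy would consume the convention.

```python
import re

# Added example (not InterScan MSS code). Implements the generic-connection
# convention: the client logs in as user#server[#port]; the proxy opens the
# real server on that port (110 unless given) and logs in with the real user.

_USER_LINE = re.compile(rb"^USER[ \t]+(\S+)\r?\n$", re.IGNORECASE)

def parse_generic_account(account, default_port=110):
    """Split "user#pop.server[#port]" into (user, server, port).
    Raises ValueError for names that do not follow the convention, including
    a user name that itself contains "#" (it would be ambiguous)."""
    parts = account.split("#")
    if not 2 <= len(parts) <= 3 or not parts[0] or not parts[1]:
        raise ValueError("expected user#server[#port], got %r" % account)
    user, server = parts[0], parts[1]
    port = default_port
    if len(parts) == 3:
        if not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
            raise ValueError("bad port in %r" % account)
        port = int(parts[2])
    return user, server, port

def route_user_command(line, default_port=110):
    """Given the raw USER line a client sends to the generic proxy port, return
    ((server, port), rewritten_line): where to connect, and the USER line to
    forward upstream with the real account name only."""
    m = _USER_LINE.match(line)
    if not m:
        raise ValueError("not a POP3 USER command: %r" % line)
    user, server, port = parse_generic_account(m.group(1).decode("ascii"), default_port)
    return (server, port), b"USER " + user.encode("ascii") + b"\r\n"

def client_account_name(user, server, server_port=None, proxy_port=110):
    """Build the Account name a user must enter in the mail client; the port
    suffix is only needed when the real server's port differs from the proxy's."""
    name = "%s#%s" % (user, server)
    if server_port is not None and server_port != proxy_port:
        name += "#%d" % server_port
    return name
```

One consequence of the convention as the guide describes it: a POP3 user name that contains “#” cannot be expressed unambiguously through a generic connection, so the parser above rejects such names rather than guessing.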


Dedicated

For example, a dedicated connection to a POP3 server called pop.andrew.com, where InterScan MSS listens for client connections on port 1101, could be configured as follows:

FIGURE 4-4 Example of Dedicated POP3 Connection

If the actual POP3 server that you are trying to connect to is listening on a port number different from the one you entered in Inbound POP3 Port for your clients, type that POP3 server port number into the Port number field after the server name. To use the dedicated connection, modify your mail client in the following ways:
• Change the POP3 server port in your mail client’s settings to the port used by InterScan MSS as the Inbound POP3 Port.
• Change the incoming mail POP server to the InterScan MSS proxy IP address.
The account name does not change, since the actual POP server is referenced in the InterScan MSS dedicated connection settings.


Directories

The following default directories are used for managing your storage availability:
• Quarantine Directories
• Postpone Queue
• Log Directory
The following queue is used to set up a storage area for messages that are postponed:
• Postpone Queue: /opt/trend/imss/queue/postpone
During normal operation, most of the messages to be scanned and delivered are temporarily stored in the mqueue folder. To change the default path:
1. In the left frame, choose Configuration > Directories.
2. Modify the path that you want to use for the Postpone Queue.

What Happens to Messages in the Old Queue?
If you change the path used by the postpone queue, messages contained in the old queue are not processed. Before defining the new queue, make a note of the old one, and then manually copy all of its contents to the new one. When the messages are in the new queue, the program will start processing them.

Note: If you plan to modify your queue folder path, ensure that you have sufficient space in the partition to accommodate these modifications. For example, if the partition that contains the Postfix mail queue (/var/spool/postfix) and InterScan MSS temp mail queue (/opt/trend/imss/queue), we recommend that you have at least 4G of space.

3. To modify the log directory or limit the log size, click Log Maintenance (see Log Maintenance starting on page 4-26 for more information). 4. Click Save. To apply the new settings, click Apply Now, which restarts Postfix and the InterScan MSS daemon.


Event Monitoring

InterScan MSS can proactively notify an administrator if conditions arise that threaten to disrupt mail processing or constitute a security risk. The administrator is notified of any of the following conditions:
• The result of a scheduled update attempt (successful or unsuccessful)
• A stopped scanning service
• Disk space in the processing queue folder running out, which might hamper mail processing
• The mail queue exceeding a specified number of messages
To configure the events for which you want to be notified:
1. In the left frame, choose Configuration > Event Monitoring.

FIGURE 4-5 Events to be Monitored and Notification Methods

2. Select the check boxes in front of the fault conditions about which you want to be notified and enter the values. 3. Select the notification method(s).


4. Click the Edit messages link next to the notification method(s) that you want to use and configure the messages for the different events.

FIGURE 4-6 Mail Notification Message Configuration Screen

5. Click Save. You must configure the notification settings for the method(s) that you choose to use. For more information, see Notification Settings on page 4-19.

Note: Updated Event Monitoring settings are applied to the InterScan MSS System Monitor immediately after you click Save.


Notification Settings You can be notified by email or an SNMP trap when a virus is detected, a policy is updated, or the system requires attention.

Note: The imssd parent process and one of its child processes run as root; all other child processes run as “imss”. That child process runs as root because it delivers the notifications and therefore needs root permission.

Configure the settings for the notification methods that you want to use.

FIGURE 4-7 Email and SNMP Trap Settings


1. In the left frame, choose Configuration > Event Monitoring.
2. Configure the settings for all of the notification methods that you want to use: email or SNMP Trap.
3. Choose Configuration > Event Monitoring > Notification Settings to configure how email and SNMP trap notifications are processed:
• Use a semicolon (;) to enter multiple Administrator email addresses.
• If email notification messages contain non-English characters, enter the Preferred charset.
• Entering “0” in the Notification limit per process per hour field is the same as not setting a maximum number of notifications per hour.
• Using an SNMP trap notification requires an SNMP server to receive the trap. Trap type is used to distinguish between different events.
4. Click Save when finished.

Can I Set my Notification Server as the Localhost?
Since InterScan MSS is an SMTP server, you may be wondering if you can use it to send notification messages. It is possible, but not recommended. Because the default settings prohibit any relay through the InterScan MSS server, you would need to add this server’s own IP address to the Permitted Senders of Relayed Mail. The risk, however, is that the System Monitor also uses the notification SMTP server to inform the administrator about fault conditions in the software: if the InterScan MSS server is down, no notification from the System Monitor can be sent.

Note: Always set 127.0.0.1 as your notification SMTP server if you use port 10026 for SMTP on your local host.

Update

InterScan MSS blocks viruses and spam email by comparing a file’s binary pattern and message content with the virus pattern file and spam database. To maintain the highest level of protection against the latest virus and content threats, InterScan MSS needs to regularly update your pattern file and spam database. Trend Micro updates its virus pattern file, often several times a week, in response to newly released viruses. In addition, Trend Micro periodically updates the scan engine, the component that compares a file’s binary structure with the virus pattern file. This engine detects suspicious virus-like behavior and cleans viruses.


You should update the components from Trend Micro’s Internet update server, using the default URL for which the product is configured. Because the source of the update files is configurable, however, you can specify another URL. You might need to change the update path if, for example, a technical support engineer has asked you to install a special build of the pattern file (or scan engine), or if you have set up your own update server on your intranet.

Verifying Downloaded Pattern Files

Files downloaded by the InterScan MSS update agent are temporarily saved in the /opt/trend/imss/temp directory, which is not configurable. InterScan MSS uses a file checksum to verify the integrity of downloaded files. The update agent also loads the downloaded files with the VSAPI library to verify that they are not corrupt. After successfully verifying the integrity of the downloaded files, the update agent copies them to /opt/trend/imss/lib and restarts the scanning daemon, which loads the newest signature files or scan engine. If the files were corrupt, nothing is copied to /opt/trend/imss/lib and the scanning daemon takes no action. If a file becomes corrupt after being copied to the lib directory and it is a virus pattern file, the scanning daemon renames it (for example, tm331.bak) and loads the latest verified pattern file instead. If the corrupt file is a spam database file, the scanning daemon does not load it; instead, the latest verified file is loaded.

Note: If the corrupted file is in the scan engine, scanning fails to restart.

If you prefer not to have newly downloaded files copied to the lib directory and the scanning daemon restarted automatically, change the following parameter in the .ini file:
[Update]
copy_restart_daemon_after_download=no
With this setting, the update agent only downloads the files. You can then manually verify the downloaded files, copy them to /opt/trend/imss/lib and restart the daemon. You can manually verify the scan engine and virus pattern by running the script /opt/trend/imss/bin/vscan.sh. To manually verify the spam database, run it with the scanning daemon to see whether it is corrupt.


The script can be used to verify the pattern file and scan engine as follows:
/opt/trend/imss/script/vscan.sh pattern_engine_path filename   (scans this file)
/opt/trend/imss/script/vscan.sh pattern_engine_path            (gets vscan help)

Usage Examples

Example (1)
/opt/trend/imss/script/vscan.sh pattern_engine_path
Scans the /tmp directory.

Example (2)
/opt/trend/imss/script/vscan.sh /opt/trend/imss/lib /opt/trend/imss/script/S99IMSS
Scans the file /opt/trend/imss/script/S99IMSS.

Example (3)
/opt/trend/imss/script/vscan.sh /opt/trend/imss/lib /opt/trend/imss/script/S99IMSS | grep VSAPI
Gets the VSAPI version.

Example (4)
/opt/trend/imss/script/vscan.sh /opt/trend/imss/lib /opt/trend/imss/script/S99IMSS | grep Pattern
Gets the virus pattern version.

Example (5)
After you download the scan engine and pattern to /opt/trend/imss/temp, run the following command to check libvsapi.so and the pattern:
/opt/trend/imss/script/vscan.sh /opt/trend/imss/temp anyexistfile | grep VSAPI
If libvsapi.so and the pattern have been verified, the result (depending on the version) may be:
Virus Scanner v3.1, VSAPI v6.390-1008
If libvsapi.so is corrupt, the result is:
ld.so.1: /opt/trend/imss/bin/vscan: fatal: ./libvsapi.so: unknown file type
Killed


Note: InterScan MSS retains all old virus pattern files on the server and does not delete them after update. See Rolling Back an Update starting on page 4-24 for information about undoing a pattern update.

Update Now

To update the virus pattern and spam database on demand:
1. In the left frame, choose Configuration > Update > Update Now.
2. Select the components that you want to update. Newer components, if available, are flagged with a red Update Now! message.
3. To update from a location other than Trend Micro’s Internet update server, select Other Internet source and type the URL in the associated text box.
4. When you have finished, click Update Now.

Scheduled Update

InterScan MSS can automatically download updates hourly, daily, or weekly. If your network has limited Internet bandwidth, schedule updates for a time when network load is low.

FIGURE 4-8 Scheduled Update Configuration Screen


To configure a scheduled update:
1. In the left frame, choose Configuration > Update > Scheduled Update.
2. Select Enable scheduled update at the top of the screen and choose the components that you want to download.
3. Configure the time and update interval.
4. Under Update Source, modify the update URL, if needed.

Note: The new Scheduled Update settings are immediately applied to the InterScan MSS Scheduler after clicking Save.

Rolling Back an Update

After updating to a new virus pattern file, InterScan MSS keeps the old pattern files on the server.

Note: The virus filter always uses the pattern file with the largest three-digit pattern file number, i.e., the pattern file’s extension.

To roll back to a previous virus pattern file:
1. Note the version of the virus pattern file that you are currently using and stop the InterScan MSS for Unix daemon.
2. Delete the file /opt/trend/imss/lib/lpt$vpn.###, where ### is the three-digit pattern file version.
3. Verify that another virus pattern file, with a version lower than the one you deleted, remains in /opt/trend/imss/lib.
4. Restart the InterScan MSS daemon.
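Because the virus filter loads the pattern file with the largest three-digit number, the rollback is a file-selection problem, and the safe order is to confirm that an older file exists before deleting the current one. The following Python does exactly that. It is an added example for this guide, not InterScan MSS code; the function names and the demo directory are assumptions, and make_demo_lib creates empty files with pattern-file names so the example runs stand-alone. It does not stop or restart the daemon: run it between steps 1 and 4 of the procedure above.

```python
import os
import re
import tempfile

# Added example (not InterScan MSS code). Models the rule above: the active
# virus pattern is the lpt$vpn.### file with the largest three-digit number,
# and a rollback removes that file so the next-highest one is loaded.

_PATTERN = re.compile(r"^lpt\$vpn\.(\d{3})$")

def list_patterns(lib_dir):
    """Map version number -> path for every lpt$vpn.### file in lib_dir."""
    found = {}
    for name in os.listdir(lib_dir):
        m = _PATTERN.match(name)
        if m:
            found[int(m.group(1))] = os.path.join(lib_dir, name)
    return found

def active_pattern(lib_dir):
    """Version the virus filter will load, or None if no pattern is present."""
    versions = list_patterns(lib_dir)
    return max(versions) if versions else None

def can_roll_back(lib_dir):
    """True only if an older pattern would remain after removing the active one."""
    return len(list_patterns(lib_dir)) >= 2

def roll_back_pattern(lib_dir):
    """Remove the active pattern and return (removed, now_active). The check
    for an older file happens *before* deleting, so the daemon is never
    restarted without any pattern to load."""
    if not can_roll_back(lib_dir):
        raise RuntimeError("no older pattern in %s; refusing to roll back" % lib_dir)
    versions = list_patterns(lib_dir)
    current = max(versions)
    os.remove(versions[current])
    return current, max(v for v in versions if v != current)

def make_demo_lib(versions):
    """Constructed sample data: a temp directory holding empty files named like
    pattern files (not real Trend Micro patterns)."""
    d = tempfile.mkdtemp(prefix="imss-lib-")
    for v in versions:
        open(os.path.join(d, "lpt$vpn.%03d" % v), "w").close()
    return d
```

Point it at /opt/trend/imss/lib on a real system only with the daemon stopped, as step 1 requires, and re-run active_pattern afterwards to confirm which version will be loaded on restart.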

Configuring Proxy Settings

If you use a proxy server to connect to the Internet, configure the proxy server and authentication settings before attempting an update.
1. In the left frame, choose Configuration > Update > Proxy Settings.
2. Select Use a proxy server and enter the proxy’s name, port, and authentication information.


3. Click Save.

Note: As a security precaution, the proxy password is sent only once from the Web-based Management Console to the InterScan MSS server. When you return to the Proxy Settings screen, the Password field is blank. This is because displaying the password, even as *****, necessitates sending the proxy user name and password between the server and browser.

Logs

Logs retain important information about security and program events for your InterScan MSS installation.

Log Level Details

Under the Normal level, the following information is logged:
• Parameters for general settings
• Module version
• Error codes returned by the system API or module API
• Child process exceptions
• Creation or destruction of child processes
Under the Detail level (dynamic daemon actions), the following information is logged:
• File creation or deletion
• Socket status
Under the Diagnostic level (protocol related), the status of the SMTP and POP3 protocols is logged.

Viewing Logs

1. In the left frame, choose Configuration > Logs.
2. Choose one of the following:
• Virus Logs
• eManager Logs


• Program Logs
3. Enter the log parameters for which you want to search.
4. Click View Logs.

Log Maintenance

You can configure the program’s logging behavior, including the level of detail, the location of the log database, the maximum size of all log files and how long log entries are retained.

Note: If you do not regularly remove old log files from your log directory, and your InterScan MSS server processes high volumes of messages, the log file will consume more and more disk space.

1. In the left frame, choose Configuration > Logs > Log Maintenance.
2. Select the log level (Normal, Detailed, or Diagnostic) that you want to save to the log file.
3. In Directory to store logs, type the directory path where you want the logs kept. (The default directory is /opt/trend/imss/log.)
4. In Maximum age, type the number of days that logs are to be retained.
5. In Maximum size, type the maximum amount of space that log files of the same type may consume. When the total size of all logs of one type (such as eManager logs) exceeds this threshold, the oldest log files are deleted. If you enter values in both Maximum age and Maximum size, whichever limit is reached first triggers log deletion.
6. Click Save.

Note: To apply the new settings, click Apply Now in the top-left corner of the screen; this restarts Postfix and InterScan MSS.
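To see how the Maximum age and Maximum size limits interact (step 5 above), the following Python applies both rules to a directory of sample files, deleting oldest-first until neither limit is exceeded. It is an added example for this guide, not InterScan MSS’s own log-maintenance code; the function names, the constructed file names and ages, and the treatment of one directory as one log type are assumptions.

```python
import os
import tempfile
import time

# Added example (not InterScan MSS code). Implements the Log Maintenance rule:
# delete the oldest files first until no file is older than Maximum age and the
# total size is within Maximum size, so whichever limit is hit first drives the
# deletion. The guide applies the size limit per log type; here one directory
# stands for one type.

DAY = 86400

def prune_logs(log_dir, max_age_days, max_size_bytes, now=None):
    """Delete files that violate either limit and return their names, oldest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    files = []
    for name in os.listdir(log_dir):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            files.append((st.st_mtime, st.st_size, name))
    files.sort()                                   # oldest modification time first
    total = sum(size for _, size, _ in files)
    deleted = []
    for mtime, size, name in files:
        # Age violation: always delete. Size violation: delete oldest until within limit.
        if mtime < cutoff or total > max_size_bytes:
            os.remove(os.path.join(log_dir, name))
            total -= size
            deleted.append(name)
    return deleted

def make_demo_logs(spec, now=None):
    """Constructed sample data: spec is [(name, age_in_days, size_in_bytes), ...].
    Creates the files in a temp directory and back-dates their mtimes."""
    now = time.time() if now is None else now
    d = tempfile.mkdtemp(prefix="imss-log-")
    for name, age_days, size in spec:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"x" * size)
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))
    return d
```

With a 30-day age limit and a 1000-byte size limit, a 45-day-old file goes because of its age, and the next-oldest goes because the remaining total still exceeds the size limit; newer files survive even though they are the largest.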

General Settings

The General portion of the Configuration menu provides settings that manage the password and product registration.


Management Console Password

Access to the InterScan MSS management console can be restricted with a password to prevent unauthorized changes.

Note: The default InterScan MSS console password is blank, so set a password as soon as installation is complete. If you forget your password, contact a Trend Micro technical support engineer for instructions on resetting it. You can also remove and reinstall the software.

To configure or change the management console’s password:
1. In the left frame, choose Configuration > General > Password.
2. Enter your current password.
3. Enter your new password and re-enter it in the Confirm new password field.
The new password takes effect immediately after you click Save. The password can be at most 16 bytes long and must consist of alphanumeric characters.

Registration

If you do not enter valid InterScan MSS or eManager serial numbers during installation, the program works for 30 days. To continue using the program after 30 days, enter valid serial numbers. To enter serial numbers, in the left frame, choose Configuration > General > Registration > Product Registration.

Chapter 5 Policy Management

This chapter explains how to set up policies for different individuals and groups in your organization to enforce your antivirus and content management goals. Topics include:
• The Policy Manager
• Default filters
• Address groups
• Filter actions
• Quarantine Area
• The Global Policy
• Creating a sub-policy
• Filter execution order
• Testing your policies


How Policy Manager Works

A policy is a set of email usage rules applied to members of your organization to enforce email usage standards. You can use InterScan MSS’s policies to filter out many of the security and productivity threats to your messaging system. A policy has the following components:
• The Route is the set of sender and recipient email addresses to which the policy is applied. Wildcard expressions can be used to simplify route configuration.
• A policy contains one or more filters that check the message flow for viruses or prohibited content. InterScan MSS contains several predefined filters that you can use to combat common virus and content threats. In addition, you can define your own filters using the intrinsic filters.
• Depending on the filter result, a filter action is performed that determines how the message is finally processed. The Virus Filter has several filter results, and each can perform a different filter action. Content management filters have two possible results: the message content triggers (or does not trigger) the filter.

FIGURE 5-1. Simplified Policy Manager Process Flow

Note: All policy-related settings are applied by clicking Apply Now in the top left-corner of the screen. After clicking Apply Now, InterScan MSS is restarted for the changes to take effect.

5-2 Policy Management

Viewing Installed Filters Filters are tests that analyze messages and attachments for viruses or content that you want to block from your network. InterScan MSS contains seven default filters—one that uses the Virus Filter and six that use the eManager filter. To view the filters that you can use as the building blocks for your policies, in the left frame, choose Policy Manager > Policy Manager. The filters are listed in a table at the bottom of the Policy Manager screen.

Address Groups

An address group is a list of email addresses for individuals to whom you want your policy applied. Address groups can identify these individuals within your organization. Frequently, members of the same address group belong to the same department. For example, suppose you identify three types of content you want to block from being transmitted through your company’s email system and define the following filters (in parentheses) to detect these types of content:
• Sensitive company financial data (FINANCIAL)
• Job search messages (JOBSEARCH)
• VBS script viruses (VBSCRIPT)
Consider the following address groups in your company:
• All Executives
• All HR Department
• All IT Development Staff
The filters that you use in the policies applied to these groups would be the following:

Address Group              FINANCIAL     JOBSEARCH     VBSCRIPT
All Executives             Not applied   Applied       Applied
All HR Department          Applied       Not applied   Applied
All IT Development Staff   Applied       Applied       Not applied


Executives, HR staff, and IT developers have legitimate business reasons to send financial information, job search-related correspondence and VBS files, respectively, so you would not apply some filters to those groups. In InterScan MSS, email addresses identify the different members of your organization and determine the policies that are applied to them. Defining accurate and complete address groups ensures that the correct policies are applied to the appropriate individuals.

Managing Address Groups Address groups allow you to organize the email addresses of similar individuals into a single group. You can define address groups for people to whom you want to apply the same email usage policy.

Note: Wildcard usage in address groups is not valid.

Defining an Address Group
To define an address group:
1. In the left frame, choose Policy Manager > Policy Manager > Address Group. The Address Group screen shows the address groups that have already been defined.
2. Click Add.
3. In New Address Group, type a descriptive name for the address group and enter the email addresses of the individuals in the group.
4. Click Save. You are returned to the Address Group screen and can see your newly created group added to the list.

Modifying an Address Group
To modify an existing address group:
1. In the left frame, choose Policy Manager > Policy Manager > Address Group. Click the details link for the group that you want to modify.
2. To remove an address, select it in the Address group list and click the remove button. Add a new address by typing it in the Email Address field and clicking the add button.
3. Click Save.


Deleting an Address Group
To delete an address group:
1. In the left frame, choose Policy Manager > Policy Manager > Address Group.
2. Select the check box at the right-hand side of the address group and click Delete. To delete all defined address groups, select the All check box at the top of the column and click Delete.
3. In the confirmation box, click OK.

Note: If an address group shows “in use” instead of a check box in the right-hand column, the address group is currently being used in a route and cannot be deleted while the route exists.

Importing an Address Group from a File InterScan MSS supports address imports from files, which must be in a drive local to the InterScan MSS server. Type the path from where you want to import the address information. Both comma-separated values (CSV) and LDAP Data Interchange Format (LDIF) are supported. If you select the CSV file type, it has to be in the format described in Address List Format starting on page 5-5. Providing you have the appropriate permissions, you can also add address files from a mounted drive.

Note: You cannot import address list information from a remote computer. Addresses cannot be imported using HTTP upload or by typing a UNC path. The file must be on a drive local to the InterScan MSS server.

Address List Format To import an address group from a text file, each line in the file must contain a single email address followed by a carriage return character.


A valid text file for importing an address list would appear as below:
[email protected]
[email protected]
[email protected]
...
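As an added example (not part of this guide or of the product), the following Python script prepares an address-group import file from an LDAP export. It reads the mail attribute from LDIF text, unfolds continuation lines, decodes base64 values, rejects entries that the Address Group screen would not accept (wildcards are not valid in address groups, and an address must contain exactly one @), removes duplicates, and writes the one-address-per-line format described above. The LDIF text and the example.com addresses are constructed for the example, and terminating each line with a newline on the Unix server is an assumption.

```python
"""Build an InterScan MSS address-group import file from an LDIF export.

Added example, not part of the Trend Micro guide or product. The sample
data below is constructed; addresses use the example.com domain.
"""
import base64
import re

# Constructed LDIF export: a plain value, a base64 value (mail::), a folded
# continuation line, a wildcard entry (invalid in address groups), a
# duplicate that differs only in case, and an entry with no mailbox.
SAMPLE_LDIF = """\
# LDAP export for the HR department (constructed sample)
dn: cn=Alice Example,ou=HR,dc=example,dc=com
cn: Alice Example
mail: alice@example.com

dn: cn=Bob Example,ou=HR,dc=example,dc=com
mail:: Ym9iQGV4YW1wbGUuY29t

dn: cn=Carol Example,ou=HR,dc=example,dc=com
mail: carol.longname@hr.exa
 mple.com

dn: cn=HR Alias,ou=HR,dc=example,dc=com
mail: *@hr.example.com

dn: cn=Alice Alt,ou=HR,dc=example,dc=com
mail: Alice@example.com

dn: cn=No Mailbox,ou=HR,dc=example,dc=com
cn: No Mailbox
"""

# One local part, one @, a dotted domain; no whitespace or wildcards.
ADDRESS_RE = re.compile(r"^[^@\s*]+@[^@\s*]+\.[^@\s*]+$")


def parse_ldif(text):
    """Parse LDIF into a list of entries ({attribute_lowercase: [values]}).
    Handles folded lines (leading space), base64 values ("attr:: value"),
    comment lines and blank-line entry separators."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def validate_address(addr):
    """Return None if addr is acceptable in an address group, else the reason.
    The guide states that wildcards are not valid in address groups."""
    if "*" in addr:
        return "wildcard not allowed in address groups"
    if addr.count("@") != 1:
        return "address must contain exactly one @"
    if not ADDRESS_RE.match(addr):
        return "malformed address"
    return None


def build_address_list(ldif_text):
    """Return (accepted, rejected): accepted is a sorted list of unique
    addresses (compared case-insensitively), rejected is [(address, reason)]."""
    accepted, rejected, seen = [], [], set()
    for entry in parse_ldif(ldif_text):
        for addr in entry.get("mail", []):
            addr = addr.strip()
            reason = validate_address(addr)
            if reason:
                rejected.append((addr, reason))
            elif addr.lower() not in seen:
                seen.add(addr.lower())
                accepted.append(addr)
    return sorted(accepted, key=str.lower), rejected


def to_import_file(addresses):
    """Render the import format: one address per line. A newline terminator
    per line is assumed for the Unix InterScan MSS server."""
    return "".join(addr + "\n" for addr in addresses)


if __name__ == "__main__":
    ok, bad = build_address_list(SAMPLE_LDIF)
    print(to_import_file(ok), end="")
    for addr, why in bad:
        print(f"rejected {addr}: {why}")
```

Write the returned text to a file on a drive local to the InterScan MSS server and import it as a CSV-type address list; review the rejected entries by hand rather than letting a wildcard or malformed entry silently widen or break the group.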

Using Filter Actions

The filters used by InterScan MSS’s policies perform tests on messages and their attachments. For the Virus Filter, the following results are possible:
• Mass mailing virus detected
• Virus(es) detected but some/all were not cleaned
• Joke program attachment detected
• Virus scanning aborted—message may contain viruses
• Password protected file detected (not scanned)
• Virus(es) detected and successfully cleaned
• No virus detected
For filters using the eManager filter, there are only two possible results:
• Triggered
• Not triggered
For each possible result of the filter that you are using, define the filter action that you want to take.

Predefined Filter Actions InterScan MSS provides seven default filter actions. In addition to creating filter actions, you can use the default actions in your policies.

Note: In the filter actions below that notify the administrator, the notification is sent to the email address that was entered during installation. For more information about changing this address, see Management Console Password starting on page 4-26.


They are:
• Delete, which deletes the message
• Delete and Notify, which deletes the message and notifies the administrator
• Deliver, which delivers the message normally
• Deliver and Notify, which delivers the message and notifies the administrator
• Postpone and Notify, which postpones the delivery of the message until after midnight and notifies the administrator
• Quarantine, which sends the message to the default Quarantine Area
• Quarantine and Notify, which sends the message to the default Quarantine Area and notifies the administrator

Parts of a Filter Action
A filter action is composed of the following components:
• Processing Action
• Archive
• Notification

Note: A filter action can contain any number of archive and notification actions but only one (or no) processing action. If you do not configure the processing action, the message is delivered as usual.

Processing Action
You can postpone the delivery, quarantine the message to a directory on your local disk, delete the message, or forward the message to another email address. These four actions mean the message is not delivered to the addressee at this time. You can also choose to deliver the message normally.

Archive Messages can be archived to a local directory or a mail account. You can archive the message in its original form, archive the message after it is modified by a filter, e.g., viruses cleaned from the attachment, and/or have a disclaimer added to the message body.


Notification Notifications can be sent to an email address or an SNMP trap. Email notifications can be sent to the original email sender, the recipient, the administrator or any other email address that you choose. Notification is similar to Archive because you can attach the message in its original form or send the message that was modified by the Virus or eManager filters.

Managing Filter Actions Filter actions are based on whether the filter is (or is not) triggered.

Creating a Filter Action
To create a new filter action:
1. In the left frame, choose Policy Manager > Policy Manager > Filter Action.
2. In the Filter Action screen, click New Filter Action.
3. In the name field, enter a name for the filter action and click New Item.

FIGURE 5-2. Choosing the Type of Filter Action

4. In this screen (Figure 5-3), enter a short description and select Processing Action, Archive, or Notification and click Next >>.


FIGURE 5-3. New Filter Action Screen

• For Processing Action, select how you want the message to be processed (Move, Postpone, Forward, Delete, or Deliver) and click Next >>.

FIGURE 5-4. Filter Action—Processing Action


Note: When you configure a forward action, InterScan MSS does not validate the address you type in the From sender field. Any value your mail server accepts is used as the sender, as long as the From field does not exceed 255 bytes.

•For Archive, select whether to archive the message to a local directory or a mail account.

FIGURE 5-5. Filter Action—Archive

• For Notification, if you want to send an email notification, in the text box under Step 3, type the text of the notification message and specify the parties who will receive the notification and the subject line of the message. You can also attach the message—a copy of the original or a copy of the message after it has been modified by InterScan MSS. Notifications can also be sent to an SNMP trap.


FIGURE 5-6. Filter Action—Notification

Note: For more information about changing your notification settings, see Management Console Password starting on page 4-26.

Click Next and a summary page loads displaying the parts of the filter action that you configured. To add another Processing Action, Archive or Notification to the filter action, repeat steps 3 and 4 until you have finished (see Figure 5-6). Remember that a filter action can contain at most one Processing Action, but multiple Archive and Notification items are allowed.


Modifying a Filter Action
To modify an existing filter action:
1. In the left frame, choose Policy Manager > Policy Manager > Filter Action.
2. In the Filter Action screen, click the link of the filter action you want to modify.
3. A list of the Processing Action, Archive, and Notification items used in the selected filter action is shown. Click Edit for the item you want to modify.
4. Click Finish.

Deleting a Filter Action
To delete a filter action:
1. In the left frame, choose Policy Manager > Policy Manager > Filter Action.
2. In the Filter Action screen, select the check box next to the filter action that you want to remove and click Delete.

Note: If a filter action shows “in use” instead of a check box in the right-hand column, the filter action is currently being used by a filter and cannot be deleted while the filter exists.

Exception Handling
If InterScan MSS cannot successfully process a message, you can choose the action to take to avert the risk of a virus-infected or prohibited message being delivered to the recipient. The two types of exceptions are:
• When messages fail to be processed: This exception may occur when the system is out of memory or system handles, or results from policy setting errors. Anything that prevents InterScan MSS for Unix from processing a message is categorized as a processing failure.
• When messages are encrypted: Encrypted messages cannot be scanned by the filter’s antivirus scan engine or the eManager filter.
For more information about filter actions, see Using Filter Actions starting on page 5-6.


To choose an action for messages that cannot be processed:
1. In the left frame, choose Policy Manager > Filter Action > Exception Handling.
2. Choose the filter action for each condition and click Save.

Note: Updated Exception Handling settings can be applied to your current session by clicking Apply Now in the top-left corner of the screen. (Clicking Apply Now restarts InterScan MSS and Postfix.)

Quarantine Area

Quarantine areas are directories on the InterScan MSS server where messages can be moved as the result of a processing action. Messages are quarantined to:
• Reduce the chance of important messages being deleted (in case they are erroneously detected by the eManager or Virus filters).
• Review messages that trigger content filters to determine the severity of the policy infraction.
• Keep a record of oversized messages (if they contain important information that is urgently needed by the recipient).
• Maintain, for disciplinary purposes, evidence of an employee’s continued misuse of your organization’s messaging system.

Using Quarantine Areas Quarantine areas serve as storage for messages that trigger filters to facilitate further investigation. The default is: /opt/trend/imss/queue/quarantine

Adding a Quarantine Area
To add a Quarantine Area:
1. In the left frame, choose Policy Manager > Policy Manager > Quarantine Area.
2. In the Quarantine Area screen, click Add.
3. Type a descriptive name for the Quarantine Area and type a local path on the machine where InterScan MSS will quarantine the infected file.
4. If you want quarantined messages to be automatically deleted after a set period of time, select the check box at the bottom of the screen and type the number of days quarantine items should be kept.
5. Click Save. The Quarantine Area screen loads and displays the newly created quarantine area.

Note: Quarantine items can be kept for up to 99 days.

Changing a Quarantine Area
To change the location of a Quarantine Area:
1. In the left frame, choose Policy Manager > Policy Manager > Quarantine Area.
2. In the Quarantine Area screen, click edit next to the Quarantine Area that you want to modify.
3. Change the Name and/or Directory, or change the number of days that you want quarantined items to be kept.
4. Click Save.

What Happens to Quarantined Items in the Old Folder?
Changing the quarantine location only affects items quarantined after the change. Messages in the old quarantine directory must be manually copied to the new directory or manually deleted.


Managing Quarantined Messages
To manage the contents of a Quarantine Area:
1. In the left frame, choose Policy Manager > Policy Manager > Quarantine Area.
2. In Quarantine Area, click view next to the Quarantine Area that you want to manage.
3. In Default Area, select one of the following options:
• Reprocess messages to apply the policies that have been configured for the message’s route. You may want to reprocess messages if some of them were quarantined by a content filter that was too strict and was triggered by innocent messages. You can reprocess the messages after you have changed the content filter’s properties.
• Deliver the message without further processing
• Delete the message
When there are internal or processing errors in the Quarantine Area, you can reprocess the mail that is causing the error or deliver the mail (without being reprocessed) by InterScan MSS.
4. When you have finished, click Return to go back to the Quarantine Area screen.

Deleting a Quarantine Area
To delete a Quarantine Area:
1. In the left frame, choose Policy Manager > Policy Manager > Quarantine Area.
2. In Quarantine Area, select the check box in the right-hand column for the Quarantine Area that you want to remove and click Delete.
Deleting the Quarantine Area in the InterScan MSS console only prevents it from being available to the program as a quarantine area. All quarantined messages remain in the folder, which must be deleted manually.

Note: If a quarantine area shows “in use” instead of a check box in the right-hand column, it is being used in a filter action and cannot be deleted.


Querying Quarantine Areas
InterScan MSS includes a search function to query a quarantine area for messages that fit your criteria. To query a quarantine area:
1. In the left frame, choose Policy Manager > Policy Manager > Quarantine > Query. In the Query screen, using the pull-down list, select the quarantine area and enter the criteria for which you want to search. Perform a case-sensitive search by selecting the Enable Case Sensitive Search check box.
2. Click Query, then Reprocess, Deliver, or Delete the displayed messages.

Note: Wildcards, i.e., “*”, are not supported during a quarantine area query.

Scanning Limits

InterScan MSS includes several security-related settings that control the types of messages and attachments that are accepted for processing. Configuring the maximum number of layers of recursively-compressed archives, the maximum attachment and file size, and the maximum number of viruses that are cleaned in a single attachment reduces the chance of InterScan MSS being immobilized by a denial-of-service (DoS) attack. To configure InterScan MSS’s scanning limits:
1. In the left frame, choose Policy Manager > Scanning Limits.
2. Configure the maximum limits in the appropriate fields, overwriting the default values.
3. Click Save and Apply Now.

Note: To apply the scanning limits, click Apply Now, which restarts Postfix and the InterScan MSS service.


Compressed Files
Compressed files, such as .zip, .lzh, and so on, can contain other compressed files. Since compressed files must be decompressed to be opened and scanned, scanning a recursively-compressed file with many layers is resource intensive. In addition, because the scanning engine can scan at most 20 layers, anything nested deeper than that is not scanned, so recursively-compressed files can be used to “smuggle” malicious code or inappropriate content past InterScan MSS. You can also set the maximum size of a file after decompression. This limit prevents malicious parties from launching an attack against InterScan MSS for Unix using a “ZipOfDeath”, a small archive that expands to an enormous size.
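The two limits described above can be checked before an attachment ever reaches the scan engine. The Python script below is an added example and not InterScan MSS code: it walks a nested zip archive, aborts as soon as the nesting exceeds a configured number of layers or the bytes actually inflated exceed a configured decompressed-size limit, and takes its byte counts from the data it inflates rather than from the sizes declared in the archive headers. The archives it inspects are built in memory for the example, and the limit values passed in are illustrative, not the product’s defaults.

```python
"""Enforce compression-layer and decompressed-size limits on nested zips.

Added example, not InterScan MSS code. Archives are built in memory for the
demonstration; the limits passed in are illustrative, not product defaults.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature of a zip member


class ScanAborted(Exception):
    """Raised when an archive exceeds a configured scanning limit."""


def make_zip(members):
    """Build a deflate-compressed zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nested_zip(depth, payload=b"hello"):
    """A zip nested `depth` layers deep; the innermost member is `payload`."""
    data = make_zip({"payload.txt": payload})
    for level in range(depth - 1):
        data = make_zip({f"level{level}.zip": data})
    return data


def bomb_zip(size):
    """A small archive that inflates to `size` zero bytes (a 'ZipOfDeath')."""
    return make_zip({"zeros.bin": b"\0" * size})


def inspect_archive(data, max_layers, max_decompressed):
    """Walk a nested zip. Returns {"layers", "members", "decompressed"} or
    raises ScanAborted once either limit is exceeded. Bytes are counted as
    they are inflated, so memory use is bounded by max_decompressed."""
    stats = {"layers": 0, "members": 0, "decompressed": 0}

    def walk(blob, layer):
        if layer > max_layers:
            raise ScanAborted(f"nesting exceeds {max_layers} layers")
        stats["layers"] = max(stats["layers"], layer)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                stats["members"] += 1
                chunks = []
                with zf.open(info) as fh:
                    while True:
                        chunk = fh.read(64 * 1024)
                        if not chunk:
                            break
                        stats["decompressed"] += len(chunk)
                        if stats["decompressed"] > max_decompressed:
                            raise ScanAborted(
                                f"decompressed size exceeds {max_decompressed} bytes")
                        chunks.append(chunk)
                member = b"".join(chunks)
                if member.startswith(ZIP_MAGIC):   # nested archive: one layer deeper
                    walk(member, layer + 1)

    walk(data, 1)
    return stats


def scan_verdict(data, max_layers, max_decompressed):
    """Convenience wrapper: 'ok' or 'aborted: <reason>'."""
    try:
        inspect_archive(data, max_layers, max_decompressed)
        return "ok"
    except ScanAborted as exc:
        return f"aborted: {exc}"


if __name__ == "__main__":
    print(scan_verdict(nested_zip(3), max_layers=5, max_decompressed=1 << 20))
    print(scan_verdict(nested_zip(3), max_layers=2, max_decompressed=1 << 20))
    print(scan_verdict(bomb_zip(4 << 20), max_layers=5, max_decompressed=1 << 20))
```

An archive that trips either limit should be handed to the same filter action you configured for scanning aborts (quarantine and notify in the predefined policies), since an unscanned attachment is exactly what the attacker is counting on being delivered.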

Attachment/Message Size
If a message with a large attachment arrives at the InterScan MSS server, mail flow is stopped while the scan engine checks the message for viruses. You can set the maximum data (i.e., attachment + message) size that can be processed. A message with many file attachments could also be sent to maliciously disrupt the mail flow. If this happens, no additional messages can be processed until all of the attachments in the message have been scanned. To reduce your exposure, configure the maximum number of attachments per message.

Multiple Virus-Infected Messages
When InterScan MSS’s scan engine detects a virus, it attempts to clean the virus. The file is rescanned to confirm whether the cleaning attempt was successful. Regardless of whether the cleaning was successful, the engine continues to scan the file for additional viruses. The message is not forwarded for final delivery until scanning is finished. An attachment that contains multiple viruses can therefore disrupt the mail flow. Because an attachment infected with many viruses is most likely a deliberate attack on your network, you can configure InterScan MSS to abort scanning after a set number of viruses are detected. In addition, you can stop recording the virus infections to the log file to prevent multiple notifications about the same problem message.

eManager Limits
In the same way that you can abort virus scanning of large attachments, you can configure the eManager filter to abort scanning large messages. This step reduces your vulnerability to large messages being sent to your network with the malicious intent of disrupting your mail processing.

The Global Policy

The Global Policy includes tasks that are applied to all of the messages flowing through the InterScan MSS server. In other words, the Global Policy’s route is the set of all messages from “*” and going to “*”. After installing InterScan MSS, the Global Policy contains one enabled Virus Filter, which scans all messages and message attachments using the virus pattern file. In addition, it contains the following disabled content management filters:
• Anti-Spam: Compares message content with a database of expressions commonly found in spam email messages
• Profanity: Filters common swear words
• Racial Discrimination: Filters racist slurs
• Sexual Discrimination: Filters sexist and homophobic language
• Hoaxes: Filters expressions found in common hoaxes that circulate using Internet email
• Chainmail: Filters chain email messages that encourage users to forward the message to everyone they know
• Love Bug: Filters expressions that appear in the email message that carries the infamous mass-mailing ILOVEYOU virus
• Block HTML Script Messages: Filters HTML messages with embedded scripts, e.g., JavaScript or VBScript
For each filter, there are edit buttons for the following:
• Type: Allows you to view and change the filter’s properties
• Availability and Status: Allows you to change whether the filter is available for a policy’s definition, whether it is active, and whether the filter can be overruled by another filter in a sub-policy
• Action: Shows the action taken, depending upon the outcome of the filter (i.e., whether a message triggers the test performed in the filter)

WARNING! Most people find the keywords used in the Profanity, Racial Discrimination and Sexual Discrimination filters highly offensive. These words are displayed only after clicking the filter type edit button, so that administrators can see the exact properties of the filter.

Overruling a Filter

When you create an antivirus filter in the global policy or a parent policy, this filter is inherited by the sub-policy. When the sub-policy also has a Virus Filter, in the Availability and Status column, the Overruled status is displayed. Overrule means that this inherited Virus Filter will not be executed. Rather, the Virus Filter in the sub-policy is used.

Filter Type
When viewing the Global Policy’s Filter List, click edit under the Type column to display the filter’s properties.
• For the Virus Filter, you can select which attachment file types you want scanned. For additional information, see File Types to Scan on page 6-3.
• For the Anti-Spam Filter, you can change which parts of the message are compared to the anti-spam database—the header, or the header and the body. See How Anti-Spam Filtering Works starting on page 7-32.
• For the filters that use the Advanced Content Filter, you can view the filter properties, including the message parts that will be scanned and the keyword expressions that will be searched.

Filter Availability and Status Every filter has a set of properties that control whether it can be used in a policy, whether it is active in the current policy, or whether the filter can be set to active or inactive by the sub-policy. These properties are called Filter Availability, Filter Status and the filter’s Override Property.


Filter Availability
To use a filter in your policy definitions, set it as Available. Setting a filter as Disabled means that it is not available for use in any policy.

Filter Status
To make a filter part of a policy, set it as Active. An Inactive filter is not used in the policy.

All of the eManager filters in the Global Policy are inactive by default. To enable these filters, select Available under Filter Availability and Active under Filter Status.
• Available means the filter can be used in all policies (its own policy and sub-policies)
• Disabled means the filter cannot be used in any policies (including its own)
• Active means the filter will take effect
• Inactive means the filter will not take effect

Filter Availability vs. Filter Status
To understand the difference, consider the analogy with a house’s electrical system. Filter availability controls whether the filter can be used in a policy (the central breaker box). Filter status only controls whether the filter can be used in the policy that contains it (like a room’s electrical switch).

Override Property

Note: The Override Property only applies to the eManager filters. When both the Global Policy and a sub-policy contain a Virus Filter, the filter in the sub-policy is always executed first. Therefore, selecting Do not allow filter to be overwritten for the Global Policy’s Virus Filter is redundant.

You need to decide whether the filters in sub-policies will override the filter configuration in their parent. The options are:
• The Override Property’s Allow filter to be overwritten by a sub-site option means that the available filter (created in the parent policy) can be made active or inactive in the sub-policy.
• The Do not allow filter to be overwritten option means that the available filter (created in the parent policy) cannot be made active or inactive in the sub-policy.
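The Availability, Status and Override rules above, together with the rule that a sub-policy’s Virus Filter overrules the inherited one, decide which filters actually run for a message. The Python model below is an added example, not product code, that makes those rules executable for a chain of policies from the Global Policy down to a sub-policy. The policy and filter names are constructed for the example, and treating a sub-policy’s attempt to change the status of a non-overridable or Disabled inherited filter as silently ignored is an assumption (the guide only says the status cannot be changed).

```python
"""Resolve which filters actually run for a chain of InterScan MSS policies.

Added example, not InterScan MSS code. Models the guide's Filter Availability,
Filter Status and Override Property rules, plus the rule that a Virus Filter
in a sub-policy overrules the inherited one. Names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Filter:
    kind: str                  # "virus" or "content" (an eManager filter)
    available: bool = True     # Filter Availability: Available / Disabled
    active: bool = True        # Filter Status: Active / Inactive
    overridable: bool = True   # Override Property (content filters only)


@dataclass
class Policy:
    name: str
    filters: dict = field(default_factory=dict)           # own filters
    status_overrides: dict = field(default_factory=dict)  # inherited name -> Active?


def effective_filters(chain):
    """chain: policies from the Global Policy down to the matched sub-policy.
    Returns (active, ignored): active lists the (policy, filter) pairs that
    will execute; ignored lists (policy, filter) overrides that had no effect."""
    state = {}        # (owning policy, filter name) -> (Filter, active?)
    ignored = []
    for policy in chain:
        # An inherited filter's status may be changed only if its owner allows
        # it (assumption: a forbidden override is ignored rather than an error).
        for wanted, desired in policy.status_overrides.items():
            hits = [key for key in state if key[1] == wanted]
            if not hits:
                ignored.append((policy.name, wanted))   # Disabled or unknown filter
            for key in hits:
                flt, _ = state[key]
                if flt.kind == "content" and flt.overridable:
                    state[key] = (flt, desired)
                else:
                    ignored.append((policy.name, wanted))
        for fname, flt in policy.filters.items():
            if not flt.available:
                continue   # Disabled: unusable in any policy, including its own
            if flt.kind == "virus":
                # The sub-policy's own Virus Filter overrules the inherited one.
                for key in [k for k, (f, _) in state.items() if f.kind == "virus"]:
                    del state[key]
            state[(policy.name, fname)] = (flt, flt.active)
    active = [key for key, (_, on) in state.items() if on]
    return active, ignored


# Constructed configuration in the shape the guide describes: the Global
# Policy's Virus Filter is active and its eManager filters are Available but
# Inactive, except Hoaxes, which is set to Disabled here for the example.
GLOBAL = Policy("Global", {
    "Virus Filter": Filter("virus"),
    "Anti-Spam": Filter("content", active=False),
    "Profanity": Filter("content", active=False, overridable=False),
    "Hoaxes": Filter("content", available=False, active=False),
})
HR = Policy("HR",
            filters={"Virus Filter": Filter("virus")},
            status_overrides={"Anti-Spam": True, "Profanity": True, "Hoaxes": True})


if __name__ == "__main__":
    active, ignored = effective_filters([GLOBAL, HR])
    print("runs:", active)
    print("ignored overrides:", ignored)
```

For a message matched to the HR sub-policy, the Global Policy’s Virus Filter drops out in favour of HR’s own, Anti-Spam becomes active because its owner allows overrides, Profanity stays inactive because it does not, and Hoaxes never appears because a Disabled filter is unusable in any policy.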


Filters Available for Sub-Policies

InterScan MSS provides one antivirus and six content management filters that you can customize and use in your policies.

Virus Filter
The Virus Filter uses pattern-matching technology to scan messages and their attachments. Configuration options include the file types to scan, compressed file scanning behavior, the action if viruses are found, and inserting disclaimers into the message body. For more information about Virus Filter configuration options, see The Virus Filter starting on page 6-1.

eManager™ Filters
The following filters use the eManager filter’s content scanning engine. Detailed information about each filter is available from The InterScan™ eManager™ Filter starting on page 7-1.

Note: If you installed a 30-day trial of the eManager filter, the six related filters are shown during the trial period. If you do not upgrade to the full version, these filters disappear from the list and all eManager functionality ceases.

• The Advanced Content Filter allows you to check the message header (or specific fields in the header), the body, or the attachment. It supports complex expressions and synonym checking. For detailed information, see Advanced Content Filter starting on page 7-2.
• The Message Attachment Filter is used to block message attachments at the SMTP gateway, including blocking these attachments based on their MIME content-type. You can block by filename (supports wildcards), file type or MIME content-type. For more information, see Creating or Modifying Filters starting on page 7-22.
• The General Content Filter is a simplified content and attachment filter that filters messages by subject line, keyword(s), attachment file size or extension. For more information, see General Content Filter starting on page 7-28.
• The Message Size Filter allows precise control over attachments entering the SMTP gateway. It supports an activation schedule to block large attachments from your network during business hours while allowing them to be delivered during off-peak periods. See Message Size Filter starting on page 7-29.
• The Disclaimer Manager allows you to add disclaimers to messages. For more information, see Disclaimer Manager starting on page 7-31.
• The Anti-Spam Filter detects spam by comparing messages with Trend Micro’s spam database. For more information, see Anti-Spam Filter starting on page 7-32.

Creating Sub-Policies

A sub-policy contains one or more user-defined filters. A policy-creation wizard guides you through the process.

Note: Sub-policies can be nested up to five levels deep, counting the Global Policy as the first level. A maximum of 10 child policies can be created under each parent, and each policy can include an unlimited number of filters.

The main steps are detailed below:
1. Create the Policy
2. Define the Route
3. Add a User-Defined Filter
4. Choose Filter Actions
5. Add Filters to the Sub-Policy

Create the Policy
To create a policy:
a. In the left frame, choose Policy Manager > Global Policy > {Policy name}.
b. Click the Sub-policies link at the top of the screen.
c. Under the Sub-policies link, click the Create new sub-policy link.
d. Enter a name and description for the sub-policy and click Next.
e. Enter the sender or receiver’s email addresses.
f. Click Finish.
To change the name of the sub-policy you just created, click the Settings link.


To determine the order in which the sub-policies are listed:
1. Click the Sub-policies link and the Manage sub-policies screen is displayed.
2. In this screen, highlight a sub-policy and click the up or down arrows.
3. Click Save.

Predefined Sub-Policies
By default, the InterScan MSS installation program provides the following sub-policies:
• Incoming
• Outgoing
• POP3 message
The Incoming and Outgoing policies enable virus checking on all messages that pass through the InterScan MSS server and provide a head start for applying additional policies. The Incoming Policy has the following policy condition:
• Messages from * going to *@domain
The Outgoing Policy has the following policy condition:
• Messages from *@domain going to *
InterScan MSS gets the domain name from Postfix’s mydomain setting (for additional information, see Default Sub-Policy Domain Information starting on page 3-4). These sub-policies contain an active Virus Filter, which has the following configuration:
• All attachments are scanned, including compressed files.
• Viruses are cleaned, and uncleanable viruses are deleted.
• When a virus is cleaned, a disclaimer is added to the message before it is delivered.
• If a virus cannot be cleaned, or scanning is aborted, the message is quarantined and a notification is sent.
• Any mass-mailing virus is deleted.
• If a joke program is detected, the message is deleted.
• If a password-protected file is detected, it is quarantined.


The Incoming Policy also contains some content management filters that restrict message size, block attachments that can potentially harbor viruses, and block multimedia file attachments. These filters are disabled, but you can customize and enable them. The Outgoing Policy contains an inactive Message Size Filter that you can activate and configure. By default, InterScan MSS also provides a policy called the POP3 message policy. InterScan MSS uses the following routes for policy matching:
• POP3From=
• POP3To=

Note: The domain must be the wildcard “*” for the To and From fields.

If you accidentally delete this sub-policy, you can create another one during the match policy stage by applying the POP3 routes listed above. InterScan MSS matches all POP3 messages to the POP3 message policy. If you do not create this POP3-only policy, POP3 messages are matched to the Global Policy. For additional information on POP3 mail scanning, see POP3 Mail Scanning starting on page 4-11. If you modify the route information of this POP3-only policy, make the same modifications to the .ini file. Modifications to the route must be made in the name part of the route (before the @), and the corresponding modifications to the .ini file must contain only that name part, without the @ or other illegal characters. If these conditions are not met, the policy will not work.

Policy and Address Matching When InterScan MSS receives a message for processing, it executes the best match policy whose route matches the sender/receiver addresses. If an exact match is found, InterScan MSS stops searching. If an exact match cannot be found, it continues until a best match is found. For additional information on how the best match is calculated, see Priority Rules starting on page A-6.

5-24 Policy Management

For example, suppose your installation has two sub-policies, Policy A and Policy B, with the following incoming routes:
• Policy A’s route: * to *@company.com
• Policy B’s route: * to [email protected]
If the recipient is [email protected], InterScan MSS stops because an exact match has been found.

Define the Route

What is a Route? A route is a subset of messages being processed by your InterScan MSS server. The route is determined by the email addresses you entered in the fields under the From and To columns. In other words, the route is the sub-policy’s scope.

Using the “*” Wildcard In Routes

• Single * Wildcard
A single * wildcard matches everything, including nothing. For example, if you enter a single *, it matches all of the following:
• [email protected]
• nothing (some spam messages have empty From: fields when senders do not want to disclose their identity)

• Using * in an expression
The behavior of the wildcard * differs depending on whether it appears before or after the @ in an email address. Text that comes before the @ is treated as the name part; text that comes after the @ is treated as the domain part. If no @ exists, the entire string is considered invalid. For example, strings such as “abc” or “trendmicro.com” are invalid.

• Name Pattern
To match the name part, you can only use a single wildcard * or the exact name. Partial matches are not allowed. The wildcard matches everything except an empty name part.


For example:

• *@trendmicro.com matches [email protected]
• *@trendmicro.com does not match @trendmicro.com
• Joe*@trendmicro.com or *[email protected] is not allowed

• Domain Pattern
For the domain part, the wildcard * can only occur at the beginning of the pattern, and it can match one or more subdomains. For example:
• *@*.solar.com matches *@earth.solar.com
• *@*.solar.com matches *@europe.earth.solar.com
• *@*.solar.com does not match *@solar.com
Partial matching of subdomains is not allowed. For example, *@trend*.com is an invalid format. Other incorrect patterns are:
• *@trend.*.jp (wildcard occurs in the middle of the domain name)
• *@trend.com.* (wildcard occurs at the end of the domain name)
• *@*.*.com (second wildcard occurs in the middle of the domain name)

Defining the Route

To define the route:
1. In the {Policy} screen, click the Route link.
2. In the fields under the To and From columns, enter the email addresses of the message set to which the sub-policy will apply.

Note: For a sub-policy, the email addresses you enter for the route must be a subset of the parent sub-policy. For example, the address you enter for an Incoming Policy must be a subset of the email addresses you entered for the Global Policy.


3. Click the select link to use an existing address group. Address groups are an efficient way to manage route definitions and ensure that a consistent policy is applied to different departments. For more information, see Managing Address Groups starting on page 5-4.
4. Click Save.

Add a User-Defined Filter

Click the Filters link to see the Manage filters screen and the following links:
• Order filters
• Create new filter
In the Manage filters screen is the Filters List, which shows the filters that the sub-policy inherited from its parent (for example, the Global Policy) and the status of each of these filters.

Note: A policy can only contain one Virus Filter. If both the parent and the sub-policy have a Virus Filter, the filter in the sub-policy is executed.

Creating a New Filter

To create a filter:
1. Click the Filters link, then the Create new filter link.
2. Enter a name for the filter and specify whether this filter can be overwritten by another filter in a sub-policy.
3. Select a filter from the eManager Filter group and click Next.
Now, the sub-policy creation wizard displays screens that are appropriate for the filter that you have chosen to add. For more information about configuration options for each type of filter, see Filters Available for Sub-Policies starting on page 5-21.


Choose Filter Actions For each filter result, select a filter action.

Note: The filter actions must be defined before you create the filter. For more information on filter actions, see Managing Filter Actions starting on page 5-8.

The Virus Filter options are:
• Mass mailing virus detected
• Virus(es) detected but some/all were not cleaned
• Joke program attachment detected
• Virus scanning aborted - message may contain viruses
• Password protected file detected (not scanned)
• Virus(es) detected and cleaned
• No virus detected
For filters that use the eManager filter, there are the following actions:
• Triggered
• Not triggered

Add Filters to the Sub-Policy A sub-policy can contain multiple filters. After adding the first filter, choose the additional filters that you want to apply to all the messages in the route that you have defined. When you have finished adding filters to your sub-policy, you are returned to the Filter List window, which displays all of the filters that you have added.

Order of Filter Execution

The order of execution of filters in a sub-policy is significant because, if a Delete action is triggered, filter execution stops after the first filter. For filters that have other filter actions, processing continues.


To determine the order of a sub-policy’s filters:
1. Click Policy Manager > Global Policy > {Policy Name}.
2. In the {Policy Name} screen, click the Filters link > Order filters link.
3. The Order filters screen shows the order in which the filters in the sub-policy are executed. To change the order of execution, highlight a filter in the list and click the up or down arrows. Multiple selection is allowed.
4. When the filters are arranged in the desired order, click Save.

Execute the Virus Filter First

If your sub-policy contains a Virus Filter, we strongly recommend that you put it at the top of the Order filters list so that it executes first. This prevents a virus-infected message from being quarantined and later delivered without being scanned.

Chapter 6 The Virus Filter

This chapter explains how to use the Virus Filter in your policies. Topics include:
• Selecting which files should be scanned for viruses
• Selecting the appropriate filter action when viruses are detected
• Deleting viruses and inserting disclaimers
• Configuring the filter result
• Managing the following:
  • Mass-mailing viruses
  • Joke programs
  • Password-protected files


Selecting Message Attachments to Scan

To configure the default Virus Filter in the Global Policy:
1. In the left frame, choose Policy Manager > Global Policy.
2. Click edit in the Virus Filter’s Type column.

FIGURE 6-1 Configuring File Types to Scan

6-2 The Virus Filter

The screen in Figure 6-1 is divided into the following parts:

Attachment

File Types to Scan
• Scan all file types: This option is the safest but most resource-intensive; if this option is selected, InterScan™ MSS scans every attachment.
• IntelliScan: Optimizes performance by examining file headers using true file type recognition, and scanning only file types known to potentially harbor malicious code. True file type recognition helps identify malicious code that is disguised by a harmless extension name.
• Scan specified file types by extension: These files are scanned by extension, not by true file type. More comprehensive protection is offered by true file type identification using IntelliScan or the Scan all file types option. When you select this option, the Edit button is activated. If you click Edit, the Edit Specified File Types screen is displayed and is divided into the following sections:
  • Default extensions
  • Additional Extensions
  • Extensions to Exclude
To delimit multiple file extensions, type a semi-colon (;).

Compressed Files

Compressed archives such as *.zip, *.arj, *.lzh, etc. are the preferred method of transferring files through messaging systems and HTTP/FTP downloads. Compressed files can harbor viruses. However, since the archive has to be decompressed, scanning these files is resource intensive. This issue is particularly acute when a compressed file is made up of other compressed files. If you select the IntelliScan option, compressed files are scanned by default. For more information on IntelliScan, see File Types to Scan starting on page 6-3. Click Cancel or Save to return to the previous screen.


Note: Compressed file scanning is affected by some limits. For more information, see Scanning Limits starting on page 5-16.

Wildcard Usage

You can use the “*” and “?” wildcard characters when configuring File Types to Scan and File Types to Exclude. The “*” stands for any number of characters, but the “?” stands for exactly one character. Usage examples include:
• Typing “*” scans all files, regardless of the extension
• Typing “do?” scans files with a three-character extension that starts with “do”, e.g., .dot and .doc
• Typing “e*” scans all files with extensions that start with “e”, regardless of the extension length

File Types to Exclude The behavior is similar to wildcard usage. If you enter a “*”, it means that only files without extensions are scanned.
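The extension wildcard rules above, including the exclude-list edge case, as an added Python example (not InterScan MSS code). It uses the standard-library fnmatch module, where "*" is any number of characters and "?" exactly one. Assumptions made here: the extension is the text after the last "." of the file name, matching is case-insensitive, an entry in the exclude list wins over the scan list, and extension patterns never apply to a file that has no extension (so excluding "*" leaves only extensionless files scanned, as the guide states).

```python
import fnmatch  # "*" = any number of characters, "?" = exactly one character

# Added example (not InterScan MSS code): deciding whether an attachment is
# scanned under "Scan specified file types by extension".  Assumptions: the
# extension is the text after the last "." of the file name, matching is
# case-insensitive, an entry in the exclude list wins over the scan list, and
# extension patterns never apply to files without an extension (so excluding
# "*" leaves only extensionless files scanned, as the guide says).

def parse_types(field: str) -> list:
    """Split a dialog field such as "exe; do?;e*" on semi-colons."""
    return [part.strip().lower() for part in field.split(";") if part.strip()]


def extension_of(filename: str) -> str:
    """Lower-cased text after the last "." of the base name, or "" if none."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def matches_any(ext: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(ext, pattern) for pattern in patterns)


def should_scan(filename: str, scan_types, exclude_types=()) -> bool:
    """True if the attachment is scanned under the given scan/exclude lists."""
    ext = extension_of(filename)
    if not ext:
        return True                      # extensionless files are always scanned
    if matches_any(ext, exclude_types):
        return False                     # exclusion wins
    return matches_any(ext, scan_types)
```

Scanning by extension is only as strong as the sender's honesty about the extension; the guide's own recommendation is IntelliScan or Scan all file types, which do not depend on the name at all.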

Virus Actions

When the scan engine detects a virus, the engine can be configured to take one of the following actions against the message attachment:
• Clean, where the virus code is removed from the file. Some viruses and file types cannot be cleaned; if you choose Clean, also choose a follow-up action using the pull-down menu.
• Delete, where the file is permanently deleted and cannot be retrieved
• Pass, where no action is taken

Recipient Notification

InterScan MSS can add disclaimer text to messages when a virus is found. Type your disclaimer text in the text box under this option. A safe stamp can be added to messages and attachments that are found to be virus free.


FIGURE 6-2. Virus Filter Disclaimer Configuration

The Filter Action

To configure the filter action in the Global Policy’s default Virus Filter:
1. In the left frame, choose Policy Manager > Policy Manager > Global Policy.
2. Click edit under the Virus Filter’s Action column. For each result, configure a filter action (see Using Filter Actions starting on page 5-6 for more information).

FIGURE 6-3. Configuring Filter Action for Virus Filter


The Virus Filter has the following possible filter results:
• Mass mailing virus detected
• Virus(es) detected but some/all not cleaned
• Joke program attachment detected
• Virus scanning aborted—message may contain viruses
• Password-protected file detected
• Virus(es) detected and successfully cleaned
• No virus detected

Note: Since encrypted messages cannot be opened, they cannot be analyzed by the scan engine. Encrypted messages are handled based on your exception handling configuration. For more information, see General Settings starting on page 4-26.

Examples

To understand how the filter actions process files and attachments, here are a few examples:
1. If you have the following combination of attachments:
• Password-protected file
• Cleanable attachment
• Non-cleanable mass-mailer attachment
• Joke
In this example, regardless of whether the virus can (or cannot) be cleaned, the outcome is mass mailer, because it has the highest priority.
2. If you have the following combination of attachments:
• Password-protected file
• Cleanable attachment
• Joke
The outcome in this example is Joke_VirusFound, because Jokes have the highest priority.


Uncleanable Files

Some application files, which can potentially harbor viruses or malicious content, can be password protected. Since files have to be opened to be scanned, this could be a backdoor for malicious content to enter your messaging system. A file cannot be scanned because it:
• Violates your security settings (for additional information, see Scanning Limits starting on page 5-16)
• Is password protected
When InterScan MSS receives an unscannable message, although it cannot be scanned, the filter action you set is fired. For more information, see Choose Filter Actions starting on page 5-28.

Execution Order of Filter Actions When the file is received by InterScan MSS, the Virus Filter determines whether the file can (or cannot) be scanned. If it cannot be scanned or cannot determine this fact, it is deemed to be unscannable, and the filter action you set for password-protected or other unscannable files is fired. If it can be scanned, the filter will determine whether it is a mass mailer, a joke, or other and take the appropriate action that you selected.

Infected Messages to Multiple Recipients

If a virus-infected message is sent to multiple recipients in different domains, InterScan MSS may show a record of processing one message, but virus detection is shown for each recipient.

Testing your Virus Detection

The European Institute of Computer Antivirus Research (EICAR) and some antivirus vendors have developed a test file that you can use to check if your system detects viruses. The file is not an actual virus; it causes no harm and does not replicate. It is a specially created file whose “signature” has been included in the Trend Micro virus pattern and can be detected by the Trend Micro scan engine.


To download this file from the Trend Micro Web site, go to: http://www.trendmicro.com/en/security/test/overview.htm

If you have HTTP scanning, you may need to disable it before you download the file. To test SMTP scanning, include the test virus as an email attachment. You can also copy the following text into a text file and save it with a “.com” extension (for example, virus.com):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Chapter 7 The InterSc
an™ eManager™ Filter

This chapter explains how you can write keyword expressions for the eManager filter, which blocks content at your SMTP gateway. Topics include:
• Using the eManager filters
• Keyword expression syntax, including:
  • Separators
  • Categories and priorities of operators
  • Expressions that evaluate sample content
  • Filtering of prohibited keywords for innocent usage (a case study)
  • The evaluation order of expressions
  • The seven types of valid expressions
  • Using reserved words in your keyword expressions
  • Handling MIME subtypes
  • Writing file extensions in expressions


Using the eManager Filters

The eManager filter allows you to control your email system by letting you manage spam email, message content, and mail delivery. Message content is compared to keyword expressions and other criteria that you configure in the filters. Messages are processed based on the following:
• The filter’s mail evaluation result
• User-configured filter actions

Separating Keywords in Dialog Boxes

Most of the eManager filters allow you to delimit multiple keywords with a semi-colon (;). But what happens if you want to search for a keyword expression that itself includes a semi-colon, e.g., I like not only dogs; but also cats? To search for keyword expressions that contain a semi-colon, you must precede the semi-colon with a backslash. The keyword expression above could be searched by typing I like not only dogs\; but also cats.

Advanced Content Filter

The Advanced Content Filter allows you to filter all parts of a message for simple or complex expressions. You can also check for keyword synonyms using the built-in synonym list. Several of the default content filters, e.g., Profanity, Racial Discrimination, Sexual Discrimination, Hoaxes, Chainmail, Block HTML script messages filters are examples of an Advanced Content Filter. All of the default filters that use the Advanced Content Filter, i.e., Profanity, Racial Discrimination, Sexual Discrimination and Chainmail, use the period ( . ) as a separator to separate tokens during message content parsing. If customers create a new expression in these eManager filters, such as an email address ([email protected]) or a URL (http://www.domain.com) that contains this separator, the eManager filter cannot match the keywords. Other separator characters include ?, !, etc. To see an example, in the left frame, choose Policy Manager > Policy Manager > Global Policy and click edit next to any of the default filters that use the Advanced Content Filter.

7-2 The InterScan™eManager™ Filter

Features

The Advanced Content Filter provides the following functionality:
• Filters content in the mail:
  • Mail Header (Subject, From, To, CC or any other header field)
  • Mail Body
  • Mail Attachment
You can scan email messages by content or file name. Also, when the severity index exceeds the threshold, the attachment can be stripped from the message. The following attachments can be scanned:
  • Text
  • HTML
  • Microsoft® Word
  • Microsoft® Excel®
  • Microsoft® PowerPoint®
  • Rich-text format (.rtf)
• The configurable severity index permits the configuration of a filter’s sensitivity to keyword matches
• eManager’s built-in operators support the following complex expressions:
  • Keyword expression case (in)sensitivity
  • Optional keyword synonym matching
In addition to the functionality listed above, it is important to consider keyword frequency and proximity when deciding when the filter should trigger.

Message Parts to Filter Messages can contain the following parts: • Mail header: You can filter the message Subject, From, To or CC fields. The Other option allows you to filter another field that commonly appears in a message header such as Received, Message-ID, Date, Reply-To, Sender, etc.

Note: When typing the field name, do not type a colon that usually follows the field name in a message header. The Other field can only be used to specify a user-defined message header field.


• Mail body: The visible text in the message and any HTML tags.
• Mail attachment: You can filter both the content and file names of message attachments. The eManager filter can check content in .txt, HTML, Word, Excel, PowerPoint, and .rtf files.

FIGURE 7-1. Advanced Content Filter—Message Parts to Filter

If the severity index scanning result exceeds the threshold, you can automatically delete the attachment before sending it to the final recipient. For more information, see Intelligent Keyword Matching on page 7-9.

Expressions to be Filtered The Advanced Content Filter searches for keyword expressions that you define. The expressions that a filter contains are shown in the Expression list:

FIGURE 7-2. Advanced Content Filter—Expression List


To Enter a New Expression 1. In the first screen of the Advanced Content Filter, scroll to the bottom and click New Expression.

FIGURE 7-3. Advanced Content Filter—Defining an Expression

2. In the Expression field, type an expression that you want to filter. For more information about writing complex expressions using the eManager filter’s built-in operators, see Complex Keyword Expression Syntax on page 7-11.
3. To filter occurrences of your keywords regardless of their case, under the Case Sensitive section, select Disable.


4. The eManager filters include a synonym dictionary that allows you to enable the synonym filtering of your entered keywords. To detect synonyms, select Detect synonyms and click Edit.

FIGURE 7-4. Advanced Content Filter—Choosing Synonyms

5. The Available Synonyms panes show the synonyms for the keywords that you have entered in your expression. Click >> or << to move entries between the panes. To select a non-contiguous range, use Ctrl+click; to select a contiguous range, use Shift+click.
6. Click Done.

Advanced Settings The filtering engine used by the eManager filter is highly configurable. You can write expressions that consider the proximity of keywords and the number of times the keywords occur. You can also assign a severity value to each keyword expression; the filter triggers only if the value in the Severity Threshold field is surpassed.


To configure advanced settings, click Advanced Settings in the main Advanced Content Filter screen.

FIGURE 7-5. Advanced Content Filter—Advanced Settings

Proximity

Proximity is significant because the keywords that you want to filter only constitute prohibited content when they appear close to each other. Consider the following message samples.

This example is from a church newsletter:
...picnic was a tremendous success. All of the children were treated to fruit punch and cookies. Following snack time, they played games until the clown showed up to distribute presents, with children laughing at his painted face and colorful clothes...

This example is from a hot-headed colleague:
...be forewarned, if your bill collectors persist in calling me, I will come down to your office and punch your face into oblivion...

The relational operator .NEAR. allows you to take the proximity of keywords into consideration. In an expression such as punch .NEAR. face


the Proximity value is 2. This expression triggers on the colleague’s message but not on the church newsletter. The proximity is calculated in the following fashion, where 3 - 1 = 2:

punch   your   face
  1       2      3

Table 7-1. Calculating Proximity Values for the .NEAR. Operator

If you write an expression that uses the .NEAR. operator, remember to enter a value in the Proximity field. For more information about the .NEAR. operator, see Relational Operator on page 7-17.

Frequency

The frequency of keyword expressions is also configurable. You may want your filter to trigger only if, for example, a certain keyword expression appears several times. This gives your users a few chances to use the prohibited keywords, but the filter is still triggered if these words are used excessively. The limiting operator .OCCUR. can be used to consider the frequency of a keyword expression. For example, consider a filter that contains the expression:
.OCCUR. free
If the Frequency value is set to 5, this filter triggers if “free” appears in the content sample five or more times.

Separators

By default, the eManager filter “tokenizes” (divides or parses into words) message content using the space, tab, line feed and carriage return characters. Content between these characters is treated as separate tokens and compared to your keyword expressions. If you want other characters to be used to tokenize content, type them in the Separators field.
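The proximity and frequency calculations described above, together with the effect of the Separators field, as an added Python example (not eManager code). It tokenizes content on the four default separators plus any extra characters, computes the .NEAR. distance as the difference of 1-based token positions exactly as Table 7-1 does ("punch your face": 3 - 1 = 2), and counts occurrences for .OCCUR. Assumptions: the proximity boundary is inclusive (the worked example needs 2 to trigger at Proximity 2), operand order does not matter, Frequency 5 means five or more as the guide's example says, and comparison is case-insensitive unless case_sensitive is set. The newsletter and colleague texts are the guide's samples; the spam line is constructed.

```python
import re

# Added example (not eManager code): tokenizing content and evaluating the
# .NEAR. and .OCCUR. operators as the guide's worked examples describe.
# Assumptions: .NEAR. distance = difference of 1-based token positions with an
# inclusive boundary, operand order ignored, Frequency n means n or more, and
# case-insensitive comparison unless case_sensitive=True.

DEFAULT_SEPARATORS = " \t\n\r"   # space, tab, line feed, carriage return


def tokenize(text, extra_separators="", case_sensitive=False):
    """Split content on the default separators plus any characters typed into
    the Separators field; empty pieces are dropped."""
    splitter = "[" + re.escape(DEFAULT_SEPARATORS + extra_separators) + "]+"
    tokens = [t for t in re.split(splitter, text) if t]
    return tokens if case_sensitive else [t.lower() for t in tokens]


def min_distance(tokens, first, second):
    """Smallest position difference between an occurrence of `first` and one
    of `second`, or None if either keyword is absent."""
    first_at = [i for i, t in enumerate(tokens, start=1) if t == first]
    second_at = [i for i, t in enumerate(tokens, start=1) if t == second]
    if not first_at or not second_at:
        return None
    return min(abs(i - j) for i in first_at for j in second_at)


def near(tokens, first, second, proximity):
    """first .NEAR. second with the given Proximity value."""
    distance = min_distance(tokens, first, second)
    return distance is not None and distance <= proximity


def occur(tokens, keyword, frequency):
    """.OCCUR. keyword with the given Frequency value."""
    return tokens.count(keyword) >= frequency


# The two samples quoted above, plus a constructed spam-like line.
NEWSLETTER = ("...picnic was a tremendous success. All of the children were treated to "
              "fruit punch and cookies. Following snack time, they played games until "
              "the clown showed up to distribute presents, with children laughing at "
              "his painted face and colorful clothes...")
COLLEAGUE = ("...be forewarned, if your bill collectors persist in calling me, I will "
             "come down to your office and punch your face into oblivion...")
SPAM = "Act now: it's FREE! free shipping, free returns, free gift and free support."
```

The SPAM line shows why the Separators field matters: with only "." and "," as extra separators the token is "free!" rather than "free", so the count stays at four and the filter does not trigger at Frequency 5; adding "!" brings it to five.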


Intelligent Keyword Matching

You can assign Advanced Content Filter expressions a severity value. Each time the expression is detected, its value is added to a total. The filter is triggered when this total exceeds the severity threshold.

To consider severity during keyword expression filtering:
1. Select the Enable intelligent keyword matching check box.
2. In the Severity threshold text box, type the severity threshold that will trigger the filter.
3. Click Edit. For each keyword expression, use the pull-down menu and assign a severity value between 1 and 10.
4. Click Done.

Can You Assign Negative Severity?

No - severity values can only be positive. But if you want to ignore a keyword when it occurs with another term, you can configure this kind of filter behavior by using the .AND., .OR. and .NOT. operators (see Complex Expression Example on page 7-18).

FIGURE 7-6. Advanced Content Filter—Assigning Severity Values

Calculating Severity

When calculating severity, each message “entity”, i.e., header, body and attachment, is considered separately. For example, suppose you set the severity threshold to 10 and define two keywords (A and B), each with a weight value of 5. If you receive a message whose subject contains A and whose body contains B, the filter is not triggered even though both matched, because A and B are in different entities.
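The per-entity severity calculation just described, as an added Python example (not eManager code). Each entity is scored on its own and totals never cross entity boundaries, which is why the A/B example does not trigger. Assumptions: expressions are single words matched case-insensitively on whitespace-separated tokens, every occurrence adds the expression's value (the guide says the value is added "each time the expression is detected"), and the comparison is total >= threshold, which the A/B example implies (A and B together in one entity would trigger at threshold 10). The keywords and messages are constructed.

```python
# Added example (not eManager code): intelligent keyword matching with
# per-entity severity totals, as in the guide's A/B example.  Assumptions:
# single-word expressions, case-insensitive whitespace tokens, every
# occurrence adds the expression's value, and total >= threshold triggers.

def entity_total(text: str, weights: dict) -> int:
    """Severity total for one entity (a header field, the body or an attachment)."""
    tokens = text.lower().split()
    return sum(tokens.count(expr.lower()) * value for expr, value in weights.items())


def entity_totals(message: dict, weights: dict) -> dict:
    """Each entity is scored separately; totals never cross entity boundaries."""
    return {entity: entity_total(text, weights) for entity, text in message.items()}


def severity_triggered(message: dict, weights: dict, threshold: int) -> bool:
    """The filter triggers if any single entity reaches the threshold."""
    return any(total >= threshold for total in entity_totals(message, weights).values())


# Constructed example: two keywords worth 5 each, threshold 10.
WEIGHTS = {"confidential": 5, "merger": 5}
SPLIT_ACROSS_ENTITIES = {"subject": "Confidential update",
                         "body": "The merger talks resume next week."}
SAME_ENTITY = {"subject": "Confidential merger update",
               "body": "See the attached notes."}
```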


Regular Expression Syntax

The regular expression feature in InterScan MSS supports matches within a word, but not across words. For example, a.*e matches advance, but not achievement made. To specify a regular expression, add a .REG. operator before the pattern (for example, .REG. a.*e). The table below provides details on using this syntax:

Character: .
Description: This wildcard matches any character, except a newline character.
Example: a.c matches any single character between a and c; but ab (first line) and c (new line) is not a match.

Character: ?
Description: This wildcard matches zero or one instance of the preceding regular expression.
Example: a?c means that the character a can occur zero or one time, so it can match c or ac.

Character: *
Description: This wildcard matches zero or more instances of the preceding regular expression.
Example: P*K matches K, PK, PPK, PPPPK, etc.

Character: +
Description: This wildcard matches one or more instances of the preceding regular expression.
Example: P+K matches PK, PPK, PPPPK.

Character: [abc]
Description: This syntax matches any one of the enclosed characters.
Example: b[ave]d matches bad, bvd, bed.

Character: [a-c]
Description: This syntax matches any one of the enclosed range of characters; the characters in this syntax can only be letters and numbers (for example, [a-c], [A-E], [0-9]). Specifying any other range is unsafe and is not allowed.
Example: b[a-c]d matches bad, bbd, bcd.

Character: [^a-b]
Description: This syntax matches any character that is not in the specified range.
Example: [^a-z] matches characters such as 1, H, K, but not f, g, j...

Character: {n, m}
Description: This syntax matches a range of occurrences of the character that precedes it; the preceding character can also be a regular expression. {n} matches at least “n” occurrences, and {n,m} matches any number between “n” and “m”.
Example: 0{5} matches five zeroes in a row.

The backslash character “\” is used as the escape character. The first and last character of the regular expression should match the boundary of a token; no substring match is allowed. You can perform case sensitive matches, and the expression is evaluated from left to right. More complex examples include:
• B.*V, which matches BV, BAV, BFFFV, B1232V
• B[\*\+]V, which matches B*V, B+V
• [AB][123]?, which matches A1, B, B3
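The token-boundary rule for .REG. patterns, as an added Python example (not InterScan MSS code): a pattern must cover a whole token, so it never matches a substring and never spans words, and character ranges other than letter or digit ranges are refused. Python's re module does the matching here, so for the product's own engine the table above remains the authority (for instance, Python's {n} is an exact count).

```python
import re

# Added example (not InterScan MSS code): applying a .REG. pattern as the guide
# describes: the pattern must cover a whole token (no substring match), never
# spans words, and only letter or digit character ranges are allowed.  Python's
# re module does the matching; the product's own engine may differ in detail.

TOKEN_SPLIT = re.compile(r"[ \t\n\r]+")


def range_is_allowed(pattern: str) -> bool:
    """Only ranges such as [a-c], [A-E] or [0-9] are allowed."""
    for char_class in re.findall(r"\[[^\]]*\]", pattern):
        for lo, hi in re.findall(r"(.)-(.)", char_class[1:-1]):
            same_kind = ((lo.islower() and hi.islower()) or
                         (lo.isupper() and hi.isupper()) or
                         (lo.isdigit() and hi.isdigit()))
            if not same_kind or lo > hi:
                return False
    return True


def reg_matches(pattern: str, text: str, case_sensitive: bool = True) -> bool:
    """True when some whole token of `text` matches `pattern`."""
    if not range_is_allowed(pattern):
        raise ValueError("unsafe character range in " + pattern)
    regex = re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)
    return any(regex.fullmatch(token) for token in TOKEN_SPLIT.split(text) if token)
```

fullmatch() is what enforces the "first and last character match the token boundary" rule; a search() on the raw text would silently allow substring and cross-word matches.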

Complex Keyword Expression Syntax

A legal keyword expression is composed of tokens, the smallest units used to match the expression to the content. A legal token can be an operator, a logical symbol, or an operand (i.e., the argument or the value on which the operator acts). Legal operators include .AND., .OR., .NOT., .NEAR., .OCCUR., .WILD., .(. and .). . The operand and the operator must be separated by a space, and an operand can contain several tokens.

Separator Characters

The eManager filter uses several characters to parse the keyword expression into tokens. Words between these characters (known as separators) become a token. The eManager filter uses the following separators to tokenize keyword expressions:

Character   Meaning
(space)     space
\t          tab
\n          linefeed
\r          carriage return

Table 7-2. Separators for Tokenizing Expressions

Note: A space between the operand and the operator is significant to how the expression is tokenized. For example, the expression “High .AND. Low” is tokenized as two operands (“High”, “Low”) and one operator “.AND.”. The expression “High.AND.Low” is tokenized as one operand (“High.AND.Low”).

Operators

Categories of Operators

The operators used by the eManager filter can be categorized into five groups. All operators are reserved words and cannot be used as keyword tokens to match content.

Category: Grouping operator
Operators: .(. and .).
Functionality: Used to change the evaluation order. The expression within these operators is evaluated first.

Category: Decorating operator
Operators: .WILD.
Functionality: Will match if the content contains the operand. The wildcard character (*) can be used in an operand of .WILD.

Category: Logical operator
Operators: .AND., .OR., .NOT.
Functionality: Performs specific logical operations on operands.

Category: Limiting operator
Operators: .OCCUR.
Functionality: If the number of occurrences of the operand is greater than the preset number, this condition is triggered.

Category: Relational operator
Operators: .NEAR.
Functionality: If the token count between the last token of the first operand and the last token of the second operand is less than the preset number, the condition is triggered.

Table 7-3. Operator Categories


Priority of Operators

When evaluating an expression, the following priority levels are used (1 is the highest and 5 is the lowest):

Operator   Priority
.(.        *
.).        *
.WILD.     1
.OCCUR.    2
.NOT.      2
.NEAR.     3
.AND.      4
.OR.       5

Table 7-4. Operator Priority

Expression Examples The following examples show expressions that use the operators and how these operators evaluate sample text.

Grouping Operators

better .AND. faster .OR. cheaper
This expression matches content that contains “better” and “faster”. It also matches content that contains “cheaper”.

Content: ...analysts agree that the 2002 model is a better, faster and more economical vehicle than its predecessors...
Result: Match

Content: ...many young families have found that buying houses in the East Bay suburbs is cheaper than living in the Peninsula communities...
Result: Match

Content: ...broadband Internet access can be up to 50 times faster than dial-up connections, and rates are expected to...
Result: No match

Table 7-5. Grouping Operator [better .AND. faster .OR. cheaper]

better .AND. .(. faster .OR. cheaper .).
This expression matches content that contains “better” and any instance of “faster” or “cheaper”.

Content: ...analysts agree that the 2002 model is a better, faster and more economical vehicle than its predecessors...
Result: Match

Content: ...many young families have found that buying houses in the suburbs is cheaper and offers a better quality of life...
Result: Match

Content: ...broadband Internet access can be up to 50 times faster than dial-up connections, and cheaper rates are on the...
Result: No match

Table 7-6. Grouping Operator [better .AND. .(. faster .OR. cheaper .).]

Decorating Operator (.WILD.)

.WILD. This * message
This expression matches content when “message” follows “This”. There can be any number of words between “This” and “message”.

Content: ...This message is being sent to you because you signed up for our free email newsletter...
Result: Match

Content: ...This is to inform you that I will be on holidays until 10/12. You can leave a message at 408-555-1212...
Result: Match

Content: ...This is arguably the most exciting software that I have...
Result: No match

Table 7-7. Decorating Operator [.WILD. This * message]

.WILD. *ed
This expression matches any content that ends with “ed”.

Content: ...that movie has been edited for TV broadcast...
Result: Match

Content: ...this program is followed by an infomercial...
Result: Match

Content: ...The editor sent the manuscript for final proofreading...
Result: No match

Table 7-8. Decorating Operator [.WILD. *ed]

Logical Operator (.AND., .OR., .NOT.)

High .AND. Low This expression matches content when “High” and “Low” are present.

Content | Result
...High today in the interior is 87. Low tonight will be 53 near the coast... | Match
...His favorite movies are “High Noon” and “Eject at Low Level and Live”... | Match
...she plans to attend Central High next fall... | No match

Table 7-9. Logical Operator [High .AND. Low]


High .OR. Low This expression matches content when “High” or “Low” are present (also matches content when both words are present).

Content | Result
...High tide will be at 9:00 PM. Low tide will be at 7:00 AM... | Match
...she’s planning to move to High Street in July... | Match
...please turn the heater to Low - I’m sweating... | Match

Table 7-10. Logical Operator [High .OR. Low]

.NOT. Happy A value configured with the .NOT. operand makes a content match only when the value is absent from the subject, the body, and any attachments as well. For example:

Subject Content | Body Content | Result
...Happy Birthday to you... | Have a great birthday dinner tonight! | No match
...Hanukkah Greetings... | Happy Hanukkah! from Dr. Bob | No match
...I’m So Happy... | Happy Anniversary Sweetheart! | No match
...Merry Christmas... | Wishing you the joys of the season! | Match

Table 7-11. Logical Operator [.NOT. Happy]

How Expressions Using .NOT. are Evaluated

Messages contain many entities: the subject, body, attachment, MIME content, and so on. With an expression using the .NOT. operator, a message is delivered only if all entities in the message contain the expression. For example, the following message would be valid when the .NOT. Confidential operand is used.

Subject: Confidential financial report
Body: The attached is Confidential - for internal use only.
Attachment: A spreadsheet entitled “Confidential - Preliminary Annual Report.”


In other words, all of a message’s entities must trigger the expression for the message to trigger it. Each entity is evaluated against the expression using .NOT., and their results are combined.

Tip: When you configure the mail format in some email clients to be HTML, the resulting message has MIME content-type “multipart/alternative”, with a “text/plain” mail body entity and a “text/html” mail body in the same message. This may “break” the body of the message into “parts”.

If the value associated with the .NOT. operand (such as Happy or Confidential as shown in the above examples) does not appear in all of these “parts,” the message is not delivered. You may be able to work around this issue by combining the .NOT. operand with other operands.

Limiting Operator (.OCCUR.)

.OCCUR. coming soon This expression matches content and evaluates as true if “coming soon” occurs at least the preset number of times. The following are some examples if the preset number is 2.

Content | Result
...her birthday is coming soon, and I’ll buy her a cake... | No match
...her birthday is coming soon, and Thanksgiving is also coming soon... | Match
...her birthday is coming soon, Thanksgiving is coming soon, and a hurricane is coming soon... | Match

Table 7-12. Limiting Operator [.OCCUR. coming soon]

Relational Operator (.NEAR.)

High .NEAR. Sky Diving This expression matches content and evaluates as true if the number of tokens between “High” and “Diving” is less than the preset number. Note that “Sky” counts as one token between “High” and “Diving”. If the preset number is 1, the condition is never triggered. The following are some examples if the preset number is 3.

Content | Result | Tokens Between
...High Danger Extreme Mountain Sky Diving... | No match | 5
...High Danger Mountain Sky Diving... | No match | 4
...High School Sky Diving... | Match | 3

Table 7-13. Relational Operator [High .NEAR. Sky Diving]

Complex Expression Example

You may, for example, want the eManager filter to detect tokens, except when they appear with other words. This example shows you how to write an expression that can filter successfully under those circumstances.

Scenario

As part of a policy designed to detect suggestive email content, you want to filter for the keyword “breast”. However, you want to exclude legitimate occurrences of this keyword, such as “breast cancer”. Likewise, you may want to filter for the keyword “breasts” but exclude occurrences of “chicken breasts”. The requirements of this expression are:
1. Detect “breast” but ignore it when part of the expression “breast cancer”.
2. Detect “breasts” but ignore it when part of the expression “chicken breasts”.

Writing the Expression

Requirement #1 can be checked by the expression: breast .AND. .NOT. breast cancer
Requirement #2 can be checked by the expression: breasts .AND. .NOT. chicken breasts


These two expressions could have also been written as: breast .AND. .(..NOT. breast cancer.) and breasts .AND. .(..NOT. chicken breasts.) respectively.

Note: We do not have to use parentheses in the above expressions because the .NOT. operator is evaluated before the .AND. operator. For more information, see Priority of Operators on page 7-13.

The Final Expression

Since we want to detect occurrences of “breast” or “breasts”, we combine the two expressions into one using the .OR. operator. The final expression is:

.(.breast .AND. .NOT. breast cancer.). .OR. .(.breasts .AND. .NOT. chicken breasts.).

Note: The .(. and .). operators are required in the final expression because the .OR. operator has the lowest priority of operation. The evaluation order is not correct if the .(. or .). operators are omitted.

Evaluating Expressions

Rules

Expression evaluation rules can be summarized as follows:
1. The expression must be valid.
2. Contents in parentheses are evaluated.
3. Contents are evaluated from left to right.
4. Contents are evaluated based on the operators’ precedence.


Valid Expressions

The following is a list of the valid expression types:

Type 1 Operand-only expression (i.e., no operator), such as: keyword

Type 2 .WILD.

Note: Due to performance issues, the first token and the last token after the operator “.WILD.” cannot consist only of “*”, e.g., .WILD. * , .WILD. * Birthday and .WILD. Happy * are all invalid expressions.

Type 3 .NOT. .NOT. .NOT. .NOT. .NOT. .NOT.

Type 4 .OCCUR. .OCCUR.

Type 5 .AND. .OR.

Type 6 .NEAR.


Type 7 .(. .).

Note: If an expression does not comply with one of the above seven types, it is treated as invalid.

Examples

Expression | Validity | Explanation
.OCCUR. .(. High .AND. Low .). | Invalid | .OCCUR. cannot appear before a Type (7) expression
.NOT. High .NEAR. Low | Invalid | .NEAR. can only apply to Type (1) and Type (2); .NOT. High is Type (3)
.NOT. .(. High .NEAR. Low .). | Valid | Complies with Type 3
.WILD. better * faster .NEAR. coming soon | Valid | Complies with Type 6
.WILD. * | Invalid | The first token following “.WILD.” is “*”
.WILD. Hello, every **** | Invalid | The last token following “.WILD.” consists only of “*”

Table 7-14. Examples of Valid and Invalid Expressions

Using Reserved Words as Operators

To match some reserved keywords (for example, those that use text that resembles an operator in an operand), add an escape character “\”. For example, if you want to match the keyword “AAA .AND. BBB”, the expression that you can use is “AAA \.AND. BBB”. You have to add an escape character on “.AND.”, because “.AND.” is an operator. If you want to match the keyword “\”, you have to use the expression “\\”.

Note: The escape character is not character-, but token-, based. That is, the escape covers the entire token, not just the character. Also, it does not escape the special character asterisk (*) in the expression that follows the .WILD. operator.
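The operator tables above, the final expression of the complex example, the validity rules of Table 7-14 and the escape rule can all be exercised with the following evaluator. It is an added example written for this guide's syntax, not Trend Micro's implementation; it assumes case-insensitive matching, ignores punctuation at word edges, takes the .OCCUR. and .NEAR. presets as parameters, and counts .NEAR. distance as the tokens strictly between the two operands, as the text describes.

```python
import re

# Added example, not Trend Micro code: matching is case-insensitive, punctuation at word
# edges is ignored, and the .OCCUR./.NEAR. presets (set in the product UI) are parameters.
OPS = {".AND.", ".OR.", ".NOT.", ".WILD.", ".OCCUR.", ".NEAR.", ".(.", ".)."}
EDGE = ".,;:!?\"'()“”‘’"

def tokenize(expression):
    # space out glued '.(.' / '.).' (the guide writes '.(.breast'); a token beginning with '\' is a literal word
    return [("word", t[1:]) if t.startswith("\\") else ("op" if t in OPS else "word", t)
            for t in re.sub(r"(\.\(\.|\.\)\.)", r" \1 ", expression).split()]

def parse_chain(toks, op=".OR."):  # .OR. has the lowest priority, then .AND., then .NEAR.
    lower = (lambda t: parse_chain(t, ".AND.")) if op == ".OR." else parse_near
    node = lower(toks)
    while toks[:1] == [("op", op)]:
        toks.pop(0)
        node = (op.strip(".").lower(), node, lower(toks))
    return node

def parse_near(toks):  # Table 7-14: .NEAR. joins only Type 1 (keyword) and Type 2 (.WILD.) operands
    node = parse_prefix(toks)
    if toks[:1] == [("op", ".NEAR.")]:
        toks.pop(0)
        node = ("near", node, parse_prefix(toks))
        if any(side[0] not in ("phrase", "wild") for side in node[1:]):
            raise ValueError(".NEAR. applies only to Type 1 and Type 2 operands")
    return node

def parse_prefix(toks):  # .NOT. and .OCCUR. bind tighter than .NEAR., .AND. and .OR.
    if toks[:1] == [("op", ".NOT.")]:
        toks.pop(0)
        return ("not", parse_prefix(toks))
    if toks[:1] == [("op", ".OCCUR.")]:
        toks.pop(0)
        operand = parse_operand(toks)
        if operand[0] == "group":  # Table 7-14: .OCCUR. cannot precede a Type 7 expression
            raise ValueError(".OCCUR. cannot precede a .(. .). expression")
        return ("occur", operand)
    return parse_operand(toks)

def parse_operand(toks):
    if toks[:1] == [("op", ".(.")]:
        toks.pop(0)
        inner = parse_chain(toks)
        if toks.pop(0) != ("op", ".)."):
            raise ValueError("missing .).")
        return ("group", inner)
    wild = toks[:1] == [("op", ".WILD.")] and bool(toks.pop(0))
    words = []
    while toks and toks[0][0] == "word":
        words.append(toks.pop(0)[1])
    if not words:
        raise ValueError("operand expected")
    if wild and (set(words[0]) == {"*"} or set(words[-1]) == {"*"}):
        raise ValueError("first/last token after .WILD. cannot consist only of '*'")
    return ("wild" if wild else "phrase", words)

def parse(expression):  # tree for a valid expression, None if it is not one of the seven valid types
    toks = tokenize(expression)
    try:
        node = parse_chain(toks)
    except (ValueError, IndexError):
        return None
    return node if not toks else None

def spans(node, words):  # (start, end) token spans where a keyword phrase or .WILD. pattern occurs
    hay, rx = " " + " ".join(words) + " ", r"(?<= )"
    for w in node[1]:
        piece = re.escape(w.lower().strip(EDGE)) + " "
        if node[0] == "wild":  # a lone '*' spans whole words; '*' inside a word spans characters
            piece = r"(?:\S+ )*?" if w == "*" else piece.replace(r"\*", r"\S*")
        rx += piece
    return [(hay.count(" ", 0, m.start()) - 1, hay.count(" ", 0, m.end()) - 1)
            for m in re.finditer(rx, hay)]

def evaluate(node, words, occur_min=2, near_max=3):
    ev = lambda n: evaluate(n, words, occur_min, near_max)
    kind = node[0]
    if kind in ("phrase", "wild"):
        return bool(spans(node, words))
    if kind in ("group", "not"):
        return ev(node[1]) if kind == "group" else not ev(node[1])
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(ev(c) for c in node[1:])
    if kind == "occur":  # true once the operand occurs at least the preset number of times
        return len(spans(node[1], words)) >= occur_min
    # .NEAR.: the tokens strictly between the left operand and the right operand's last token
    return any(rs >= le and re_ - 1 - le < near_max
               for _, le in spans(node[1], words) for rs, re_ in spans(node[2], words))

def matches(expression, entities, occur_min=2, near_max=3):
    # entities = subject, body, attachment texts; per the guide a .NOT. expression must trigger on every entity
    tree = parse(expression)
    if tree is None:
        raise ValueError("invalid expression: " + expression)
    hits = [evaluate(tree, [w.lower().strip(EDGE) for w in e.split() if w.strip(EDGE)], occur_min, near_max)
            for e in entities]
    return all(hits) if ("op", ".NOT.") in tokenize(expression) else any(hits)
```

For expressions without .NOT., `matches` treats one triggering entity as sufficient, which is an assumption the guide does not spell out.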


Other Content Management Filters

In addition to the Advanced Content Filter, there are five other predefined eManager filters that you can use in your policies. These are available when you create a new filter.

Creating or Modifying Filters

To create a new filter or modify an existing one, first follow the instructions below. Next, proceed to the detailed instructions under each filter section.

To create a new fil­ter:
1. In a policy screen, click the Create new filter link.
2. In New Filter, complete steps 1-3 and click Next >>.
3. Proceed to the appropriate filter section for more detailed information:
• Features on page 7-23
• General Content Filter on page 7-28
• Message Size Filter on page 7-29
• Disclaimer Manager on page 7-31
• Anti-Spam Filter on page 7-32


To modify a filter:
1. Go to the appropriate policy screen.
2. To modify the filter’s parameters, click edit next to the filter under one of the following columns:
• Type
• Availability and Status
• Action
3. Go to the appropriate filter section in this chapter for more detailed information.

Message Attachment Filter

This filter blocks message attachments or MIME content-types at the SMTP gateway.

Features
• Checks messages by attachment:
• Name (supports wildcard usage)
• Types (from the MIME content-type field in the message header)
• File type from a binary analysis of the attachment
• Optionally allows automatic deletion when a filter is triggered.

Creating or Modifying the Filter

To create or modify a Message Attachment Filter:
1. Click Edit under the Type column.
2. Under Filtering Criteria, select which of the following attachment types you want to filter.
• Attachment file extension and/or name: Enter a complete file name (readme.exe) or a wildcard expression (*.mp3).
• Message MIME content-type: To select specific MIME content-types, click Edit. In the MIME content-type screen, select the file types and click Done. For additional information on the MIME content-type, see Message MIME Content-Type on page 7-25.


• Attachment file type: To select a specific attachment file type, click Edit. In the Attachment file type screen, select the file type(s) and click Done (see Figure 7-8).
3. Select the check box under Option to strip and discard the attachment when the filters’ conditions are triggered.
4. Select the Insert warning message into original mail if the attachment is stripped check box and type an appropriate warning message.
5. Click Save to return to the Manage filters screen.

Will Changing the Attachment's File Extension Avoid Attachment Blocking? No. The eManager filter does not rely on a file's extension to determine the file type; it performs an internal analysis of the file.

Note: When choosing to block messages by attachment file type, Java byte code refers to Java class files with the .JS, .JSE, .CLA, and .CLASS extensions.


FIGURE 7-7. Attachment File Type Screen

Some file types in this screen include several subtypes. Under Executable:
• exe includes all DOS, Windows 3.1, 32-bit Windows and OS/2 executable files
• dll includes both Windows 3.1 and 32-bit Windows DLLs

Under Compressed Files, the others option includes the LZW, CAB, LHA, ARC, AR, PKLITE, DIET, LZH and LZ compressed file formats

Message MIME Content-Type

In the main Message Attachment screen you can also choose to scan MIME content-types. Email messages with MIME content contain a Content-Type field in their header.


The following shows a sample email message header:

Mime-Version: 1.0
Content-Type: multipart/mixed;

This is a multi-part message in MIME format.

Content-Type: text/plain; format=flowed

Content-Type: application/msword;
...

The Message Attachment Filter can detect these MIME types and perform the action that you configure.

FIGURE 7-8. Message Attachment Filter—MIME Content-type

The following is a mapping table that shows how the eManager filter blocks certain MIME content-type attachments. You can use this table to determine which MIME content-type is blocked by enabling the corresponding item in the screen. Click Done when you have finished.

UI Text | MIME content-type(s)

Image file formats
jpeg | image/jpeg, image/pjpeg
gif | image/gif
tif/tiff | image/tiff
bmp | image/x-ms-bmp, image/bmp

Audio file formats
wav | audio/x-wav, audio/wav, audio/microsoft-wave
mp3 | audio/x-mpeg, audio/mpeg
midi | x-music/x-midi, audio/mid

Video file formats
mpeg | video/mpeg
quicktime | video/quicktime
msvideo | video/x-msvideo, video/avi, video/x-ms-asf, video/x-ms-wmv

Application file formats
pdf | application/pdf
zip | application/zip, application/x-zip-compressed
msword/rtf | application/msword, application/rtf, text/richtext
mspowerpoint | application/vnd.ms-powerpoint, application/ms-powerpoint
msexcel | application/vnd.ms-excel, application/x-msexcel, application/ms-excel

Table 7-15. MIME Content-type Blocking Filter

Note: The exact wording in the message’s Content-Type field differs slightly depending on which email client sends the message. To see the terminology used by some common email clients, see MIME Content-types Used by Email Clients on page A-7.


General Content Filter

The General Content Filter is a simple content and attachment filter that lets you filter by the:
• Subject line (permits multiple subjects)
• Keyword(s) in the message body
• Message file size
• Attachment file name (supports wildcard usage)

Features This filter also supports case sensitivity.

FIGURE 7-9. General Content Filter

The General Content Filter cannot use complex expressions that include the built-in operators .NOT., .OCCUR., etc. If these terms are entered, they are treated as part of the keyword expression, not as operators.

Note: When configuring the General Content Filter, you can enter a Subject line, Mail body or Attachment file name expression that includes the wildcard “*”. However, the expression cannot consist entirely of a “*”.


To create or modify a General Content Filter:
1. Choose from the following criteria that you want to trigger the filter:
• Subject line is: This option supports wildcard “*” usage in an expression.
• Mail body contains: This option supports wildcard “*” usage in an expression. You can use the pull-down menu to select whether you want All keywords, Any keywords, or No keywords.
• Message size is: This option allows you to filter attachments that are larger or smaller than the settings that you entered.
• Attachment file name contains: This option supports wildcard “*” usage in an expression. To block all files with a specific extension, enter a valid filename format and not just the extension. For example, to block all executable files, you must enter “*.exe” not just “exe”.
2. Click Save. You are returned to the Manage filters screen.
3. Click Edit under the Action column, and using the pull-down menu, select a filter action and click Save. You are returned to the Manage filters screen to see your filter in the list.

Message Size Filter

The Message Size Filter allows precise control over the types of messages that can be processed at different times of the day. You can use it to postpone the processing of large messages during peak hours.

Features
• Supports message filtering based on:
• Message size (body + attachments)
• Attachment size
• Number of attachments
• Message size restrictions are enforced during one-hour intervals selected from the activation schedule (Figure 7-10).


Creating or Modifying the Filter

To create or modify a Message Size Filter:
1. Choose the size of the message parts that you want to filter by selecting one of the options (see Features on page 7-23).
2. Click Activation Schedule. Select the time slots during which messages that exceed the size limits trigger the filter. As you can see in Figure 7-10, the default times when messages that trigger the filter are blocked at the SMTP gateway are Monday-Friday from 7:00 AM to 6:00 PM.

FIGURE 7-10. Message Size Filter—Activation Schedule

3. Click Save to return to the Filtering criteria screen.


Disclaimer Manager

The Disclaimer Manager allows you to add standard text to messages that you specify.

Features
• Adds user-configurable disclaimer text at the beginning or end of messages.
• Supports complex expressions using the eManager filters.
• Can also add a disclaimer to all messages, whether or not they match the expression.

FIGURE 7-11. Disclaimer Manager


Creating or Modifying the Filter

To create or modify the Disclaimer Manager Filter:
1. Click Create new filter and complete steps 1-3.
2. Under Step 4-1, type the contents of the disclaimer.
3. Choose whether the disclaimer will be appended at the beginning or at the end of the message body.
4. Select the messages to which the disclaimer applies:
• All messages
• Only messages matching the listed expressions
• All except messages matching the listed expressions
5. If you chose to insert the disclaimer based on an expression, click New Expression under Step 4-3 and configure it. For more information, see Complex Keyword Expression Syntax on page 7-11.
6. Click Next and verify your settings; click Next.

Note: Clicking Next saves your settings, which prevents you from returning to previous screens in the wizard.

7. In Step 5, use the pull-down menu to select the filter action, and click Save.

Anti-Spam Filter

When using the Anti-Spam Filter, choose the message parts that you want to scan:
• Enabled for message subject: This option checks the message headers using TM_Trend$SE. The processing rate is faster than checking the mail body.
• Enabled for both message subject and body: This option results in a higher detection rate, at the expense of the mail processing rate.

How Anti-Spam Filtering Works

The Anti-Spam Filter detects spam messages by comparing message content with spam databases. You can automatically update the spam databases by choosing, in the left frame, Configuration > Update.


The file names for the spam databases are:
• TM_Trend$SE.### (### is the database version) contains message header characteristics, e.g., subject, From and To fields, of known spam messages.
• TM_AntiSpam.### contains typical keyword expressions that have appeared in spam messages. Keywords can be a phone number, a URL, or other keyword expressions such as “Get rich in 30 days”.

How is the anti-spam database developed? Trend Micro’s team of spam collectors add identifying characteristics of spam email to the databases. Since spam senders frequently change their email addresses, identifying characteristics like Web sites or telephone numbers are used to detect them. If you receive a suspected spam message that our filter fails to detect, forward it (including all mail headers) to spam@trendmicro.com. We may add it to the database.

To check the version of the spam database currently in use, in the left frame, choose Configuration > Update > Update Now.

To create or modify the Anti-Spam Filter:
1. Click Create new filter, complete steps 1-3, and click Next.
2. Select one of the following options:
• Enabled for message subject.
• Enabled for both message subject and body.
3. Click Next.
4. Verify your filter parameters and click Next. Clicking Next saves your settings, so you cannot return to previous screens in the wizard.
5. In Step 5, use the pull-down menus to select filter actions and click Save. You are returned to the Manage filters screen where you can see your newly created filter in the list.

Chapter 8 Troubleshooting and Contact Information

This chapter contains information about troubleshooting your InterScan MSS installation. In addition, the following Trend Micro technical support services are introduced:
• Notification-related issues
• Obtaining a serial number to upgrade InterScan MSS™ from the trial version
• Trend Micro’s Virus Information Center
• Technical support contact information
• HouseCall™
• SolutionBank


Troubleshooting

Notification-Related

Using InterScan MSS as Notification Server May Cause Message Looping

If a content management filter sends an email notification with the original message attached, and InterScan MSS is used as the notification server, an infinite loop occurs. This is because the original message is attached to the notification email message and is tested by all filters when processed by InterScan MSS, which triggers the same filter again. Another notification is sent, attaching the original, the filter is triggered again, and so on. We recommend that you do not use the InterScan MSS server as your notification server.

Obtaining a Serial Number

The product serial number can be obtained:
• On the product registration card included with the software
• On the outside front cover of this Getting Started Guide
• From a Trend Micro sales representative at: [email protected]

Trial Version

You can install the 30-day trial version. This version is fully functional and can be installed without entering a serial number. After 30 days, the daemons will work, but virus scanning and eManager filters will not.

Upgrading to the Full Version

If you decide to purchase the product, you do not need to re-install it. To upgrade, do the following:
1. In the left frame, choose Configuration > General > Registration > Product Registration.
2. Enter your serial numbers in the InterScan MSS and eManager fields.
3. Click Register.

Registering Your Product

Registering your product is important because it entitles you to:
• One year of program and pattern file updates
• One year of technical support
• Important product information
You can register through Trend Micro’s Web site or by mail.

Trend Micro™ Security Information

For comprehensive security information from our free Virus Information Center, go to: http://www.trendmicro.com/vinfo/default.asp
Here, you can find out about the following:
• Virus Map
• Virus Encyclopedia
• Test files
• General Virus Information
• White Papers
• Webmaster Tools
• TrendLabs™ R & D

Technical Support

A license to Trend Micro antivirus software includes the right to receive pattern file updates and technical support from Trend Micro or an authorized reseller, for one (1) year. Thereafter, you must renew Maintenance on an annual basis at Trend Micro’s then-current Maintenance fees to have the right to continue receiving these services.


Contact Information

Tech Support

For tech support in the U.S. and Canada, contact us at: [email protected]
For tech support outside the U.S. and Canada, contact us at: http://www.trendmicro.com/support/

U.S. Contact Information

In the U.S., Trend Micro representatives can be reached by phone, fax, or email.
• Our main U.S. phone and fax numbers are:
Toll free: +1-800-228-5651 (sales)
Voice: +1-408-257-1500 (main)
Fax: +1-408-257-2003
• To reach us outside the U.S., call: +1-408-257-1500 (main)
• Our U.S. headquarters is located in Silicon Valley at:
Trend Micro, Inc.
10101 N. De Anza Blvd.
Cupertino, CA 95014
• Our Web site is: www.trendmicro.com

HouseCall™

HouseCall is Trend Micro’s free, online virus scanning service.

Note: Although HouseCall detects and cleans viruses found on your hard drive, it does not provide real-time protection.

1. Go to the following Web site: //housecall.antivirus.com/housecall/start_corp.asp
2. Using the pull-down menu, select your country and follow the instructions.


SolutionBank

Trend Micro provides SolutionBank, our online Knowledge Database. You can use SolutionBank, for example, if you are having trouble receiving program file updates or if you are getting an error message. You can search SolutionBank, using the text of the message, to find out what is causing the problem and how to fix it. The contents of SolutionBank are being continuously updated, and new solutions are added daily. If you are still unable to find an answer, you can email a description of the problem to a Trend Micro support engineer who will investigate the issue and respond as soon as possible. To access Trend Micro’s SolutionBank, go to the following Web site: http://solutionbank.trendmicro.com/solutions/solutionSearch.asp

Chapter 9 Case Studies

There are two case studies in this chapter. The first case study illustrates how a fictional organization uses InterScan™ MSS to manage their email traffic. Several business problems are solved through InterScan MSS’s Virus and eManager™ filters. The second case study illustrates how to separate the notifications for inbound and outbound messages.

Case Study #1

Introduction

AndyTech, Inc. is a U.S.-based Internet book and software retailer. Until recently, their antivirus protection has been limited to antivirus scanners on every workstation. However, AndyTech’s Messaging Administrator, Jerome, noticed that the majority of viruses enter the network through the SMTP gateway. After evaluating several solutions, he purchased and installed InterScan MSS. The remainder of this chapter details how Jerome configured policies to maintain the integrity of AndyTech’s messaging system.


Configuring the Global Policy

After installing InterScan MSS, the Global Policy applied to all messages flowing through the InterScan MSS server includes an enabled Antivirus Filter and several disabled content filters. Since his manager insists that a minimum level of content management be applied to the entire organization, Jerome configures the Antivirus Filter settings and adds some basic content filters.

Customizing the Antivirus Policy

To see the default antivirus settings, Jerome chooses Policy Manager > Global Policy and, for the Virus Filter, clicks edit under the Type column. This step exposes the default antivirus settings. They specify that all file attachments be scanned for viruses. Jerome feels that this is too restrictive and changes the setting to Trend Micro recommended file types. Since Jerome wants to assure his users that messages traveling through the company’s messaging system are scanned for viruses, he selects the Insert safe stamp check box and customizes the message as follows:

AndyTech, Inc. scans all traffic passing through the electronic messaging system. If you have any concerns about computer viruses, please contact the IT Help Desk.

Jerome saves the settings; to apply the changes to the program, he clicks Apply Now and restarts InterScan MSS.

Enabling Content Filtering

To ensure that all AndyTech employees enjoy a harassment-free workplace, Jerome decides to enable some of InterScan MSS’s built-in content filters. On the Global Policy main page, Jerome activates the Anti-Spam, Profanity, Racial Discrimination and Sexual Discrimination filters by clicking their edit buttons under the Availability and Status column. Additionally, in the Type column, he clicks the Profanity filter’s edit button and adds some additional obscenities common in his region. After clicking Save, Jerome clicks Apply Now.

Preventing the Filtering of Innocent Content

A week after Jerome enabled the content filters in the Global Policy, he received a call from a regional sales manager who complained about being unable to receive email from a customer. Apparently, the customer had sent three messages, but none of them were received. When told of the customer’s location, Jerome immediately realized that some of the terms that he added to the Profanity filter were too vague. The customer was located in Climax Springs, MO and included his address in the signature of his email messages. Since Jerome had added the keyword “climax” to the Profanity filter, the messages were triggering the Profanity filter and were being quarantined. He checked the Quarantine area and the three lost messages were there:

FIGURE 8-1. Quarantine Area

To fix this problem, Jerome modified the keyword expression in the Profanity filter, so that it would detect all incidences of the word “climax”, except when it occurred as “Climax Springs”. His modified expression appears as follows:

FIGURE 10-2. Complex Filtering Expression

Releasing Messages From Quarantine

After changing the expression, Jerome returned to the Quarantine Area, clicked View, checked the customer’s messages, and then clicked Reprocess. After refreshing the page, the messages did not appear in the Quarantine Area. They were delivered to their final destination and messages from this customer would no longer erroneously trigger the filter.

Creating Sub-Policies

Jerome’s Global Policy configuration provides the basis of AndyTech’s email usage policy. The Antivirus Filter ensures that infected attachments are stopped at the SMTP gateway and the Anti-Spam, Profanity, Racial Discrimination and Sexual Discrimination filters check messages for prohibited content. Jerome now configures sub-policies to address specific business issues with the company’s messaging system.

Protection Against Virus Outbreaks

Late one night, Jerome was surfing the Internet at home before going to bed when he checked his favorite computer security Web site. There was an advisory about a new mass-mailing virus causing havoc to messaging systems throughout Asia and Europe. It was too early for damage estimates, but the virus description was known:
• The virus was harbored in an email message with the subject line “Claim your $50 gift certificate”.
• The virus was a *.vbs attachment, but the actual filename differed for each infection.
• After the recipient double-clicked the attachment, the running script would automate the Outlook mail client on the workstation and then automatically send the message, including the virus, to everyone in the recipient’s address book.
Remembering the frustration of cleaning up after the last virus outbreak, Jerome printed the description of the virus, put on his jacket and then drove 45 minutes through the night to AndyTech’s office.

Adding the Sub-Policy

From the InterScan MSS Web-based Management Console, Jerome opened the company’s Global Policy and added a user-defined General Content Filter called Block GiftCert.


For the content filtering criteria, he configured:
• Subject line is: “Claim your $50 gift certificate”
• Attachment file name contains: *.vbs

FIGURE 10-3. Blocking Mass-Mailing Viruses Through Content Filtering

For the filter action, he configured all messages that trigger the filter to be deleted.

Checking the Log Files

Jerome arrived at work the following day, a little worse for wear from his late night, and immediately checked the eManager logs. There were 57 pages of log entries, all reporting blocked messages with the subject line “Claim your $50 gift certificate”. Had Jerome not made the special journey to the office to add the filter to AndyTech’s Global Policy, he would most certainly have had a major virus outbreak to contend with and substantial clean-up work. Jerome provided a status report to his boss that AndyTech’s network was secure and no viruses had penetrated InterScan MSS. His boss thanked him for his quick thinking and told him to take the rest of the day off to rest.

Language-Based Message Routing

Note: This filter uses the Advanced Content Filter.

9-5 Trend Micro™ InterScan™ Messaging Security Suite Getting Started Guide

Business Problem

AndyTech recently ran a marketing campaign in China, Hong Kong, and Taiwan and used the general email address [email protected] in the ads. Response has been overwhelming, but now Jerome faces the challenge of routing the messages to the reps who are responsible for the region. To complicate matters, Jerome learns that prospects in China use simplified Chinese characters, while those in Taiwan and Hong Kong use complex Chinese characters. Jerome decides to create an Advanced Content Filter that routes messages using Chinese encoding or originating from domains in the greater China region.

Defining the Filter Actions

Jerome wants messages sent from a China domain or using simplified Chinese encoding to be sent to AndyTech’s China representative, Mr. Hanzhao Zhang. Additionally, he wants messages that come from a Taiwan or Hong Kong domain (or use complex Chinese encoding) to be sent to another representative, Mr. Joseph Wang. Two filter actions are created, specifying that the messages be forwarded to the correct people.

FIGURE 10-4. Forward Message When Filter is Triggered


Defining the Sub-Policy

Jerome creates a new sub-policy called Chinese Messages with the route from *, i.e., all incoming messages, to [email protected]. Character set information is located in the charset field of the message header. For example, simplified Chinese messages appear as:
charset="gb2312" or charset="hz-gb-2312"
Complex Chinese messages contain the following header:
charset="big5"
Since Jerome also wants English messages originating from these regions to be routed to the appropriate sales representative, he decides to filter based on the two-letter country code that appears at the end of domain names:
• China: *@*.cn
• Taiwan and Hong Kong: *@*.tw and *@*.hk
Two filters are added to the Chinese Messages policy, called Complex Chinese and Simple Chinese. Their filter actions when triggered are to forward messages to [email protected] and [email protected], respectively.

FIGURE 10-5. Advanced Content Filter to Route Chinese Language Messages


Note: You can find out more information about character sets at http://www.iana.org/assignments/character-sets. Information about country codes that appear at the end of domain names is available at http://www.ics.uci.edu/pub/Websoft/wwwstat/country-codes.txt.

Blocking Large Multimedia Files

Note: This filter uses the Message Attachment Filter.

Jerome’s investigation into some recent mail delays has determined that a small number of employees have been using the company’s messaging system to transfer large audio and video files. While some employees at AndyTech have legitimate business reasons to transfer these types of files, Jerome has discovered that the individuals responsible for the bulk of the traffic are probably doing it for personal reasons.

Defining an Address Group

Jerome adds the email addresses of all the suspected message system abusers into a text file and then imports them when defining a new address group called Mail Abusers.

Defining the Sub-Policy

Jerome creates a new sub-policy and defines the following route:

FIGURE 10-6. Defining the Route for Email Abusers


He then adds a Message Attachment Filter that blocks multimedia and MIME content-type-based attachments (Figure 10-7).

FIGURE 10-7. Multimedia Attachment and MIME Content-Type Filtering

When the filter is triggered, he decides to delete the file as the filter action.

Controlling Oversized Messages

Note: This filter uses the Message Size Filter.

Unfortunately, prohibiting a subset of AndyTech’s employees from transferring multimedia files has not prevented all message delays. Rather than purchasing more bandwidth, Jerome decides to create a Message Size Filter that prohibits large attachments from being transferred during business hours. When this issue was discussed at the weekly managers’ meeting, all of the managers agreed with the new restrictions, except the Creative Services Manager. She explained that graphic designers frequently have to send large graphic files to advertising agencies, and that postponing message transfer until non-peak hours would prevent them from meeting their deadlines. Jerome decides on the following compromise:
• Add a Message Size Filter to the Global Policy that postpones processing of all messages larger than 2MB until non-business hours.
• Create a new sub-policy that only applies to AndyTech’s Creative Services department and postpones messages larger than 5MB.

Modifying the Global Policy

Jerome chooses, from the left frame, Policy Manager > Global Policy and creates a new Message Size Filter. Since he knows that he will be creating another Message Size Filter for the sub-policy that applies to the graphic designers, he enables Allow task to be overwritten by a sub-policy. He configures all messages larger than 2048KB, i.e., 2MB, passing through the InterScan MSS server between 7:00 AM and 6:00 PM Monday to Friday to be postponed (filter action = Postpone and Notify):

FIGURE 10-8. Activation Schedule


Creating the Sub-Policy

Jerome creates an address group called All of Creative Services and imports their email addresses from a text file. He then adds a Message Size Filter and configures the maximum message size as 5120KB, i.e., 5MB. The same activation schedule is configured as in the Global Policy, with identical filter actions. As Jerome finishes the configuration changes, he makes a mental note that if Creative Services team members cause message delays and abuse their special privileges, he can always go into the Global Policy, click edit under the Availability and Status column and change the Override Property to Do not allow filter to be overwritten. This step applies the same 2MB limit to everyone.

Adding Disclaimers to Outbound Messages

Note: This filter uses a Disclaimer Manager filter.

AndyTech’s R&D department is currently working on a state-of-the-art e-commerce software system, code-named “Nivlac”, that will revolutionize the Internet book retailing business. Upon the advice of the company’s legal counsel, Jerome decides to append disclaimers to all email messages from employees working on the project to protect AndyTech’s intellectual property.

Defining the Address Lists

Jerome creates three text files containing the email addresses of all product managers, QA engineers and developers working on the project and imports them to create three address groups.

FIGURE 10-9. User-Defined Address Groups


Creating the Sub-Policy

Jerome then creates a sub-policy called Nivlac Disclaimer and configures the route as below:

FIGURE 10-10. Configuring the Route for the “Nivlac Disclaimer”

He chooses to add a Disclaimer Manager filter that appends a legal disclaimer at the beginning of all messages:

FIGURE 10-11. Configuring the Disclaimer Manager Filter

Since Jerome does not want this filter to interrupt the mail flow, he chooses to deliver the message.


Archiving Messages

Note: This filter uses a General Content Filter and a user-defined archive filter action.

One morning Jerome checks his email to find a request from the HR department to archive all email messages from a list of employees who are being monitored for possible disciplinary action. Later on, he gets a call from AndyTech’s CFO, John Howard, who requests that all of his email messages be archived to comply with SEC regulations.

Defining an Archive Filter Action

While InterScan MSS does not include default archive actions, they can be configured. Jerome chooses Policy Manager > Policy Manager > Filter Action and calls the new action Archive. He chooses to create an Archive action, configures the directory where he wants the messages kept and opts to Archive without changes.

Defining the Address Group

From the list of employees that HR wants monitored, Jerome creates an address group called The Watched, importing their email addresses from a text file.

Creating the Sub-Policy

The sub-policy is named Archive Messages and the route is set as follows:

FIGURE 10-12. Configuring the Route for the Archive Messages Sub-Policy

Jerome then creates a General Content Filter that triggers on all messages greater than 0 KB (which essentially means all messages). After clicking Next, he configures the Archive filter action to be performed when the filter is triggered.


Blocking Communication With Troublemakers

Note: This filter uses a General Content Filter and user-defined “delete” and “notification” filter actions.

Three months ago, the then vice-president of logistics, Daniel Manning, left AndyTech to start a competing Internet-based book retailer called DanielTech. Jerome has discovered that he has maintained close communication with his old colleagues and is now trying to hire AndyTech’s key employees for his new firm. AndyTech’s CEO instructs Jerome to stop all email traffic between the two companies and notify him of all communication. For this illustration, only outbound messages to DanielTech are considered.

Creating the Filter Actions

Jerome wants to:
1. Delete the message (Action)
2. Notify AndyTech’s CEO (Notification)
3. Notify the sender that communication with a competitor may lead to possible disciplinary action (Notification)


The notification that is sent to the CEO is configured as below:

FIGURE 10-13. Sending Notification When Filter is Triggered


The notification that is sent to the message sender is configured as below:

FIGURE 10-14. Sending Notification to Message Sender

Creating the Sub-Policy

Jerome creates a sub-policy called Block Daniel and configures the route as all messages traveling to and from *@DanielTech.com.

FIGURE 10-15. Configuring the Route for the Block Daniel Sub-Policy

He adds a General Content Filter and configures it to trigger on all messages greater than 0 KB. When the filter is triggered, he sets the filter action to Email to DanielTech.


Conclusion

While Jerome’s original goal when purchasing InterScan MSS was to protect the SMTP gateway against viruses, he found that its content management filters provided solutions to many content-related problems. The software allowed him to ensure that AndyTech’s messaging system would only be used for productive purposes. While viruses used to be his main security concern, InterScan MSS took care of that problem and allowed him to concentrate on more value-added work. In addition, AndyTech employees were able to work without being interrupted by frivolous non-work-related messages, and management now had a mechanism to enforce the company’s email policies.

Case Study #2

Sometimes, a user may want to separate notification messages based on whether the messages are inbound or outbound. This section describes how you can configure InterScan MSS to separate notification messages.

Separating Message Notifications

By default, the route of the Incoming policy matches all messages from * to anyone with your company’s domain (*@company, and *@*.company). For the Outgoing policy, the route is from anyone with your company’s domain to *. To use separate, dedicated notification messages for the Incoming and Outgoing policies, configure separate filters with dedicated filter actions for the two policies. To do this, disable all of the Global policy’s filters or de-activate all of the filters inherited from the Global policy. You need to do this because inherited filters use the same filter action, rather than a dedicated filter action.
For example, for virus scanning, to have different notification messages for the Virus detected but successfully cleaned outcome and also deliver the message to the original recipient, do the following:
1. Create a filter action called Incoming mail with cleaned virus. In this filter action, add a notification-by-email action item with the desired message.
2. Create a second filter action called Outgoing mail with cleaned virus. In this filter action, add a notification-by-email action item with the desired message.
3. Create the following virus filters in the Incoming and Outgoing policies:
• For the Incoming policy’s Virus Filter, choose the Incoming mail with cleaned virus action for the Virus detected but successfully cleaned outcome.
• For the Outgoing policy’s Virus Filter, choose the Outgoing mail with cleaned virus action for the Virus detected but successfully cleaned outcome.
Now, infected but cleaned messages are delivered to the original recipient, and InterScan MSS generates separate notification messages for incoming and outgoing messages.

Note: Each policy can only have one active Virus Filter, and the sub-policy’s Virus Filter will overrule the inherited virus filter. This means that the inherited virus filter is ignored. eManager filters, however, will not exhibit this behavior.

Appendix A Reference Information

This appendix contains reference information about InterScan MSS™, including:
• Default directory locations used during mail processing
• Using InterScan MSS’s built-in tokens for additional information in notification messages
• Technical information about how the installation program migrates previous InterScan VirusWall and InterScan eManager™ configuration settings
• A table showing the MIME content-type names used by common Windows email clients and two Web-based email providers

Default Directory Locations

InterScan MSS uses several directories to process messages, store log files, and quarantine messages. The default locations (in /opt/trend/imss/log) of these directories appear below.

eManager, Virus and Program Logs

Many modules in InterScan MSS write log information for troubleshooting purposes. The default location is:
/opt/trend/imss/log
For more information, see Log Maintenance starting on page 4-25.


Default Quarantine Area

There is one default quarantine area established after program installation. In addition, multiple quarantine directories can be defined in different locations:
/opt/trend/imss/queue/quarantine
To change the quarantine directory, see Using Quarantine Areas starting on page 5-13.

Temporary Directory

Most application-generated temporary files are stored in the following directory:
/tmp

Note: This directory is configurable.

Delivery Pickup Directory

The Quarantine Area has a feature called Deliver now. Messages selected for “deliver now” are moved to this directory. The InterScan MSS daemon has dedicated threads that pick up the messages in this directory and deliver them immediately.
/opt/trend/imss/queue/deliver

Note: This directory is configurable.

Scan Pickup Directory

Messages selected to be reprocessed from the Quarantine Area are placed in the pickup_scan directory for reprocessing. InterScan MSS has dedicated threads that pick up messages in this directory and place them in the scan queue. See Using Quarantine Areas starting on page 5-13 for more information:
/opt/trend/imss/queue/reprocess

Note: This directory is configurable.


Notification Pickup Directory

All notification messages are put into this directory. InterScan MSS has dedicated threads to pick up messages in this directory and deliver them to a specified SMTP notification server:
/opt/trend/imss/queue/notify
This server can be configured in the Configuration > General > Notification screen. See Management Console Password starting on page 4-26 for more information.

Note: This directory is configurable.

Using Tokens in Notification Messages

Notification Message Tokens

The following tokens can be used in notifications to provide more information about the event that triggered the notification:
• %SENDER%: Message sender
• %RCPTS%: Message recipients
• %SUBJECT%: Message subject
• %DATE&TIME%: Date and time of the incident
• %MAILID%: Mail ID
• %RULENAME%: Name of the policy that contained the triggered filter
• %FILTERNAME%: The type of filter (Antivirus Filter, Advanced Content Filter, Message Size Filter, etc.)
• %TASKNAME%: The name of the filter that the user entered during filter creation
• %GLOBALACTION%: Current action to be taken
• %DETECTED%: Current filter scan result in other task
• %QUARANTINE_PATH%: Quarantine path (if a quarantine action was performed)
• %QUARANTINE_NAME%: Quarantine name (if a quarantine action was performed)
• %QUARANTINE_AREA%: Quarantine area (if a quarantine action was performed)
• %ADDINFO%: Additional information from the filter (currently used when the result of the Antivirus Filter is uncertain)
• %CLSNAME%: Name of the current filter action
• %DEF_CHARSET%: Default character set of the notification message

Sample Message Using Tokens

For example, suppose the following notification message was configured:
The “%FILTERNAME%” filter defined in InterScan MSS has detected the following message using its “%RULENAME%” rule. The message’s ID is %MAILID%. The following information describes the message that may contravene your company’s policy:
Message sender: %SENDER%
Message recipients: %RCPTS%
Message subject: “%SUBJECT%”
Incident time: %DATE&TIME%
Per the configuration of your filter’s action, this message can be reviewed in the “%QUARANTINE_NAME%” quarantine area.
A sample notification message in response to a virus event might appear as below:
The “Detect Script Viruses” filter defined in InterScan MSS has detected the following message using its “Catch LOVELETTER” rule. The message’s ID is 12345-12345-12345-12345. The following information describes the message that may contravene your company’s policy:
Message sender: [email protected]
Message recipients: [email protected]
Message subject: “Check out the attached Loveletter coming from me”
Incident time: 10-30-2001, 6:15 PM
Per the configuration of your filter’s action, this message can be reviewed in the “VirusArea1” quarantine area.

Virus Filter Tokens

The following tokens can be used in messages that are inserted into the body of infected email messages:
• %FILENAME%: Filename of the attached file (“noname” when the file name cannot be determined)
• %VIRUSNAME%: List of all viruses found
• %ACTION%: “Pass”, “clean”, “remove”, or another action defined by the process
• %MAXENTITYCOUNT%: String that shows the maximum number of entities that will be scanned, e.g. “20”. This is configurable on the Configuration > Security > Settings screen.

Sample Message Using Tokens

For example, suppose you configured the following message to insert inside an infected message:
A file that was attached to this message, %FILENAME%, was found to be infected with the “%VIRUSNAME%” computer virus. InterScan MSS has taken the following action against the message: %ACTION%.
In the event a virus was detected, the text that would be inserted into the body of the email message would appear as follows:
A file that was attached to this message, resume.doc, was found to be infected with the “W97M_MARKER” computer virus. InterScan MSS has taken the following action against the message: CLEAN.
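Token expansion for both the notification-message tokens and the virus-filter tokens above, as an added Python example; this is not InterScan MSS code, and the product’s own renderer may treat unknown tokens differently. The template, the incident values and the choice to leave an unrecognised token literal (so a misspelt token is visible in the delivered notification) are constructed for the illustration; the token names are the ones listed in this appendix.

```python
"""Expand notification tokens such as %SENDER% and %DATE&TIME%.

Added example, not InterScan MSS code: it substitutes the token names
listed in Appendix A into a notification template from a dictionary of
incident details. The template text and event values are constructed.
"""
import re

# Token names are upper-case and may contain '_' or '&' (e.g. %DATE&TIME%).
TOKEN_RE = re.compile(r"%([A-Z][A-Z_&]*)%")

# Constructed notification template, following the sample in the guide.
TEMPLATE = (
    'The "%FILTERNAME%" filter defined in InterScan MSS has detected the '
    'following message using its "%RULENAME%" rule. The message\'s ID is '
    '%MAILID%.\n'
    'Message sender: %SENDER%\n'
    'Message recipients: %RCPTS%\n'
    'Message subject: "%SUBJECT%"\n'
    'Incident time: %DATE&TIME%\n'
    'This message can be reviewed in the "%QUARANTINE_NAME%" quarantine area.\n'
)

# Constructed template for the text inserted into an infected message.
VIRUS_TEMPLATE = (
    "A file that was attached to this message, %FILENAME%, was found to be "
    'infected with the "%VIRUSNAME%" computer virus. InterScan MSS has taken '
    "the following action against the message: %ACTION%."
)


def render_notification(template, event):
    """Replace each %TOKEN% with event[TOKEN].

    Lists (several recipients, several virus names) are joined with ', '.
    A token with no entry in `event` is left as written, so a misspelt
    token shows up verbatim instead of silently vanishing.
    """
    def substitute(match):
        name = match.group(1)
        if name not in event:
            return match.group(0)
        value = event[name]
        if isinstance(value, (list, tuple)):
            return ", ".join(str(v) for v in value)
        return str(value)
    return TOKEN_RE.sub(substitute, template)


# Constructed incident details for the illustration.
SAMPLE_EVENT = {
    "FILTERNAME": "Detect Script Viruses",
    "RULENAME": "Catch LOVELETTER",
    "MAILID": "12345-12345-12345-12345",
    "SENDER": "[email protected]",
    "RCPTS": ["[email protected]", "[email protected]"],
    "SUBJECT": "Check out the attached Loveletter coming from me",
    "DATE&TIME": "10-30-2001, 6:15 PM",
    "QUARANTINE_NAME": "VirusArea1",
}
SAMPLE_VIRUS_EVENT = {
    "FILENAME": "resume.doc",
    "VIRUSNAME": ["W97M_MARKER"],
    "ACTION": "CLEAN",
}

if __name__ == "__main__":
    print(render_notification(TEMPLATE, SAMPLE_EVENT))
    print(render_notification(VIRUS_TEMPLATE, SAMPLE_VIRUS_EVENT))
```

Sender, subject and recipient values are copied from the triggering message, so anything rendered from them is untrusted text; keep notification bodies plain text and do not treat a rendered subject line as safe for HTML or shell contexts.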

How Policies are Matched

If the addresses of a message match more than one route, the priority of the routes is calculated to determine which policy is applied to the message, i.e., the one with the highest route priority. If two routes at the same level have the same priority, the one that has the highest position in the policy hierarchy is applied. For more information about how priority is calculated, see Priority Rules starting on page A-6. InterScan MSS uses a breadth-first search to traverse the policy tree in level order, one level at a time. It first chooses the best match on the top level and then continues searching that policy’s child level (if any) until no route is matched or a “leaf” is found.


Priority Rules

There are two basic rules:
1. A fully qualified address, e.g., [email protected], has the highest priority and a fully wildcarded address, e.g., *, has the lowest priority.
2. The number of qualified terms that an address contains increases the priority.
In addition, the significance of the domain versus the name, and the sender versus the receiver, is evaluated based on the following rules:
a. An email address’ domain part is more significant than the name part.
b. Both sender and receiver addresses are of equal importance.
When messages are analyzed, every email address is assigned a weight. Every sender and recipient pair, i.e., a “route”, is also given a weight by adding the weights of the sender and receiver addresses. The following table lists the six types of email addresses and their corresponding weights:

    Name part          Domain part        Weight      Example
1   Fully wildcarded (name and domain)    0           *@*, *
2   Qualified          Fully wildcarded   1000        user@*
3   Wildcarded         Wildcarded         2000 + #Q   *@*.uk, *@*.co.uk, *@*.domain.co.uk
4   Qualified          Wildcarded         3000 + #Q   joy@*.uk, joy@*.co.uk, joy@*.domain.co.uk
5   Wildcarded         Fully qualified    4000        *@domain.co.uk
6   Fully qualified (name and domain)     5000        [email protected]

#Q: the number of qualified terms in the domain part.

Table A-1. Calculating Weights for Email Addresses

Consider the following examples:
1. The route (From: *@trendmicro.com, To: *@*) has precedence over (From: joy@*.com, To: *@*). When the recipient is the same, the weight of *@trendmicro.com is higher than joy@*.com because the domain is more significant than the name.
2. The incoming route (From: *@*, To: *@trendmicro.com) has the same precedence as the outgoing route (From: *@trendmicro.com, To: *@*) because the sender and receiver addresses are of equal importance.
3. The route (From: *@trendmicro.com, To: *@*.com) has precedence over (From: [email protected], To: joy@*). This is because the weight of the sender and receiver pair of the former route is (4000, 2001), but the latter is (5000, 1000).
4. The route (From: *@*.co.uk, To: *@*.co.uk) has precedence over (From: *@*.domain.co.uk, To: *@*). This is because the weight of the sender and receiver pair of the former route is (2002, 2002), but the latter’s is (2003, 0).

MIME Content-types Used by Email Clients

Windows Clients

Outlook Express 6 Netscape Mail 6.1 Eudora 5.1

Jpeg/Jpg Application/octet-stream Image/jpeg

Gif Image/gif

Bmp Image/bmp Application/octet-stream

Tif/Tiff Image/tiff

Wav Audio/wav Audio/microsoft-wave

Mp3 Audio/mpeg Audio/x-mpeg Audio/mpeg

Midi Audio/mid

Mpeg Video/mpeg

Avi Video/x-msvideo Video/avi

Asf Video/x-ms-asf Application/octet-stream

Wmv Video/x-ms-wmv

Quicktime Video/quicktime

Rtf Application/msword Application/rtf

Pdf Application/pdf

Zip Application/x-zip-compressed Application/zip


Msword Application/msword

Msexcel Application/vnd.ms-excel Application/octet-stream

Mspowerpoint Application/vnd.ms-powerpoint Application/octet-stream

Table A-2. MIME Content Types by Email Clients

Web-Based Email Providers

MSN Hotmail Yahoo Mail

Jpeg/Jpg Image/pjpeg

Gif Image/gif

Bmp Image/bmp

Tif/Tiff Application/octet-stream Image/tiff

Wav Audio/wav

Mp3 Audio/x-mpeg

Midi Audio/mid

Mpeg Video/mpeg

Avi Video/avi

Asf Video/x-ms-asf

Wmv Video/x-ms-wmv

Quicktime Video/quicktime

Rtf text/richtext

Pdf Application/pdf

Zip Application/x-zip-compressed

Msword Application/msword

Msexcel Application/vnd.ms-excel

Mspowerpoint Application/vnd.ms-powerpoint

Table A-3. MIME Content Types by Web-based Email Providers

Appendix B Outbreak Prevention Services

This appendix contains introductory information about the Trend Micro™ Outbreak Prevention Services, a component of Outbreak Commander™. Outbreak Commander addresses the entire Outbreak Management Lifecycle, and Outbreak Prevention Services are the first stage of the process that receives event-triggered notifications and deploys policy recommendations. Outbreak Prevention Services are enabled within InterScan MSS™. But, to deploy Outbreak Prevention Policy to InterScan MSS, you must install Trend Micro™ Control Manager™ 2.5 or later.

Note: For more information on Outbreak Prevention Services, Outbreak Commander, and Control Manager, see the Trend Micro Control Manager Getting Started Guide.

Why are Outbreak Prevention Services important for providing comprehensive virus protection? There is typically a lag between identifying a computer virus that has the potential to create an outbreak and having its binary pattern added to the virus pattern file that your software uses to detect viruses. Outbreak Prevention Services help close this window of opportunity by using eManager™ filters in InterScan MSS to identify virus characteristics before the new pattern is available for release. By using the content policy management capabilities in Outbreak Commander to deploy new virus filtering rules during outbreaks, Outbreak Prevention Services reduce your network’s vulnerability to email-borne viruses and provide security during the time the virus pattern is being developed, released, and deployed.

Benefits of Outbreak Prevention Services

The key benefit of Outbreak Prevention Services is that, while the virus pattern file is being updated at TrendLabs™, it helps thwart the virus outbreak without impeding business productivity. The huge costs associated with a virus outbreak are diminished and the administrator does not have to frantically shut down a port, communicate instructions to multiple people in multiple areas, etc. The crisis associated with an outbreak is successfully managed because Outbreak Prevention Services guide administrators at the time they need it the most. By stopping viruses at the SMTP gateway, Outbreak Prevention Services:
• Help protect against new viruses before a pattern file is released.
• Reduce calls to the IT help desk from anxious employees wondering if the suspicious message they just received is a virus.
• Help minimize any associated cleanup efforts caused by the outbreak.
Outbreak Prevention Services, when managed through Control Manager, are released faster than the pattern file is developed. Control Manager checks TrendLabs for Outbreak Prevention Services policy updates at a user-defined interval. When there is a high-priority alert, TrendLabs makes the outbreak policy update available for download. Using Outbreak Commander, the policy is downloaded and can be reviewed by the administrator before being deployed to InterScan MSS and other Outbreak Prevention Services-enabled products. For more information on Control Manager and Outbreak Prevention Services, see the Trend Micro Control Manager Getting Started Guide.

Appendix C Data Backup and Replication

InterScan MSS can be installed in any directory. But, to complete a replication with Trend Micro™ Control Manager™, the source and destination server must be installed in the same directory (for example, /opt/trend). The replication process replicates the policy database and the imss.ini file, but the following machine-specific settings on the target machine are retained:
For the policy database:
• eManager Serial Number: xxxx-xxxx-xxxx-xxxx-xxxx
• SPAM database file path: /opt/trend/imss/lib/TM_AntiSPam.568, /opt/trend/imss/lib/TM_Trend$SE.184


For imss.ini:
Each machine has its own IP address:
• smtp_allow_client_ip=127.0.0.1, x.x.x.x
Each machine has its own pattern file, scan engine, and spam database, as well as their update dates:
[Update]
PatternVersion=
EngineVersion=
SPAMDBVersion=
UpdatePatternDate=
UpdateEngineDate=
UpdateSPAMDBDate=

Appendix D Advanced Settings

This appendix discusses the major settings in the .ini file. Many of the parameter descriptions include Trend Micro recommended settings. Unless otherwise directed by technical support, we recommend that you do not change them.

Process Settings

The processes below are the ones that are activated immediately after the InterScan MSS daemon is started.

Pre-spawned Child Processes
proc_pre_spawn=10
This setting is activated once the InterScan MSS daemon is started. The default is 10 child processes. This setting cannot create or spawn more than 1024 processes.

Maximum Child Processes
proc_max_proc=300
This setting is the maximum number of child processes that can be created. The default is 300 child processes. This setting cannot create or spawn more than 1024 processes.


Minimum Child Processes
proc_min_proc=10
This setting is the minimum number of child processes that are spawned at a time. The default is 10 child processes. This setting cannot create or spawn more than 1024 processes.

Child Process Regeneration
proc_max_reqs=1000
With this setting, after the default value of 1,000 requests, the current child process is killed and regenerated. If you set the value to 0, this feature is turned off.

Busy Rate
proc_avarage_max=80
proc_avarage_min=70
The parent process attempts to keep the child-process busy rate between proc_avarage_max (default is 80 percent) and proc_avarage_min (default is 70 percent) by spawning new child processes when the busy rate is greater than 80 and reducing child processes when the busy rate is less than 70.

Increase Rate
proc_inc_rate=20
The parent process increases the number of child processes by the default value (20 percent). For example, if the current number of child processes is 10, by default, 2 child processes are created. The maximum number of child processes the parent can create at a time is 10.

Process Control Interval
proc_ctrl_interval=3
With this setting, the parent process monitors the system three times. If at the third monitoring the resource demands are still high, additional child processes are spawned. That is, the parent takes action only after proc_ctrl_interval monitoring passes. This setting keeps the system from creating child processes too quickly.


Parent Process Maintain Interval
proc_main_interval=1
This setting determines the interval between the monitoring passes mentioned in the previous setting description. That is, the parent process sleeps proc_main_interval seconds before each maintenance job. The default is one second.

SysMonitor

NotificationInterval=30
If the service stops for a specified number of minutes, the System Monitor can be configured to send an email notification. This parameter sets the interval at which InterScan MSS sends the notification. The notification units are minutes.

Hidden Parameters

EMail Scan

BypassMessagePartial
This parameter enables or disables the bypassing of chunked messages (Content-type: message/partial).
• BypassMessagePartial=yes: the partial mail will be delivered.
• BypassMessagePartial=no: the partial mail will be quarantined.
The default setting is yes.

#debug=off
This setting enables you to debug the daemon from the .ini file. The default setting is “off” and the setting is not available when InterScan MSS first runs. You can turn it on by changing the value to “on” and restarting the daemon.


Since all of the underlying modules also dump their debug information into this application log file, this change quickly increases the size of your application log. This increase can range from about 10 to 100 times.

Appendix E

AMON™ Setup for InterScan™ MSS

InterScan MSS provides virus and content scanning capabilities for inbound and outbound mail to the network environment. By integrating with the Check Point™ environment through AMON (Application Monitoring API) in OPSEC™ (the OPen Platform for Security), InterScan MSS reports scanning statistics to the Check Point System Status Viewer, such as the number of viruses found, total viruses cleaned, percentage cleaned, messages processed, and messages processed per minute. AMON enables network applications to report their status to the Check Point Management server. Status information is available through the Check Point Status Monitoring application.

For additional information on Check Point and OPSEC, see: http://www.checkpoint.com/index.html

For additional information on AMON, see: http://www.opsec.com/intro/sdkds.html#amon

Overview

The topology of the AMON server and AMON client is that the AMON server waits for the AMON client’s request, produces replies, and sends them back to their initiator.


InterScan MSS provides a stand-alone AMON server program, amon_server. A process started by a cron job runs on the AMON server side; it collects the information the AMON server needs from the system and virus log files.

AMON Installation

AMON is an optional package that is installed during the standard InterScan MSS installation process if you plan to use AMON. You are prompted as follows:

Do you want to install the AMON support? [y/n]

If you plan to use AMON, type Y in response to this prompt. The AMON package is installed into the .../imss/opsec/ directory. When the AMON portion of the installation is complete, the following message displays:

Installation of was successful. See Appendix E of the Getting Started Guide for detailed configuration information. To start the AMON daemon, run the INSTALL_PATH/S99AMON script manually after configuring the necessary parameters in INSTALL_PATH/amon.conf. Press Enter to continue ..... The AMON support was successfully installed.

Setting up the InterScan MSS AMON Application

Check Point™ Next Generation FireWall-1® and InterScan MSS do not have to be on the same machine, but they do have to be able to communicate.
1. To set up the InterScan MSS AMON application, get the following files from the AMON folder in the setup package:
• amon.conf: place this file in \imss\amon\bin.
• schema.txt: place this file in the same directory as amon_import.exe, the Check Point program located on the FW-1/VPN-1 management station in $FWDIR/bin, for example, c:\winnt\FW1\5.0\bin.
2. In the Check Point Policy Editor screen, create a new OPSEC™ application.


Check that the amon_import file is in the following default location: c:\winnt\FW1\5.0\bin.
3. Import InterScan MSS’s private schema file by running amon_import schema.txt. We recommend that you place schema.txt in the same directory as amon_import.
4. Restart the FireWall-1 service. After a successful import and restart, you should see the new default identifier, InterScan_MSS, when you click the AMON Options tab in the OPSEC Application Properties window.
5. Open the newly created OPSEC application object. Click the General tab. Enter the appropriate information in the fields at the top, select AMON under Server Entities, and click Communication.

Note: To make the AMON Options tab visible, you have to first select AMON under Server Entities.

6. In the OPSEC Application Properties screen, click the AMON Options tab. Using the Service pull-down menu, select the service. (The default service is FW1_amon, which is port 18193.) Using the AMON identifier pull-down menu, select InterScan_MSS. Click OK.

FIGURE E-1. OPSEC™ Application Properties Screen


7. In the Communication screen, enter an activation key in Activation Key, re-enter it in Confirm Activation Key, and click Initialize. (The activation key is the one used in opsec_pull_cert.)
8. Install your policy.
9. Obtain opsec_pull_cert.exe from the setup package’s amon folder and run it on the machine that has InterScan MSS. Running opsec_pull_cert.exe generates the p12 file. To establish “trust” for internal communication, run opsec_pull_cert -h (host) -n (amon_object) -p password, where host is the IP address of the machine with the FireWall-1 Next Generation management console, amon_object is the name of the newly created OPSEC application, and password is the password entered at initialization.
10. Return to the Communication screen and check that Trust established appears in the Trust state field.
11. Open the amon.conf file and make sure the opsec_sic_name is exactly the same as the DN of the OPSEC object you just created (ensure that the proper case and quotes are used). To avoid mistakes, we recommend that you cut and paste the DN into the amon.conf file. Quotes are required if the opsec_sic_name contains spaces. Improper case in an object name (for example, FW1object vs. FW1OBJECT) causes SIC failure.

Note: Make sure that you put the amon.conf file in \trend\imss\isntmtp, which is also the location for the amonmainexe.exe file.

12. In the amon.conf file, check that:
• The opsec_ssla_file points to the correct location of the opsec.p12 file. By default, the “sscla” authorization type is used.
• You are using the correct port number and IP address. By default, AMON uses port 18193. If you want to use a different port, you need to modify the service used by the OPSEC application. The amon_server IP should be that of the machine running InterScan MSS.
If you make any changes to the amon.conf file, restart the Trend Micro InterScan Messaging Security Suite for SMTP service.
13. Verify the status of this connection in the Check Point Status Manager screen. If the connection has been made, under Status you will see the application name (Trend Micro InterScan Messaging Security Suite for SMTP) with a green check mark and OK.

FIGURE E-2. Check Point™ Status Manager Screen

Verify That the AMON Server is Working

From the Check Point Status Manager Screen

To verify that the AMON server is working, open the Check Point Status Manager screen and send messages through InterScan MSS. If the AMON server is working, the counters listed in the Details frame will increment.

From the ps command on the AMON Server Side

You can also verify that the AMON server is working by using the ps command on the AMON server side: type “ps -elf | grep amon_server” on the console to see whether the AMON server is running.


Troubleshooting

If you are having problems, check that:
• The amon.conf file is correctly configured and is in the same directory as the amonmainexe.exe file.
• You have successfully imported the schema.txt file.
• Using the AMON identifier pull-down menu in the OPSEC Application Properties screen, you selected InterScan_MSS.
• You installed the policy.
• FireWall-1 can communicate with the machine on which InterScan MSS is installed.

InterScan MSS Data Model

For the data model, the same object ID (OID) tree is used for AMON and SNMP. The numbers below are the leaves of the OID tree. In amonmainexe.exe, two categories are provided:
• Performance monitor
• OPSEC-defined generic status fields

Performance Monitor Information

This InterScan MSS proprietary information is carried under the OID prefix 1.3.6.1.4.1.6101.35.1. The OID breaks down as:
• iso (1)
• org (3)
• dod (6)
• internet (1)
• private (4)
• enterprises (1)
• Trend Micro (6101)
• InterScan MSS Unix (35)
• AMON sub-tree (1)


For example, 1.3.6.1.4.1.6101.35.1.4 may be used for messages processed per minute. Detailed information is listed in the table below.

Counter Name                 OID  Value Type  Description
VirusesFound                 1    Integer     The total number of virus-infected files found since the program started.
MessageProcessed             2    Integer     The total number of messages that have been processed since the program was started.
TotalVirusesCleaned          3    Integer     The total number of virus-infected files that have been cleaned since the program was started.
MessagesProcessedPerMinute   4    Integer     The number of messages processed per minute since the program was started.
PercentageCleaned            5    Integer     The percentage of virus-infected files that were cleanable when the action on viruses is auto-clean.

Some Generic Status Fields Defined by OPSEC

These generic status fields show basic information about each product, such as the product name and program status. Their OID prefix is 1.3.6.1.4.1.2620.2.1.1. Detailed information is listed in the table below. For example, 1.3.6.1.4.1.2620.2.1.1.4 is the product name, InterScan MSS.


Value Name            OID  Type     OPSEC VT Type      Description
statusOK              1    Integer  OPSEC_VT_132BT     0 if the status of the application is OK; otherwise, non-zero.
statusDescription     2    String   OPSEC_VT_STRING    Text description of the status of the application.
opsecVendor           3    String   OPSEC_VT_STRING    Text description of the status of the application.
opsecProduct          4    String   OPSEC_VT_STRING    The product name.
opsecProductVersion   5    String   OPSEC_VT_STRING    The product version.
opsecSdkVersion       6    String   OPSEC_VT_STRING    The OPSEC SDK version.
opsecSdkBuildNumber   7    Integer  OPSEC_VT_U132BIT   OPSEC SDK build number.
opsecAppUpTime        8    Integer  OPSEC_VT_U132BIT   The number of the sessions when the content was safe.
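The two tables above define every leaf InterScan MSS exposes over AMON. The following added example (not Trend Micro or Check Point code) resolves names to full OIDs, validates an incoming OID against the two sub-trees, and derives the five performance counters from raw log counts; the prefixes, leaf numbers and value types come from the tables, while the formulas for PercentageCleaned and MessagesProcessedPerMinute are assumptions based on the counter descriptions.

```python
"""InterScan MSS AMON data-model helpers (added example, not product code)."""

IMSS_PREFIX = "1.3.6.1.4.1.6101.35.1"    # iso.org.dod.internet.private.enterprises.TrendMicro.IMSS-Unix.AMON
OPSEC_PREFIX = "1.3.6.1.4.1.2620.2.1.1"  # OPSEC-defined generic status fields

PERF_COUNTERS = {  # leaf -> (counter name, value type), from the performance-monitor table
    1: ("VirusesFound", "Integer"),
    2: ("MessageProcessed", "Integer"),
    3: ("TotalVirusesCleaned", "Integer"),
    4: ("MessagesProcessedPerMinute", "Integer"),
    5: ("PercentageCleaned", "Integer"),
}
STATUS_FIELDS = {  # leaf -> (value name, value type), from the generic status table
    1: ("statusOK", "Integer"),
    2: ("statusDescription", "String"),
    3: ("opsecVendor", "String"),
    4: ("opsecProduct", "String"),
    5: ("opsecProductVersion", "String"),
    6: ("opsecSdkVersion", "String"),
    7: ("opsecSdkBuildNumber", "Integer"),
    8: ("opsecAppUpTime", "Integer"),
}
TREES = (("imss", IMSS_PREFIX, PERF_COUNTERS), ("opsec", OPSEC_PREFIX, STATUS_FIELDS))


def oid_for(name):
    """Full dotted OID for a counter or status-field name."""
    for _, prefix, table in TREES:
        for leaf, (leaf_name, _) in table.items():
            if leaf_name == name:
                return f"{prefix}.{leaf}"
    raise KeyError(f"unknown AMON value name: {name}")


def describe_oid(oid):
    """Parse a dotted OID and return (tree, name, value type).
    Raises ValueError for malformed OIDs and for anything that is not a direct,
    defined leaf of one of the two prefixes."""
    parts = oid.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    for tree, prefix, table in TREES:
        prefix_parts = prefix.split(".")
        if parts[:len(prefix_parts)] == prefix_parts and len(parts) == len(prefix_parts) + 1:
            leaf = int(parts[-1])
            if leaf in table:
                return (tree,) + table[leaf]
    raise ValueError(f"OID not defined in the InterScan MSS AMON data model: {oid}")


def is_known_oid(oid):
    """True if describe_oid accepts the OID; useful for filtering a polled list."""
    try:
        describe_oid(oid)
        return True
    except ValueError:
        return False


def performance_values(viruses_found, messages_processed, viruses_cleaned, uptime_minutes):
    """Build {oid: value} for the performance-monitor sub-tree from raw log counts.

    Assumed formulas: PercentageCleaned = cleaned / found * 100 (0 when nothing was found);
    MessagesProcessedPerMinute = processed // uptime (0 before the first full minute)."""
    if min(viruses_found, messages_processed, viruses_cleaned, uptime_minutes) < 0:
        raise ValueError("counters must be non-negative")
    if viruses_cleaned > viruses_found:
        raise ValueError("cleaned count cannot exceed found count")
    per_minute = messages_processed // uptime_minutes if uptime_minutes > 0 else 0
    pct_cleaned = round(viruses_cleaned * 100 / viruses_found) if viruses_found else 0
    values = {
        "VirusesFound": viruses_found,
        "MessageProcessed": messages_processed,
        "TotalVirusesCleaned": viruses_cleaned,
        "MessagesProcessedPerMinute": per_minute,
        "PercentageCleaned": pct_cleaned,
    }
    return {oid_for(name): value for name, value in values.items()}
```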

Appendix F InterScan eManager™ Migration

This chapter explains how InterScan eManager settings are migrated from a previous installation of InterScan eManager to InterScan MSS™. There are two methods to migrate InterScan eManager 3.5x settings to InterScan MSS:
• During an InterScan MSS installation
• Using the InterScan eManager Migration Tool
After the migration is complete, the following InterScan eManager configuration files are backed up:
• contscan.ini
• Csconfig.dat
• spamrule.txt
• SFRule.txt
Backup copies of these files are located in the following directory in the InterScan MSS installation path: imss/lib


During an InterScan MSS Installation

At the end of an InterScan MSS installation, you are prompted to migrate previous InterScan eManager rules to InterScan MSS. To migrate your settings, enter y at the prompt and press Enter.

FIGURE F-1. InterScan eManager Migration During Installation

Using the InterScan MSS Migration Tool

InterScan eManager rules can be migrated to InterScan MSS by running the S99MIGRATION script, which is located in the following InterScan MSS directory: imss/script. To start the migration, invoke S99MIGRATION eManager3, or S99MIGRATION eManager3 -u to also remove the previous version. InterScan MSS starts to use the migrated rules after you click Apply Now and restart InterScan MSS and Postfix.

Policy View

InterScan eManager inbound rules are migrated to new filters under Incoming Policy, and outbound rules are migrated to new filters under Outgoing Policy. If the InterScan eManager rule is applied to both inbound and outbound policies, the rule is migrated to new filters under both Incoming and Outgoing Policy.


Filter-Specific Migration Information

Anti-Spam Filter

When InterScan eManager Spam rules are migrated to an InterScan MSS filter, the following naming convention is used for the filter that contains the rule’s definition:
[migrate prefix]_[rule prefix]_[old action name]_[old notification name]_[field name]_[index]
Where:
• migrate prefix=em35x
• rule prefix=spam
• action=Quarantine / Archive / Delete / Deliver
• notification name=the notification name that links to the old rule
• field name=To / Routing / From / ReplyTo / Cc / Subject / Filename / Image / Video / MIME / Size / Mixed
• index=00-99
If there are more than 100 keyword expressions, the migrated filter is split into multiple filters. Each of these split filters has a maximum of 100 keyword expressions. If the field name is Size or Mixed, it is added to the index string to avoid a naming conflict. Some examples are:
• em35x_spam_Archive_default_Image_00
• em35x_spam_Archive_default_Mixed_00
• em35x_spam_Archive_default_Size_00

Content Filter

During migration of InterScan eManager Content rule policies, one InterScan eManager content filter policy is migrated to one new Advanced Content filter in InterScan MSS. The following naming convention is used by InterScan MSS to store the rules’ parameters:
[migrate prefix]_[rule prefix]_[old policy name]_[index]
Where:
• migrate prefix=em35x
• rule prefix=cont
• policy name=old content filter policy name
• index=00-99
If there are more than 100 keyword expressions, the migrated filter is split into multiple filters. Each of these filters has at most 100 expressions. For example:
• em35x_cont_{policy name}_00

Specialized Filtering

Migrating attachment filter rules is like migrating Anti-spam filter rules, but simpler. The grouping rules are the same as for Anti-spam filter rules. Migrated rules are renamed using the following convention:
[migrate prefix]_[rule prefix]_[old action name]_[old notification name]_[field name]_[index]
Where:
• migrate prefix=em35x
• rule prefix=attm
• action=Quarantine / Archive / Delete / Deliver
• notification name=the notification name that links to the old rule
• field name=Filename / MIME
• index=00-99
If there are more than 100 keyword expressions, the migrated filter is split into multiple filters. Each of these filters has at most 100 keyword expressions. For example:
• em35x_attm_Delete_default_Filename_00
• em35x_attm_Archive_NotifyAdmin_Filename_00

Note: em35xMigrt.log, a log file that records the rules that were not migrated and the new names of the InterScan eManager rules that were migrated to InterScan MSS, is placed in the imss/lib directory of the InterScan MSS installation path.


InterScan eManager Migration Limitations

Messages in your InterScan eManager mail queues are not moved to the InterScan MSS mail queues. InterScan MSS filters have features that differ from InterScan eManager’s rules, so some InterScan eManager rules are not migrated. The filter-specific migration limitations are listed below:

Anti-spam Filter

• Rules with time restrictions are not migrated.
• Rules with settings in more than one of the following fields are not migrated:
  • To
  • Route
  • From
  • Reply-to
  • Cc
  • Subject
  • Size
  The only exception is the combination of Subject and Size.
• If the rule has a setting in the Attachment field, it can be combined with other fields only in the following forms, or it is not migrated:
  • Attachment only (a MIME content-type may be assigned, or the MIME content-type alone)
  • Attachment (no MIME content-type assigned) and Subject
  • Attachment (no MIME content-type assigned) and Size
  • Attachment (no MIME content-type assigned), Subject, and Size
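The naming conventions in the previous section and the anti-spam limitations just listed together decide what a rule becomes after migration. The following added example (not Trend Micro's S99MIGRATION tool) applies those limitations, builds the em35x filter names and splits keyword lists into filters of at most 100 expressions; the rule dictionary layout is an assumption, while the prefixes, field names, limits and index format are taken from this appendix.

```python
"""eManager 3.5x -> InterScan MSS migration naming and limitation check
(added example, not Trend Micro code; rule layout is assumed)."""

MIGRATE_PREFIX = "em35x"
RULE_PREFIX = {"spam": "spam", "attachment": "attm", "content": "cont"}
MAX_EXPRESSIONS = 100   # a migrated filter holds at most 100 keyword expressions
MAX_INDEX = 99          # the index runs 00-99

# Header-type fields (the limitations list spells them Route / Reply-to, the naming list Routing / ReplyTo).
HEADER_FIELDS = {"To", "Routing", "From", "ReplyTo", "Cc", "Subject", "Size"}
# Attachment-type fields; "MIME" means a MIME content-type is assigned to the attachment condition.
ATTACHMENT_FIELDS = {"Filename", "Image", "Video", "MIME"}


def spam_rule_migratable(rule):
    """Return (True, "") if an eManager anti-spam rule migrates, else (False, reason)."""
    if rule.get("time_restricted"):
        return False, "rules with time restrictions are not migrated"
    fields = set(rule["fields"])
    headers = fields & HEADER_FIELDS
    attachment = fields & ATTACHMENT_FIELDS
    if attachment:
        if not headers:
            return True, ""   # attachment alone; a MIME content-type is allowed here
        if "MIME" in attachment:
            return False, "a MIME content-type cannot be combined with other fields"
        if headers - {"Subject", "Size"}:
            return False, "attachment may only be combined with Subject and/or Size"
        return True, ""
    if len(headers) > 1 and headers != {"Subject", "Size"}:
        return False, "only one of To/Routing/From/ReplyTo/Cc/Subject/Size (or Subject with Size) is allowed"
    return True, ""


def migrated_filter_names(rule):
    """List of (filter name, expression count) a rule migrates to, one entry per 100-expression chunk."""
    kind = rule["kind"]
    if kind == "content":
        groups = {None: rule["expressions"]}   # one content policy -> one Advanced Content filter series
    else:
        groups = rule["fields"]               # one filter series per field of a spam/attachment rule
    names = []
    for field, expressions in groups.items():
        chunks = [expressions[i:i + MAX_EXPRESSIONS]
                  for i in range(0, len(expressions), MAX_EXPRESSIONS)] or [[]]
        if len(chunks) - 1 > MAX_INDEX:
            raise ValueError("more than 100 filters would be needed; the index only runs 00-99")
        for idx, chunk in enumerate(chunks):
            if kind == "content":
                name = f"{MIGRATE_PREFIX}_{RULE_PREFIX[kind]}_{rule['policy']}_{idx:02d}"
            else:
                name = (f"{MIGRATE_PREFIX}_{RULE_PREFIX[kind]}_{rule['action']}_"
                        f"{rule['notification']}_{field}_{idx:02d}")
            names.append((name, len(chunk)))
    return names


def migrate(rules):
    """Split rules into migrated filter names and skipped (rule name, reason) pairs,
    the two kinds of record the page says em35xMigrt.log contains."""
    migrated, skipped = [], []
    for rule in rules:
        ok, reason = spam_rule_migratable(rule) if rule["kind"] == "spam" else (True, "")
        if ok:
            migrated.extend(migrated_filter_names(rule))
        else:
            skipped.append((rule.get("name", "?"), reason))
    return migrated, skipped
```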


Content Filter

• Since default policies, such as Anti-Spam, the AOL top 10 Spam List, E-Greeting Card, etc., already exist in InterScan MSS, they are not migrated.
• If the InterScan eManager rule contains a keywords import file, the file is ignored.

Specialized Filtering

Rules that meet the following criteria are discarded:
• Under Attribute, the option EXCLUDE: Apply the rule when a message matches the following conditions is selected.
• Under Condition, one of the fields is not empty.

Appendix G Understanding InterScan MSS Daemons

This appendix discusses InterScan MSS daemons. You can configure multiple daemons on the same machine. Graphics are provided on the following topics:
• InterScan MSS relationship diagram, which illustrates the relationship between the scanning daemon, the regserver daemon, the system monitor, the UI aphost, Trend Micro Infrastructure (TMI), and CCGI
• InterScan MSS scanning daemon overview
• InterScan MSS scanning data flow


InterScan MSS Daemon Relationships

[Figure G-1 diagram: a Web Browser accesses the APACHE Server + TOMCAT Server + Trend CCGI (Common CGI), which read and write Eman_db.xml; RegServer gets and sets policies over the Trend TMI secured channel; Trend TMI, the SystemMonitor Watchdog Daemon and the UI Aphost Daemon sit beside the IMSS Scan Daemon Parent (monitor, manage, UI related) and the IMSS Scan Daemon Child (scan daemon).]

FIGURE G-1. Daemon Relationships

Figure G-1 maps the relationship between the daemons that are associated with InterScan MSS.


Web Interface-Related Daemons

The area within the dotted lines at the top right of the figure contains three daemons that are part of the installation package:
• APACHE server
• TOMCAT server
• Trend CCGI
The Trend TMI helps the UI communicate with the Web server and ensures that this channel is secure. The following is the process list for the UI:
root 9061 1 0 Nov 06 ? 0:37 /opt/trend/imss/bin/aphost
root 8819 1 0 Nov 06 pts/18 0:00 /opt/trend/imss/TMI/CM
root 8866 8819 0 Nov 06 pts/18 0:00 /opt/trend/imss/TMI/LWDMServer
root 8822 8819 0 Nov 06 pts/18 0:09 mrf
imss 8998 8988 0 Nov 06 ? 0:01 /opt/trend/imss/common/apache/bin/httpd -d /opt/trend/imss/common/apache -DSSL
imss 18067 8988 0 Nov 12 ? 0:01 /opt/trend/imss/common/apache/bin/httpd -d /opt/trend/imss/common/apache -DSSL
imss 3133 8988 0 Nov 07 ? 0:01 /opt/trend/imss/common/apache/bin/httpd -d /opt/trend/imss/common/apache -DSSL
imss 3129 8988 0 Nov 07 ? 0:01 /opt/trend/imss/common/apache/bin/httpd -d /opt/trend/imss/common/apache -DSSL
imss 8988 1 0 Nov 06 ? 0:00 /opt/trend/imss/common/apache/bin/httpd -d /opt/trend/imss/common/apache -DSSL
imss 8997 8988 0 Nov 06 ? 0:01 /opt/trend/imss/common/apache/bin/httpd -d /opt/trend/imss/common/apache -DSSL
imss 8893 1 0 Nov 06 pts/18 0:33 /opt/trend/imss/common/jre/bin/../bin/sparc/native_threads/java -Dtomcat.home=/


Scanning Daemon

The following figure is a detailed view of the scanning daemon.

[Figure G-2 diagram: protocol data (SMTP, POP3) enters the Retrieve Process (root); the Parent Process (root) manages and monitors the Child Processes (IMSS), which retrieve policy from RegServer, split emails by policy, quarantine contaminated emails, and generate notification, archive and postpone mail; one SMTP mail goes to the downstream MTA (Postfix). Queue directories: /opt/trend/imss/queue/deliver, /opt/trend/imss/queue/notify, /opt/trend/imss/queue/postpone, /opt/trend/imss/queue/quarantine; the daemon connects to the downstream MTA/notification mail server for delivery.]

FIGURE G-2. Scanning Daemon Overview

This daemon is responsible for SMTP and POP3 content scanning.
• imss 29293 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29296 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29294 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29299 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29300 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29295 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• root 29292 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29302 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• root 29291 1 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29297 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29301 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
• imss 29298 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
The parent process (29291) runs as root. The first child process (29292) also runs as root; it is responsible for delivering extra messages, such as notification messages, split messages, and postpone messages. The other child processes (29293 – 29302) run as the low-privilege user “imss” for security reasons.
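The process listing above is the documented privilege split: one root parent, one root delivery child, and every scanning child running as “imss”. The following added example (not Trend Micro code) parses a listing in the same simplified ps column layout the page uses and reports any deviation from that layout, which is the check an operator would run after an upgrade or a configuration change; the sample listing is constructed from the PIDs shown on the page.

```python
"""Verify the imssd privilege split from ps output (added example, not product code)."""

DAEMON = "/opt/trend/imss/bin/imssd"
LOW_PRIV_USER = "imss"

# Constructed sample in the page's layout: USER PID PPID C STIME TTY TIME CMD [ARGS].
# STIME may be one token (12:25:34) or two (Nov 12), so the parser locates CMD by its leading "/".
SAMPLE_PS = """\
imss 29293 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29296 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29294 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29299 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29300 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29295 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
root 29292 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29302 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
root 29291 1 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29297 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29301 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
imss 29298 29291 0 12:25:34 ? 0:00 /opt/trend/imss/bin/imssd
root 16614 1 0 Nov 12 ? 0:29 /opt/trend/imss/bin/regserver /opt/trend/imss/config/imss.ini
"""


def parse_ps(text):
    """Parse lines in the page's layout into dicts with user, pid, ppid, cmd and args."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue   # header line or something that is not a process record
        cmd_start = next((i for i, f in enumerate(fields) if f.startswith("/")), None)
        if cmd_start is None:
            continue
        procs.append({"user": fields[0], "pid": int(fields[1]), "ppid": int(fields[2]),
                      "cmd": fields[cmd_start], "args": fields[cmd_start + 1:]})
    return procs


def check_privilege_split(procs, daemon=DAEMON, low_user=LOW_PRIV_USER):
    """Return a list of findings; an empty list means the tree matches the documented layout."""
    findings = []
    tree = [p for p in procs if p["cmd"] == daemon]
    if not tree:
        return [f"no {daemon} processes found"]
    parents = [p for p in tree if p["ppid"] == 1]
    if len(parents) != 1:
        return [f"expected one {daemon} parent with PPID 1, found {len(parents)}"]
    parent = parents[0]
    if parent["user"] != "root":
        findings.append(f"parent {parent['pid']} runs as {parent['user']}, expected root")
    children = [p for p in tree if p["ppid"] == parent["pid"]]
    root_children = [p["pid"] for p in children if p["user"] == "root"]
    if len(root_children) != 1:
        findings.append(f"expected exactly one root child (delivery helper), found {root_children}")
    for p in children:
        if p["user"] not in ("root", low_user):
            findings.append(f"child {p['pid']} runs as unexpected user {p['user']}")
    if not any(p["user"] == low_user for p in children):
        findings.append(f"no child runs as the low-privilege user {low_user}")
    return findings


def summarize(procs, daemon=DAEMON):
    """Count daemon processes per user, e.g. {'root': 2, 'imss': 10} for the listing on the page."""
    counts = {}
    for p in procs:
        if p["cmd"] == daemon:
            counts[p["user"]] = counts.get(p["user"], 0) + 1
    return counts
```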

Regserver Daemon

This daemon keeps the policies. There is only one process associated with this daemon, and it can read and write the XML file shown in the illustration above.
• root 16614 1 0 Nov 12 ? 0:29 /opt/trend/imss/bin/regserver /opt/trend/imss/config/imss.ini

System Monitor Watchdog Daemon

This daemon monitors the UI, the aphost daemon, and other system resources.
• root 5911 1 0 18:43:35 ? 0:00 /opt/trend/imss/bin/imsssysmon


Content Scanning Flow Chart

[Figure G-3 diagram: protocol data (SMTP, POP3) enters at the Socket Level and passes to the Protocol Handler (SMTP, POP3), which saves the content to a temporary system file before scanning; the Adapter Interface to Modules hands it to the Scan Module, Message Module (MIME message parsing, temporary folder), CLM and Policy Module; logs are written, and emails are created in or moved to the queue directories if necessary.]

FIGURE G-3. Content Scanning Data Flow

This figure illustrates the flow that messages take as they are scanned.
1. At the socket level, protocol data is received by InterScan MSS.
2. The SMTP and POP3 proxies receive this data.
3. The data content is temporarily saved before it is scanned.
4. The content is passed to the scanning module. Here, the Policy and Message modules apply the relevant policies and scan the contents.
5. The content is then passed back through the adapter interface to the modules, up through the Protocol Handler and on to the Socket Level, where it is sent to the recipient.

Appendix H Modifying Your XML File

WARNING! Backup the XML file before you attempt to modify it.

To manually modify your XML file:
1. Use the S99ISIMSS script to shut down the InterScan MSS daemon, aphost, and the other daemons that use the regserver.
2. Back up the original XML file. You only need to back up the .xml file, not the .bak or .redo files.
3. There are several alternatives:
a. Use the command line tool provided by Trend Micro to modify the XML file contents. Check the manpage for more information on the command line tool.
b. Use a conversion tool (possibly a third-party tool) to convert the XML file to a text format you are familiar with. You can then modify the text file and convert it back to XML.
4. Use the S99ISIMSS script to start the regserver daemon. (This script is found in the InterScan MSS installation directory.)

Appendix I Uninstalling Postfix

If, during the installation, you installed Postfix but would now like to remove it from your system, this appendix shows you how to do this.

WARNING! This is not an officially recommended procedure.

postfix stop
rm -rf /usr/libexec/postfix
rm -rf /etc/postfix
rm /usr/sbin/post*
mv /usr/lib/sendmail.OFF /usr/lib/sendmail

Appendix J Error Codes

The following is a list of the error codes that can occur during the CCGI installation:

Error Code  Platform           Message
0           Solaris and Linux  Successful execution.
103         Solaris and Linux  Failed to install CCGI.
104         Solaris and Linux  Administrator rights are needed to perform this installation.
106         Solaris and Linux  Administrator rights are needed to perform this uninstallation.
107         Solaris and Linux  Insufficient disk space.
121         Solaris            Some patches must be installed before this installation.
148         Solaris and Linux  Uninstallation has been cancelled.
149         Solaris and Linux  Insufficient arguments.
151         Solaris and Linux  Could not read the specified configuration file.
152         Solaris and Linux  The configuration file is not well-formed.
153         Solaris and Linux  Bound to ports less than 1024; the CCGI service must run as root.
154         Solaris and Linux  Invalid options.
201         Solaris and Linux  Could not create the installation target directory.
202         Solaris and Linux  Could not extract CCGI files.
203         Solaris and Linux  Could not add group.
204         Solaris and Linux  Could not add user.
205         Solaris and Linux  Could not add user to this group.
206         Solaris and Linux  Could not install under directory / or /usr.
221         Solaris and Linux  Failed to finish configuration.
249         Solaris and Linux  Interruption.

TABLE J-1. Error Codes for the Installation/Uninstallation Program


Trend Micro Incorporated
10101 N. De Anza Blvd
Cupertino, CA 95014 USA
www.trendmicro.com

For Sales:
Tel: +1-800-228-5651 (U.S. and Canada)
Tel: +1-408-257-1500 (outside the U.S. and Canada)
Fax: +1-408-257-2003

Item Code: MSEM51328/21216