Microsoft Antigen for Exchange User Guide

Microsoft Antigen for Exchange Version 9

Microsoft Corporation Published: July 2010 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, ActiveX, Excel, Internet Explorer, Outlook, PowerPoint, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Privacy policy

Review the "Microsoft Antigen Privacy Statement" at the Microsoft Antigen Web site. Contents

Chapter 1 - Introducing Microsoft Antigen for Exchange...... 10 Consideration when using a third-party file-level antivirus program...... 10 Antigen scanning order overview...... 11 Antigen documentation...... 12

Chapter 2 - Installing Microsoft Antigen for Exchange...... 12 System requirements...... 13 Minimum server requirements...... 13 Minimum workstation requirements...... 14 Installing Antigen on a local server...... 14 Installing Antigen on a remote server...... 16 Administrator-only installation...... 17 Post-Installation security consideration...... 18 Installing to multiple servers...... 19 Uninstalling Antigen...... 19 Migrating and upgrading...... 19 Applying Exchange and Antigen service packs and rollups...... 20 Relocating Antigen's data files...... 21 Using the evaluation version...... 21 Product licensing information...... 21

Chapter 3 - Antigen services overview...... 22 About services...... 22 AntigenService service...... 22 AntigenMonitor service...... 23 AntigenStore service...... 23 AntigenIMC service...... 23 AntigenRealtime service...... 23 AntigenInternet service...... 23 AntigenStatisticsService service...... 23 AntigenStoreEvent service...... 23 Disabling the Antigen scan jobs...... 23 Recycling the Antigen services...... 24 Securing the service from unauthorized use...... 24

Chapter 4 - Using the Antigen Administrator...... 25 Enabling the Antigen Administrator...... 25 Running the Antigen Administrator...... 26 Connecting to a server...... 26 Connecting to a different server...... 27 Running in read-only mode...... 27 Antigen Administrator overview...... 28 General Options...... 29 Diagnostics section...... 29 Logging section...... 30 Scanner Updates section...... 31 Scanning section...... 33 VSAPI section...... 45 Exchange 2003 UCE Settings...... 47 Central Management...... 47

Chapter 5 - Using multiple scan engines...... 48 About engine rankings...... 48 Setting the bias...... 49 About bias settings...... 49 Configuring the Bias...... 50 Cleaning infected files...... 51

Chapter 6 - Configuring Manual Scan Jobs...... 51 Configuring the Manual Scan Job...... 51 About mailboxes and public folders...... 52 Configuring the antivirus scanners and job action...... 53 Running the Manual Scan Job...... 54 Checking results and status...... 54 Scheduling the Manual Scan Job...... 55 Performing a quick scan...... 55 Checking results and status...... 56 Scanning files by type...... 57

Chapter 7 - Configuring Realtime Scan Jobs...... 57 About multiple Realtime processes...... 57 Configuring the Realtime Scan Job...... 58 About mailboxes and public folders...... 58 Configuring the antivirus scanners and job action...... 59 Controlling the Realtime Scan Job...... 60 Checking results and status...... 61 About Realtime Scan recovery...... 61 Scanning files by type...... 62

Chapter 8 - Configuring SMTP Scan Jobs...... 62 About multiple Internet processes...... 62 Configuring the SMTP Scan Job...... 63 Adding outbound disclaimers...... 64 Configuring the antivirus scanners and job action...... 65 Controlling the SMTP Scan Job...... 66 Checking results and status...... 66 About SMTP Scan recovery...... 67 Scanning nested compressed files...... 67 Scanning files by type...... 67

Chapter 9 - Configuring MTA Scan Jobs...... 68 Configuring the MTA Scan Job...... 68 Configuring the antivirus scanners and job action...... 69 Scanning nested compressed files...... 70 Controlling the MTA Scan Job...... 70 Checking results and status...... 71

Chapter 10 - Performing background and on-access scans...... 71 On-access scanning...... 71 Configuring on-access scanning...... 71 Background scanning...... 72 Reporting incidents...... 73

Chapter 11 - Using templates...... 73 Template uses...... 73 Creating a named template...... 74 Renaming or deleting a named template...... 75 Modifying templates...... 75 Modifying default file scanner update templates...... 76 Modifying notification templates...... 76 Using named templates...... 77 Deploying templates during a remote installation...... 77 Deploying named templates...... 77 Deploying schedule job templates...... 79

Chapter 12 - Using file filtering...... 79 Mechanics of file filtering...... 79 Filtering by file type...... 79 Filtering by extension...... 80 Filtering by name...... 80 Configuring the file filter...... 80 Action...... 82 About file names buttons...... 84 Matching patterns in the file name with wildcard characters...... 85 Using directional file filters...... 86 Filtering container files...... 87 Excluding the contents of a container file from file filtering...... 87 Using file filtering to block most file types...... 88 Using filter set templates...... 89 About international character sets...... 89 About statistics logging...... 89

Chapter 13 - Using content filtering...... 90 Configuring sender-domains filtering...... 90 Configuring subject line filtering...... 91 Action...... 94 Creating content filter lists...... 95 Importing new items into a filter list...... 96 Exporting sender-domains filters, file filters, and subject line filters...... 97 Filtering mail from all users in a domain except for specific users...... 97 Using directional content filters...... 98 About international character sets...... 98 About reporting...... 99 Using filter set templates...... 99 Creating a filter set template...... 99 Configuring a filter set template...... 99 Associating a filter set template with a scan job...... 100 Editing a filter set template...... 100 Deleting a filter set template...... 101 Renaming a filter set template...... 101 Distributing filter set templates to remote servers...... 101

Chapter 14 - Using mailhost filtering...... 102 About mailhosts scanning priority...... 102 Using RBL servers...... 102 Using allowed mailhosts lists...... 103 Using rejected mailhosts lists...... 104 Action...... 105 Importing new items into a filter list...... 106 About mailhost filtering notifications...... 107

Chapter 15 - Using keyword filtering...... 107 Creating new keyword lists...... 107 Action...... 108 About keyword list syntax rules...... 109 About case-sensitive filtering...... 111 Filtering e-mail messages that automatically load HTML images...... 111 Creating allowed senders lists...... 111 Importing new items into a filter list...... 112

Chapter 16 - Purging messages infected by worms...... 113 Purging by the Realtime Scanner...... 113 Purging by the Internet Scanner...... 114 Purging by the MTA Scanner...... 114 Purging by the Manual Scanner...... 114 Using file filtering to purge worm viruses...... 114 Using notifications...... 115 Enabling and disabling worm purging...... 115 Updating the worm purge list...... 115 Creating a custom worm purge list...... 115

Chapter 17 - Antigen Spam Manager overview...... 116 Configuring the anti-spam scanning settings...... 117 Configuring Cloudmark updates...... 117 Managing Cloudmark updates with FSSMC or AEM...... 118 Submitting false positives and false negatives to Cloudmark...... 119 Using the GTUBE anti-spam test file to determine whether Cloudmark is detecting spam...... 119 About the Identify: tag message action...... 119 Outlook Junk Mail folders and user Junk Mail options...... 120 Approving senders...... 122 Blocking senders...... 122 Managing rules...... 122 Purging Junk Mail...... 123

Chapter 18 - Using e-mail notifications...... 123 Sending notifications...... 123 Configuring notifications...... 124 About notification roles...... 124 Configuring Antigen for internal addresses...... 126 Enabling and disabling a notification...... 126 Editing a notification...... 127

Chapter 19 - Reporting and statistics overview...... 127 About the incidents database...... 128 About VirusLog.txt...... 129 About Antigen incidents...... 129 About event statistics...... 131 Statistics for messages...... 131 Statistics for message attachments...... 132 Resetting statistics...... 132 Exporting statistics...... 133 About quarantine...... 133 About quarantine options...... 133 About quarantine database tables...... 134 Saving database items to disk...... 135 About the Deliver button...... 135 About DeliverLog.txt...... 136 Forwarding Attachments...... 136 Forwarding Attachments Quarantined by the Virus Scanner...... 136 Forwarding Attachments Quarantined by the File Filter...... 136 Forwarding Attachments and Manual Scans...... 136 Using the ExtractFiles utility...... 137 Using the ExtractFiles tool for fast mail recovery...... 137 Maintaining the databases...... 138 Clearing the databases...... 138 Clearing the incidents database...... 138 Clearing the quarantine database...... 139 Exporting database items...... 139 Purging database items...... 139 Filtering database views...... 140 Moving the databases...... 140 Changing the database compaction time...... 141 About Windows Event Viewer...... 142 About Performance Monitor...... 142 Reinstalling Antigen performance counters...... 142

Chapter 20 - File scanner updating overview...... 142 About automatic file scanner updating...... 143 Scheduling an update...... 143 Update Now...... 145 Update on load...... 145 About scanner information...... 145 About Manifest.cab...... 146 Distributing updates...... 146 Configuring servers to distribute and receive updates...... 146 Notifications following engine updates...... 147 Putting the new file scanner to use...... 148 Updating the file scanner through a proxy...... 148 Adding and deprecating scan engines...... 148 Adding new scan engines...... 149 Deprecating scan engines...... 149

Chapter 21 - Troubleshooting overview...... 149 Getting help...... 149 Using diagnostics...... 149 Antigen installation failure...... 150 Antigen services do not start when you start the computer...... 150 Submitting malicious software files to Microsoft for analysis...... 151 Submitting files through the Microsoft Malware Protection Center Portal...... 151 Preparing files for submission...... 151 About the response message...... 152 Submitting files through Microsoft Customer Support Services...... 152 No Realtime scanning occurs on the Exchange store after installing Antigen...... 152 Attaching a disclaimer message that includes non-US-ASCII characters...... 153 Exchange cannot deliver e-mail messages to certain domains after you configure an e-mail disclaimer...... 154 Rebuilding scan engines...... 154

Appendix A - Using the Antigen utility...... 156 Enabling and disabling Antigen...... 156

Appendix B - Setting registry values...... 157

Appendix C - Using keyword substitution macros...... 165

Appendix D - Using the Antigen diagnostic utility...... 168 Running the Antigen diagnostic utility...... 168

Appendix E - File types list overview...... 169

Appendix F - Using multiple disclaimers...... 174 Disclaimer hierarchy...... 184 Additional sample disclaimer text...... 184

Appendix G - Backing up and restoring Microsoft Antigen for Exchange...... 185 About backups...... 185 Preparing files for backup...... 185 Backing up data files...... 187 Restoring data files...... 187

Appendix H - Antigen security and configuration updates overview...... 189 Security policy changes...... 189 General Options changes...... 190 Other Antigen changes and updates...... 191 Chapter 1 - Introducing Microsoft Antigen for Exchange

In Microsoft® Exchange Server, viruses can enter the environment from file attachments to e-mail messages, e-mail bodies, and public folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange SMTP stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real-time, with minimal impact on server performance or delivery times of messages. Microsoft Antigen for Exchange Version 9 is the solution for protecting Exchange environments. Antigen is uniquely suited for the Microsoft Exchange 2000 Server and the Microsoft Exchange Server 2003 environments. Antigen uses the Exchange VSAPI to tightly integrate with the Exchange servers to provide seamless protection. Antigen provides powerful content filtering features that include:  Keyword message body filtering.  Mail host filtering with Real-Time Blackhole List (RBL) integration.  File and content filtering that includes filter lists to help administrators manage large groups of filters. Antigen also supports the optional Antigen Spam Manager. This add-on module helps administrators to minimize the number of spam e-mail messages that enter their Exchange environments. The Antigen Spam Manager enhances Antigen’s content filtering by providing:  Support for the Cloudmark anti-spam engine.  Support for Exchange 2003 anti-spam features.  Identify: Tag Message options for suspected spam message tracking and identification.  Keyword filter options.  Junk Mail folders for Microsoft Office Outlook® users. Antigen also integrates with the Microsoft Antigen Enterprise Manager (AEM). The AEM provides administrators with central installation and reporting functionality and central administration of Antigen on all servers in their environments. Antigen provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2000 and 2003 environments.

Consideration when using a third-party file-level antivirus program When performing a file-level antivirus scan on a server operating system, you must omit the following program folders from the scan to prevent corruption of Antigen:  Drive:\Program Files\Sybari Software\Antigen for Exchange  Drive:\Program Files\Exchsrvr  Drive:\InetPub\Mailroot (Exchange 2003 only) The file-level antivirus scan can also cause a conflict when Antigen tries to scan e-mail messages.

Antigen scanning order overview When Antigen scans a file or an e-mail message, the following tasks are performed in the order that they appear: Allowed senders scan—If the allowed senders list functionality is enabled, Antigen compares the message sender's domain or address to the allowed senders list. If a message is from a domain or address in the allowed senders list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed. You can configure the allowed senders list functionality to bypass specific types of filters, such as keyword filters, file filters, and content filters, or you can bypass all filters. For more information about allowed senders lists, see "Creating allowed senders lists" in Chapter 15 - Using keyword filtering. Cloudmark engine scan—The Cloudmark engine compares the message contents against a database of known spam. For more information about the Cloudmark engine, see Chapter 17 - Antigen Spam Manager overview. Mailhost filtering scan—Mailhost filtering filters messages from specific IP addresses or from specific server names. Mailhost filtering consists of the following lists:  RBL servers list—Contains server names and IP addresses that are known to originate spam or are spam open relay hosts. Antigen compares the message sender to the RBL servers list to determine whether the message was sent from a spam server.  Allowed mailhosts list—Contains server names and IP addresses that are considered safe. Antigen compares the message sender to this list to determine whether the message sender is considered safe. If a message is from a server or IP address in the allowed mailhosts list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed.  Rejected mailhosts list—Contains server names and IP addresses that have been blocked. Antigen compares the message sender to the rejected mailhosts list to determine whether the message sender has been blocked. For more information about mailhost filtering, see Chapter 14 - Using mailhost filtering. Content filtering scan—Content filtering includes the following filters:  Sender-domains filtering—When sender-domain filtering is enabled, Antigen compares the message sender to the senders and domains that are in the sender-domains filter list.  Subject line filtering—When subject line filtering is enabled, Antigen compares the contents of the message's subject line to the words in the subject line filter list. For more information about content filtering, see Chapter 13 - Using content filtering. Keyword filtering scan—When keyword filtering is enabled, Antigen compares the contents of the message to any keyword filter lists that have been created. For more information about keyword filtering, see Chapter 15 - Using keyword filtering. Attachment scan—If the e-mail message has an attachment, Antigen scans it for worms and viruses:  Worm purge—The worm purge tool maintains the WormPrge.dat file, which contains a list of known worms. This list is regularly updated and maintained by Antigen. The contents of the message are compared to the list of known worms. For more information about worm purging, see Chapter 16 - Purging messages infected by worms.  File filtering—When file filtering is enabled, Antigen compares the contents of the message to the file filter list. The file filter list provides you with the ability to search for attachments with a specific name, type, and size within an e-mail message. For more information about file filtering, see Chapter 12 - Using file filtering.  Virus cleaning—Antigen uses multiple virus scan engines to determine whether the attachment contains a virus. For more information about using multiple scan engines, see Chapter 5 - Using multiple scan engines. Body scan—The body of the message is compared to the worm list that is maintained in the WormPrge.dat file. If no worms are found, Antigen then scans the body of the message for viruses.

Antigen documentation The most current Microsoft Antigen for Exchange documentation, including the Microsoft Antigen for Exchange Quick Start Guide, the Microsoft Antigen for Exchange Best Practices Guide, the Microsoft Antigen for Exchange Cluster Installation Guide, and the Microsoft Antigen Spam Manager Best Practices Guide, is available at the Microsoft Antigen TechNet Library.

Chapter 2 - Installing Microsoft Antigen for Exchange

Antigen supports local and remote installations on Microsoft® Exchange Server 2003, Microsoft Exchange 2000 Server, and local installations on active/passive clusters.

For the procedures necessary to install Antigen for Exchange on a clustered system, see the Microsoft Antigen for Exchange Cluster Installation Guide at the Microsoft Antigen TechNet Library. If your system is configured to run a Network Load Balancer (NLB), there are no special installation procedures for Antigen for Exchange. Simply follow the instructions in this guide for a non-clustered installation. Important:

Antigen runs in VSAPI mode only. If you are currently running an older version of Antigen in ESE mode, Antigen converts the system to VSAPI mode without confirmation from the user. In Antigen, you can use setup wizards to install the product to a local Exchange server, to a remote Exchange server, or as an Administrator Only installation to a local workstation. The following information should be gathered prior to installation:  The user account and password that has sufficient rights to administer the computer that runs Exchange (local and remote installations).  The server name of the computer running Exchange 2000 or Exchange 2003 (remote installations).

System requirements The following are the minimum server and workstation requirements for Microsoft Antigen for Exchange.

All minimum system memory and disk space requirements for Microsoft Exchange 2000/2003 must be met before installing Microsoft Antigen for Exchange.

Minimum server requirements  Windows® 2000 Server SP4 Update Rollup 1, Windows 2000 Advanced Server SP4 Update Rollup 1, Windows Server 2003, or Windows Small Business Server 2003

Antigen is supported only on 32-bit environments. If both the Exchange and SharePoint products are installed on the same server, Antigen will only be installed on Exchange.  Exchange 2000 Server SP1 or Exchange Server 2003

Antigen is not supported on Exchange 2007.  1 gigabyte (GB) of free memory, in addition to that required to run Exchange (512 MB recommended)

With each additional licensed scan engine, more memory is needed for each scanning process.  2 GB of available disk space  Intel processor, 1 gigahertz (GHz)  Internet Information Services (IIS) 4.0  Microsoft Data Access Components (MDAC) 2.7  Microsoft Jet 4.0 Service Pack 3 (SP3)  Microsoft XML Core Services (MSXML) 6.0  .NET Framework 1.1 (required only if you are using Antigen Spam Manager (ASM) Junk Mail folder processing on Exchange 2000)

Minimum workstation requirements  Windows 2000 Professional, Windows Server 2003, Windows XP, or Windows Vista  6 MB of available memory  10 MB of available disk space  Intel processor

Installing Antigen on a local server To locally install Antigen on an Exchange server, you must log on to the local computer by using an account that has administrator rights. This step is necessary for Setup to perform service registration.

To install Antigen on a local server 1. Run Setup.exe from the folder containing the Antigen installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center. 2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Select Local Installation, and then click Next. 3. If MDAC or Jet is not installed (Exchange 2000 only), Antigen asks if you would like the component installed on the server. Follow the onscreen instructions to complete the installation. After MDAC or Jet has been installed, you must run the installation program again to install Antigen. 4. In the Installation Type dialog box, select Server - Admin console and scanner components, and then click Next. 5. Setup checks to see whether you have the correct version of the Windows Update Agent.  If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually.  If you do have the correct version, Setup then checks to see whether Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears where you can enable it. 6. In the Quarantine Security Settings dialog box, select the desired setting, and then click Next. The choices are:  Secure Mode is the default. When the value is set to this mode, all messages and attachments delivered from Quarantine are rescanned for viruses and filter matches.  Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine. For more information about this setting, see Chapter 19 - Reporting and statistics overview. 7. In the Engine Updates Required dialog box, read the warning about engine updates and proxy information, and then click Next. 8. In the Choose Destination Location dialog box, either accept the default destination folder for the product or click Browse to select a different one. The default is: Program Files\Microsoft Antigen for Exchange 9. If you are installing Antigen Spam Manager on Exchange 2000, enter the file path to the location where Antigen should create the Junk Mail Folder application. This application is used to create user Junk Mail folders. You need to enter the file path, the Administrator Account, and the Administrator Home Server. 10. In the Select Program Folder dialog box, choose a program folder for Antigen. The default is: Microsoft Antigen for Exchange 11. In the Start Copying Files dialog box, review the data. If any changes need to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied. 12. After installation is complete, you can start or restart the SMTP services, depending on whether they were stopped or running when the installation began. For a clean installation, the services were probably still running and need to be recycled. If you are reinstalling the product, the services had to be stopped before Antigen could be uninstalled. In the Start SMTP Services dialog box, you can start the SMTP services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the SMTP services have been started or restarted, Antigen cannot scan mail in transport. 13. If the SMTP services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting SMTP Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue. 14. Depending on which services were stopped when the installation began, either the Start Exchange Information Store dialog box or the Start AntigenStore Service dialog box appears. You can start the Information Store services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the services have been started, Antigen cannot scan mail on the Store. 15. Depending on whether the Information Store services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting Exchange Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue. 16. In the InstallShield Wizard Complete dialog box, you can optionally select to View the README file before clicking Finish. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

As in most installations, Setup updates shared Microsoft files on your computer. If you are asked to restart your computer, you do not need to do this immediately, but it may be necessary for certain Antigen features to work correctly.

Installing Antigen on a remote server To remotely install Antigen on an Exchange server, you must log on to your local computer by using an account that has administrator rights to the remote computer. This step is necessary for Setup to perform service registration. The platforms of both the local computer and remote computer must be the same.

To install Antigen on a remote server 1. Run Setup.exe from the folder containing the Antigen installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center. 2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Select Remote Installation, and then click Next. If Antigen is already installed on the remote Exchange server, this process can automatically stop the Exchange and IIS services, and uninstall Antigen. 3. In the Remote Server Information dialog box, enter the following information, and then click Next. The parameters are:  Server Name: The name of the computer to which you are installing Antigen.  Share Directory: The temporary location that the remote installation uses while setting up Antigen. The default is: C$ 4. If MDAC or Jet is not installed (Exchange 2000 only), Antigen asks whether you would like the component installed on the remote server. When initiated, the installation of MDAC or Jet proceeds in silent mode.

Note: If a restart is required after MDAC or Jet is installed, Antigen restarts the server automatically. Once the installation is complete, Antigen continues installing Antigen on the remote server. 5. Setup checks to see whether you have the correct version of the Windows Update Agent.  If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually.  If you do have the correct version, Setup then checks to see whether Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears where you can enable it. 6. In the Quarantine Security Settings dialog box, select the desired setting, and then click Next. The choices are:  Secure Mode is the default and when the value is set to this mode, all messages and attachments delivered from Quarantine are rescanned for viruses and filter matches.  Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen identifies these messages by placing special tag text in the subject line of all messages delivered from Quarantine. For more information about this setting, see Chapter 19 - Reporting and statistics overview. 7. In the Remote Location dialog box, select the Destination Directory and Folder Name, and then click Next to begin installing Antigen. 8. After installation is complete, you can start or restart the SMTP services, depending on whether they were stopped or running when the installation began. For a clean installation, the services were probably still running and need to be recycled. If you are reinstalling the product, the services had to be stopped before Antigen could be uninstalled. In the Start SMTP Services dialog box, you can start the SMTP services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the SMTP services have been started or restarted, Antigen cannot scan mail in transport. 9. If the SMTP services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting SMTP Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue. 10. Depending on which services were stopped when the installation began, the Start Exchange Information Store dialog box or the Start AntigenStore Service dialog box appears. You can start the Information Store services automatically so that Antigen can become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time. Until the services have been started, Antigen cannot scan mail on the Store. 11. If the Information Store services are being started or restarted (that is, you clicked Next on the prior dialog box), the Starting Exchange Services dialog box appears. Wait until the status changes to All services started before clicking Next to continue. 12. After you have been informed that the installation was successful, click Next to perform another remote installation, or click Cancel to exit the installation program. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Note:

As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain Antigen features to work correctly.

Administrator-only installation Performing an administrator-only installation installs the Antigen Administrator onto any Windows workstation or server, which can then be used to centrally manage the Antigen Service running on remote Exchange servers. An administrator-only installation requires approximately 2.5 MB of disk space.

To perform an administrator-only installation 1. Run Setup.exe from the folder containing the Antigen installation files. You can obtain the latest installation package from the Microsoft Volume Licensing Download Center. 2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Choose Local Installation, and then click Next. 3. In the Installation Type dialog box, select Client - Admin console only, and then click Next. 4. Setup checks to see whether if you have the correct version of the Windows Update Agent.  If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually.  If you do have the correct version, Setup then checks to see whether Microsoft Update is enabled. If Microsoft Update is not enabled, the Use Microsoft Update dialog box appears where you can enable it. 5. In the Choose Destination Location dialog box, either accept the default destination folder for the product, or click Browse to select a different one. The default is: Program Files\Microsoft Antigen for Exchange 6. In the Select Program Folder dialog box, choose a program folder for Antigen. The default is: Microsoft Antigen for Exchange 7. In the Start Copying Files dialog box, review the data. If any changes need to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied. 8. In the InstallShield Wizard Complete dialog box, you can optionally select to View the README file before clicking Finish. If you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Post-Installation security consideration When you install Antigen for Exchange, it is configured to allow everyone access to the AntigenService service. To change the security settings to restrict access to AntigenService, you need to use DCOMCNFG to modify the security settings. For more information about securing access to AntigenService, see "Securing the service from unauthorized use" in Chapter 3 - Antigen services overview.

Installing to multiple servers The Microsoft Antigen Enterprise Manager (AEM) should be used to install Antigen to multiple Exchange servers. For complete installation instructions, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

Uninstalling Antigen To uninstall Antigen, log on to the computer on which it is installed.

For information about uninstalling Antigen from a clustered server, see the Microsoft Antigen for Exchange Cluster Installation Guide at the Microsoft Antigen TechNet Library.

To uninstall Antigen for Exchange 1. Ensure that the Antigen Administrator is not running. 2. In Control Panel, open Administrative Tools, and then open Services. 3. Stop the Exchange and IIS services. 4. When all these services have stopped, close the Services dialog box. 5. In Control Panel, open Add or Remove Programs. 6. Remove Microsoft Antigen for Exchange. Click Yes to confirm the deletion. 7. On the Uninstall Complete screen, click Finish. 8. Delete the Microsoft Antigen for Exchange folder in Program Files (or, if you installed to a different folder, delete your installation folder). 9. If you are not planning to reinstall Antigen for Exchange, restart the stopped Exchange services and IIS.

Migrating and upgrading Microsoft Antigen for Exchange upgrades properly from Antigen 8.0 SR3 only by upgrading all components during the installation process. Scan job and other settings are preserved during the upgrade process. When you are upgrading Antigen, all scan jobs have their template settings configured to None to prevent users from inadvertently overwriting existing settings. To deploy templates, you need to change this setting on each server to Default or a named template. For more information on configuring scan job template settings, see Chapter 11 - Using templates.

When upgrading from Antigen 8.0 SR3, you must do an engine update immediately after installing Antigen to ensure that the engines are using the most recent signature files. After upgrading Antigen, the Microsoft Engine is not scheduled for updates. You must manually set the update schedule for the Microsoft Engine after the upgrade is complete. When upgrading Antigen on a server where NetIQ AppManager is installed, you first need to disable and shut down NetIQ prior to upgrading Antigen. This is required because the Antigen performance.dll file is registered so that the Performance Monitor monitors it. NetIQ attaches itself to this dynamic-link library (DLL) and does not release it even if the programs that use it are shut down. If this DLL is not released, it is not properly upgraded during the installation. For information about upgrading clustered servers, see the Microsoft Antigen for Exchange Cluster Installation Guide at the Microsoft Antigen TechNet Library.

Applying Exchange and Antigen service packs and rollups This section describes how to apply Exchange and Antigen service packs and rollups. For cluster installations, follow the instructions in Installing Antigen on a Cluster in the “Microsoft Antigen for Exchange Cluster Installation Guide”.

To install an Exchange service pack or rollup 1. Disable Antigen using the steps described in Appendix A - Using the Antigen utility. 2. Follow the instructions provided with the specific service pack or rollup that you are installing. 3. After the installation is complete and the Exchange services have been restarted, verify that mail is flowing. 4. Enable Antigen using the steps described in Appendix A - Using the Antigen utility.

Some Exchange service packs and rollups require you to download and install an Antigen update in order to ensure that Antigen operates correctly. For information and downloads, visit the Microsoft Web site at Microsoft Help and Support.

To install an Antigen service pack or rollup 1. Run the installer by double-clicking the service pack or rollup executable file.

Note: While the installer is running, the Exchange and Antigen services are stopped, and your mail flow is temporarily halted. 2. After the installation is complete and the Exchange and Antigen services have been restarted (this occurs automatically during the installation), verify that Antigen is working properly.

Note: Antigen service packs or rollups can also be installed using the FFSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.

Relocating Antigen's data files Antigen stores program settings as well as scanning activity information, including the Quarantine Area, on the file system. If you want, you can relocate these files at any time after installation.

To relocate data files 1. Stop all Exchange services and any Antigen services that might still be running after Exchange is stopped. 2. Create a folder in the location where you want to move the files. 3. Move all the data files (files with the .adb extension) and the Quarantine and Engines folders. 4. Change the following registry key to reflect the new location: HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange\DatabasePath. 5. Set the security for the new location. Right-click the folder of the new location, and then select Properties. On the Security tab, add a user called “Network Service” with Full Control privileges. This is necessary so that logging is performed for the SMTP Scan Job. 6. Restart the Exchange services.

Using the evaluation version Microsoft provides a fully functional version of Antigen for Exchange for a 30-day evaluation. After 30 days, the evaluation version of Antigen continues to operate and report detected files. However, it no longer cleans, deletes, or purges files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the Allowed Sender lists are disabled, and scan engines no longer update.

Note: To purchase a subscription build of Antigen, contact Microsoft Sales.

Product licensing information After you have installed a subscription build of Antigen, you can enter licensing information (which can also be obtained from Microsoft Sales). These are the reasons to license your product:  You can align the date that your product expires with the date of your license agreement (otherwise, the expiration is three years from the installation date).  You can easily renew your license by entering a new expiration date. To license Antigen, select Product License from the Help menu. The Product License Agreement and Expiration dialog box appears. Enter your 7-digit License Agreement Number, and then enter an Expiration Date. You should enter a date that corresponds to the expiration of your license agreement. This coordinates the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product License Agreement and Expiration dialog box.

Chapter 3 - Antigen services overview

The Antigen services are the components that run on the Microsoft® Exchange Server and control all back-end functionality of Antigen. The services process requests from the Antigen Administrator, control the scanning processes, generate e-mail notifications, and store virus incidents data-to-disk (which can be viewed by using the Antigen Administrator). When an Administrator-Only installation of Antigen is performed, the Antigen Services are not installed.

About services The following sections describe the services used by Antigen for Exchange.

AntigenService service The AntigenService service acts as the server component that the Antigen Administrator connects to for configuration and monitoring. AntigenService coordinates all Realtime, Manual, and SMTP scanning activities. The AntigenService startup type defaults to Manual and should not be changed. After being installed, the AntigenService becomes a dependency on the AntigenStore and AntigenIMC services. Due to other dependencies, whenever the Exchange Information Store service is started or stopped, the same action will occur with AntigenService. The Task Scheduler service becomes a dependency of AntigenService and must be operating properly in order for AntigenService to initialize. There is no benefit from starting or stopping AntigenService independently of the Exchange services. On Exchange 2000/2003, AntigenService runs under the Local System account.

Important:

If the AntigenService or AntigenMonitor is disabled, e-mail will continue to be processed without being scanned for viruses or spam.

AntigenMonitor service The AntigenMonitor service monitors the Exchange Information Store, the SMTP stack, and Antigen processes to ensure that Antigen provides continuous protection for your messaging environment.

The AntigenMonitor must run under the Local System account on Exchange 2000/2003. If it is changed to run under a different account, Antigen might not start.

AntigenStore service The AntigenStore service ensures that Antigen initializes properly with the Information Store. AntigenStore becomes a dependency on the Microsoft Information Store. AntigenStore starts and stops with the Information Store.

AntigenIMC service The AntigenIMC service connects to the SMTP stack to ensure that messages are scanned by the AntigenInternet process. AntigenIMC becomes a dependency on the Exchange SMTP service on Exchange 2000/2003.

AntigenRealtime service The AntigenRealtime service provides immediate scanning of e-mail that is sent or received by the Mailboxes and Public Folders resident on the Exchange server.

AntigenInternet service The AntigenInternet service ensures that all messages that pass through the Exchange SMTP stack are scanned prior to delivery.

AntigenStatisticsService service The AntigenStatisticsService service logs scanning statistics for all Antigen scan jobs. This information is then available for retrieval by the Microsoft Antigen Enterprise Manager. AntigenStoreEvent service The AntigenStoreEvent service handles Junk Mail when the ASM Junk Mail folders are enabled.

Disabling the Antigen scan jobs The Antigen scan jobs can be disabled by using the Enable Antigen for Exchange Scan option in the General Options pane. This selection box provides the following options:  Disable All  Enable Store Scanning  Enable Internet Scanning  Enable All To disable scanning, select Disable All and then click Save. The Antigen services must be recycled for the change to take effect.

Recycling the Antigen services The Services Control Manager is used to recycle the Antigen services.

To recycle the services 1. Stop all Antigen services. (For details, see Disabling the Antigen services.) 2. Wait for all services to finish shutting down. 3. Use the Task manager to make sure that no Antigen processes are still running. 4. Start all Antigen services.

Warning:

While the Antigen services are unavailable, e-mail will continue to be processed, but will not be scanned for viruses or spam.

Securing the service from unauthorized use The AntigenService utilizes Distributed COM (DCOM) to launch and authenticate Antigen Administrator connections. You can build an access list of authorized users who can connect to the AntigenService by using the Antigen Administrator.

To build an access list of authorized users 1. Open a Command Prompt window. 2. Type DCOMCNFG, and then press ENTER. The Component Services dialog box appears. 3. In the Console Root section, expand Component Services. 4. Expand Computers. 5. Expand My Computer. 6. Expand DCOM Config. 7. Right-click AntigenService, and then select Properties. The AntigenServices Properties dialog box opens. 8. Click the Identity tab, and then configure your user accounts. 9. Click the Security tab, and then use the permissions lists to control which user accounts have rights to launch the AntigenService, access the AntigenService, or change the DCOM configuration. 10. Click OK to exit the AntigenServices Properties dialog box.

Chapter 4 - Using the Antigen Administrator

The Antigen Administrator is used by the administrator to configure and run Antigen locally or remotely. For the Administrator to launch successfully, the AntigenService service and the Microsoft® Exchange Server must be running on the computer to which the Administrator is connecting. Because the Administrator is the front end of the Antigen software, it can be launched and closed without affecting the back-end processes that are performed by the Antigen Services. The Antigen Administrator can also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who might need to view information provided through the user interface.

Enabling the Antigen Administrator Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use the Antigen Administrator on those operating systems, you must first enable the Administrator.

To enable the Antigen Administrator to run on Microsoft Windows XP SP2 1. Click Start, click Run, and then enter dcomcnfg. 2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and then click Properties. 3. On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user. 4. Add the AntigenClient application to the Windows Firewall Exceptions list, as follows: a. In Control Panel, click Windows Firewall. b. In the Windows Firewall dialog box, click the Exceptions tab. c. Click Add Program, select AntigenClient from the list, and then click OK. This adds the Antigen Administrator to the Programs and Services list. d. In the Programs and Services list, select the AntigenClient. e. Click Add Port, enter a name for the port, and enter 135 for the port number. f. Select TCP as the protocol, and then click OK.

If you are concerned about opening port 135 to all computers, you can opt for the port to open only for the servers running Antigen. When you add port 135, click Change Scope, and then select Custom List. Enter the IP addresses of all the Antigen servers that should be allowed access through port 135.

To enable the Antigen Administrator to run on Microsoft Windows Server 2003 SP2 1. Click Start, click Run, and then type dcomcnfg. 2. In Component Services, at the console root, expand Component Services, expand Computers, right-click My Computer, click Properties, and then click the COM Security tab. 3. Under Access Permissions, click Edit Limits. 4. In the Access Permission dialog box, select the Add Anonymous logon account, and then select the Allow check box for Remote Access for the Anonymous Logon user.

Running the Antigen Administrator To run the Antigen Administrator, on the Start menu, point to All Programs, point to Microsoft Antigen for Exchange, and then click Antigen Administrator. You can also launch it from a command prompt.

To launch the Antigen Administrator from a command prompt 1. Open a Command Prompt window. 2. Navigate to the Antigen installation directory. The default is: \Program Files\Microsoft Antigen for Exchange 3. Type antigenclient.exe, and then press Enter.

Connecting to a server The first time that the Administrator is launched, it will prompt you to connect to the Exchange server running on the local computer. You can use the server name or local alias to connect to the local Exchange server. The Administrator can also be connected to a remote Exchange server running Antigen. This enables an administrator to use one installation of the Administrator to configure and control Antigen throughout the network. To connect to a remote server, at the Server prompt box, click the Browse button or enter the server name, IP Address, or Domain Name System (DNS) name of the remote computer. Notes:

Due to enhanced security settings in Windows 2003 SP1, DCOM settings may need to be updated when Antigen is installed on a Windows 2003 SP1 server to allow remote access. Remote administrators must have privileges enabled for both remote launch and remote activation. Because the Antigen installation includes the installation folder for both administrator-only installations and for the full product installation on the access control list (ACL), a remote administrator must have access to the local installation folder and registry key, as well as access to the server to which it is connecting. If you are having problems connecting the Antigen Administrator to the Exchange server, try using the PING command to test for server availability. If the server is available, make sure that no other Antigen Administrators are currently connected to the server.

Connecting to a different server To connect to a different server when already connected to Antigen, select Open from the Antigen Administrator File menu. The Connect to Server dialog box appears. Enter the name of another server running Antigen, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Antigen Administrator dialog box to quickly reconnect to a server.

Running in read-only mode The Antigen Administrator can be run in a read-only mode. To do so, the administrator will need to modify the NTFS permissions on the Antigen Database directory to allow modify access to only those users with permission to change Antigen settings. By default, the installation directory is: Program Files\Microsoft Antigen for Exchange To ensure proper configuration, you must first remove modify access for all users, and then set modify access only for users who are allowed to change settings in Antigen. When a user without modify access opens the UI, the UI will display ReadOnly at the top of the pane and will not allow any configuration changes.

The System Account and Exchange Service Account must have full control of the Antigen for Exchange folder, or Antigen will not run properly. Antigen Administrator overview The Antigen Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right, as shown in the following image:

The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

Area Description

SETTINGS The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, General Options, and the Anti-Spam Job when the Antigen Spam Manager is enabled.

FILTERING The FILTERING area enables you to configure content filtering, file filtering, mailhost filtering, keyword filtering, allowed senders lists, and filter lists.

OPERATE The OPERATE area enables to control virus scanning, spam scanning, and filter options, schedule and run scan jobs, and perform quick scans.

REPORT The REPORT area enables you to configure Area Description

notifications, view and manage incidents, and view and manage quarantined files.

General Options General Options, accessed from the SETTINGS shuttle, provide access to a variety of system level settings for Antigen. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Antigen Enabled, Internet Process Count, and Realtime Process Count require that the Antigen services be restarted for the change to take effect. Although there are many options that can be controlled through the General Options pane, each of them has a default (Enabled, Disabled, or a value), which is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time. To access the General Options pane, click General Options in the SETTINGS area of the Shuttle Navigator. The General Options pane opens. The General Options pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, VSAPI, and Microsoft Exchange Server 2003 UCE Settings.

Although the Exchange 2003 UCE Settings are always visible, they are only enabled when the Antigen Spam Manager is installed on Exchange Server 2003.

Diagnostics section The following table lists and describes the settings in the Diagnostics section of General Options.

Setting Description

Additional Internet Logs every file that is scanned by the Internet scanner.

Additional Realtime Logs every file that is scanned by the Realtime scanner.

Additional Manual Logs every file that is scanned by the Manual scanner.

Notify on Startup When checked, Antigen will send a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet Setting Description

Scanner starts.

Archive SMTP Mail Enables administrators to archive inbound and outbound SMTP e-mail (Microsoft Exchange 2000 Server and Exchange Server 2003) in two folders (named In and Out) that are located in the Antigen installation folder. Each message will be given a file name that consists of the year, day, month, time, and a three-digit number. For example: 20022009102005020.eml. Administrators have the following options for archiving: No Archive - No mail is archived. Archive Before Scan - Messages are archived prior to scanning. Archive After Scan - Messages are archived after scanning. Archive Before And After Scan - Messages are archived before and after scanning. These options are provided to help administrators and Antigen support engineers diagnose and isolate problems that users may be experiencing.

Critical Notification List Enter the e-mail addresses of administrators and others who should be notified in the event that the Exchange Store starts and Antigen is not hooked in or if the Antigen Store shuts down abnormally. Multiple e-mail addresses should be separated by semicolons. Example: [email protected];[email protected].

Logging section The following table lists and describes the settings in the Logging section of General Options.

Setting Description

Enable Event Log Enables logging of Antigen events to the event log. Setting Description

Enable Antigen Program Log Enables the Antigen program log (ProgramLog.txt). The Antigen services must be restarted for a change to this value to take effect.

Enable Performance Monitor and Statistics Enables logging of Antigen performance statistics to the Performance Monitor.

Enable Antigen Virus Log Enables the Antigen Virus Log (VirusLog.txt).

Enable Incidents Logging - Realtime Enables or disables incident logging for the Realtime Scan Job.

Enable Incidents Logging - Manual Enables or disables incident logging for the Manual Scan Job.

Enable Incidents Logging - Internet Enables or disables incident logging for the Internet Scan Job. You can select from the following options:  Enable all incident logging.  Disable all incident logging.  Disable Spam/RBL incident logging – Only Spam/RBL logging will be disabled. Other incidents will still be logged.

Max Program Log Size Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. The default is 25600 KB. A value of 0 indicates that there is no limit to the maximum size.

For more information on the log files and the Performance Monitor, see Chapter 19 - Reporting and statistics overview.

Scanner Updates section The following table lists and describes the settings in the Scanner Updates section of General Options.

Setting Description

Redistribution Server When this option is enabled, the two most recent engine update packages are saved in the engine package folder instead of the usual single engine package. Antigen will also Setting Description

download the full update package rather than perform an incremental update. The multiple engine packages enable the spoke servers to continue pulling updates from the redistribution server while a new update is being downloaded.

Perform Updates at Startup Configures Antigen to automatically perform engine updates every time Antigen is started.

Send Update Notification Configures Antigen to send a notification to the Virus Administrator each time a scan engine is updated.

Use Proxy Settings Configures Antigen to use proxy settings when retrieving antivirus scanner updates. The use of a proxy server to retrieve updates is optional.

Use UNC Credentials Configures Antigen to use Universal Naming Convention (UNC) credentials when retrieving scanner updates from a file share. The use of a UNC path to retrieve updates is optional. Note: Credentials are not supported if you are using the Antigen Enterprise Manager for redistribution. Be sure to clear this setting if you are using the AEM to manage antivirus engine updates.

Proxy Server Name/IP Address Name or IP address of the proxy server Antigen should use when retrieving antivirus scanner updates. Required, if using proxy settings.

Proxy Port Port number for the proxy server.

Proxy Username Name of a user with access rights to the proxy server, if necessary. Optional field.

Proxy Password Password for the proxy user name, if necessary. Optional field.

UNC Username Name of a user with access rights to the UNC path, if necessary. Optional field.

UNC Password Password for the UNC user name, if necessary. Optional field.

For more information on updating the scan engines, see Chapter 20 - File scanner updating overview. Scanning section The following table lists and describes the settings in the Scanning section of General Options.

Setting Description

Body Scanning - Manual Enable message body scanning for the Manual Scan Job.

Body Scanning - Realtime Enable message body scanning for the Realtime Scan Job.

Delete Corrupted Compressed Files Specifies whether corrupted compressed files will be deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or it could be that the file exceeds the size limit configured for Antigen. When a corrupted compressed file is detected, Antigen reports it as a CorruptedCompressedFile virus. This option is enabled by default. Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles to override quarantining for these file types. The DWORD setting must be created and its value set to 0. Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types: UnwritableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners due to the corrupt nature of the file. UnReadableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive.

Delete Corrupted Uuencode Files Specifies whether corrupted Uuencoded files will be deleted. Typically, a Uuencoded file that Antigen is unable to parse is considered corrupted. When a corrupted compressed file is detected, Antigen will Setting Description

report it as a CorruptedCompressedUuencodeFile virus. This option is enabled by default.

Delete Encrypted Compressed Files Specifies whether encrypted compressed files with at least one encrypted item within its contents are deleted. (Encrypted files cannot be scanned by antivirus scan engines.) When an encrypted compressed file is detected, Antigen will report it as an EncryptedCompressedFile virus. This option is disabled by default.

Treat high compression ZIP files as Specifies whether ZIP archives containing highly- corrupted compressed compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message will be delivered. If a threat can be cleaned, the message will be delivered. If a threat cannot be cleaned, the message will be deleted. If the file is compressed with an unknown algorithm, it will always be treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files will be treated as corrupted compressed).

Treat multipart RAR archives as corrupted A file within a RAR archive can be compressed compressed across multiple files or parts, thereby allowing large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed. Disabling this option enables you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default. If the archive is reported as corrupted compressed, Setting Description

and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat is found and cannot be cleaned, the message will be deleted.

Note: If you are using multipart RAR to compress files that exceed 100MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Appendix B - Setting registry values.

Treat concatenated gzips as corrupted Multiple Gnu zip (gzip) files can be concatenated compressed into a single file. Although Antigen recognizes concatenated gzips, it may not recognize individual files split across concatenated gzips. Therefore, Antigen treats concatenated gzips as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections. Disabling the treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips. However, in this case, a virus may escape detection.

Scan Doc Files as Containers - Manual Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information Setting Description

about OpenXML files, see Appendix E - File types list overview. Disabled by default.

Scan Doc Files as Containers - Internet Specifies that the Internet Scan Job should scan .doc files and any other files that use structured storage files and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any files embedded in the file are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types list overview. Disabled by default.

Scan Doc Files as Containers - Realtime Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage files and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any files embedded in the file are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types list overview. Disabled by default.

Skip Content Filtering for Allowed Mailhosts This setting allows Antigen to skip Content Filtering for SMTP messages when every public Mailhost in the Received MIME header field—up to the number specified in the Maximum Allowed Mailhosts Lookups General Options setting—is listed in an enabled Allowed Mailhost list. For more information, see Chapter 14 - Using mailhost filtering.

Case Sensitive Keyword Filtering This setting makes all keyword filters case sensitive. When this setting is cleared, all keyword filters are case insensitive.

Fix Bare CR or LF in Mime Headers This setting is intended to correct a discrepancy between the MIME header parsing method used by Outlook and Outlook Express and the RFC822 spec on how bare CR (0x0d) and bare LF (0x0a) are handled in MIME headers. MIME messages can be formed that allow Outlook and Outlook Setting Description

Express to improperly detect attachments in the MIME headers that are not scanned. When checked, Antigen will modify any bare carriage return (CR) or bare line feed (LF) found in the MIME headers to the CRLF combination, which removes the discrepancy in parsing methods. For more information about this setting, see “Exchange cannot deliver e-mail messages to certain domains after you configure an e-mail disclaimer” in Chapter 21 - Troubleshooting overview.

Add Disclaimers to Clear Signed Messages When this option is selected, Antigen will add disclaimers—if disclaimers are enabled—to Clear Signed Messages. If you do not want disclaimers appended to Clear Signed Messages, clear this option. A Clear Signed Message is a message that contains a digital signature and is in a readable state. If the message is modified by the addition of a disclaimer, however, the digital signature will be invalid. When a user receives the message they will be told that the digital signature is invalid. This option is enabled by default.

Enable Junk Mail Folders This setting is used to create the ASM Junk Mail folders for each Outlook mailbox when the ASM is installed on Exchange 2000. When this option is selected and saved, the Junk Mail Folder creation cycle begins immediately. The creation cycle runs again every day at 2:00 am in order to create folders for any new mailboxes that have been added. For more information about the ASM Junk Mail Folders, see Chapter 17 - Antigen Spam Manager overview. Note Junk Mail folders require certain prerequisites. If any are missing, the following grayed out option will be displayed: “Requirements for Junk folder option: W3SVC started, IIS and junk mail web folder installed, .NET installed for 200x.” W3SVC is the World Wide Web Publishing Service, which must be started. IIS must be Setting Description

installed and started. The Junk Mail homepage that is created by Antigen during the installation when the ASM is licensed must exist. For Exchange 2000, .NET Framework also must be installed. If any requirements are missing, they must be installed and started before Junk Mail folders can be enabled.

Purge Message if Message Body Deleted - Some messages carry viruses in the body of the Internet message file. When all or part of the message body is deleted to remove a virus, Antigen inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Antigen and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is checked.

Enable Antigen for Exchange Scan This setting enables Administrators to enable or disable all or selected Antigen jobs. The options are: Disable All, Enable Store Scanning, Enable Internet Scanning, and Enable All. The default value is Enable All. After changing this setting, the Antigen services must be recycled. For more information on recycling the services, see “Recycling the Antigen services” in Chapter 3 - Antigen services overview.

Internet Process Count This setting is used to change the number of Internet processes that are used by Antigen. The default value is 2. You can create up to 10 Internet processes. After changing this setting, the Antigen services must be recycled. For more information about this setting, see Chapter 8 - Configuring SMTP Scan Jobs.

Realtime Process Count This setting is used to change the number of Realtime processes that are used by Antigen. The default value is 2. You may create up to 4 Realtime processes. After changing this setting, the Antigen services must be recycled. For more information Setting Description

about this setting, see Chapter 7 - Configuring Realtime Scan Jobs.

Antigen Manual Priority This setting enables administrators to set the CPU priority of Manual Scan Jobs to Normal, Below Normal, or Low to allow more important jobs to take precedence over Manual Scan Jobs when demands on server resources are high. The default value is Normal.

Engine Error Action Sets the action that Antigen should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are: Ignore, which will log the error to the program log; Skip, which will log the error to the program log and display an EngineError entry with the state Detected in the UI; and Delete, which will log the error to the program log, delete the file that caused the error, and display an EngineError entry with the state Removed in the UI. The file that caused the engine error will always be quarantined. The default value is Delete.

Illegal MIME Header Action - Internet If Antigen encounters an illegal MIME header during a scan, it can be enabled to Purge: eliminate message (the default) or set to Ignore the message. Illegal MIME headers are headers that have multiple Content-Type, Content-Transfer Encoding, or Content-Disposition headers containing conflicting data. Messages where the Content-Disposition or Content-Type header is longer than it is supposed to be, and messages that contain multiple subject lines, are also identified as illegal MIME headers. Identified messages will be quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1 to override quarantining.

Internet Scan Timeout Action Indicates what to do in the event that the Setting Description

Internet/SMTP Scan Job times out while scanning a file. The options are: Ignore, Skip, and Delete. The Ignore setting will let the file pass without being scanned. The Skip setting will report in the Incidents log and Program log that the file exceeded the scan time and let it pass without being scanned. The Delete setting will also report the event and replace the contents of the file with the deletion text. A copy of the file will be stored in the Quarantine database if quarantining is enabled and Internet Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

Realtime Scan Timeout Action Indicates what to do if the Realtime Scan Job times out while scanning a file. The options are: Ignore, Skip, and Delete. The Ignore setting will let the file pass without being scanned. The Skip setting will report in the Incidents log and Program log that the file exceeded the scan time and let it pass without being scanned. The Delete setting will also report the event and replace the contents of the file with the deletion text. A copy of the file will be stored in the Quarantine database if quarantining is enabled and Realtime Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

SMTP Quarantine Messages Antigen performs two different quarantine operations: quarantining of entire messages or quarantining of attachments only. Entire messages are quarantined only for content filters, spam filters, and file filters that are set to Purge when quarantine is enabled. When SMTP Quarantine Messages is set to Quarantine as Single EML File (only applies to the SMTP Scan Job), the quarantined message and all attachments are quarantined in an EML file format. When SMTP Quarantine Messages is set to Quarantine Message Body and Attachments Separately, Antigen will quarantine messages as separate pieces (bodies and attachments). Setting Description

For a complete description of this setting, see “About quarantine” in Chapter 19 - Reporting and statistics overview.

Note: These settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected.

Deliver From Quarantine Security This value gives administrators flexibility for handling messages and attachments that are forwarded from quarantine. The options for this setting are Secure Mode and Compatibility Mode.  Secure Mode forces all messages and attachments delivered from quarantine to be rescanned for viruses and filter matches. This is the default setting.  Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine. For more information about this setting, see Chapter 19 - Reporting and statistics overview.

SMTP Sender Information By default, Antigen for Exchange uses the “MIME FROM:” header sender address for the SMTP Scan Job on Exchange 2000/2003. This General Option setting allows administrators to use the MAIL FROM sender address from the SMTP protocol for the SMTP Scan Job. When Use SMTP protocol MAIL FROM is selected, the address in that field will be used anywhere the sender address is used, for example, for sender or domain content filtering, notifications, reporting in the Administrator, and Multiple Disclaimers. The options for this setting are:  Use MIME From: Header (the default). Setting Description  Use SMTP protocol MAIL FROM.

Note: When MIME From is selected and a MIME Sender header is also present, the MIME Sender header information will be used.

Perform Reverse DNS Lookup Provides the ability to disable Reverse DNS lookups when validating an IP address or domain name against the Allowed Mailhost or Rejected Mailhost lists. If Reverse DNS lookups are disabled, the domain name found in the MIME Received header field will be used for comparisons with the Allowed Mailhost and Rejected Mailhost lists. The options for this setting are:  Enable All (the default)  Disable All  Only for Mailhost List Checking  Only for Inbound/Outbound Determination For more information about this setting, see Chapter 14 - Using mailhost filtering.

Max Container File Infections Specifies the maximum number of infections allowed in a compressed file. If this number is exceeded, the entire file is deleted and Antigen logs an incident stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection will cause the entire container to be deleted. In this case, the logged incident has the tag “Container Removed” appended to the filter match. The default value is 5 infections.

Max Container File Size Specifies the maximum container file size (in bytes) that Antigen will attempt to clean or repair in the event that it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Antigen reports deleted files as a LargeInfectedContainerFile virus.

Max Nested Attachments Specifies the limit for the maximum nested documents that can appear in MSG, TNEF, MIME, Setting Description

and Uuencoded documents. The limit will include the sum of the nestings of all of these types. If the maximum number is exceeded, Antigen will block or delete the document and report that an ExceedinglyInfected virus was found. The default value is 30.

Max Nested Compressed Files Specifies the maximum nested depth for a compressed file. If this is exceeded, the entire file is deleted and Antigen sends a notification stating that an ExceedinglyNested virus was found. A value of zero represents that an infinite amount of nestings is allowed. The default value is 5.

Max Container Scan Time (msecs) - Specifies the number of milliseconds that Antigen Realtime/Internet will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. This setting is intended to prevent denial of service risk from zip of death attacks. The default value is 120,000 milliseconds (two minutes).

Max Container Scan Time (msecs) - Manual Specifies the number of milliseconds that Antigen will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. This setting is intended to prevent denial of service risk from zip of death attacks. The default value is 600,000 milliseconds (ten minutes).

Internal Address Antigen can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address field, to show who should be sent internal notifications. Domains should be entered as a semicolon delimited list (for example: microsoft.com;microsoft.net; company.com) with no spaces. Any change to this value is immediately reflected in virus notifications. When entering a domain name in the Internal Address field, be aware that subdomains are covered by the entry. For example: domain.com will include subdomain.domain.com and Setting Description

subdomain2.domain.com. Alternate domains such as domain.net or domain.org must be entered individually. Values entered in Internal Address are used as a substring match of the end of an e-mail address. For example, “soft.com” would consider “[email protected]” and “[email protected]” to be internal addresses. If you have a large number of domains to be used as internal addresses, you can enter them in an external text file (leaving the Internal Address field blank). Enter all your internal domains, each on a separate line. Be aware that all subdomains must be entered individually. To use the external file, you must manually create the registry key DomainDatFilename and set its value to the full path of the external text file. For more about this key, see Appendix B - Setting registry values. (For more information about internal addresses and notifications, see Chapter 18 - Using e-mail notifications.)

SMTP External Hosts If you are using an SMTP gateway to route e-mail into your Exchange environment, you can enter the IP address of the gateway server so that Antigen will treat all mail coming from that server as inbound when determining which filters and scan jobs to use for a message. If you do not enter the IP address of your SMTP gateway, Antigen will use its internal logic to determine whether messages are inbound or internal. IP addresses should be entered as a semicolon delimited list with no spaces. Example: 123.456.78;876.543.21;000.000.00

Maximum RBL Lookups Specifies the number of hops allowed while doing RBL tests. (Only public IP addresses received in the chain are counted.) Antigen starts counting with the first public IP address and checks the IP address of each hop until the Maximum RBL Lookups is reached or a private IP address is Setting Description

encountered. The default value is 4.

Maximum Allowed Mailhost Lookups Specifies how many addresses need to be checked and matched by the Allowed Mailhost filter for content filtering to be skipped. The default value is 4.

VSAPI section The following table lists and describes the settings in the VSAPI section of General Options.

Setting Description

Scan on Scan Job Update Causes previously scanned files to be rescanned when accessed following a scan job update. This setting is disabled by default.

Note: When Scan on Scan Job Update is selected, the Mailbox server may experience increased virus scanning, which may affect server performance.

Enable Background Scan if 'Scan on Scan Job Initiates a Background Scan every time a scan Update' Enabled job setting is updated if the General Option setting Scan on Scan Job Update is enabled.

Scan on Scanner Update Causes previously scanned files to be rescanned when accessed following a scanner update. This setting applies to messages stored on a Mailbox server or a Public Folder server. This setting provides heightened security protection to rescan messages that have already been scanned. Messages will be rescanned the first time that a mailbox server “On-Access” event occurs and during every “On-Access” event after the initial one, if new virus signatures have been received since the last time the message was scanned. This setting is disabled by default.

Note: When Scan on Scanner Update is selected, the Mailbox server may Setting Description

experience increased virus scanning, which may impact server performance.

Note: Messages retrieved by Outlook 2003 or by Outlook 2007 clients running in cache mode generate an “On-Access” event only when they are originally synchronized to the client and will not be rescanned on the server when the messages are accessed on the local client and retrieved from the cache. To rescan these already retrieved messages, use the General Option setting Enable Background Scan if ‘Scan on Scanner Update’ Enabled. If a background scan detects a virus in a message and cleans or purges the message, then the next time the Outlook client resynchronizes with the server, the already-retrieved infected message will be cleaned or purged.

Enable Background Scan if 'Scan on Scanner Initiates a Background Scan every time a scan Update' Enabled engine is updated if the General Option setting Scan on Scanner Update is enabled.

Exchange 2003 UCE Settings These settings are visible in the General Options pane for all installations, but will not configure the Exchange settings unless the Antigen Spam Manager is enabled. The UCE settings are Exchange 2003 functions that help combat spam e-mail by tagging potential spam and diverting suspect messages into a Junk folder instead of a user’s inbox.

Setting Description

Enable SCL Rating Specifies whether the user wants to use the Exchange 2003 features to specify Spam Confidence Level (SCL) ratings in a message. If this option is checked, Antigen will set an SCL rating based on the results of filtering operations performed by the Spam Manager. Administrators must configure the Action Identify: Tag Message Setting Description

to Set SCL property for ratings to be appended to messages. For more information, see Chapter 17 - Antigen Spam Manager overview.

Skip Content Filtering for Authenticated Specifies whether to use the Authenticated Connections Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering will still be performed even if this is enabled.

Skip Content Filtering for Safe Connections Specifies whether to use the Safe Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering will still be performed even if this is enabled.

Central Management Central management of Antigen is handled through the Microsoft Antigen Enterprise Manager (AEM). The AEM enables administrators to:  Install or uninstall Antigen on local and remote servers.  Update all or individual scan engines on local and remote servers.  Run a manual scan on multiple servers simultaneously.  Check Antigen, scan engine, and virus definition versions on multiple servers.  Deploy Antigen template files.  Retrieve virus logs from multiple servers.  Retrieve quarantined files.  Retrieve the ProgramLog.txt file from single or multiple servers.  Retrieve virus incident information.  Deploy General Options settings.  Deploy Filter List templates.  Generate HTML reports.  Send outbreak alerts. For detailed instructions on using these features, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. Chapter 5 - Using multiple scan engines

Antigen provides you with the ability to implement multiple scan engines for detecting and cleaning viruses. Multiple engines provide extra security by enabling you to draw on the expertise of various virus labs to keep your environments virus-free. A virus can slip by one engine, but it is unlikely to get past three. Multiple engines also allow for a variety of scanning methods. Antigen integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor’s Web site. Links are provided at Microsoft Help and Support. All the scan engines that Antigen integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin. Multiple engines are easy to configure. You can select only the engines that you would like to use for a scan job, and then indicate the bias setting. These two settings (both on the Antivirus Settings work pane) enable Antigen’s Multiple Engine Manager (MEM) to properly control the selected engines during the scan job. MEM uses the engine results to determine the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, the MEM returns a result greater than 0. Antigen then considers the item infected and has the MEM deal with it accordingly (for more information, see Cleaning infected files).

About engine rankings MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information enables the MEM to weight each engine so that better-performing engines will be used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up to date and best-performing engines have more influence in the scanning process. If two or more engines are equally ranked, Antigen invokes them by cycling through various engine order permutations.

Setting the bias The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance. Thus, at one extreme is the number of engines to use for maximum certainty. The other extreme is the number of engines that will allow maximum performance. In between is the number of engines that permit balanced (called neutral) performance. After you make your scan engine configurations and bias configurations, it is recommended that you reevaluate the server performance and then make any necessary adjustments. These adjustments may involve increasing or decreasing the number of scan engines, or changing the bias setting based on the needs of your organization. For best performance, it is recommended that you use no more than five engines per scan job. You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your Gateway server to maximize its system performance. Then, you can use several engines on your mailbox servers.

The bias setting applies only to virus scanning. It is not used in file filtering.

About bias settings There are several possible bias settings. Each scan (other than one with a bias setting of Maximum Certainty) independently selects which engines to use:

Bias Setting Description

Maximum Performance Scans each message with only one of the selected engines. This provides the fastest performance, but the least security.

Favor Performance Fluctuates between virus scanning with one of the selected engines and half of the engines.

Neutral Scans each message with at least half of the selected engines. This setting balances security and performance. Neutral is the default value.

Favor Certainty Fluctuates between virus scanning with half of the selected engines and all of them.

Maximum Certainty Scans each message with all of the selected engines. This gives the slowest performance, but the greatest security. If an engine is not available because it is being updated, messages are queued until the engine is once again ready to scan them.

Assuming that you select five engines, the following table shows how each of the bias settings uses the engines in virus scanning:

Bias Mode Description

Maximum Performance Each item is virus-scanned by only one of the Bias Mode Description

selected engines.

Favor Performance Fluctuates between virus scanning each item with one engine and with three engines.

Neutral Each item is virus-scanned by at least three engines.

Favor Certainty Fluctuates between virus scanning each item with three and five engines.

Maximum Certainty Each item is virus-scanned by all five of the selected engines.

Configuring the Bias The bias is set on the Antivirus Settings work pane. Select Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears on the right. To configure the bias, select a scan job at the top of the work pane. Then, set its bias by using the Bias field in the lower part of the work pane. The values are those discussed in About bias settings. To find out more about the other fields on the Antivirus Settings work pane, see any of the scan job chapters. Remember to Save your choices.

Cleaning infected files The first engine that detects an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detect the infection fail to clean it, the item is deleted.

Chapter 6 - Configuring Manual Scan Jobs

Antigen enables you to customize the Manual Scan Job for the purpose of scanning mailboxes that are not covered by the Realtime Scan Job or that contain messages that predate the installation of Antigen. The Manual Scan Job is also useful for scanning with a third-party engine that is different from the engines being used by the Realtime Scan Job. It is recommended that you conduct a full manual scan after installing Antigen for the first time. The Manual Scan Job can be configured to scan message bodies, as well as attachments. The ability to scan message bodies is disabled by default on installation, but can be enabled by checking the box for Manual Body Scanning in the General Options work pane. Message body scanning increases the time that is required to perform a manual scan of a server. Configuring the Manual Scan Job When configuring the Manual Scan Job settings, select the mailboxes and public folders to be protected, and optionally specify Deletion Text.

To configure the Manual Scan Job 1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right. 2. Click Manual Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs. 3. In the Scan portion of the Scan Job Settings work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders. 4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This deletion text box is used by Antigen for Exchange when the contents of an infected file are being replaced during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note: Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros. 5. Click Save.

About mailboxes and public folders Antigen offers flexibility in choosing what mailboxes, public folders, and items to scan in any specified scan job. You can configure the scan job to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Mailboxes and public folders with names that are made up entirely of back slashes (\) will not be scanned if Antigen is configured for Selected scanning. If Antigen is set to scan all mailboxes and public folders, mailboxes and public folders that use back slashes or other special characters will be scanned. In the Scan portion of the work pane, mailboxes and public folders each have three selection options:

Option Description

All Scan all existing and newly created mailboxes or public folders. Option Description

None Do not scan any mailboxes or public folders.

Selected Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to change to the listing of mailboxes or public folders on the server. You can choose each mailbox or public folder to be scanned by clicking on the name. You can also use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.

Note: Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders that are added after making this selection will not automatically be included. To return to the main scan selection window, click the arrow in the upper-right corner of the selection window.

Configuring the antivirus scanners and job action After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings 1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right. 2. Select the Manual Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane. 3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the Manual Scan Job. 4. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines. 5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:  Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions will cause the item to be deleted.  Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.  Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain, by default, a message saying that the attachment was removed because it was found to be infected with a particular virus. 6. Enable or disable e-mail notifications by using the Send Notifications box. By default, the Send Notifications box is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). 7. Enable or disable the saving of attachments detected by the file-scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable. 8. Click Save.

Running the Manual Scan Job After the scan job and the antivirus settings have been properly configured, you can run the Manual Scan Job.

To run the Manual Scan Job 1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right. 2. Select the Manual Scan Job. 3. The Manual Scan Job can perform any combination of virus scanning, file filtering, or content filtering. Select or clear the following options: Virus Scanning, File Filtering, or Content Filtering. Any change to these settings is performed immediately, even if the job is currently running. 4. Select the Send Summary Notification check box if you would like a notification sent to the virus administrator when the scan job is complete. 5. The State for the scan job should be Stopped. Click the Start button to start the scan job. Checking results and status The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when it is no longer needed by using the Clear Log button. This does not affect the Virus Incidents log, which stores global viruses or filtered results that include every job on a particular server. A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion. Use the Export button to save the results in formatted text or delimited text formats. At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported. Antigen sends an e-mail message to the designated Virus Administrators after the completion of a manual scan if the Send Summary Notification box on the Manual Scan work pane is checked. This e-mail message includes:  Total Mailboxes Scanned  Total Physical Attachments Scanned  Total Physical Attachments Detected  Total Physical Attachments Cleaned  Total Physical Attachments Deleted  Total Logical Attachments Scanned  Total Logical Attachments Detected  Total Logical Attachments Cleaned  Total Logical Attachments Deleted

Scheduling the Manual Scan Job To schedule a Manual Scan Job, click OPERATE in the left navigation shuttle, and then click the Schedule Job icon. The Schedule Job work pane appears on the right. The top portion of the Schedule Job work pane shows the Manual Scan Job and indicates whether it is enabled or disabled. The bottom portion of the Schedule Job work pane shows the scheduling information for the Manual Scan Job. To schedule the Manual Scan Job 1. Use the calendar option to set the Date when the Manual Scan Job will activate. The red circle indicates today's date. 2. Set the run time by using the Time edit field to the right of the calendar. 3. Set the Frequency of the scheduled Manual Scan Job to control whether the job will run only once, daily, weekly, or monthly. 4. If the job is disabled, click Enable to enable it and save your changes. If the job is already enabled, just click Save.

Note: The Schedule Job work pane displays the status of the Manual Scan Job. You can also verify that the scheduled job is enabled by opening a Windows® command window and typing AT. When a scheduled job is enabled, it will appear in the AT list until it is run or disabled.

Performing a quick scan There are times when you may want to perform a scan of a single mailbox or another one-time virus scanning job. Quick Scan enables you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in one work pane. Quick Scan initially uses the default configuration (all mailboxes and public folders, the scan engines selected during installation, a bias of Neutral, an action of Skip: detect only, no notifications, and quarantining). You can make changes to any of these settings and Antigen will preserve them for the next time that you run a Quick Scan.

To perform a quick scan 1. Click OPERATE in the left navigation shuttle and then click the Quick Scan icon. The Quick Scan work pane appears. Your last Quick Scan configuration is displayed. 2. To run the Quick Scan with the same configuration, click Start. Otherwise, make changes as necessary. a. In the Scan portion of the Quick Scan work pane, select the mailboxes and public folders to be protected. For more information about the choices, see About mailboxes and public folders. b. Select the File Scanners from the list of available third-party scanners. c. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines. d. Select the Action that you want Antigen for Exchange to perform when a virus is detected. The choices are: Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted. Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text. Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the following string: "Antigen for Exchange found a virus and deleted this file.” e. Enable or disable e-mail notifications by using the Send Notifications box. By default, it is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). f. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable. g. Click Start.

Checking results and status At the bottom of the screen, the status of the Quick Scan job and the mailbox, folder, or file currently being scanned are reported.

Scanning files by type By default, Antigen is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Antigen can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Antigen performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Antigen to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)

Chapter 7 - Configuring Realtime Scan Jobs

The Antigen Realtime Scan Job runs on the Microsoft® Exchange Server to provide immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders that reside on the server. This method of scanning e-mail messages in real time is the most effective method for stopping the spread of infectious file attachments. The Realtime Scan Job can be configured to scan message bodies, as well as attachments. This feature is disabled by default on installation, but can be enabled by selecting the box for Body Scanning - Realtime in the General Options work pane. Message body scanning will increase the time required to scan messages.

About multiple Realtime processes During installation, two Realtime Scan Jobs (processes) are created for each storage group (Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003) or private/public store (Microsoft Exchange Server 5.5). Administrators can create additional Realtime Scan Jobs for each storage group or private/public store by changing the value of the General Options setting, Realtime Process Count, to represent the number of Antigen Realtime processes that you want running per Storage Group or on the public/private stores. The maximum is four. When you run multiple Realtime processes, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file is scanned by the third process. Whenever possible, Antigen delivers files to the first process, if it is available. Multiple processes will increase the load on the server at startup when they are being loaded and whenever they are called on to scan a file. More than two Realtime processes should not be necessary except in high-volume environments that need the additional redundancy provided by 3 or 4 processes. As a general rule, it is recommended to enable only two Realtime Processes per processor on each server.

Configuring the Realtime Scan Job When configuring the Realtime Scan Job settings, select the mailboxes and public folders to be protected and optionally specify Deletion Text.

To configure the Realtime Scan Job 1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right. 2. Click Realtime Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs. 3. In the Scan portion of the Scan Job Settings work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders. 4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This deletion text box is used by Microsoft Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note: Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros. 5. Click Save.

About mailboxes and public folders Antigen offers flexibility in choosing which mailboxes, public folders, and items to scan with the Realtime Scan Job. You can configure the scan job to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Mailboxes and public folders with names that are composed entirely of back slashes (\) will not be scanned if Antigen is configured for Selected scanning. If Antigen is set to scan all mailboxes or public folders, mailboxes or public folders that use back slashes or other special characters will be scanned. In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:

Option Description

All Configures the scan job to include all existing and newly created mailboxes or public folders.

None Do not scan any mailboxes or public folders.

Selected Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options become active. Click this icon to change to the listing of mailboxes or public folders on the server. You can choose each mailbox or public folder to be scanned by clicking on the name. You can also use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.

Note: Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes Option Description

or public folders added after making this selection will not automatically be included. To return to the main scan selection pane, click the arrow in the upper-right corner of the mailbox or public folder selection pane.

Configuring the antivirus scanners and job action After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings 1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right. 2. Select the Realtime Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane. 3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the Realtime Scan Job. 4. Select the bias to control how many engines should be used to provide an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines. 5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:  Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.  Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text  Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the following string: "Antigen for Exchange found virus and deleted this file.” 6. Enable or disable e-mail notifications by using the Send Notifications box. By default, it is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). 7. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, allowing you to recover them. However, worm-purged messages are not recoverable. 8. Click Save.

Controlling the Realtime Scan Job After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the Realtime Scan Job.

To control the Realtime Scan Job 1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears to the right. 2. Select the Realtime Scan Job. 3. If the State for the scan job is not set to Enabled, click the Enable button to enable the scan job. 4. The Realtime Scan Job can perform any combination of virus scanning, file filtering, or content filtering. Select or clear the following options: Virus Scanning, File Filtering, or Content Filtering. Any change to these settings is performed immediately, even if the job is currently running.

Checking results and status The lower half of the Run Job work pane shows the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log, which stores global viruses or filtered results that include every job on a particular server. A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion. Use the Export button to save the results in formatted text or delimited text format. At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported. About Realtime Scan recovery In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a file (default is 5 minutes or 300,000 milliseconds), the process is terminated and Antigen attempts to restart the service. If successful, real-time scanning resumes and a notification is sent to the administrator stating that the Realtime Scan Job exceeded the allotted scan time and was recovered. When the new Realtime scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Realtime Scan Timeout Action. For example, if it is set to Delete, Antigen deletes the file, replaces its contents with the Deletion Text for the Realtime Scan Job, logs the information, and quarantines and archives the file. (For more information on General Options, see Chapter 4 - Using the Antigen Administrator.) If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job stopped. In this event, real-time scanning for the particular storage group does not function, but the information store will not stop. The default time-out for message scanning can be modified by creating the DWORD registry value RealtimeTimeout and setting a new time-out. The value is in milliseconds. If you continue to have time-out problems, you can try increasing the time specified in the RealtimeTimeout registry value. Because this is a hidden registry value, you must create a new DWORD registry value called RealtimeTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Antigen services for the change to take effect. For more information about registry values, see Appendix B - Setting registry values.

Chapter 8 - Configuring SMTP Scan Jobs

The Antigen SMTP Scan Job (also known as the Internet Scan Job) runs on a Microsoft® Exchange Server that is running an SMTP stack for Microsoft Server Exchange 2000 or Microsoft Exchange Server 2003. It can scan, in real time, all MIME and uuencode-based e-mail that is inbound or outbound via the SMTP stack of an Exchange site or organization. The SMTP scanner scans for viruses in attachments and for embedded and HTML viruses in the message body. Antigen scans mail on all SMTP virtual servers when the SMTP Scan Job is enabled (it is enabled by default). If you do not want Antigen to scan all enabled SMTP virtual servers, you can create a string registry value named DisableSMTPVS. When the registry value is created, you must populate it with a comma delimited list of numbers 1 through 10 representing the virtual servers that you would like Antigen to skip during scanning. Example: If you have four virtual servers and want to scan only on Virtual Server 1 (VS1) and VS3, the string value would be: 2,4 (Do not use any spaces in the string.) Do not place anything other than the numbers 1 through 10 in the string or it will cause unpredictable results. The SMTP service must be recycled for the registry changes to take effect.

When running Microsoft Exchange 2000 Server pre-SP3, outgoing messages may not be scanned because outgoing messages waiting to be scanned are not blocked from being accessed by transports such as X.400, SMTP, and the Lotus Notes Connector. This is a known limitation of the Microsoft VSAPI2 in pre-SP3 builds.

About multiple Internet processes Two Internet Scan Jobs (processes) are created during installation, but administrators can create additional Internet Scan Jobs by changing the value of the General Option setting Internet Process Count to represent the number of Antigen Internet Scan Jobs that they want running on the SMTP stack. The maximum is 10. When you run multiple Internet processes, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file will be scanned by the third process. Whenever possible, Antigen delivers files to the first process, if it is available. Multiple processes increase the load on the server at startup when they are being loaded and whenever they are called upon to scan a file. More than two Internet processes should not be necessary, except in high-volume environments that need the additional redundancy provided by three or four processes. As a general rule, it is recommended to enable only two Internet processes per processor on each server.

Configuring the SMTP Scan Job When configuring the SMTP Scan Job settings, select the SMTP messages (Inbound, Outbound, or Internal) and optional features, such as Deletion Text and Tag Text.

To configure the SMTP Scan Job 1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right. 2. Click SMTP Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs. 3. Select the type of message that you would like to scan: Inbound, Outbound, or Internal messages.  Selecting the Inbound check box configures Antigen to scan all e-mail messages entering the Internet Mail Service or the Internet Mail Connector (IMS or IMC). Messages are designated as inbound if the message originated from. or was relayed through, an external server. If the Exchange servers within that site or organization are not running Antigen, this is an effective way to protect them from infected e-mail messages coming from the Internet.  Selecting the Outbound check box configures Antigen to scan all outgoing e- mail that leaves your Exchange site or Exchange organization via the IMS/IMC. Messages are designated as Outbound if at least one recipient has an external address.  Selecting the Internal check box configures Antigen to scan all e-mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain. 4. Optionally, if you are installing both Microsoft Antigen for Exchange and the Microsoft Antigen Spam Manager on a server running Exchange Server 2003, you can set the Store Action Threshold. The Store Action Threshold designates when Exchange 2003 will divert a suspected spam e-mail message to a Junk Mail folder based on the spam confidence level (SCL) rating of the message. For this feature to function properly, administrators must use the Identify: Tag Message Action to configure the Antigen Spam Manager to include the SCL rating. (For more information, see Chapter 17 - Antigen Spam Manager overview.) By default, the Store Action Threshold is set to 8 so that any message with an SCL rating higher than 8 will be diverted to the Junk Mail folder. When Antigen identifies a message as spam, it sets the SCL rating to 9. 5. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This box is used by Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note: Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros. 6. Optionally, if the Advanced Spam Manager is installed, you can specify Tag Text. When you click the Tag Text button, a text box appears. This text is used by Antigen for Exchange to tag the subject line or MIME header of a message when the Action for a filter is set to Identify: Tag Message. (For more information about this Action, see Chapter 17 - Antigen Spam Manager overview.) A custom message can be used by modifying this text box. 7. Optionally, if you would like to append a disclaimer to all outbound messages, select the Add Outbound Disclaimer check box. Fore more information about this feature, see Adding outbound disclaimers. 8. Click Save.

Adding outbound disclaimers The Add Disclaimer feature of Antigen enables administrators to append a disclaimer to outbound messages flowing through the SMTP stack. If the Add Outbound Disclaimer button is selected during configuration of the SMTP Scan Job, the Disclaimer Text button is enabled. Click the Disclaimer Text button to display a text input dialog box. The default disclaimer text appears. You may customize the disclaimer text by entering the message you would like to include in all outgoing messages. When enabled, the disclaimer text will be appended to the message body of all outbound messages. The disclaimer text can also be entered by using HTML tags to format the text. For example, you can create a disclaimer such as: “

Antigen supports multiple SMTP disclaimers for outgoing e-mail messages. For more information about this feature, see Appendix F - Using multiple disclaimers.

Configuring the antivirus scanners and job action After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files. To configure antivirus settings 1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right. 2. Select the SMTP Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane. 3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the SMTP Scan Job. 4. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines. 5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:  Skip: detect only – Make no attempt to clean or delete. Viruses are reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.  Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.  Delete: remove infection – Delete the attachment without attempting to clean. The infected file is removed from the attachment and a text file is inserted in its place. By default, the text file contains the following string: "Microsoft Antigen for Exchange removed %File% since it was found to be infected with %Virus% virus." 6. Enable or disable e-mail notifications by using the Send Notifications box. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications. (For more information about configuring notifications, see Chapter 18 - Using e-mail notifications.) Notifications are disabled by default. 7. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, enabling you to recover them. However, worm-purged messages are not recoverable. 8. Click Save.

Controlling the SMTP Scan Job After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the SMTP Scan Job. To control the SMTP Scan Job 1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right. The top portion of the Run Job work pane contains a list of scan jobs. The list shows the current state of each scan job, and whether they are performing scanning or filtering operations. 2. Select the SMTP Scan Job. 3. If the State for the scan job is not set to Enabled, click the Enable button to enable the scan job. 4. Select or clear the check boxes that determine whether you can perform Virus Scanning, File Filtering, Content Filtering, Keyword Filtering, and Mailhost Filtering. If the Antigen Spam Manager is installed, you can also select or clear Spam Scanning. Any change to these settings is performed immediately, even if the scan job is currently running.

Checking results and status The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log. A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion. Use the Export button to save the results in formatted text or delimited text format.

About SMTP Scan recovery If the SMTP Scan Job takes longer than a specified amount of time to scan a message (the default is 5 minutes or 300,000 milliseconds), the process is terminated and Antigen attempts to restart the service. If successful, SMTP scanning resumes and a notification is sent to the administrator stating that the SMTP Scan Job stopped and recovered. When the new Internet scan process starts, the message that caused it to terminate is reprocessed according to the Action set in the General Option setting Internet Scan Timeout Action. For example, if it is set to Delete, Antigen deletes the file, replaces its contents with the Deletion Text for the SMTP Scan Job, logs the information, and quarantines and archives the file. (For more information on General Options, see Chapter 4 - Using the Antigen Administrator.) If the process cannot be restarted, a notification is sent to the administrator stating that the SMTP Scan job stopped. In this event, SMTP scanning will not function and the mail stream will not be scanned. If you continue to have time-out problems, you can try increasing the time specified in the InternetTimeout registry value. Because this is a hidden registry value, you will have to create a new DWORD registry value called InternetTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Antigen services for the change to take effect. For more information on registry values, see Appendix B - Setting registry values.

Scanning nested compressed files Exceedingly nested, compressed files can slow the performance of Antigen and the Exchange server. Multiple nesting is also a known denial of service attack against antivirus products. To minimize the potential impact on server performance and guard against denial of service attacks, the General Option Max Nested Compressed Files is set to 5 by default. This setting enables Antigen to search into five nested, compressed attachments to scan for viruses. Attachments with more than five nestings are marked for deletion. You may change this setting as needed for your environments in the General Options work pane. For more information, see Chapter 4 - Using the Antigen Administrator.

Chapter 9 - Configuring MTA Scan Jobs

Antigen provides the scanning of messages passing through the Exchange Message Transfer Agent (MTA) on Microsoft® Exchange 2000 Server and on Microsoft Exchange Server 2003. This job scans all MTA connectors, such as X.400, MSMail, and cc:Mail. Antigen MTA scanning is enabled by default and can be run on the upgraded bridgehead server to protect the MTA access point for the organization. Note:

When running Exchange Server 2000 pre-SP3, outgoing messages cannot be scanned because outgoing messages waiting to be scanned are not blocked from being accessed by transports such as X.400, SMTP, and the Lotus Notes Connector. This is a known limitation of the Microsoft VSAPI2 in pre-SP3 builds.

Configuring the MTA Scan Job When configuring the MTA Scan Job settings, select the MTA messages (Inbound or Outbound) and optionally specify Deletion Text.

To configure the MTA Scan Job 1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right. 2. Click MTA Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs. 3. Select whether you would like to scan Inbound or Outbound messages.  Selecting the Inbound check box configures Antigen for Exchange to scan all e- mail messages that are handled by the Exchange MTA. Messages are designated as inbound if the message originated from, or was relayed through, an external server. If the Exchange servers within that site or organization are not running Antigen, this is an effective way to protect them from infected e-mail messages coming from the Internet.  Selecting the Outbound check box configures Antigen for Exchange to scan all outgoing messages that are passing through the Exchange MTA. Messages are designated as outbound if at least one recipient has an external address. 4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This box is used by Antigen for Exchange when replacing the contents of an infected file during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

Note: Antigen for Exchange provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros. 5. Click Save.

Configuring the antivirus scanners and job action After you configure the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files. To configure antivirus settings 1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right. 2. Select the MTA Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane. 3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to file filtering and content filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the MTA Scan Job. 4. Select the bias to control how many engines should be used to provide an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines. 5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:  Skip: detect only—Make no attempt to clean or delete. Viruses are reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.  Clean: repair document—Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the deletion text.  Delete: remove infection—Delete the attachment without attempting to clean. The infected file is removed from the attachment and a text file is inserted in its place. The text file contains the following string: "Antigen for Exchange found a virus and deleted this file." 6. Enable or disable e-mail notifications by using the Send Notifications box. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications. (For more information about configuring notifications, see Chapter 18 - Using e-mail notifications.) Notifications are disabled by default. 7. Enable or disable the saving of attachments that are detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable. 8. Click Save.

Scanning nested compressed files Exceedingly nested, compressed files can slow the performance of Antigen and the Exchange server. Multiple nesting is also a known denial-of-service attack against antivirus products. To minimize the potential impact on server performance and guard against denial-of-service attacks, the Antigen registry key MaxNestedCompressedFile is set to 5 by default. This setting enables Antigen to search up to five nested, compressed attachments to scan for viruses. Attachments with more than five nestings are marked for deletion. You can change this setting as needed for your environments in the General Options work pane. For more information, see Chapter 4 - Using the Antigen Administrator.

By default, entries into the registry are hexadecimal values. This is not noticed until you enter a value that is greater than 9. If you are entering a value greater then 9, you must change the option from hexadecimal to decimal.

Controlling the MTA Scan Job After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the MTA Scan Job.

To control the MTA Scan Job 1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right. The top portion of the Run Job work pane contains a list of scan jobs. The list shows the current state of each scan job, and whether it is performing scanning or filtering operations. 2. Select the MTA Scan Job. 3. If the State for the scan job is not set to Enabled, click Enable to enable the scan job. 4. Select or clear the check boxes that determine whether you can perform Virus Scanning, File Filtering, and Content Filtering. Any change to these settings is performed immediately, even if the scan job is currently running.

Checking results and status The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log. A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion. Use the Export button to save the results in formatted text or delimited text format.

Chapter 10 - Performing background and on- access scans

Microsoft® Exchange Server VSAPI 2 and 2.5 provide the ability to perform background scanning of all files in the information store and on-access scanning of files as they are accessed. These features enhance the functionality of Antigen by ensuring that files are scanned by using the latest engine updates and scanning configuration.

On-access scanning On-access scanning ensures that all files being accessed will be scanned if the configuration of the antivirus software has changed since the file was originally stored.

Configuring on-access scanning On-access scanning is controlled by the following General Option settings:

Setting Description

Scan on Scan Job Update Causes previously scanned files to be rescanned when accessed following a scan job update.

Scan on Scanner Update Causes previously scanned files to be rescanned when accessed following a scanner update.

When these options are enabled, the Mailbox server may experience increased virus scanning, which can impact system performance.

Background scanning Background scanning is intended to ensure that all files are scanned using the latest updates and configurations. Background Scanning can initiate a scan of the entire information store when any change is made to the Realtime Scan Job and saved, when the Exchange Services are recycled, or when a new Storage Group is mounted. A Background Scan can also be initiated after scan engine updates if desired. Background Scanning is disabled by default since Background Scanning of large information stores can place a heavy load on the server. The Background Scan Job uses the same configuration settings as the Realtime Scan Job for respective Storage Groups.

To enable background scanning 1. Open the General Options work pane and select one or both of the following options: Enable Background Scan if ’Scan On Scan Job Update’ Enabled: When this setting is enabled, Antigen will initiate a Background Scan every time a scan job setting is updated. Enable Background Scan if ’Scan On Scanner Update’ Enabled: When this setting is enabled, Antigen will initiate a Background Scan every time a scanner setting is updated. 2. Enable the Realtime Scan Job for the Storage Groups that you want to have scanned by the Background Scanner. For more information, see Chapter 7 - Configuring Realtime Scan Jobs. 3. Enable the On-Access Scanning General Options Scan on Scan Job Update and Scan on Scanner Update.

To schedule a Background Scan Job 1. Click OPERATE in the left navigation shuttle, and then click the Schedule Job icon. The Schedule Job work pane appears on the right. 2. Select the VSAPI Background Scan Job at the top of the Schedule Job work pane. 3. Use the calendar in the Date section to set the date when the Background Scan Job will activate. The red circle indicates today's date. The date you set is highlighted in blue. 4. Set the run time using the Time edit field to the right of the calendar. 5. Indicate the Frequency of the scheduled job: run it Daily, Weekly, Monthly, or only Once (the default). 6. If the job is disabled, click Enable to enable it. 7. Click Save.

Reporting incidents Incidents detected by background scanning and on-access scanning are reported in the Realtime column in the Incidents work pane of the REPORT shuttle.

Chapter 11 - Using templates

When Antigen for Exchange is installed, it creates default templates for the various scan jobs, scan engines, and notifications. The scan jobs are configured to use the values in the default templates. Administrators can also create templates for file filter and content filter settings and additional scan job templates, as needed. (These are called named templates.) Templates are useful for controlling the configuration of Antigen on multiple servers from a central location, controlling the configuration of scan jobs and other functions at installation, and defining configuration settings for newly mounted storage groups. The Template.adb file contains the following default templates:  An Internet Scan Job template, a Realtime Scan Job template, a Manual Scan Job template, and an MTA Scan Job template.  Notification templates for each of the default notifications.  Scanner update templates for each scan engine that is installed on the current system. To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates. To view templates in the Antigen Administrator, click File, click Templates, and then click View Templates. This will cause the default and named templates to be displayed in the various work panes.

The settings for all the scan jobs are contained in the file Scanjobs.adb. If this file is not present when the Antigen Service starts, a new one is created based on the values in the Template.adb file. If the Template.adb file does not exist, a new one is created based on the values in the Scanjobs.adb file. If they both do not exist, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.

Template uses Templates are used for the following purposes:  Controlling configuration settings of all Antigen servers from a single location - After a Template.adb file is created, Microsoft® Antigen Enterprise Manager (AEM) can be used to copy and activate the template settings on multiple Antigen servers throughout an organization. Templates can be deployed simultaneously to multiple Antigen servers, and the settings can be applied to currently running scan jobs without the need to stop or restart any services. (For more information about using the AEM to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.)  Controlling the configuration for scan jobs during remote installations - Use templates to configure your remote servers at the time Antigen is installed.  Defining scan job settings for newly mounted storage groups - In Microsoft Exchange Server 2003, storage groups can be added to the system dynamically while both Exchange and Antigen are running. Antigen detects when a new or previously used storage group is mounted. If the storage group is new, Antigen needs to create a Realtime Scan Job and a Manual Scan Job to protect that storage group. The settings that are used for each of these scan jobs are read from their associated templates found in Template.adb. This feature enables an administrator to create default rules that will protect new storage groups as they are added to the system.

Creating a named template To use named templates, you must create them and associate them with scan jobs.

To create a named template 1. Click File, click Templates, and then click New. The New Template dialog box appears. 2. Select the Type of template you would like to create (Internet, Realtime, Manual, MTA, or Filter Set). For more information about filter set templates, see "Using filter set templates" in Chapter 13 - Using content filtering. For more information about the different types, see Using named templates. 3. Give the template a Name, and then click OK. The new template is created and then becomes a choice in the Job List in the top pane, and a choice in the Template list in the bottom pane of the Template Settings work pane. 4. Select your new template in the Job List. If the templates are not visible, you can display them by clicking File, selecting Templates, and then clicking View Templates.

Note: If you have many templates, you may want to hide them to simplify the display. 5. Click the appropriate work pane to configure the template. For example, if you have created an SMTP template, select Antivirus in the SETTINGS area of the Shuttle Navigator, and then configure the template as you would an SMTP Scan Job. Click Save when you are done. 6. For a scan job to use a template, the template must be associated with that scan job. a. Select Templates in the SETTINGS area of the Shuttle Navigator. b. Select the scan job in the list in the top pane with which to associate with the template you have just created. For example, select SMTP Scan Job. c. In the lower work pane, select the desired template from the Template list. d. Click Load From Template. e. Click Save. The selected scan job’s settings will be reconfigured to those in the selected template.

The new template can be distributed to remote servers by using the Antigen Enterprise Manager (AEM). For more information about using the AEM to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. Renaming or deleting a named template You can rename or delete a named template. You cannot rename or delete a default template.

To rename or delete a named template 1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates. 2. Select the template in the Job List. 3. Click File. 4. Select Templates. 5. Select Rename or Delete. If you choose Delete, you will be asked to confirm your choice.

Modifying templates You may want to make changes to a default template or a named template.

To modify a template 1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates. 2. Select a work pane with the template to be modified (for example, Scan Job on the SETTINGS shuttle). 3. Select the template to be modified in the Job List. 4. Configure the template as desired, using the various work panes, clicking Save on each.

If you make changes directly to a specific scan job (for example, the. SMTP Scan Job), the templates associated with that scan job are not changed. It is important to remember that any custom filter updates must be made to the template to keep your settings in a consistent location. This is necessary in case you need to deploy the same template settings to another server.

Modifying default file scanner update templates You may change the primary and secondary update path, change the updating schedule, and enable or disable automatic updates by using the scanner update templates.

To configure default file scanner update templates 1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates. 2. Select Scanner Updates from the SETTINGS shuttle. The Scanner Update Settings work pane appears. 3. Select the file scanner template that you want to update from the Job List. There should be one template for every installed engine. 4. Change the primary and secondary Network Update Path, as desired. 5. Change the date, time, frequency, and repeat interval if desired. Enable or disable updating as needed. 6. Click Save.

New templates can be deployed locally by using the AntigenStarter (for more information, see Deploying named templates) or to remote servers by using the Antigen Enterprise Manager (AEM). For more information about using the AEM to deploy templates, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. If you are using the Antigen Enterprise Manager to update Antigen’s scan engines, you should disable scheduled updates in Antigen.

Modifying notification templates Default notification templates can be used to deploy notification settings to remote servers.

To configure notification templates 1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates. 2. Select Notification in the REPORT area of the Shuttle Navigator. 3. Select the notification template you would like to modify from the Job List. 4. Edit the template in the lower work pane or use the Enable and Disable buttons to change the state of the template. 5. Click Save.

You cannot create new notification templates. You must modify the default notification template to update notification settings.

Using named templates Named templates can be used to create and manage multiple configurations in an Exchange environment. If you run different configurations on the servers in your environment, we recommend configuring each server to use a named template as the default for its configuration settings. Named templates are created as described in Creating a named template. At the time of installation or upgrade, you can configure all of the named templates that you will need for your environment. For example, if you have twenty servers divided into four groups of five, you can create named templates for each server group. These templates will contain all of the configuration information for scan jobs, filtering, notifications, and scanner update paths. Each template will have the name of the group: SMTPTemplate1 SMTPTemplate2 SMTPTemplate3 SMTPTemplate4 These names are similar for each scan job and filter set template.

Deploying templates during a remote installation To have the template.adb file distributed to all servers during a remote installation or upgrade, you must run the self-extracting file used to run the installation. You will be prompted for the path where the extracted files will be placed. Copy the template.adb file to the directory containing the extracted files. Finally, execute the setup.exe file that was extracted to that directory. (For more information about remote installations, see “Manage Jobs” in the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. When you enter the location of the Setup.exe file for the deployment job in the Enterprise Manager, specify the directory containing the extracted file.) The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise, the default template is used. You can use the Antigen Administrator to connect to the computer and make the association. (For more information, see “Connecting to a remote server” in Chapter 4 - Using the Antigen Administrator.) After you are connected to the remote server, you can associate the template with the appropriate scan job by following the steps in Creating a named template. After you have associated a named template with a scan job, the assigned template will continue to be used when there are configuration changes. It is not necessary to reassociate the scan job unless you want to switch the template that is being used.

Deploying named templates Named templates can be deployed locally by using AntigenStarter or to remote servers by using the Microsoft Antigen Enterprise Manager (AEM). Individual templates can be associated with current scan jobs in the Administrator by clicking the Load From Template button. An exception is filter list templates, which must be associated with a scan job using the AntigenStarter. The AntigenStarter can be used to activate any or all templates from a command prompt directly on the server. The AntigenStarter.exe file has the ability to activate template settings on the current server. The t parameter facilitates activating template settings. The syntax of AntigenStarter is: AntigenStarter t[c][f][l][n][p][s] The t parameter instructs AntigenStarter to read all of the settings in the Template.adb file and apply them on the current server. All filter settings, notification settings, and scanner update paths can be updated. You must insert a space between AntigenStarter and the t parameter. However, there is no space between the t parameter and the options. You can also deploy a subset of the filters by using one of the switches listed below. The switches must be used in conjunction with the t parameter. Any combination of the following options causes a subset of the template settings to be applied:

Switch Description c Update the content filter settings for each scan job. f Update the file filter settings for each scan job. The file filter settings of each scan job on the server are updated with the file filter settings found in the associated template type. For example, the file filter settings for all SMTP Scan Jobs are updated with the file filter settings found in the SMTP Scan Job template. l Update the filter lists for each scan job. n Update the notification settings with the data in the associated templates. p Update the file scanner update path, proxy server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file scanner is updated from the file scanner template that matches the vendor of the file scanner. s Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all SMTP Scan Jobs are updated with the settings found in the SMTP Scan Job template. This includes all filters.

Multiple switches should be listed without punctuation or spacing. For example: tsfn Deploying schedule job templates When deploying the default schedule job template, the Background Scan Job and all Manual Scan Jobs that are set to use the default template will be updated. This will cause all Manual Scan Jobs and the background scan to begin at the same time and could degrade server performance. To avoid this problem, use named templates for each Manual Scan Job so that you can schedule each Manual Scan Job independently of the background scan.

Chapter 12 - Using file filtering

The Antigen file filter feature gives you the ability to search for attachments with a specific name, type, and size within an e-mail message. If it finds a match, the file filter can be configured to perform actions on the attachment, such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means for detecting file attachments within e-mail messages and other Microsoft® Office Outlook® items, including Tasks and Schedules (such as meetings and appointments).

Mechanics of file filtering File filtering can be configured to assess several aspects of an attached file: the file name and extension, the actual file type, and the file size. By using these criteria, you can filter files in a variety of ways.

Filtering by file type If you want to filter certain file types, you can create the filter * and set the File Types selection to the exact file type that you want to filter. For example, you can create the filter * and set the File Types to MP3. This will ensure that all MP3 files are filtered, regardless of their file name or extension. One advantage of setting a generic * filter and associating it with a certain file type (for example, EXEFILE) is that this prevents users from bypassing the filter simply by changing the extension of a file.

Notes:

If you want to filter Microsoft Office Excel® files, you must enter *.xls or * in the File Names box, and then select both WINEXCEL1 and DOCFILE in the File Types list. Excel 1.x files are WINEXCEL1 file types, but newer versions of Excel are DOCFILE file types. For Microsoft Office 2007 documents (Word, Excel, and PowerPoint®), you should use the proper file extension in the File Names box, and then select OPENXML in the File Types list. Filtering by extension If you want to filter any file that has a certain extension, you can create a generic filter for the extension and then set the File Types selection to All Types. Filter matching is not case- sensitive. For example: Create the filter *.exe* and then set the File Types selection to All Types. This will ensure that all files with an .exe extension will be filtered.

Important:

When creating generic file filters to stop all of a certain type of file (for example, .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter.

Filtering by name If you want to filter all files with a certain name, you can create a filter by using the file name and setting the File Types selection to All Types. Filter matching is not case-sensitive. For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This will ensure that any file named payload.doc will be filtered, regardless of the file type. Detecting file attachments by name is also useful when there is a new virus outbreak and the administrator knows the name of the file where the virus resides before the virus scanners are updated to detect it. A perfect example of this is the Melissa worm. The worm resided in a file named List.doc and could have been detected if the administrator had used file filtering before the virus scanners could detect it.

Configuring the file filter You can configure the file filter by file names, file types, or file sizes.

To configure the file filter 1. Click FILTERING in the Shuttle Navigator. 2. Select the File icon. The File Filtering pane appears on the right. 3. In the upper work pane, select the scan job for which you would like to create the file filter. 4. To detect file attachments with a particular file name, add the file name to the File Names section of the work pane by clicking Add, typing the file name that you want to detect, and pressing ENTER. Optionally, you can configure Antigen to filter files based on their size. To detect files by size, when typing the file name, specify a comparison operator (=, >, <, >=, <=) and a file size (in KB, MB, or GB) after the file name. There should be no spaces between the file name and the operator, or between the operator and the file size. Examples: *.bmp>=1.2MB all .bmp files larger than or equal to 1.2 megabytes *.com>150KB all .com files larger than 150 kilobytes *>5GB all files larger than 5 gigabytes

Note: For additional buttons that you can use when configuring file names, see About file names buttons. 5. Specify the list of File Types that can be associated with the selected File Name. You can select one or more File Types from the list, or select All Types located below the list. If the File Type that you want to associate with the selected File Name is not available in the list, then select All Types. (For a description of the file types listed in the selection box, see Appendix E - File types list overview.) The All Types selection configures Antigen to filter based only on the file name and file extension. By selecting All Types, Antigen will be configured to detect the selected file name regardless of the file type. This prevents users from bypassing the filter simply by changing the extension of a file. If you know the file type that you are searching for, Antigen will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, you can create the filter * and then set File Types to EXEFILE. 6. Ensure that the File Filter is set to Enabled. It is enabled by default. 7. Indicate the Action to take if there is a filter match. 8. Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). It is disabled by default. 9. Indicate whether to enable Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable. 10. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.

Note: Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros. 11. Click Save. You can also create a filter list that contains multiple file filters. After you have created the list, the steps for configuring the filter list are the same as in the preceding procedure, except you must select the filter list rather than a filter name.

To create a file filter list 1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator. 2. In the List Types section, select Files. 3. In the List Names section, click Add. 4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section. 5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use the dialog box to add file filters to the list. 6. In the Include In Filter section, click Add. 7. Type the file names to be included in the filter list. Press ENTER when you have finished typing. You can have as many file names as you want, but each must be entered separately The Exclude from Filter field is used to enter file names that should never be included on the relevant list. This prevents these entries from accidentally being added when importing a list from a text file. For more information on importing files, see "Importing new items into a filter list" and "Exporting sender-domains filters, file filters, and subject line filters" in Chapter 13 - Using content filtering. 8. When you are finished adding items, click OK. The file names you just entered appear, alphabetically, in the pane next to List Names. 9. Click Save.

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Action Choose the action that you want Antigen to perform when a file filter is matched.

You must set the action for each file filter that you configure. The Action setting is not global.

Action Description

Skip: Detect Only Records the number of messages that meet the filter criteria, but allows messages to route in the usual way. If, however, Delete Corrupted Action Description

Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions will cause the item to be deleted.

Delete: Remove Contents Deletes the file attachment. The detected file attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the string that was configured by using the Deletion Text button. Delete: Remove Contents is the default value.

Purge: Eliminate Message Deletes the message from your mail system. When you select this option, a warning will appear informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

Notes: If the Quarantine Files box is checked, purged messages will be quarantined and can then be recovered from the quarantine database. When running VSAPI 2.0, the Realtime Scan Job can purge only outbound messages, but the SMTP Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime Scan Job is available when running VSAPI 2.5.

Identify: Tag message The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking Tag Text on the Scan Job Settings work pane and then modifying the text. The same tag, however, will be used for all filters associated with the particular scan job. This action is available only for the SMTP Scan Job. When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 Action Description

server, the Tag message action also enables you to set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

About file names buttons The following buttons below the File Names section let you edit or delete a file name from the list. You can also change the order in which file names are filtered.

Button Description

Edit Enables you to edit an existing file name from the File Names section. Select the file name that you want to edit, and then click Edit. A dialog box appears that enables you to edit the selected file name. After you have completed making the necessary edits, click Save to submit or Cancel to undo.

Delete Enables you to remove a file name from the File Names section. Select the file name that you want to delete, click Delete, and then click Save.

[Up Arrow], [Down Arrow] Enables you to change the order in which file names are filtered. In the lower pane, select the file name that you want to reorder, and then click the UP ARROW or DOWN ARROW buttons (on the same line with File Names) to change the ranking to your preference.

Matching patterns in the file name with wildcard characters Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following characters to refine your filters. Wildcard Description

* Match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage: Single: Any of these single wildcard character patterns would detect veryevil.doc: veryevil.*, very*.doc, very*, *il.doc. Multiple: Any of these multiple wildcard character patterns would detect eicar.com: e*c*r*om, ei*.*, *car.*.

Note: Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.*

? Match any single character in a name where a single character may change. For example: virus?.exe would find virusa.exe, virus1.exe, or virus$.exe. Note This filter would not catch virus.exe.

[set] A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set will be matched. For example: klez[a-h].exe would find kleza.exe through klezh.exe.

[^set] Exclude characters that you know are not used in the file name. For example: klez[^m-z].exe would not find klezm.exe through klezz.exe.

[range] Indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe, but not klezb.exe or klezr.exe.

\char Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The Wildcard Description

backslash is called an escape character, and it indicates that a reserved control character should be taken literally, as a text character. For example: If you enter *hello*, you would typically expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note: You must use a backslash before each special character.

Using directional file filters When you use the file filter in conjunction with the SMTP Scan Job, you can configure a filter so that it checks only inbound or outbound messages. This is accomplished by adding a prefix to the file name when you enter it in the File Names work pane. (For information about the inbound, outbound, and internal designations, see Chapter 8 - Configuring SMTP Scan Jobs.)

There are no spaces between the prefix and the file name. Inbound Filtering—Prefixing the file name with the directive instructs Antigen to apply this filter only to inbound messages. filename Outbound Filtering—Prefixing the file name with the directive instructs Antigen to apply this filter only to outbound messages. filename Inbound, Outbound, and Internal Filtering—If no prefix is appended to the file name, then the filter is applied to all messages, regardless of direction. filename

Filtering container files Container files can be broadly described as complex files that can be broken down into various parts. Antigen can scan the following container files for filter matches:  PKZip (.zip)  GNU Zip (.gzip)  Self-Extracting .zip archives (.exe)  Zip Files (.zip)  Java archive (.jar)  TNEF (Winmail.dat)  Structured storage (for example, .doc, .xls, or .ppt)  Open XML (for example, .docx, .xlsx, or .pptx)  MIME (.eml)  SMIME (.eml)  Uuencode (.uue)  UNIX tape archive (.tar)  RAR archive (.rar)  MACBinary (.bin) Antigen will scan all parts of the container file, and then repack the file as necessary. For example, if you configure a file filter to delete all .exe files, Antigen will delete .exe files inside container files (replacing them with the Deletion Text), but will leave all other files in the container intact.

Antigen cannot scan password-protected files or encrypted files. Although Antigen does not decrypt such files, the files are always passed to the antivirus scanners in their entirety in their encrypted form.

Excluding the contents of a container file from file filtering To exclude the contents of a .zip file (container file) from being scanned for filter matches, specify the name of the .zip file in the file filter list, and then set the action to Skip. The order of the filter in the list is not important. If the name of the .zip file is in the file filter list and its action is set to Skip, file filters are not applied to the contents of the container. The file is, however, scanned for viruses. If you want to skip all .zip files, create the filter: *.zip, and then set the action to Skip. By default, this functionality applies only to .zip and .jar files. If you would like to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and Self-Extracting .zip archives), you can set the following DWORD registry values:

Scan job DWORD registry value

Realtime Scan Job SkipFileFilterWithinCompressedRealtime

Manual Scan Job SkipFileFilterWithinCompressedManual

Internet Scan Job SkipFileFilterWithinCompressedInternet For the location of these registry keys, see Appendix B - Setting registry values. After creating each registry value, the value should be set to 1 to disable file filtering in the specified archive type.

OPENXML files (For example, Office 2007 documents) are ZIP container files, but they are not affected by the ZIP container settings.

Using file filtering to block most file types You can use file filters to block some file types and permit others. The files permitted through in this example are Microsoft Office files. The filters in the example block all file attachments, with the exception of Office documents, for messages entering your organization from the Internet. It takes two file filters for this to work properly.

Be sure to create the file filter that permits Office documents through first, as the filters are applied, in order, from top to bottom.

To create a file filter that permits Office documents through 1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right. 2. Create a new filter by following these steps: a. Click Add. b. Type * as the file name, and then press ENTER. c. Clear All Types in the File Types section, and then click Yes to confirm. d. Select the DOCFILE, OPENXML, and TNEFFILE file types. (TNEFFILE is required because it is the wrapper around file attachments for internal mail.) e. Set the Action parameter to Skip: detect only. f. Clear the Quarantine Files check box. g. Click Save.

To create a file filter that blocks all types of files 1. Click FILTERING in the left navigation shuttle, and then click the File icon. The File Filtering work pane appears on the right. 2. Create a new filter by following these steps: a. Click Add. b. Type * as the file name, and then press ENTER. c. Ensure that All Types is selected in the File Types section. d. Set the action to Block or Purge, as desired. e. Select Quarantine Files. f. Select Send Notifications. g. Click Save.

Notes:

The Skip: detect only action in the first filter will generate an Incident log entry for almost every attachment that is received. If you would like this filter to apply to all e-mail messages and not solely to inbound messages, remove "" from each of the filters.

Using filter set templates Filter set templates can be created for use with any scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs. For information on creating and configuring filter set templates, see “Using filter set templates” in Chapter 13 - Using content filtering.

About international character sets Support for file filtering by name in Antigen extends beyond the English character set. For example, messages with attachments that include Japanese characters, words, or phrases are handled in the same manner as are messages with attachments that have only English character sets.

About statistics logging The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and therefore cause the messages to which they are attached to be purged. These counters can also be found in the Performance Monitor utility.

Chapter 13 - Using content filtering

Content filtering provides another tool to help manage the flow of messages entering and exiting your business's mail stream. Content filtering enables you to filter messages by using a variety of filtering tools. These include:  Sender-domains filtering  Subject line filtering  Filter set templates (simplifies the creation and management of file and content filters on all scan jobs) You can enable inbound or outbound content filtering for the Internet Scan Job by using these registry keys:  DisableOutboundContentFiltering  DisableInboundContentFiltering Both keys are set to 0 (disabled) by default. To enable each key, set its value to 1. After changing these settings, the Microsoft® Exchange Server and Antigen services must be recycled for the changes to take effect. (For more information on Antigen registry settings, see Appendix B - Setting registry values.) If you route e-mail messages through SMTP Gateway servers in your environment and are running Antigen on your Exchange servers, you should enter the IP addresses of your Gateway servers into the SMTP External Hosts setting under General Options to ensure that all mail routed through the Gateway servers is treated as inbound mail rather than internal mail by Antigen and the Antigen Spam Manager. For more information on this setting, see Chapter 4 - Using the Antigen Administrator.

Configuring sender-domains filtering Sender-domains filtering lets you filter messages from particular senders or domains. Wildcard characters can be used to enable filters such as *@domain.com to filter all mail from a certain domain.

Sender-domains filtering applies only to the From field in a message. It cannot be used for the To field.

To configure sender-domains filtering 1. Click FILTERING in the Shuttle Navigator. 2. Select the Content icon. The Content Filtering pane appears on the right. 3. In the upper work pane, select the scan job for which you would like to create a content filter. 4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane. 5. A text box appears. Type the sender or domain that you would like to filter. If you want to use a generic domain name filter, you must use an * (wildcard character) before the domain name. Examples: A generic domain: *@domain.com A specific sender: [email protected] 6. Press ENTER after you have typed the sender or domain. You can add as many entries as you want, but each must be entered separately. 7. Set the Filter field to Enabled. 8. Indicate the Action to take if there is a filter match. 9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (located under REPORT in the Shuttle Navigator) will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). 10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable. 11. Click Save.

Notes: The Realtime Scan Job will look at both the display name and the e-mail address of the sender to match against sender-domains filters. It will apply the filter against the display name of the mailbox first. If the display name and e-mail address are different, Antigen will also apply the filter against the e-mail address. If either matches, the filter action will be taken. If you do not want to filter against e-mail addresses, set the registry value ContentFilterSMTPAddress to zero (0). The SMTP Scan Job will use the display name of the sender to match against sender-domains filters. If there is no display name in the header, the SMTP Scan Job will fall back to use the e-mail address to match against the filter. You can also create a filter list that contains multiple sender-domains. For more information, see Creating content filter lists. You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.

Configuring subject line filtering Subject line filtering lets you filter messages based on the content of the subject line of the message. Wildcard characters can be used.

To configure subject line filtering 1. Click FILTERING in the Shuttle Navigator. 2. Select the Content icon. The Content Filtering pane appears on the right. 3. In the upper work pane, select the scan job for which you would like to create a content filter. 4. Select Subject Lines in the Content Fields pane in the lower-left corner, and then click the Add button in the Content Filters pane. 5. A text box appears. Type in the content that you would like to filter. 6. Press ENTER after you have typed the content. You can add as many entries as you want, but each must be entered separately. 7. Set the Filter field to Enabled. 8. Indicate the Action to take if there is a filter match. 9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane located under REPORT in the Shuttle Navigator will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications). 10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable. 11. Click Save.

Note: You can also create a filter list that contains multiple subject lines. For more information, see Creating content filter lists. If you are entering a partial subject line as a filter, it is recommended that you use asterisk wildcard characters (*) at the beginning and the end of the phrase to ensure proper detection. For example:  The filter “get rich quick” will filter messages that contain only the target phrase in the subject line.  The filter “* get rich quick” will filter messages that contain the target phrase and any phrase that ends with the target phrase in the subject line.  The filter “* get rich quick *” will filter messages that contain the target phrase anywhere in the subject line.

You can use the following syntax to refine your filters:

Syntax Description

* Match any number of characters in a file name. You can use multiple asterisks. Following are some examples of usage: Single: Any of these single wildcard character patterns would detect veryevil: veryevil*, very*, *il Multiple: Any of these multiple wildcard character patterns would detect veryevil: Syntax Description

V*r*v*l, *very*, *evil*

? Match any single character, because many malicious users insert extra characters between letters to spoof filters. For example: You can filter C-O-N-T-E-S-T with the filter: C?O?N?T?E?S?T

[set] A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set will be matched. For example, the set is useful for creating a single rule to match when the number zero (0) is used instead of the letter o. Ozone and oz0ne can be filtered using oz[o0]ne.

[^set] Exclude characters that you know are not used. range Indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp] would match kleza, klezd, kleze, klezf, klezg, and klezp but not klezb or klezr.

\char Indicate that special characters are used literally (characters are: * ? [ ] - ^ < >). The backslash is called an escape character, which indicates that a reserved control character should be taken literally, as a text character. For example: If you enter *hello*, you would usually expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note: You must use a backslash before each special character. Action You will also need to select the action that Antigen should take when it detects a match to your filter criteria.

You must set the action for each file filter you configure. The action setting is not global.

Action Description

Skip: Detect Only Records the number of messages that meet the filter criteria, but allows messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Note: If you are running Microsoft Exchange 2000 Server with VSAPI 2.0, the Realtime scanner can purge only outbound messages, but the SMTP Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime scanner is available when running VSAPI 2.5. If a message that matches a content filter is found in the Inbox (inbound), Antigen will delete any attachments and the message body. If there are no attachments to the message body, Antigen will take no action. In either case, the UI will report the message as Detected.

Identify: Tag message The subject line or message header of the detected message can be tagged with a Action Description

customizable word or phrase. This tag can be modified for each scan job by clicking Tag Text on the Scan Job Settings work pane and modifying the text. The same tag, however, will be used for all filters associated with the particular scan job. When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 server, the Tag Message action also lets you set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

Creating content filter lists You can create a content list that contains multiple content filters (sender-domains or subject lines). After you have created the list, the steps for configuring the filter list are the same as in the preceding procedures, except that you must select the filter list rather than a filter name.

To create a content filter list 1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator. 2. In the List Types section, select Subject Lines or Sender-Domains. 3. In the List Names section, click Add. 4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section. 5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to add items to the list. 6. In the Include In Filter section, click Add. 7. Type the data to be included in the filter list. The type of data that you add depends on the type of filter list that you selected. For Subject Lines, add text that might appear in the subject line of a message. For Sender-Domains, add specific senders or generalized domains. Press ENTER when you have finished typing. You can have as many words or phrases as you want, but each must be entered separately. The Exclude from Filter field is used to enter data that should never be included on the relevant list. This prevents these entries from being accidentally added when importing a list from a text file. For more information on importing files, see Importing new items into a filter list. 8. When you are finished adding items, click OK. The information that you just entered appears, alphabetically, in the pane next to List Names. 9. Click Save.

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Importing new items into a filter list Filter lists can be created offline in Notepad or in a similar text editor, and then imported into the appropriate filter list by using the Antigen Administrator.

To create and import entries into a filter list 1. Create a list and then save it as a text file. Place each filter on its own line in the file. 2. Open the Antigen Administrator and click Filter Lists on the FILTERING area of the Shuttle Navigator. 3. Select the filter list into which you will be importing data. 4. Click the Edit button. The Edit Filter List dialog box appears. 5. Click the Import button. A File Explorer window will open so that you can navigate to the text file that you created in step 1. 6. Select the file and click Open. 7. The file will be imported into the middle pane of the Import List editor so that you can select the entries that you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section, or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section. 8. When you have moved all of the desired items, click OK. 9. Click Save.

Exporting sender-domains filters, file filters, and subject line filters The command line utility ExportLists facilitates the export of sender-domains filters, file filters, and subject line filters. Exported files are saved as text files that can then be imported into Antigen using the import function.

To export files from Antigen 1. From the DOS command prompt, change directories until you are in the Antigen installation folder. 2. Enter: ExportLists [-s ServerName][-o OutputDirectory] and then press ENTER. ServerName is the name of the server from which you are exporting the files, and OutputDirectory is the directory where you would like the exported files saved. If no ServerName is entered, the utility defaults to the current server. Note that the system that this is executed on must have the same username and password as the system from which the lists are retrieved. If no OutputDirectory is entered, that field defaults to the current directory. A file will be created for each scan job and template that contains any file, sender, or subject line entries. The format of the files is as follows: scanjobname-FILES.txt templatename Template-FILES.txt Where scanjobname is the actual scan job name and templatename is the actual template name. 3. Import the text files into Antigen by using the Import function described in Importing new items into a filter list.

Filtering mail from all users in a domain except for specific users This section describes how to configure Antigen to filter mail from all users in a domain except for specific users in that domain.

To filter mail from all users in a domain except for specific users 1. Click FILTERING in the Shuttle Navigator. 2. Select the Content icon. The Content Filtering work pane appears to the right. 3. In the upper work pane, select the scan job for which you would like to create a content filter. 4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane. 5. Type the e-mail address of a specific user whose mail you do not want filtered. For example, type user_name@domain_name.com, and then press ENTER. 6. Set the Action to Skip: detect only.

Note: You can add multiple e-mail addresses, but each one must be entered separately. Repeat steps 5 and 6 if you want to add more e-mail addresses whose mail you do not want filtered. 7. Under Content Filters, click Add. 8. Type the name of the domain that you want filtered. When you type the domain name, include the asterisk (*) wildcard character. For example, type *@domain_name.com.

Note: Make sure that you add the filter for the domain name directly underneath the filter for the specific users whose mail you do not want filtered. Antigen works from the top of the list down. 9. Set the Action to Purge: Eliminate Message. 10. Click Save.

Using directional content filters When you are using the content filter in conjunction with the SMTP Scan Job, you can configure a filter so that it checks only inbound or outbound e-mail. This is accomplished by adding a prefix to the file name when entering it in the Filter Names work pane.

There are no spaces between the prefix and the file name. Inbound Filtering—Prefixing the file name with the directive instructs Antigen to apply the filter only to inbound messages. filename Outbound Filtering—Prefixing the file name with the directive instructs Antigen to apply the filter only to outbound messages. filename Inbound, Outbound, and Internal Filtering—If no prefix is appended to the filename, the filter is applied to all messages, regardless of direction. filename

About international character sets Support for content filtering within Antigen extends beyond the English character set. For example, messages with attachments or subject lines that include Japanese characters, words, or phrases are handled in the same manner as messages with attachments or subject lines that use only English character sets.

About reporting Messages that are filtered because of sender-domains filtering or subject line filtering will be reported in the Virus Incidents log under the Virus or Filter header. Messages filtered because of sender-domains matches will be noted as SENDER=, and subject line matches will be reported as SUBJECT=. For activity and Virus Incidents logs, no file name will be indicated. In the quarantine area, the body and each attachment will be quarantined with the sender-domains or subject line filter indicated. Using filter set templates Filter set templates can be created for use with any Antigen scan job. A single filter set template can be associated with any or all of the scan jobs. You can also create multiple filter set templates for use on different servers or different scan jobs.

Creating a filter set template Start by creating a filter set template.

To create a filter set template 1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates. 2. Click File, select Templates, and then click New. The New Template dialog box appears. 3. Select Filter Set, enter a name for it, and then click OK. Your new filter set template now appears in the list in the top pane, ready to be configured.

Configuring a filter set template After you have created a filter set template, you must configure it.

To configure a filter set template 1. Click File or Content in the FILTERING shuttle. The File Filtering or Content Filtering work pane appears. 2. Select the name of the filter set template to be configured in the upper pane. 3. Using the Add button, add a file filter or a content filter, and then specify the criteria for that filter. You can create multiple filters within a filter set template. A filter set template can contain a combination of file filters and content filters. 4. Click Save.

Associating a filter set template with a scan job After you have created and configured a filter set template, associate it with a scan job. During scanning, Antigen will use the filter set template configuration first, and will then use any other filter setting that you have specified when setting up the scan job.

To associate a filter set template with a scan job 1. Select Templates in the SETTINGS shuttle. 2. Select a scan job in the Job List. 3. Select the filter set template that you want to associate with the job from the Filter Set list in the lower pane. You can associate a single filter set template with a scan job. If you are not sure about the contents of the filter set template, click View Filter Set. Click the left arrow button at the bottom of the pane when you have finished viewing the contents. 4. Click Save. The filter set template is now associated with that scan job. During scanning, Antigen will use the filter set template configuration first, and then will use any other filter settings that you specified when setting up the scan job.

To cancel the association, repeat the preceding steps, and then select None from the Filter Set list (or select a different filter set template).

Editing a filter set template You can modify the settings in a filter set template.

To edit a filter set template 1. Click File or Content in the FILTERING shuttle. The File Filtering or Content Filtering work pane appears. 2. Select the filter set template in the upper pane. 3. Select the filter whose configuration you want to modify in the lower pane. 4. Click Edit, and then make your changes. 5. Click Save.

Note: File filters that you created are displayed in the File Names section and can be modified. Filter set templates are also displayed; however, they cannot be selected for modification in the File Names section. To modify a filter set template, you must select its template in the upper pane. When a filter set template is assigned to a scan job, the contents of the filter set template will not be visible unless View Templates is selected in the File option of the menu bar.

Deleting a filter set template You can delete a filter set template.

To delete a filter set template 1. If the filter set template has been associated with a scan job, you must remove the association. Follow the directions in Associating a filter set template with a scan job, and either reset the association to None or select a different filter set template for the association. 2. Select the filter set template in the Job List of the Template Settings work pane. 3. Click File, click Templates, and then click Delete. 4. Confirm the deletion request. Renaming a filter set template You can rename a filter set template.

To rename a filter set template 1. Select the filter set template in the Job List of the Template Settings work pane. 2. Click File, click Templates, and then click Rename. The Rename Template dialog box appears. 3. Type the new name of the template. 4. Click OK.

Distributing filter set templates to remote servers Filter set templates can be distributed to remote servers by using the deploy template feature of the Antigen Enterprise Manager (AEM). For more information about using the AEM, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library. You can also use the AntigenStarter from the command prompt to manually install filter set templates on remote servers. The syntax of AntigenStarter is:

AntigenStarter t[options] [\servername] The t parameter instructs AntigenStarter to read the settings in the Template.adb file and apply them to the named server. For complete instructions about AntigenStarter, see “Deploying named templates” in Chapter 11 - Using templates. For example, to update the content filter settings on server1, you would enter:

AntigenStarter tc \server1

Chapter 14 - Using mailhost filtering

Mailhost filtering is available for use with the SMTP Scan Job. It is designed to prevent mail from specific IP addresses from entering your Exchange environment. There are three components of mailhost filtering: Allowed Mailhosts, Rejected Mailhosts, and Real-Time Block List (RBL) Servers. All three are configured by clicking Mailhost in the FILTERING area of the Shuttle Navigator. To validate domain names or IP addresses, Antigen performs a reverse DNS lookup to compare against entries in the Allowed Mailhosts or Rejected Mailhosts lists. If you prefer to have Antigen use the domain name found in the MIME Received header field of the message, you can disable reverse DNS lookups by changing the General Options setting Perform Reverse DNS Lookups. The following table describes the options for this setting: Setting Description

Enable All Use DNS lookup for mailhost and RBL filtering and outbound mail determination.

Disable All Do not use DNS lookups.

Only for Mailhost Filtering Use DNS lookups only for mailhost filtering.

Only for Outbound Determination Use DNS lookups to determine whether a message is outbound.

For more information on changing this setting, see “General Options” in Chapter 4 - Using the Antigen Administrator.

About mailhosts scanning priority The scanning priority for mailhost filtering is that RBL filtering is done first. If there is a match, the Allowed Mailhosts list is checked. If there is no match, the Rejected Mailhosts List is checked.

Using RBL servers RBL servers are third-party servers that maintain lists of known spammers or servers that maintain open relays. When these servers are enabled, Antigen uses them to perform reverse DNS lookups on the domain names of the mail servers sending mail to your environment. Domain names that appear on these lists are identified as spam. To enable this function, you must identify the RBL server that you would like Antigen to use for this function. No specific list is recommended, so you need to investigate what is available. Some lists are provided for free; others are provided for a fee. Each RBL server Web site should provide instructions for using its list and the proper address to use.

Notes:

Some RBL services are much more aggressive than others. This can result in too many false positive detections for your organization. Make sure that you test a service before activating it in your network. This is easily done by using the Skip: detect only setting, which logs spam detections without blocking the e-mails. Each additional RBL you use will cause increasingly adverse effects on system performance. It is recommended that you start with one RBL and increase the number of RBLs only if needed. Using more than three RBLs is not recommended. If you enable multiple RBL lists, Antigen checks the first server on the list. If it finds a match and the action is set to Purge: eliminate message, Antigen stops searching and sends a notification (if notifications are enabled). If the action is set to Skip: detect only, Antigen sends a notification (once again, if enabled) and continues to the next RBL server. Keep this in mind when enabling multiple RBL servers for use by Antigen. To configure an RBL service 1. In the Antigen Administrator, click FILTERING in the left navigation shuttle, and then click the Mailhost icon. The Mailhost Filtering work pane appears. 2. Select a scan job in the upper work pane (for example, the SMTP Scan Job). 3. In the Mailhosts Lists work pane, select RBL Servers, and then click the Add button. The RBL Servers work pane appears. 4. In the RBL Servers work pane, type the domain name or IP address of the RBL Server. 5. Set the Filter to Enabled. 6. Choose the Action. When first testing a new RBL service, it is recommended that you use the Skip: detect only setting. When you are satisfied that the service meets your needs, you can switch to the Purge or Identify setting, as desired. 7. Enable or disable notifications and quarantine files that are detected by this filter. 8. Click Save.

Using allowed mailhosts lists Allowed mailhosts lists provide a way to ensure that mail from safe mailhosts is not filtered by Antigen RBL filtering.

To create an allowed mailhosts list 1. Open the Filter Lists view using the Shuttle Navigator. 2. Select Allowed Mailhosts in the List Types field at the top of the work pane. 3. Click the Add button in the List Names work pane, type a name for the new list in the text box provided, press ENTER, and then click Save. 4. Click the Edit button. The Edit Filter List dialog box will appear so that you can edit the list. 5. Click the Add button to add each domain name or IP address that you would like Antigen to allow. You can enter the domain name or IP address. You should place an asterisk (*) before each domain name. The asterisk allows other characters to precede the string. Press ENTER after you enter each domain name or IP address. The Exclude from Filter field is used to enter domain names or IP addresses that should never be included on the allowed list. This will prevent these names from being added accidentally when importing a list from a text file. (Importing lists is discussed in Importing new items into a filter list.) 6. Click OK, and then click Save. After you have created your Allowed Mailhosts list, configure the Maximum Allowed Mailhosts Lookup General Option, and then enable the list. To configure and enable an allowed mailhosts list 1. In the General Options work pane, enter the appropriate number in the Maximum Allowed Mailhosts Lookup field for your organization’s messaging topology. This number should reflect the number of relay servers with public IP addresses within your organization, plus one. This ensures that the last external IP address will be checked against your Allowed Mailhosts list. For example, if your organization has two public IP addresses that an e-mail can pass through, then the Maximum Allowed Mailhosts Lookups setting should be set to 3. The internal public IP addresses can be relay servers that are located inside the perimeter network. 2. Optionally, if you want to skip content filtering as well as RBL filtering, select Skip Content Filtering for Allowed Mailhosts in the General Options work pane. 3. Click Save. 4. Open the Mailhost Filtering work pane by clicking the Mailhost icon in the FILTERING section of the Shuttle Navigator. 5. Click Allowed Mailhosts in the Mailhost List box. 6. Select the Allowed Mailhosts list that you want to enable. 7. Select Enabled in the Filter drop down box. Each Allowed Mailhosts list must be enabled individually. 8. Click Save.

Note: Entries in the Allowed Mailhosts list will not override entries in the Rejected Mailhosts list. Using rejected mailhosts lists Rejected mailhosts lists provide a way to exclude mail from mailhosts that you do not want entering your environment.

To create a rejected mailhosts list 1. Open the Filter Lists view using the Shuttle Navigator. 2. Select Rejected Mailhosts in the List Types field at the top of the work pane. 3. Click the Add button in the List Names work pane, type a name for the new list in the text box provided, press ENTER, and then click Save. 4. Click the Edit button. The Edit Filter dialog box will appear so that you can edit the list. 5. Click the Add button to add each domain name or IP address you would like Antigen to reject. You may enter the domain name or IP address. You should place an asterisk (*) in front of each domain name. The asterisk allows other characters to precede the string. Press ENTER after you enter each domain name or IP address. The Exclude from Filter field is used to enter domain names or IP addresses that should never be included on the rejected list. This will prevent these names from accidentally being added when importing a list from a text file. (Importing lists is discussed in Importing new items into a filter list.) 6. Click OK, and then click Save. After you have created a Rejected Mailhosts list, you must enable and configure it.

To enable and configure a rejected mailhosts list 1. Open the Mailhost Filtering work pane by clicking the Mailhost icon in the FILTERING section of the Shuttle Navigator. 2. Click Rejected Mailhosts in the Mailhost List box. 3. Select the Rejected Mailhosts list that you want to enable. 4. Select Enabled in the Filter drop down box. Each Allowed Mailhosts list must be enabled individually. 5. Set the Action (for more information, see Action). 6. Enable or disable notifications and quarantine files that are detected by this filter. 7. Click Save.

Action Antigen can perform the following actions when performing RBL filtering and using rejected mailhosts lists. Action Description

Skip: Detect Only Records the number of messages that meet the filter criteria, but allows messages to route in the usual way.

Purge: Eliminate Message Deletes the message from your mail system. When you select this option, a warning will appear informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue. Note: In ESE or VSAPI 2.0 mode, the Realtime scanner can purge only outbound messages, but the Internet Scan Job can purge inbound and outbound messages. Inbound and outbound purging by the Realtime scanner is available when running VSAPI 2.5.

Identify: Tag message The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by pressing the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, will be used for all filters associated with the particular scan job. When the Antigen Spam Manager is enabled and Antigen is installed on an Exchange 2003 server, the Tag Message action also enables you to set the SCL property in Exchange 2003 and move tagged messages to the ASM Junk Mail folder. For more information on these features, see Chapter 17 - Antigen Spam Manager overview.

Importing new items into a filter list Filter lists can be created offline in Notepad or in a similar text editor, and then imported into the appropriate filter list using the Antigen Administrator.

To create and import entries into a filter list 1. Create a list and save it as a text file. Place each filter on its own line in the file. 2. Open the Antigen Administrator, and then click Filter Lists in the FILTERING area of the Shuttle Navigator. 3. Select the filter list into which you will be importing data. 4. Click the Edit button. The Edit Filter List dialog box appears. 5. Click the Import button. A File Explorer window opens so that you can navigate to the text file you created in step 1. 6. Select the file, and then click Open. 7. The file will be imported into the middle pane of the Import List editor to enable you to select the entries that you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section, or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section. 8. When you have moved all the desired items, click OK. 9. Click Save.

About mailhost filtering notifications All mailhost filtering uses the Spam/RBL Administrator notification. The %filter% field in the notification will be in one of the following formats: MAILHOST=: MAILHOST=: MAILHOST=::

Chapter 15 - Using keyword filtering

Keyword filtering identifies unwanted e-mail messages by analyzing the contents of the message body as it is transported by the SMTP Scan Job. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences.

Creating new keyword lists Antigen for Exchange comes with filter lists for profanity, racial discrimination, sexual discrimination, and spam. You will need to modify these lists to suit the needs of your organization. You can also create additional customized keyword lists, as needed, to organize your keyword filters.

To create a new keyword list 1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator. 2. Select Keywords in the List Types field at the top of the work pane. 3. Click Add in the List Names work pane. 4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names work pane. 5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to add content to your filter list. 6. Click Add in the Include In Filter section. 7. Type a word or phrase to be included in the filter list. Press ENTER when you have finished typing. You can have as many words or phrases as you want, but each must be entered separately. The Exclude from Filter field is used to enter keywords or phrases that should never be included on the keyword list. This prevents those words and phrases from being added accidentally when importing a list from a text file. For more information on importing files, see Importing new items into a filter list. 8. When you are finished adding items, click OK. The list of words that you just entered appears, alphabetically, in the pane next to List Names. 9. Click Save. Keyword lists must be enabled before you can use them. Each keyword list must be enabled separately.

To enable a keyword list 1. Select Keyword in the FILTERING shuttle. The Keyword Filtering pane appears on the right. 2. Select Message Body in the Keyword Fields box. 3. Select a Filter List to use (profanity, racial discrimination, sexual discrimination, spam, or a customized list). 4. Using the Filter field, set the filter to Enabled. 5. Set the Action as described in Action. 6. Click the General tab and select whether you would like to Send Notifications or Quarantine identified files. Also indicate what combination of Inbound, Outbound, and Internal mail should be scanned. 7. Click the Identify tab and indicate whether the filter should scan the subject line, the message header, or both. 8. Indicate the Minimum Unique Keyword Hits. This setting lets you specify how many unique keywords must be matched for the action to be taken. The default is one (1). For example, you have set the minimum unique keyword hits value to 3. The word "wonderful," which is in the list, appears three times. However, no other word in the list appears at all. The keyword filter has not been matched, because only one term in the list was matched. 9. Click Save. Action You will need to select the action that Antigen should take on detecting a match to your filter criteria.

You must set the action for each content filter that you configure. The action setting is not global. The action choices are:

Action Description

Skip: detect only Records the number of messages that meet the filter criteria, but allows messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions will cause the item to be deleted.

Identify: Tag message The subject line or message header of the detected message can be tagged with a customizable word or phrase, so that it can be identified later for processing into folders by user inboxes or for other purposes identified by the Antigen Administrator. This tag can be modified by clicking Tag Text in the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with the particular scan job.

Antigen keyword filtering scans both plain text and HTML message body content. If Antigen finds a match in both the HTML and the plain text, it will report two detections in the Virus Incidents pane and in the Quarantine database, respectively. About keyword list syntax rules The following are the syntax rules for a keyword filter list. Be careful to use the appropriate syntax because Antigen does not perform validation. If the filtering results are not what you are expecting, it is recommended that you double-check your syntax.  Each item (line of text) is considered a search query.  Queries use the OR operator. It is considered to be a positive detection if any entry is a match.  Queries are comprised of operands (keywords), which are text tokens or a string of text tokens, such as:  apple (means that the text contains “apple”)  apple juice (means that the text contains “apple juice”)  get rich quick (means that the text contains “get rich quick”)  Queries may also contain operators that precede or separate operands in an expression.  An expression may be comprised of a single operand, an operand preceded by the _NOT_ or _HAS[#]OF_ operators, or two operands joined by the _AND_, _ANDNOT_, or _WITHIN[#]OF_ operators. The following logical operators are supported in expressions. There must be a space between an operator and an operand (or another operator), represented in the examples by the • character:  _AND_ (logical AND). For example, apples•_AND_•oranges. A filter such as this would be matched if the text contains both “apples” and “oranges”.  _NOT_ (negation). For example, _NOT_•oranges. A filter such as this would be matched if the text does not contain “oranges”.  _ANDNOT_ (logical AND negation). For example, apples•_ANDNOT_•oranges. A filter such as this would be matched if the text contains “apples” but does not contain “oranges”. _ANDNOT_ is functionally equivalent to _AND_•_NOT_.  _HAS[#]OF_ (frequency). Specifies the minimum number of times that the text must appear in order for the query to be considered true. For example, _HAS[4]OF_•get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query is true. This operator implicitly has a default value of 1 when it is not specified.  _WITHIN[#]OF_ (proximity). If the two terms are within a specified number of words before or after each other, there is a match. For example, free•_WITHIN[10]OF_•offer. If "free" appears within 10 words before or after "offer", this query is true. Multiple operators are permitted in a single query. The precedence of the operators is (from highest to lowest):  _WITHIN[#]OF_  _HAS[#]OF_  _NOT_, _AND_, and _ANDNOT_ (these are at the same precedence level because they are used in conjunction when part of an expression) This precedence cannot be overridden with parentheses. Other considerations are:  The logical operators must be entered in uppercase letters.  Phrases may be used as keywords. For example, apple juice or get rich quick. Quotation marks are not used.  Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A••••B is treated as A•B and matches the phrase A•B.  In HTML-encoded message texts, punctuation (any non-alphanumeric character) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter '' will match '', but not 'html'. Examples (the • character represents a space):  apples•_AND_•oranges•_AND_•lemons•_WITHIN[50]OF_•juice This expression means that “apples”, “oranges”, and “lemons” all appear at least once, and that “lemons” is within 50 words of “juice”.  confidential•_WITHIN[10]OF_•project•_AND_•banana•_WITHIN[25]OF_•shake This expression means that “confidential” is within 10 words of “project”, and that “banana” is within 25 words of “shake”.  _HAS[2]OF_•get rich•_WITHIN[20]OF_•quick This expression means that “get rich” appears at least 2 times within 20 words of “quick”.

About case-sensitive filtering The General Option setting, Case Sensitive Keyword Filtering, causes Antigen to use case- sensitive comparisons for all keyword filters. By default, all comparisons are not case-sensitive. For more information, see “General Options” in Chapter 4 - Using the Antigen Administrator.

Filtering e-mail messages that automatically load HTML images To filter e-mail messages that automatically load HTML images from a Web server, add the following items to a keyword filter list:  img _WITHIN[6]OF_ src="http"  img _WITHIN[6]OF_ src='http' These filters will identify instances of the text "img" that occur within six words of the following text: src="http" If e-mail messages that contain HTML images are not filtered after you add these filters to the keyword list, you may want to examine the source code of the e-mail messages to see how these e-mail messages identify images. Then, you can create additional customized filters.

Creating allowed senders lists Antigen provides allowed senders list functionality so that administrators can maintain lists of safe e-mail addresses or e-mail domains that are not subjected to filtering or spam scanning. Antigen checks the sender address or domain against the allowed senders list. If the e-mail address or domain appears on the allowed senders list, Antigen bypasses all filtering that has been enabled for the list.

To create an allowed senders list 1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator. 2. In the List Types work pane, select Allowed Senders. 3. In the List Names work pane, click Add. 4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names work pane. 5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to enter e-mail addresses or e-mail domains to include in the allowed senders list. 6. In the Include In Filter section, click Add. 7. Type an e-mail address or domain to be included in the filter list, and then press ENTER. User addresses should be entered in the format: [email protected]. E-mail domain names should be entered in the format: *customer.com. You can have as many allowed senders as you want, but each address or domain must be entered separately. The Exclude From Filter section is used to enter addresses or domains that should never be included on the allowed senders list. This prevents those addresses and domains from being accidentally added when importing a list from a text file. For more information on importing files, see Importing new items into a filter list. 8. When you have finished adding items, click OK. The list of addresses and domains that you just entered appears, alphabetically, in the pane next to List Names. 9. Click Save. After you have created an allowed senders list, you must enable it.

To enable an allowed senders list 1. Click the Allowed Senders icon in the FILTERING section of the Shuttle Navigator. 2. In the Allowed Senders work pane, select the scan job from the list in the upper pane. 3. In the Sender Lists work pane, select the allowed senders list. 4. Set the List State to Enabled. 5. In the Skip Scanning for section, indicate whether the allowed senders list should apply to Mailhost Filtering, Content Filtering, Keyword Filtering, or File Filtering. If you have installed the Antigen Spam Manager, you can also select or clear Spam Scanning. You can click All Types to select all options. If none of the check boxes are selected, the filter is effectively disabled. 6. Click Save. Importing new items into a filter list Filter lists can be created offline in Notepad or a similar text editor, and then imported into the appropriate filter list by using the Antigen Administrator.

To create and import entries into a filter list 1. Create a list and save it as a text file. Place each filter on its own line in the file. 2. Open the Antigen Administrator, and then click Filter Lists on the FILTERING area of the Shuttle Navigator. 3. Select the filter list into which you will be importing data. 4. Click Edit. The Edit Filter List dialog box appears. 5. Click Import. A File Explorer window will open so that you can navigate to the text file that you created in step 1. 6. Select the file, and then click Open. 7. The file will be imported into the middle pane of the Import List editor so that you can select the entries that you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section, or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Filter section. 8. When you have moved all of the desired items, click OK. 9. Click Save.

Chapter 16 - Purging messages infected by worms

Antigen for Exchange enables administrators to configure the Internet Scan Job, the Realtime Scan Job, and the MTA Scan Job to purge messages infected by worms. Worm purging is a powerful feature for containing attacks before they harm your network. Antigen identifies worm messages by using a regularly updated worm list titled WormPrge.dat, which is maintained by Microsoft and updated like the antivirus scan engines. The WormPrge.dat file typically contains the names of worms that are reported by the current third-party scan engines. (Note that each scan engine may report the worm name differently.)

The definitions in the worm list differ from the definitions that are used by the antivirus scan engines. The worm list includes generic worm name entries. These entries may help provide more protection against future worms that are part of a worm family that has already been detected. For example, if a new worm that is named "Win32/abcdef.A@mm" is detected, Antigen updates the worm list to include a generic entry such as "*abcdef*". This entry covers any new variant of the same virus, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, the worm list does not have to be updated as frequently as the antivirus scan engines are updated.

Purging by the Realtime Scanner Realtime purging is supported for Exchange 2003/VSAPI 2.5 servers. The registry key RealtimePurge is used by the Realtime Scan Job to determine whether or not worm purging is enabled. The Microsoft registry key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ VirusScan\EnableScanDeletion, determines whether VSAPI message purging is enabled. If the EnableScanDeletion key is set (with a value of 1), when the Realtime Scan Job finds a message body or an attachment that should be purged, the Microsoft® Exchange Server will be directed to delete the entire message. Antigen for Exchange is not given access to the entire message before it is purged. Antigen for Exchange does not support quarantine for Realtime worm purging.

Realtime purging is not enabled on Exchange 2000 Servers. Infected attachments on Exchange 2000 will be deleted, but the message will be delivered.

Purging by the Internet Scanner When the Internet scanner determines that a message is infected with a worm, it purges the message by deleting it entirely. Purging is handled for both inbound and outbound messages. No message or notification is sent to the intended recipient of the infected message. Messages purged by the Internet scanner are not recoverable. The Internet scanner can be configured to send notifications to the administrator and the sender by selecting the Send Notifications check box on the File Filtering work pane. It cannot be configured to send notifications to the recipients of purged worm messages, because this would defeat the purpose of purging worm-generated messages. Worm viruses (messages and attachments) that are purged by the Internet scanner are not quarantined even if quarantine is enabled. This is to prevent the quarantine database from receiving hundreds or thousands of copies of the same message.

Purging by the MTA Scanner Purging by the MTA scanner works in the same manner as the Internet scanner.

Purging by the Manual Scanner Antigen does not support message purging during a Manual Scan. Using file filtering to purge worm viruses To prevent a new worm threat from spreading before a scanner engine is updated, the attachment names for worm-generated messages can be placed in the file filter list under the File Filtering work pane. This is done by accessing the File Filtering work pane and adding a new entry to the file names list with Purge: eliminate message as the action. The file filter is configured to send notifications to the administrator and the sender by default. It cannot be configured to send notifications to the recipients of purged worm messages because this would prevent purging worm-generated messages.

When you select the Purge: eliminate message option, the entire message will be deleted and will not be recoverable. It is recommended that you select this action only for the purpose of purging worm messages prior to the release of virus scanner updates. Unlike quarantining for non-worm messages, even if you select Quarantine Message, only the attachment that triggered the filter is quarantined; the message body and any other attachments are deleted. This should not present any problems when using filtering for worm messages because the message body has no value and should not contain any other attachments.

Using notifications The Internet, Realtime, and MTA scanners can be configured to send distinct notification messages to the Worm Administrator when a message is purged. Additionally, notifications can be sent when a message is purged by the file filter. All notifications can be modified as needed in the Notification Setup work pane, described in Chapter 18 - Using e-mail notifications.

Enabling and disabling worm purging When you install or upgrade Antigen, the worm purge feature is enabled by default. WormPrge.dat is installed in the Antigen\Bin folder, which can be found in the directory where Antigen was installed. To disable the worm purge feature for the Internet Scan Job, you must set up the InternetPurge registry key with a value of 0. To disable the worm purge feature for the Realtime Scan Job, you must set up the RealtimePurge registry key with a value of 0. For more information about these keys, including their location, see Appendix B - Setting registry values.

Each time you change these registry values, you must recycle the Exchange IMC Service for the change to take effect for the Internet Scan Job and recycle the Exchange Information Store for the change to take effect for the Realtime Scan Job. Updating the worm purge list As new worm threats are identified, the worm identification list is updated by Microsoft and the new update becomes available for download by the same process that is used for updating virus scan engines. Updates can be performed manually or by schedule. After a successful update, the Wormlist\Bin folder contains the newest version of the WormPrge.dat file and a LastKnownGood folder contains the previous WormPrge.dat file. For more information about performing updates, see Chapter 20 - File scanner updating overview.

Creating a custom worm purge list Administrators can create a custom worm purge list (CustPrge.dat) either to specify additional virus names not already included in the Wormprge.dat file or to create a list that will purge all messages that are identified as infected by a virus. Infected messages and files will then be checked against both the worm purge list and the custom purge list.

To create a custom worm purge list 1. Create a new folder named CustomList in the following folder: Microsoft Antigen for Exchange\Engines\x86\Antigen 2. Create a text file named CustPrge.dat in the CustomList folder. 3. Using a text editor, enter the names of the viruses that you would like purged into CustPrge.dat. Enter only a single virus name on each line, followed by a carriage return. These names can be obtained from antivirus engine update notifications or antivirus engine vendor Web sites. Entries may contain asterisk (*) wildcard characters.

Note: If different antivirus companies refer to the same virus by different names, you should include each of the names in CustPrge.dat to be fully protected. 4. If you would like all virus-infected messages to be purged, enter a single line consisting of just an asterisk (*), followed by a carriage return. This will result in all messages identified as infected being purged.

Note: Because this would result in all infected messages being purged and unrecoverable, it is not recommended that you use this procedure. Instead, use the Delete or Clean options for non-worm viruses, because these options allow infected messages and files to be quarantined. 5. Recycle the Exchange IMC/SMTP services. Chapter 17 - Antigen Spam Manager overview

The Antigen Spam Manager (ASM) provides sophisticated and robust spam detection and removal through the integration of Cloudmark anti-spam engine. The Antigen Spam Manager also provides the following features:  Identify: tag message action on detection to allow the routing of spam messages to Junk Mail folders.  Integration with Microsoft® Exchange Server 2003 anti-spam options.  ASM Junk Folder for Microsoft Office Outlook® users and the ability for Outlook users to create allowed senders lists and block lists (Microsoft Exchange 2000 Server only). With the release of Microsoft Antigen and the Antigen Spam Manager, the Junk Mail Folder features on the Exchange 2003 platform are unified. This improves usability and consolidates feature sets across the Antigen and Exchange platforms. Therefore, the ASM Junk Mail Folder feature has been removed for the Exchange 2003 platform. Antigen continues to support the ASM Junk Mail Folder for the Exchange 2000 platform. Exchange 2003 provides built-in Junk E-Mail folder functionality in conjunction with Microsoft Outlook 2003. ASM fully supports this Junk E-Mail folder functionality through the use of the Spam Confidence Level (SCL) rating, which ASM can apply to e-mail messages determined to be spam. When upgrading from older Antigen installations on an Exchange 2003 Server, existing ASM Junk Folders are left in the users’ Microsoft Office Outlook® clients, but do not receive suspected spam e-mail unless the user sets client-side rules to route messages that have been tagged by Antigen. The Block and Allow Sender buttons are still displayed in the folder, but any rules created by using them do not function. If ASM is configured to set the SCL rating for a suspected spam e-mail and the SCL rating for a particular message is higher than the Store Action Threshold configured in the SMTP Scan Job pane, the message is routed to the Outlook Junk Mail folder. For new ASM installations, the functionality for Microsoft Exchange 2000 Server and Exchange 2003 installations is:  Exchange 2000—All functionality described in this chapter.  Exchange 2003—All functionality with the exception of ASM Junk Folders and automatic routing of tagged messages (MIME header or subject line) to that folder. If messages are tagged by ASM, they will be delivered to the user’s inbox unless the user sets a client-side rule to route tagged messages to a Junk Mail folder.

Configuring the anti-spam scanning settings ASM includes anti-spam settings that use the Cloudmark anti-spam engine to detect spam e-mail. In Antigen Version 9 with Service Pack 2, the Cloudmark anti-spam engine was introduced as an improved anti-spam option. When performing a fresh installation of Antigen version 9 with Service Pack 2, Cloudmark is the anti-spam solution. To enable the Cloudmark engine for scanning, in the Antigen Administrator, click SETTINGS and then click Anti-Spam. In the Anti-Spam Settings pane, select the SMTP Scan Job and then select the Cloudmark Authority Engine check box. Next, configure the Action and whether to Send Notifications and Quarantine Files. The action choices for the anti-spam scanning settings are as follows:  Skip: detect only—Spam is reported but no other action is taken on the message.  Purge: eliminate message—Deletes the entire message from your mail system. It cannot be recovered unless you selected to quarantine the message.  Identify: tag message—For details, see About the Identify: tag message action.

Configuring Cloudmark updates Cloudmark distributes anti-spam signature updates directly to the Antigen server. This differs from the other scan engines, which receive signature updates directly from Microsoft. Cloudmark signature updates occur automatically throughout the day; they are not configurable in the Antigen Administrator. However, administrators can schedule Antigen to check to see if Cloudmark has released an engine update. (An engine update refers to updating to a new version of a scan engine (which replaces the old version), whereas a signature update refers to new signatures being added to an existing scan engine.) Because engine updates occur much less frequently than signature updates, it is recommended that engine updates be scheduled to occur once daily during off hours. Historically, an engine update occurs once every several months but these occur as needed. In the Antigen Administrator, click SETTINGS, and then click Scanner Updates. Use the Scanner Update Settings pane to schedule Cloudmark engine updates. It is also recommended that you click the Update Now button before scanning. The Cloudmark engine utilizes HTTPS (port 443) to verify the user license while signatures are updated via HTTP (port 80). This requires that the Antigen server has the ability to connect to the Internet and that both port 80 and port 443 are open on any firewall through which the Antigen server connects. Administrators can verify the connection to the Cloudmark servers by running the following commands on the Antigen server:  telnet cdn-microupdates.cloudmark.com 80  telnet lvc.cloudmark.com 443 If you are not connecting to the required ports, you must configure your firewall to allow these connections.

Cloudmark uses the FSEContentScanner.exe process to receive signature updates. This uses approximately 80 MB initially, after which it uses an average of between 80 MB to 150 MB per 24-hour period, so that only a small amount of bandwidth is used every minute. Caution:

The Cloudmark anti-spam signature updates may fail when passing through a proxy server if NTLM Authentication is enabled. As a workaround, configure the proxy server to allow the Antigen server through anonymously.

Managing Cloudmark updates with FSSMC or AEM Support for distributing Cloudmark engine updates is available in FSSMC Version 10 Rollup 3. You must have this version installed in order to be able to administer your Cloudmark engine updates using FSSMC. Note that Cloudmark signature updates are not managed by FSSMC because they are distributed directly from the Cloudmark servers. Cloudmark is not supported in Antigen Enterprise Manager (AEM).

Submitting false positives and false negatives to Cloudmark You can submit false positives and false negatives to Cloudmark for analysis. Information regarding target spam catch-rates, false positive and false negative rates, and other advantages of using the Cloudmark anti-spam solution can be found on the Cloudmark anti-spam Web site. To submit false positive or false negative spam e-mails to Cloudmark, send the e-mail as an RFC 2822 attachment (.eml). Do not send misclassified messages by using the Forward command; this strips them of essential header information and results in an invalid submission. False positives (legitimate e-mail marked as spam by Cloudmark) should be sent to: Forefront- [email protected] False negatives (spam not detected by Cloudmark) should be sent to: Forefront- [email protected]

To attach an e-mail message as an RFC 2822 attachment 1. In Microsoft Outlook, create a new e-mail message. 2. Address it to the appropriate address. 3. Click the Attach Item button, select the e-mails that were falsely classified, and then click OK.

Using the GTUBE anti-spam test file to determine whether Cloudmark is detecting spam To ensure that spam is being properly detected by the Cloudmark engine, you should verify that a GTUBE message is caught as spam. Similar to the EICAR antivirus test file, GTUBE provides a test by which you can verify that Cloudmark is detecting incoming spam. A GTUBE message should always be detected as spam by the Cloudmark engine. Include the following GTUBE text in a mail message on a single line, without any spaces or line breaks:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

About the Identify: tag message action When ASM is enabled, the Identify: tag message action is available for all filtering and anti- spam functions. This action enables administrators to select how they would like a suspect message to be tagged for later identification. You can choose from the following options:

Setting Description

Tag subject line The text specified in the Tag Text dialog box is added to the subject line of the message. The Tag Text dialog box can be accessed by clicking the Tag Text button on the SMTP Scan Job Settings pane. This setting can be used to enable Outlook users to route suspected spam e-mail to a Junk Mail folder by setting client-side rules in their Outlook client.

Message Header The text specified in the Tag Text dialog box is added to the MIME header. This setting can be used to enable Outlook users to route suspected spam e-mail to a Junk Mail folder by setting client-side rules in their Outlook client.

Set SCL property Sets the SCL Rating on the message indicating whether Antigen determined the message to be spam. To use this action, you must select the Enable SCL Rating option in the General Options pane. Antigen always sets the SCL Rating to level 9. The Store Action Threshold in the SMTP Scan Job Settings work pane must also be set to 8 or lower. Using this setting allows Outlook to route suspected spam e-mail to the Outlook Junk Mail folder.

Move to ASM Junk Mail Routes all messages that match a content filter or are identified as spam to the ASM Junk Mail folder in the user’s Outlook desktop.

Note: Setting Description

To use this action, you must select the Enable Junk Mail Folders option in the General Options pane (Exchange 2000 only).

Multiple options may be checked for each filter.

Outlook Junk Mail folders and user Junk Mail options When installed on Exchange 2000 servers, ASM enables Outlook users to configure their own Junk Mail settings to block or approve specific senders. When the Junk Mail folders are enabled, administrators can use Antigen to tag suspected spam messages so that the messages are automatically routed to the ASM Junk Mail folder in Outlook. To enable Junk Mail folders, administrators must first create the client side Junk Mail folders using the Antigen General Options setting Enable Junk Mail Folders. When the Junk Mail folders have been enabled, you must select the option Move to ASM Junk Mail as one of the actions in the Identify: tag message action selection box for the anti-spam scanning settings or for content filters.

Notes:

The Windows® World Wide Web Publishing Service must be started, IIS must be installed, and for Exchange 2000, the .NET Framework must be installed for ASM Junk Mail folders to function properly. If your IIS server is configured to use SSL and you are using the ASM Junk Mail feature, you must change the Antigen registry DWORD value named UsingSSL to 1. When the ASM Junk Mail folders have been created, the following settings will be enabled in Outlook for each user:

Setting Description

Approve Sender Enables users to add safe e-mail senders to a personal allowed senders list.

Block Sender Enables users to add unwanted e-mail senders to a personal block list.

ASM Manager Enables users to edit their approve sender and block sender rules. Setting Description

Purge Junk Mail Enables users to purge their Junk Mail folder manually or schedule a purge cycle.

To access the Junk Mail folder, click the ASM Junk Mail folder that appears in the Outlook All Mail Folders area of the navigation shuttle. The page displays any junk mail that is addressed to the user that has been identified by Antigen. Click the appropriate button in the menu bar to approve or block specific senders, edit rules, or configure the purge cycle for the Junk Mail folder. Each job is described in the following sections.

Notes:

Outlook server-side rules take precedence over ASM Junk Mail folder settings. If the Outlook user’s Microsoft Internet Explorer® settings are configured to use a proxy server, the Bypass proxy server for local addresses option must be checked for the user to access the ASM Junk Mail homepage. (To set this option in Internet Explorer, select Internet Options from the Tools menu. Next, click the Connections tab and then click LAN Settings. In the Local Area Network (LAN) Settings dialog box, select the Bypass proxy server for local addresses check box, and then click OK two times to exit the Internet Options dialog box.) If a user sets the AutoArchive feature for the ASM Junk Mail folder by using the Properties settings for the folder, the setting overrides the ASM Purge: eliminate message setting.

Approving senders If mail is incorrectly identified as spam, you can configure Antigen to allow future messages from the user to bypass spam filtering or content filtering. To do so, select a message from a sender you trust and click the Approve Sender button. The message is moved to the inbox and future messages from the sender are not filtered by the anti-spam engine or content filtering. Each sender to be trusted must be configured individually.

Blocking senders If spam has been missed and delivered to your inbox, you can configure Antigen to block messages from the same user in the future. To do so, you must first move unwanted messages from your inbox to the ASM Junk Mail folder using Outlook’s Move to Folder function. When the mail is in the ASM Junk Mail folder, select the message, and then click the Block Sender button. The message is deleted from the Junk Mail folder and future messages from the sender are automatically blocked. Each sender to be blocked must be configured individually. Managing rules To edit the approve sender and block sender rules, click ASM Manager. The Advanced Spam Manager work pane opens to enable you to modify your Junk Mail folder rules. All rules that are currently enabled are displayed in the window. You can edit, delete, or add rules as needed.  To delete a rule, click Delete in the column of the rule that you want to delete.  To edit a rule, click Edit in the column of the rule that you want to edit. A work pane appears so that you can modify the sender e-mail address. To modify the e-mail address in the rule, click Update. A dialog box appears for the e-mail address field. After you make changes, click OK to accept the changes or click Cancel to discard the changes.  To add a rule, click the Add Rule button, and then complete the following fields in the Add Rule dialog box:

Setting Description

Rule Type Select Approve or Block.

Sender Enter the e-mail address that you would like to approve or block.

Click OK when you have completed both fields.

Purging Junk Mail Antigen can be configured to purge your ASM Junk Mail folder at set intervals. Click the Mail Purge button and enter the number of days that you would like messages to remain in your ASM Junk Mail folder.

Chapter 18 - Using e-mail notifications

E-mail notifications are critical in keeping Microsoft® Exchange Server users informed about changes that occur to their attachments due to virus cleaning and file filtering, or informing users of infections that exist when a virus is detected and not cleaned. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.

Sending notifications Antigen utilizes SMTP messaging for notification purposes, placing the message in the SMTP service Pickup folder and resolving the Exchange name with the Active Directory® directory service. By default, the server profile used for this purpose is: Antigen_Server_Name. For example: Antigen_EX_Server1. To change the server profile, you must modify the FromAddress registry value.

To change the FromAddress registry value on Exchange 2000/2003 1. Open the registry editor and navigate to the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\SybariSoftware\Notifications\FromAddress 2. Change the default value to the sender name you would like. Alphanumeric characters are acceptable. You can also use the at sign (@) or a period (.), but these characters cannot be the first or last character. Any illegal characters will be replaced with an underscore (_). 3. You must restart the Exchange and Antigen services for this change to take effect.

Configuring notifications There are various types of notification messages and each can be individually configured.

To configure notifications 1. Select Notification in the REPORT shuttle. The Notification Setup work pane appears. The top pane of the Notification Setup work pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. For more information about each of the roles, see About notification roles. 2. Enable those notifications that are to be in effect. For more information, see Enabling and disabling a notification.

Note: Scan job configurations control whether a scan job will send any enabled notifications. 3. Make the desired changes to the notifications that are to be enabled. For more information, see Editing a notification. 4. Click Save.

About notification roles The following list describes the various notification roles. Typically, each notification is used for reporting the who, what, where, and when details of the infection or the filtering performed, including the disposition of the virus or the attachment.

Role Description

Virus Administrators Alerts administrators of all viruses detected on a server being protected by Antigen. Role Description

Virus Sender (internal) Use this notification to alert the sender of the infection if the sender is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user’s own computer, who to call, and how to proceed.

Virus Sender (external) Alerts the sender of the infection if the sender is not a user in your organization.

Virus Recipients (internal) Alerts the recipient of the infection if the recipient is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user's own computer, who to call, and how to proceed.

Virus Recipients (external): Alerts the recipient of the infection if the recipient is not a user in your organization.

File Administrators Alerts administrators of all files that are filtered by file filtering on the server being protected by Antigen. This notification is also used for messages purged by the file filter.

File Sender (internal) Alerts the sender of the filtered attachment if the sender is an Exchange user in your organization. This notification is also used for messages purged by the file filter.

File Sender (external) Alerts the sender of the filtered attachment if the sender is not a user in your organization. This notification is also used for messages purged by the file filter.

File Recipients (internal) Alerts the recipient of the filtered attachment if the recipient is an Exchange user in your organization. This notification is also used for messages purged by the file filter.

File Recipients (external) Alerts the recipient of the filtered attachment if the recipient is not a user in your organization. This notification is also used for messages purged by the file filter.

Worm Administrators Alerts administrators of all worm messages that are detected or purged by Antigen. Role Description

Content Administrators Alerts administrators of all messages that are filtered by content filtering (sender-domains and subject line filtering).

Content Sender (internal) Alerts the sender that a message was filtered by sender or subject line filtering if the sender is an Exchange user in your organization.

Content Sender (external) Alerts the sender that a message was filtered by sender or subject line filtering if the sender is not a user in your organization.

Content Recipients (internal) Alerts the recipient that a message was filtered by sender or subject line filtering if the recipient is an Exchange user in your organization.

Content Recipients (external) Alerts the recipient that a message was filtered by sender or subject line filtering if the recipient is not a user in your organization.

Keyword Administrators Alerts administrators of all messages that are filtered by keyword filtering.

Keyword Sender (internal) Alerts the sender that a message was filtered by keyword filtering if the sender is an Exchange user in your organization.

Keyword Sender (external) Alerts the sender that a message was filtered by keyword filtering if the sender is not an Exchange user in your organization.

Keyword Recipients (internal) Alerts the recipient that a message was filtered by keyword filtering if the recipient is an Exchange user in your organization.

Keyword Recipients (external) Alerts the recipient that a message was filtered by keyword filtering if the recipient is not an Exchange user in your organization.

Spam/RBL Administrators Alerts administrators of all messages that are filtered by a spam engine or RBL filters.

Configuring Antigen for internal addresses Internal addresses must be identified in Antigen so that the proper notifications can be sent to senders and recipients. Internal addresses are configured in the General Options pane or in an external text file. For information on configuring internal addresses, see Chapter 4 - Using the Antigen Administrator.

Enabling and disabling a notification The Enable and Disable buttons in the Notification Setup work pane let you selectively enable or disable any selected notification. The current status of each notification is displayed in the list in the top pane, under the State column. A change made to the status of a notification takes effect as soon as you click Save.

Scan job configurations control whether a scan job will send any enabled notifications.

Editing a notification The changes that are made to the lower portion of the Notification Setup work pane apply to the notification role currently selected in the notification list. If no changes have been made to the selected notification, the Save and Cancel buttons appear dimmed. Making any change to the configuration will activate these buttons. If you make a change to a notification and try moving to another notification role or shuttle icon, you will be prompted to save or discard your changes. All changes take effect immediately on saving them. The following are the fields that can be edited:

Field Description

To A semicolon-separated list of people and groups who will receive the notification. This list can include Exchange names, aliases, groups, and keyword substitution macros. Notifications may also be sent to cc and bcc recipients.

Subject The message that will be sent on the subject line of the notification. This field can include keyword substitution macros.

Body The message that will be sent as the body of the notification. This field can include keyword substitution macros. (Administrators may also include the MIME headers in this field by inserting the %MIME% macro.)

Antigen provides keywords that can be used in the notification fields to obtain information from the message in which the infection was found or filtering was performed. For more information about this feature, see Appendix C - Using keyword substitution macros. Chapter 19 - Reporting and statistics overview

Antigen provides a variety of reports designed to help administrators analyze the state and performance statistics of the Antigen services through the Administrator interface.

About the incidents database The Incidents database (Incidents.mdb) stores all virus and filter detections for a Microsoft® Exchange Server, regardless of which scan job caught the infection or performed the filtering. Antigen collects statistics on a per-storage-group basis for the Manual and Realtime Scan Jobs. To view the virus Incidents log, click REPORT in the left navigation shuttle, and then click the Incidents icon. The Incidents work pane opens on the right. The results are stored to disk in the Incidents database by the AntigenService service and are not dependent on the Administrator remaining open. Antigen reports a variety of information in the Incidents work pane. The various values are described in the following table.

Value Description

Time Date and time of the incident.

State Action taken by Antigen.

Name Name of the scan job that reported the incident.

Folder Name of the folder where the file was found. This column also reports whether messages were inbound or outbound when caught by the SMTP scanner. Messages that are being relayed by the SMTP server are reported as inbound and outbound to distinguish them from standard inbound and outbound messages.

Message Subject line of the message or the name of the file that triggered the incident.

File Name of the virus or name of the file that matched a file or content filter.

Incident Type of incident that occurred. For example: VIRUS, FILE FILTER, SENDER FILTER, and SUBJECT FILTER. Each type is followed by either the name of the virus caught, or the file or content filter that triggered the event. Value Description

Sender Name Name of the person who sent the infected or filtered message.

Sender Address E-mail address of the person who sent the infected or filtered message.

Recipient Name Names of the people who received the infected or filtered message.

Recipient Addresses E-mail addresses of the people who received the infected or filtered message.

Antigen keyword filtering scans both plain text and HTML message body content. If Antigen finds a match in both the HTML and the plain text, it will report two detections in the Virus Incidents pane and in the Quarantine database, respectively.

About VirusLog.txt Incidents can also be written to a text file called VirusLog.txt, located under the Antigen for Exchange installation path. To enable this feature, select the Enable Antigen Virus Log check box in the General Options work pane (it is disabled by default). The following is a sample entry from the VirusLog.txt file: Thu. Apr 25 14:12:51 2002 (3184), “Information: Realtime scan found virus: Folder: First Storage Group\Usera\Inbox Message: Hello File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned”

About Antigen incidents The following table describes the various incidents that Antigen reports. Many of the reported incidents are generated by Antigen settings that are controlled through the General Options work pane.

Reported Incident General Options Description Setting

CorruptedCompressedFile Delete Corrupted Antigen has deleted a corrupted Compressed Files compressed file. Reported Incident General Options Description Setting

CorruptedCompressedUuencodeFile Delete Corrupted Antigen has deleted a corrupted Uuencode Files compressed Uuencode file.

EncryptedCompressedFile Delete Encrypted Antigen has deleted an encrypted Compressed Files compressed file.

EngineLoopingError Not applicable Antigen has deleted a file causing a scan engine to be caught in a read/write loop while scanning or attempting to clean a file.

ExceedinglyInfected Maximum Container Antigen has deleted a container File Infections file that has exceeded the maximum number of infections. When the number is exceeded, the entire container is deleted.

ExceedinglyNested Maximum Nested Antigen has deleted a Compressed Files compressed file that has exceeded the maximum number of infections. When the number is exceeded, the entire container is deleted.

ExceedinglyNested Maximum Nested Antigen has deleted a Attachments compressed file that has exceeded the maximum nested depth. When the number is exceeded, the entire file is deleted.

FragmentedMessage Not applicable A fragmented SMTP message has been replaced with the fragmented message deletion text. This setting is enabled by default, but can be turned off by setting the registry value MIMEDeletePartialMessages to 0.

LargeInfectedContainerFile Maximum Container Antigen has deleted a file that has File Size exceeded the maximum container size that it will attempt to clean or repair. Reported Incident General Options Description Setting

ScanTimeExceeded Max Scan Time Antigen has deleted a container file that has exceeded the maximum amount of scan time in milliseconds (msec).

UnReadableCompressedFile Not applicable Antigen has deleted a compressed file that it could not read.

UnWritableCompressedFile Not applicable Antigen has deleted a compressed file to which it cannot write (for example, during a cleaning operation).

About event statistics Antigen maintains three basic groups of statistics:  Event Rate—Tracks the number of events per second (monitored in the Performance Monitor).  Events—Tracks the number of events for the current Antigen session (the time since the last restart of the Antigen services).  Total Events—Tracks the total number of events since Antigen was installed or the statistics pane was reset.

Statistics for messages Several kinds of statistics are maintained for messages:  Messages Scanned—The number of messages scanned by Antigen since the last restart of the services.  Messages Detected—The number of messages scanned that contained a virus or matched a file, content, or spam filter since the last restart of the services.  Messages Tagged—The number of messages tagged by Antigen due to a filter match since the last restart of the services.  Messages Purged—The number of messages purged by Antigen due to a virus detection or filter match since the last restart of the services. (Action set to Purge – Eliminate Message or a worm purge match.)  Total Messages Scanned—The number of messages scanned by Antigen since the product was installed or since the Statistics pane was last reset.  Total Messages Detected—The number of messages scanned that contained a virus or matched a file, content, or spam filter since the product was installed or since the Statistics pane was last reset.  Total Messages Tagged—The number of messages tagged by Antigen due to a filter match since the product was installed or since the Statistics pane was last reset.  Total Messages Purged—The number of messages purged by Antigen due to a virus detection or filter match since the product was installed or since the Statistics pane was last reset.

Statistics for message attachments Several kinds of statistics are maintained for message attachments:  Attachments Scanned—The number of attachments scanned by Antigen since the last restart of the services.  Attachments Detected—The number of attachments scanned that contained a virus or matched a file, content, or spam filter since the last restart of the services.  Attachments Cleaned—The number of attachments that were cleaned by Antigen due to a virus infection or filter match since the last restart of the services.  Attachments Removed—The number of attachments that were removed by Antigen due to a virus infection or filter match since the last restart of the services.  Total Attachments Scanned—The number of attachments scanned by Antigen since the product was installed or since the Statistics pane was last reset.  Total Attachments Detected—The number of attachments scanned that contained a virus or matched a file, content, or spam filter since the product was installed or since the Statistics pane was last reset.  Total Attachments Cleaned—The number of attachments that were cleaned by Antigen due to a virus infection or filter match since the product was installed or since the Statistics pane was last reset.  Total Attachments Removed—The number of attachments that were removed by Antigen due to a virus infection or filter match since the product was installed or since the Statistics pane was last reset. Event statistics are maintained on a physical basis as well as a logical basis for the different Antigen scan jobs. Antigen makes a distinction between the number of times the attachment has been actually scanned (physical), and the number of times the same attachment can potentially be scanned (logical). For example, if three recipients receive the same mail message with one attachment, the attachment will be reported as physically scanned once, and logically scanned three times.

Antigen scans the message body and the attachments, but reports all scanned files as attachments. A single message with one attachment, therefore, will be reported as two attachments in the Statistics work pane. Resetting statistics To reset all the statistics for a scan job, click the x next to the scan job's name (Internet, Realtime, Manual, or MTA) in the Statistics work pane. The following image shows the Statistics work pane:

You will be asked to confirm the reset. Clicking Yes will reset all the statistics for the selected scan job.

Exporting statistics To save the report statistics in either formatted text or delimited text formats, click the Export button on the Incidents work pane.

About quarantine Antigen will, by default, create a copy of every detected file before a clean, delete, or skip action occurs. These files are stored in an encoded format in the Quarantine folder under the Antigen installation folder. Each detected file is saved under the name Filex, where x is the ID number of the file. The actual file name of the detected attachment, the name of the infecting virus or the file filter name, its associated ID value, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses, along with other bookkeeping information, are saved in the file Quarantine.mdb and in the Quarantine folder. The Quarantine database consists of two tables stored inside the Quarantine.mdb file. This database is configured as a system data source name (DSN) with the name Antigen Quarantine. This database can be viewed and manipulated by using third-party tools.

About quarantine options Antigen performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters, spam filters, and file filters that are set to Purge when quarantine is enabled. When the General Options setting SMTP Quarantine Messages is set to Quarantine as Single EML File (which applies only to the SMTP Scan Job), the quarantined messages are quarantined in an EML file format. If you want to view the attachments that are contained inside the EML file, you must save the file from the Quarantine database and use Microsoft® Office Outlook® Express to view the contents of the file. If Outlook Express is not installed on the computer, the message's attachments cannot be easily separated from the EML file for viewing. If you do not have Outlook Express installed on the server on which you are quarantining messages, you can choose to have messages quarantined in pieces by setting SMTP Quarantine Messages to Quarantine Message Body and Attachments Separately. Antigen will quarantine messages as separate pieces (bodies or attachments) so that they can be viewed more easily after they are saved to disk from the Quarantine database. Messages that have been quarantined can also be forwarded to a mailbox. When the SMTP Quarantine Messages option is set to Quarantine Message Body and Attachments Separately, you must forward each piece of the message that was quarantined if you want the recipient to see the entire contents of the original message. If the SMTP Quarantine Messages option is set to Quarantine as Single EML File, only the quarantined EML file needs to be forwarded, and the recipient will receive the original message and any attachments as a single attachment to a new message.

These settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected.

About quarantine database tables The Quarantine database (Quarantine.mdb) contains the following tables: HeaderInfo Table—Contains the quarantine version, the number of quarantined files, and the ID to use for the next quarantined file.

Field Name Type

Version Int

Count Int

NextDetectedId Int

Quarantine Table—Contains all the details for the quarantined message.

Field Name Type Size Description

FileName Text 255 Attachment file name

VirusIncident Text 255 Virus name

Message Memo 5000 Subject line

SenderName Text 255 Sender name

SenderAddress Text 255 Sender address Field Name Type Size Description

RecipientNames Memo 255 Recipient names

RecipientAddresses Memo 255 Recipient addresses ccNames Text 255 cc names ccAddresses Text 255 cc addresses bccNames Text 255 bcc names bccAddresses Text 255 bcc addresses

_DateTime Date/Time Not applicable Date and time file was quarantined

DetectedFileId Int Not applicable File ID used to save renamed quarantined file (for example, File9)

ID AutoNumber Not applicable Identifies a row in the table

An administrator can access the Quarantine work pane to delete or extract stored detected file attachments. To view the Quarantine log, click REPORT in the left navigation shuttle, and then click the Quarantine icon. The Quarantine work pane appears on the right. The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as a virus or filter match), the name of the infecting virus or the filter file name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.

Saving database items to disk Use the Save As button on the Quarantine work pane to detach and decode a selected file to disk. You can select multiple items from the quarantine list. Each is saved as a separate file.

About the Deliver button The Deliver button on the Quarantine work pane enables administrators to deliver quarantined messages to the intended recipients or any other designated recipients. When the Deliver button is clicked, a dialog box is displayed that lets you configure the recipients and the delivery action for the message being delivered. If a single file is selected for delivery, the original recipients populate the To, Cc, and Bcc fields. If multiple files are selected, the recipients' fields are initially empty. There are three choices in the Delivery Action section:  Original Recipients—The recipients fields are disabled. Click OK to deliver the selected files to their original recipients.  Above Recipients—The recipients fields are enabled and can be changed by the administrator. Click OK to deliver the selected files to the named recipients.  Original and Above Recipients—The recipients fields are enabled and the administrator can change them. Click OK to deliver the selected files to both the original recipients and any additional ones entered. When quarantined messages are delivered to the user’s mailbox, the original message is included as an attachment. When the user opens the attachment, the original message launches in Outlook as a separate message.

About DeliverLog.txt When a message file is delivered from the quarantine database, a text file named Deliverlog.txt is created and saved in the folder where Antigen is installed. This file provides a log of messages and attachments that have been delivered from quarantine.

Forwarding Attachments Attachments that were quarantined by the virus scanner or the file filter can be forwarded.

Forwarding Attachments Quarantined by the Virus Scanner Attachments that were quarantined by the virus scanner cannot be forwarded unless the scan jobs are disabled. Any forwarded attachment that contains a virus will be redetected and treated appropriately.

Forwarding Attachments Quarantined by the File Filter Attachments that were quarantined by the file filter are scanned for filter matches unless the General Options setting Deliver from Quarantine Security is set to Compatibility Mode. This allows messages to be forwarded without being redetected by any of the scan jobs. If you want to run a manual scan and have forwarded attachments redetected, you must set the ManuallyScanForwardedAttachments registry value to TRUE. This value is set to FALSE by default. To allow attachments to be delivered without being redetected, Antigen adds a special tag to the subject line of the message. You can customize this tag by changing the entry in the registry key value ForwardedAttachmentSubject. This value enables administrators to specify the tag text to use in the subject line. The subject line tag text can be changed to a unique string for the organization or changed into a local language.

If the General Option Deliver from Quarantine Security is set to Compatibility Mode and the subject line tag text is changed, filters are applied to messages already in the organization that were tagged with old tag text in the subject line if they are rescanned. Forwarding Attachments and Manual Scans By default, a manual scan does not perform file filtering on messages that were forwarded from quarantine. If the ForwardedAttachmentSubject registry key is changed, a manual scan will perform file filtering on messages already in the organization with the subject line that was in this registry key before the change.

Using the ExtractFiles utility Antigen includes a console tool, ExtractFiles, which enables you to extract all, or a subset, of the quarantined files to a specified directory. This is the syntax of ExtractFiles:

extractfiles Path Type Path: The absolute path of the folder in which to save the extracted quarantined files. Type: The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example: Wingtip.Toys Extracts files that were infected with the virus named Wingtip.Toys. *.doc Extracts quarantined files having a .doc extension. *.* Extracts all quarantined files Examples: extractfiles C:\temp\quarantine Wingtip.Toys extractfiles C:\extract\ *.doc

Using the ExtractFiles tool for fast mail recovery You can use the ExtractFiles utility as part of a fast mail recovery scenario from quarantine: this only works when choosing the Quarantine as Single EML File option for the SMTP Quarantine Messages setting in General Options. This is helpful when delivering a large amount of quarantined e-mails. Such a situation can arise if there is a change in your company's filtering policy, due to a management request, or if e-mails were accidentally quarantined because of an incorrectly configured filter.

To use the ExtractFiles tool for fast mail recovery 1. Extract all the files with the *.* syntax described previously. This extracts all quarantined files, both EML files and attachments.

Note: Be sure you understand which EML files you need to deliver. 2. Copy the needed EML files into the Pickup folder on your Exchange server. Be aware that the usage of this folder is supported only under the following circumstances. a. These operations are performed outside of normal business hours. b. When copying many .eml files, you must copy them into the Pickup directory in batches. Try 10,000 files and see how long processing takes. There are many factors that can impact how long it takes to process the messages, such as server hardware, the load on the server, the volume of messages being processed, and so on. It may be possible to increase the batch size to 15,000 or 20,000 .eml files, or it may need to be reduced to 5,000 files. For basic instructions about the Exchange server Pickup folder, go to the following URL: http://go.microsoft.com/fwlink/?LinkId=140655. If you need further assistance on submitting mail via the Pickup folder, contact Microsoft Help and Support.

Maintaining the databases You can also perform other tasks with the Incidents or Quarantine databases. For example, you can clear or move the databases, export or purge database items, filter database views, or change the database compaction time.

Clearing the databases Over time, you might find that your Incidents and Quarantine databases are becoming very large. Each database (Incidents.mdb and Quarantine.mdb) has a 2 GB limit. When a database is larger than 1.5 GB after being compacted, a notification is sent to all those having a notification role of Virus Administrators, warning that the database is nearing its limit. An administrator can then clear the database to ensure that future incidents and quarantined items will be saved. The subject line of the message reads: Microsoft Antigen for Microsoft Exchange Database Warning The body of the message reads: The Microsoft Antigen for Microsoft Exchange <> database is greater than 1.5 GB (with a maximum size of 2 GB). Its current size is x GB. If this database grows to 2 GB, updates to the <> will not occur. If the notification cannot be sent, the failure is ignored and is noted in the program log. One attempt to send the message is made during each compaction cycle for the specific database.

Clearing the incidents database The Incidents database can be cleared when it becomes too large.

To clear the Incidents database 1. Click Clear Log on the Incidents work pane on the REPORT shuttle. This clears all the items from the Incidents work pane. You will be asked to confirm your decision. 2. Select Run Job in the OPERATE shuttle. Select a scan job, and then click Clear Log. This clears the items from the job in the Incidents work pane. Once again, you will be asked to confirm your decision. You must individually clear all scan jobs to have all items flagged for deletion from the database. After you have cleared the entries in both places, they will no longer appear in Incidents the work pane. However, they will actually be deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.). You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then pressing the DELETE key to remove them from both locations, as indicated above.

Note: If a large number of entries are selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Clearing the quarantine database The Quarantine database can be cleared when it becomes too large. To clear the Quarantine database, click Clear Log on the Quarantine work pane on the REPORT shuttle. This clears all of the items from the Quarantine work pane. You will be asked to confirm your decision. After you have cleared the entries, they no longer appear in the work pane. However, they are actually deleted from the Quarantine.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.). You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then pressing the DELETE key to remove them from the Quarantine listing.

If a large number of entries are selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Exporting database items Click Export on the Incidents or Quarantine work panes to save all the results from the Incidents or Quarantine databases as a text file. Clicking Export displays a standard Windows® Save dialog box, in which you select a location for the Incidents.txt or Quarantine.txt file, and then choose a format of formatted text or delimited text. Entries in the delimited text format are separated by a vertical bar ( | ). In addition to the Export button, the Quarantine pane has a Save As button. This is used to detach and decode a selected file to disk. You can select multiple items from the Quarantine list. Each is saved as a separate file.

Purging database items You can instruct Antigen to remove items from the databases after they are a certain number of days old. The number of days is indicated by the after field on both the Incidents and Quarantine work panes. Each database can have a separate purge value (or none at all). If the purge function is enabled for a database (by means of its associated check box), all files older than the specified number of days are flagged for removal from that database.

To purge database items after a certain number of days 1. On either the Incidents or the Quarantine work pane in the REPORT shuttle, select the Purge check box. This causes the after field to become available. 2. In the after field, indicate the number of days after which items will be purged. All items older than that number of days will be deleted from the database. The default is 30 days. 3. Click Save. Setting or changing the purge value takes effect only after being saved. To suspend purging, clear the Purge check box. The value in the after field will remain, but no purging will take place until the Purge check box is selected again.

Filtering database views You can filter the Incidents or Quarantine views to see only certain items. The filter has no effect on the database itself, just on which records are displayed.

To filter the database view 1. Select the Filtering check box on the Incidents or Quarantine work pane. 2. Select the item that you want to see with the Col option. Each choice in Col corresponds to one of the columns in the display (for example, State). 3. In the Filter edit box, type the string specifying your filter view. For example, you can specify to show only those Incidents whose State is Purged. You can use wildcard characters. The wildcard characters are those used by the Microsoft Jet database OLE DB driver. The wildcard characters are: _ (underscore)—Matches any single character. [ ]—Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]). To filter for multiple days, specify the date using a range. For example, to filter for incidents that occurred between July 20 and July 25, you would use the following value in the Filter field: 7/2[0 5]. [!]—Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]). 4. Click Save to apply the filter. The only items that you see now are those that match your parameters.

Moving the databases You can move the Quarantine and Incidents databases. However, for Antigen to function properly, you must move both databases, as well as all related databases and support files. To move the databases and all related files 1. Create a new folder in a new location (for example, C:\Moved Databases). 2. Stop Exchange and any Antigen services that might still be running after the Exchange server is stopped. 3. Copy the Quarantine folder from the Antigen installation folder into the folder that was created in step 1. (This results in a folder called C:\Moved Databases\Quarantine.) 4. Move ProgramLog.txt, Incidents.mdb, AntigenHRLog.txt, and all .adb files to the new location (C:\Moved Databases). 5. Change the path in the following DatabasePath registry key to point to the new Quarantine folder location: HKEY_LOCAL_MACHINE/Software/Antigen 6. Restart the Exchange services.

Changing the database compaction time Typically, Antigen runs daily database management functions on the Incident.mdb and Quarantine.mdb databases. The CompactIncidentDB function and the CompactQuarantineDB function are run to delete old database records and to delete stale Quarantine items. By default, these functions are run at 02:00 local time. However, you may want to compact the databases at a different time. To run the compaction functions at a different time, you must add a registry entry.

To change the database compaction time 1. Click Start, click Run, type regedit, and then click OK. 2. In Registry Editor, expand the following registry subkey. HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange 3. On the Edit menu, point to New, and then click String Value. 4. Type CompactDatabaseTime, and then press ENTER. 5. Right-click CompactDatabaseTime, and then click Modify. 6. In the Value data box, type a new value, for example 21:00, and then click OK.

Note: Type the time value by using the 24-hour (hh:mm) format. Type the time value based on the local time during which you want the compaction functions to run. 7. Exit Registry Editor. 8. Click Start, point to Settings, and then click Control Panel. 9. Double-click Administrative Tools, and then click Services. 10. Right-click AntigenService, and then click Restart. 11. Close the Services Microsoft Management Console (MMC) snap-in. About Windows Event Viewer Antigen stores virus detections, stop codes, system information, and other general application events in the Windows application log. Use Windows Event Viewer to access the log. Additionally, these events are stored in ProgramLog.txt in the Antigen installation directory as a method for logging events when the application log is full. The ProgramLog.txt file size can be controlled by using the registry key ProgramLogMaxSize. This key specifies in KB the maximum size of the ProgramLog.txt file.

About Performance Monitor All Antigen virus scan statistics can be displayed using the Performance Monitor (Perfmon.exe) that is provided by Windows and is usually found in Administrative Tools. The performance object is called Antigen Scan.

Reinstalling Antigen performance counters In the event that the Antigen performance counters are deleted, they can be reinstalled by reinstalling Antigen, or by issuing AntigenPMSetup from a command prompt. The AntigenPMSetup command reinstalls the performance counters without the need to reinstall Antigen.

To reinstall performance counters from a command prompt 1. Open a Command Prompt window. 2. Navigate to the Antigen installation folder (default: C:\Program Files\Microsoft Antigen for Exchange). 3. Enter the command: AntigenPMSetup –install

Chapter 20 - File scanner updating overview

Antigen enables you to choose virus scanning engines from multiple vendors. The standard Antigen license includes four antivirus engines. After Antigen is installed, engine updates automatically begin. The scanner update settings are, by default, set to begin updating your engines five minutes after the Antigen Service is started. Updates are spaced at five-minute intervals. All licensed engines are automatically downloaded and installed by the first update. You can also update an engine at any time by clicking the Update Now button on the Scanner Update Settings work pane. For more information on configuring scanning options, see Chapter 6 - Configuring Manual Scan Jobs, Chapter 7 - Configuring Realtime Scan Jobs, Chapter 8 - Configuring SMTP Scan Jobs, and Chapter 9 - Configuring MTA Scan Jobs. Notes:

After an upgrade to Antigen, the Microsoft Engine will not be scheduled for updates. You must manually set the update schedule for the Microsoft Engine after the upgrade is complete. If you add scan engines after installation by upgrading your license, the new scan engines will not be scheduled for updates. You must manually set the update schedule for any new engines that are added. If you are using a proxy server to access the Internet for scanner updates, these scheduled updates will fail. For information on configuring Antigen to use a proxy server to retrieve updates, see Updating the file scanner through a proxy. After the configuration settings have been entered, click Update Now on the Scanner Update Settings work pane to perform an immediate scanner update for each engine. It is recommended that you schedule updates or do a manual update before scanning with an engine that you have not used before. This chapter describes antivirus engine updates. For information about anti-spam engine updates, see Chapter 17 - Antigen Spam Manager overview.

About automatic file scanner updating Scan engines, signature files, and worm list updates can be downloaded automatically from the Microsoft HTTP server, or from another Microsoft Exchange server running Antigen. Setting a schedule for checking the HTTP or Exchange server for a new scan engine means that you are automatically protected against new viruses without having to check versions or manually update the files. After Antigen has automatically downloaded an updated scan engine, it automatically puts that scan engine to use. During file scanner updates, only the engine being updated is taken offline. The other engines continue to scan for viruses. To set the schedule times for updating the scanning engines, click SETTINGS in the left navigation shuttle and then click the Scanner Updates icon. The Scanner Update Settings work pane appears on the right. The top portion of the work pane shows the list of supported file scanners and the worm list. The bottom portion of the work pane contains the scheduling features for the selected scanner along with information about that scanner.

If a scan engine becomes locked or it generates an error message when it attempts to load, you may need to rebuild the scan engine. For more information, see "Rebuilding scan engines" in Chapter 21 - Troubleshooting overview.

Scheduling an update You can control when your scanning engines update, how often, and the update source. Note:

If you are using the optional Microsoft Antigen Enterprise Manager to update the scan engines, you should use the Scanner Updates work pane to disable scheduled updates.

To schedule updates for scanning engines 1. Select Scanner Updates in the SETTINGS shuttle. The Scanner Update Settings work pane appears. The top of the pane shows a list of all supported file scanners and the worm list. 2. Select a scan engine to be scheduled. The bottom pane contains the primary and secondary update paths and the update schedule for the selected engine, along with information about that engine. (For more information, see About scanner information.) 3. Set the primary update path by clicking Primary in the bottom pane and then entering a value into the Network Update Path field. By default, Antigen uses the primary update path to download updates. If the primary path fails for any reason, Antigen uses the secondary update path. The default primary update path is http://antigendl.microsoft.com/antigen. You can change it to point to another HTTP update site, or if you would prefer to use UNC updating as the primary update path, enter the UNC path to another Exchange server. For more information about UNC updating, see Distributing updates. To restore the default server path, right-click the Network Update Path field, and then select Default HTTP Path. 4. Set the secondary update path, if desired, by clicking Secondary in the bottom pane and entering a value into the Network Update Path field. If the primary path fails for any reason, Antigen will use the secondary update path. It is left blank by default. The secondary path can be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another Exchange server. For more information about UNC updating, see Distributing updates. 5. Specify the Date to check for updates. If you choose a Frequency of Once, this date is the only time that update checking will occur; otherwise, this date represents the first time that update checking will occur. Click the left and the right arrows on the calendar to change the month. Click a particular day to select it. (The current date is circled in red; a selected date turns blue.) 6. Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up and down buttons to change the current value of each subfield. Antigen for Exchange defaults to staggering the update time, leaving an interval of five minutes between engines. It is recommended that you stagger updates a minimum of 15 minutes apart. 7. Specify how often the update occurs (the frequency). You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). It is recommended that you select Daily, and then set a Repeat interval to update the engine at multiple times during the day. 8. Optionally, indicate a repeat interval. Select Repeat, and then choose a time interval. (The minimum time is 15 minutes, which is the default value.) It is recommended that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline and no updating is done. 9. Use the Enable and Disable buttons to control whether the update check will be performed for a selected engine. All engine updates are enabled by default. Even if you are not using a particular engine, you should schedule updates for it. That way, if you find you need to use that engine in the future, it will already be at the current update level. 10. Click Save.

The Enable and Disable buttons control updating only, and not the use of the engine. To discontinue using the engine itself, see Chapter 6 - Configuring Manual Scan Jobs, Chapter 7 - Configuring Realtime Scan Jobs, Chapter 8 - Configuring SMTP Scan Jobs, and Chapter 9 - Configuring MTA Scan Jobs.

Update Now You can click the Update Now button on the Scanner Updates work pane to perform an immediate update of the selected scanner. If an update exists, Antigen will download the scanner and will start using it after the download is complete. While the engine download is in progress, the Update Now button remains inoperable. This button is useful for quick checks for a new scanner between regularly scheduled updates.

Update on load Antigen can be configured to update its file scanners when AntigenService starts up. To configure Antigen to update at startup, select the Perform Updates at Startup option in the Scanner Updates section of the General Options work pane. The updating of the engines is scheduled using the scheduler on the Scanner Updates work pane. The engines that are to be updated are scheduled in five-minute intervals to avoid possible conflicts.

About scanner information This is the information that appears on the Scanner Updates work pane for a selected scanner:  Engine Version—The version, as reported by the third-party scan dynamic-link library (DLL).  Signature Version—The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).  Update Version—The value located in the manifest.cab file.  Last Checked—The date and time of the last check made for a new scan engine or definition files.  Last Updated—The date and time of the last update made to the scan engine or definition files.

About Manifest.cab The manifest.cab files, maintained by Microsoft, store information for determining whether a newer version of a scan engine is available for download (each engine has an associated manifest.cab file in its package folder). During a scheduled update or when Update Now has been invoked, Antigen searches the network update path for a new update. To minimize overhead, the manifest.cab file is first downloaded and used to determine if an update is required. If an update is not required, no further processing takes place. If an update is required, the update is downloaded and applied. When the update is finished, the new manifest.cab file overlays the old one. This is the directory structure of the scan engines on a server running Antigen: Antigen Directory\ Engines\ x86\ Engine Name\ Package\ manifest.cab Version Directory\ manifest.cab enginename_fullpkg.cab other enginename files  Antigen Directory is the top-level directory where all of the Antigen for SMTP Gateways files are kept. This was created during the product’s installation.  Engine Name is a directory with the name of an engine’s vendor. There is an Engine Name directory for each engine.  The Package directory contains the most recent manifest.cab file.  The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0512140001). On any specific day, there may be multiple version directories. Each contains the current manifest.cab file, the enginename_fullpkg.cab, and all other required files for the engine.

Distributing updates The most common method of distributing updates is to have one server receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers (the "spoke" servers) in your environment. After one server receives an engine update, it can share that update with any other server whose network update path points to it. Configuring servers to distribute and receive updates You must configure both the hub and the spoke servers before distributing updates. To prepare a server to act as an update hub, you first need to establish a Windows® share for the Engines directory (which is usually in the Antigen installation directory). Next, enable the Redistribution Server option in the Scanner Updates section of General Options on the chosen hub server. This configures Antigen to save the two most recent engine update packages in the engine package folder instead of the usual single engine package. Antigen will also download the full update package rather than performing an incremental update. The multiple engine packages allow the spoke servers to continue pulling updates from the redistribution server while a new update is being downloaded. Then, enter the UNC credentials.

To configure UNC credentials 1. Select General Options from the SETTINGS shuttle. 2. Select Use UNC Credentials in the Scanner Updates section. 3. In the UNC Username field, enter the name of a user with access rights to the UNC path. Also enter the UNC Password. 4. Click Save. After the hub server has been set up, configure the spoke servers to point to the shared directory by entering the hub's UNC path (\\ServerName\ShareName), in the Primary Network Update Path field of each of the spoke servers.

The use of static IP addresses within the update path is neither recommended nor supported. Example: Server Ex1 receives its updates automatically from the Microsoft HTTP server. Ex1 has Antigen installed in C:\Program Files\Microsoft Antigen for Exchange, and you have created a share, called AdminShare, that begins at the Engines directory. Another server, Ex2, will get its updates from Ex1, by using \\Ex1\AdminShare as its primary network update path.

Notifications following engine updates Antigen can be configured to send a notification to the Virus Administrator following each engine update. The notifications include:

Notification Subject Line Body

Successful update: Successful update of The engine_name scan engine_name scan engine engine has been updated on server server_name. from update_path.

No update available: No new update for the There are currently no new Notification Subject Line Body

engine_name scan engine scan engine files available on server server_name. for the engine_name scan engine at update_path.

Error updating: Failed update of An error occurred while engine_name scan engine updating the engine_name on server server_name. scan engine. (There may be an error message included here.) For more information, see the Program Log.

Engine update notifications are controlled in the General Options work pane by selecting Send Update Notification in the Scanner Updates section.

Putting the new file scanner to use After the download has successfully completed, the new file scanner is immediately put to use. Any currently running scan jobs are temporarily paused while the new file scanners are loaded. The previous file scanner files are then archived in a folder named LastKnownGood. If for any reason the newly downloaded file scanner fails, Antigen returns to the file scanner that was archived in the LastKnownGood folder.

Updating the file scanner through a proxy In environments where the Exchange server must access the Internet through a proxy server, Antigen can be configured to retrieve engine updates through a proxy server.

To configure Antigen for proxy server updating 1. Select General Options from the SETTINGS shuttle. 2. In the Scanner Updates section of General Options, select Use Proxy Settings. 3. Enter information about the proxy server: name or IP address, port, user name (optional), and password (optional). For more information about these fields, see Chapter 4 - Using the Antigen Administrator. 4. Click Save. After the proxy server settings have been entered and saved, they can be deployed to other servers by replicating the General Options settings by using the Microsoft Antigen Enterprise Manager (AEM). Adding and deprecating scan engines When Antigen adds or deprecates an engine, you are informed via notification entries in the event log. You can also configure notifications to be sent to Virus Administrators in addition to the event log by using the Antigen Administrator; for more information about how to do this, see Chapter 18 - Using e-mail notifications.

Adding new scan engines When Antigen adds a scan engine, an announcement is written to the event log that publicizes that the engine was added to your configuration. This notification - which includes links to information about this new engine - is written to the event log only once.

Deprecating scan engines When Antigen is no longer going to support a scan engine, an announcement is written to the event log to publicize the date on which updates for this engine will no longer be available. Notifications, which include links to information about this engine's deprecation, are written to the event log on a weekly basis up until the date on which the engine becomes obsolete. Upon receiving a notification about an engine being deprecated, it is strongly recommended that you disable the use of this engine with any scan jobs. Once the engine becomes obsolete, the definitions on disk will become out of date and the scanning usefulness of this engine diminishes. After the date on which the engine becomes obsolete, updates are no longer available for this engine. If the obsolete engine is still enabled for updates, update checks for that engine are automatically disabled, and an error notification is written to the event log. If the obsolete engine is in use with a scan job, an error notification is written to the event log on a daily basis until the engine is disabled for that scan job.

Chapter 21 - Troubleshooting overview

This section contains troubleshooting information.

Getting help To obtain technical support, visit the Microsoft® Web site at Microsoft Help and Support.

Using diagnostics Diagnostic logging is helpful information that can be used by Microsoft support technicians to help troubleshoot any problems that are occurring while Antigen is not working properly. Diagnostics can be set independently for each scan job by selecting the appropriate check box for each scan job in the Diagnostics area of the General Options work pane. The settings are: Additional Internet, Additional Realtime, Additional Manual, and Archive SMTP Mail. These options are disabled by default. For more information about these settings, see Chapter 4 - Using the Antigen Administrator. For information about collecting diagnostic information, see Appendix D - Using the Antigen diagnostic utility.

Antigen installation failure Antigen cannot co-exist with any VSAPI-based antivirus product. If you previously used VSAPI to install another antivirus software product, you receive an error message when attempting to install Antigen, and the installation fails. When using VSAPI to install antivirus software, the following registry subkey is created to save information about the VSAPI library: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan If the VirusScan registry subkey is present in the registry when you try to install Antigen, the installation fails. The VirusScan registry subkey must be present in the registry but only after you successfully install Antigen.

To delete the VirusScan registry entry 1. Click Start, click Run, type regedit, and then click OK. 2. In Registry Editor, expand the following registry subkey. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusSca n 3. Right-click the VirusScan registry entry, and then click Delete. 4. Exit Registry Editor.

Antigen services do not start when you start the computer When you start the computer on which Antigen for Exchange is installed, the Microsoft Exchange and the Antigen services should start automatically. If the Antigen services do not start, an error message is logged in the ProgramLog.txt file stating that the VirusScan key is not enabled, and Antigen cannot virus scan. You can resolve this issue by enabling the VirusScan registry entry.

To enable the VirusScan registry entry 1. Click Start, click Run, type regedit, and then click OK. 2. In Registry Editor, expand the following registry subkey. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusSca n 3. In the right pane, right-click Enabled, and then click Modify. 4. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK. 5. Exit Registry Editor. 6. Restart all Antigen for Exchange services. 7. Restart all Exchange services.

Submitting malicious software files to Microsoft for analysis If you suspect a file to contain malware or potentially unwanted software, you can submit it to Microsoft for analysis. You can use one of the following methods to submit malware files to Microsoft for analysis:  Submitting files through the Microsoft Malware Protection Center Portal  Submitting files through Microsoft Customer Support Services

Submitting files through the Microsoft Malware Protection Center Portal The following Web site enables users to submit files that are suspected of containing malware or potentially unwanted software to Microsoft for analysis: http://go.microsoft.com/fwlink/?LinkId=196858 After you have accessed the Microsoft Malware Protection Center portal, on the Submit a sample page, follow the instructions for the portal submission process.

When prompted, enter your Microsoft Software Assurance ID. This ensures that your malware submission is given a higher priority assignment in our submission queue as compared to those anonymously submitted. For more information on software assurance, visit the following Microsoft Web site: Software assurance information

Preparing files for submission If your submission is larger than 10 megabytes or you want to submit multiple files for analysis, compress the file or files into a single .zip or .rar archive (must be less than 10 megabytes in size) and password protect the file with the password "infected" (without quotation marks). When you submit the file, make sure that you include the following data:  Your name and email address Microsoft sends all responses to the email address that you use to submit the files. When you submit the archive file, Microsoft processes the file and then sends a determination of the files that it contains, based on the current Microsoft malware definitions. If it is necessary, adjust your incoming mail filters to ensure that you receive this message. If you want to add additional email contacts to receive updates about the status of the submission, also include these contacts and add the following note in the comments field: "Please Reply All".  Support case number (optional) A support case number is not required to submit files for analysis. However, if a support case is already open for this submission, you can include the case number.  Product that you are using Select Microsoft Forefront Server Security. (In the comments section, you may want to list a more specific product name, for example Microsoft Antigen for Exchange.)  False positives If the submission includes files that you believe were incorrectly determined to contain malware, select the I believe this file should not be detected as malware check box. Otherwise, the files are assumed to contain malware.  File to submit Click the Choose File button to browse to the file you want to submit for analysis.  Description of the malicious activity In the comments field, describe what the files did to make you suspect that it contained malware. Also include the operating system on which the suspected malware was found (for example, Windows Server 2003), as well as any additional information that may be helpful in analyzing the files.

About the response message After you submit the malware files, we send you a response to confirm the receipt of the submission. We then follow up with the results of our analysis and with responses from our partners. If you want more frequent updates through sample review, such as for high-priority submissions, it is recommended that you open a support case.

Submitting files through Microsoft Customer Support Services Microsoft Customer Support Services can submit files on your behalf. If you have an urgent malware situation that Antigen does not address, or if it is after regular business hours, it is recommended that you contact Customer Support Services for help. To do this, use the support information that was provided to you when you purchased Antigen, or visit the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=159889

No Realtime scanning occurs on the Exchange store after installing Antigen After installing Antigen for Exchange, you may find that no Realtime virus scanning occurs on the Exchange store if a third-party antivirus product was installed and then uninstalled on the server. This problem occurs because a registry entry is incorrectly reset when the third-party antivirus product is uninstalled.

To correctly reset the registry entry 1. Click Start, click Run, type regedit, and then click OK. 2. In Registry Editor, expand the following registry subkey. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ServerNa me\Private-GUID 3. Right-click VirusScanEnabled, click Modify, type 1, and then click OK. 4. Repeat steps 2 and 3 for each Exchange Server database that is present on the server. 5. Exit Registry Editor. 6. Restart the Microsoft Exchange Information Store service.

Attaching a disclaimer message that includes non-US-ASCII characters When using the Add Outbound Disclaimer function to attach a disclaimer message to an outgoing e-mail message, the e-mail message may be unreadable if the disclaimer message includes non-US-ASCII characters. By default, Antigen formats the e-mail message in the basic Internet encoding standard when Antigen adds a disclaimer message. The basic Internet encoding standard is the UTF7 encoding standard. However, many languages include characters that are not included in the UTF7 encoding standard. Therefore, non-US-ASCII characters are not represented correctly after Antigen processes the e-mail message. By default, Antigen formats the e-mail message in the UTF7 encoding standard even if the original e-mail message from the sender is in a different character set. For example, Antigen does this even if the original e-mail message is in the ISO-8859-1 character set. To prevent Antigen from forcing the disclaimer encoding type from the original format into UTF7, create the following registry key.

To prevent Antigen from forcing the UTF7 format 1. Click Start, click Run, type regedit, and then click OK. 2. In Registry Editor, expand the following registry subkey. HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange 3. Right-click Antigen for Exchange, point to New, and then click DWORD Value. 4. To name the new value, type ForceDisclaimerNonUTF7, and then press ENTER. 5. Right-click ForceDisclaimerNonUTF7, and then click Modify. 6. In the Value data box, type 1, and then click OK. 7. Exit Registry Editor. 8. Restart the Antigen services.

Exchange cannot deliver e-mail messages to certain domains after you configure an e-mail disclaimer After you configure an e-mail disclaimer in Microsoft Antigen for Exchange, you may encounter that Exchange cannot deliver e-mail messages to certain domains because they remain queued for delivery to the destination domains. This occurs if you have internal messaging servers that do not use the MIME format for e-mail messages. When troubleshooting this issue, you will notice that the affected destination domains reject the SMTP connection from Exchange. When Antigen for Exchange appends a disclaimer to outgoing e-mail messages that are not in MIME format, Antigen may leave a bare line feed (LF) after the disclaimer. Therefore, the e-mail messages are in a non-standard Internet e-mail format. Certain destination e-mail servers may reject these messages. To resolve this issue, enable the Fix Bare CR or LF in Mime Headers setting, located under the Scanning heading of the General Options pane.

Rebuilding scan engines

Important:

Before you rebuild a scan engine in Antigen, it is recommended that you first contact Microsoft Product Support Services (PSS) to help determine whether the problem that you experience requires a scan engine rebuild operation. For information about how to contact Microsoft PSS, visit the following Web site: http://support.microsoft.com/contactussupport/?ws=support Symptoms that may require that you rebuild a scan engine include the following:  Scan engine files become locked. Therefore, a scan engine can no longer be automatically updated.  A scan engine generates an error message when it attempts to load. When any of these symptoms occur, one of the following errors may be logged in the ProgramLog.txt file, located in the Antigen for Exchange folder.  ERROR: Could not create mapper object  INFORMATION: The engine_name engine was rolled back  ERROR: Scan engine was corrupted on download  ERROR: CheckCrc failed

To rebuild a scan engine 1. Create the UNC update folder structure. To do this, follow these steps: a. Create a directory that is named Antigen. b. In the Antigen directory, create a directory that is named Engines. c. In the Engine directory, create a directory that is named x86. d. In the x86 directory, create a folder for the engine on which you are working. For example, create a folder that is named Microsoft. e. In the Engine Name directory, create a folder that is named Package. An example of a UNC update folder path is as follows: C:\Antigen\Engines\x86\Microsoft\Package 2. Download the latest scan engine files. To do this, follow these steps: a. Save the Manifest.cab file to the Package folder for the engine that you are updating. An example of the path of this file in the directory is as follows: C:\Antigen\Engines\x86\Microsoft\Package\manifest.cab To obtain the Manifest.cab file, go to the following Microsoft Web site: http://antigendl.microsoft.com/antigen/x86/Microsoft/Package/manifest.cab b. Extract the Manifest.xml file from the Manifest.cab file, and then open the Manifest.xml file by using a text editor, such as Notepad. Search for the "version=" string in the Manifest.xml file. After one of the instances of "version=" a 10-digit number is displayed. For example, locate the entry that resembles the following entry: version="0606080004" In this entry, the 10-digit number represents the update version number of the latest update. For this procedure, this update version number is represented by the update_version placeholder. c. Save the Microsoft_fullpkg.cab file to a directory that has the same version name within the Package folder. An example of the path of this file in the directory is as follows: C:\Antigen\Engines\x86\Microsoft\Package\0606080004\Microsoft_fullpkg.cab To obtain the Microsoft_fullpkg.cab file, go to the following Microsoft Web site: http://antigendl.microsoft.com/antigen/x86/Microsoft/Package/update_version\micros oft_fullpkg.cab

Important: In this URL, replace update_version with the update version number that you located in step 2b. For example, use a URL that resembles the following sample URL: http://antigendl.microsoft.com/antigen/x86/Microsoft/Package/0606080004\mi crosoft_fullpkg.cab d. Copy the Manifest.cab file in the Package folder, and then paste the file into the Version folder. An example of the final structure of the file is as follows: c:\Antigen\Engines\x86\Microsoft\Package\manifest.cab c:\Antigen\Engines\x86\Microsoft\Package\0606080004\manifest.cab c:\Antigen\Engines\x86\Microsoft\Package\0606080004\Microsoft_fullpkg.cab 3. Update the engine. To do this, follow these steps: a. Open the Antigen Administrator. b. Under SETTINGS, click Scanner Updates. c. Select the engine on which you are working. For example, select Microsoft. d. Change Network Update Path to the parent directory of the x86 folder. For example, change this item to C:\Antigen\Engines. e. Click Save. f. Click Update Now.

The third-party products that the preceding procedure discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Appendix A - Using the Antigen utility

The Antigen utility (antutil.exe) is a command-line tool with which you can enable or disable Antigen.

Unlike a reset, the Antigen services are not removed. Only the dependencies that have been set are removed. The antutil.exe command is located in the Microsoft Antigen for Exchange installation directory. It has the following parameters:  antutil /enable - Enables Antigen by reestablishing dependencies.  antutil /disable - Disables Antigen by removing dependencies.  antutil /status - Displays an onscreen report showing the status of Antigen and the server. There are other parameters, but they should be used only when you are directed to do so by support technicians.

Enabling and disabling Antigen You can use the Antigen utility to disable and enable Antigen.

To disable Antigen 1. Stop the Microsoft Exchange and Antigen services. Note: In a clustered environment, when running the Antigen utility to disable Antigen, the Exchange services are automatically taken offline. Therefore, you can skip step 1 and proceed directly to step 2. 2. From a command prompt, navigate to the Antigen for Exchange installation directory. Disable Antigen dependencies by typing: antutil /disable 3. To confirm that the Antigen dependencies have been removed, type: antutil /status 4. Restart the Exchange services.

Caution: When you are not running Antigen, you do not have its protection.

To enable Antigen 1. Stop the Exchange services.

Note: In a clustered environment, when running the Antigen utility to enable Antigen, the Exchange services are automatically taken offline. Therefore, you can skip step 1 and proceed directly to step 2. 2. From a command prompt, navigate to the Antigen for Exchange installation directory. Enable Antigen dependencies by typing: antutil /enable 3. To confirm that the Antigen dependencies have been reestablished, type: antutil /status 4. Restart the Exchange services.

Appendix B - Setting registry values

Caution:

Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Make sure that you back up the registry before you modify it, and that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base article Windows registry information for advanced users. Antigen stores many settings in the Windows® registry. You rarely need to edit the registry yourself because most of those settings are derived from entries that you make in General Options. However, there are some additional settings that you may occasionally need to make. Antigen stores registry values in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange

Variable Description and Values

AdditionalEngines Enables users to use locally installed antivirus engines by specifying the engines in the DWORD value for this registry key.

AdditionalTypeChecking Antigen performs signature type checking on files to avoid scanning files that can never contain a virus. If it becomes necessary to scan an additional file type, you will need to contact Microsoft Technical Support to obtain the proper setting for the file type that you would like to add. This key is set to 0 (off) by default.

CloudmarkDownloadTimeout Specifies the time (in seconds) that the Cloudmark scan engine will attempt to download an update before timing out. The default value is 900 (15 minutes).

ConvertExtensionType When this value is set with a specified extension type (for example, "txt"), all deleted attachments will be renamed with that extension. By default, this registry value is set to "txt.” To disable this feature, replace "txt" with an empty string (that is, ""). To specify a different extension, replace "txt" with the desired extension. The allowed maximum size of a specified extension is three characters. If you place an extension larger than three characters or if you delete the ConvertExtensionType registry value, the extension will default back to "txt" at the next recycling of the services. Any changes made to this registry value will take effect only after recycling the appropriate Exchange and Antigen services.

DatabasePath Specifies the path under which the Antigen configuration files and Quarantine folder reside. It defaults to the Antigen installation path (InstalledPath). If this value is changed, the Variable Description and Values

configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If this value is changed and the files are not moved, Antigen recreates them and the previous settings are lost. Move the files first and then change this value.

DisableInboundFileFiltering When set to 1, this value disables inbound file filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableInboundContentFiltering When set to 1, this value disables inbound content filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableInboundVirusScanning When set to 1, this value disables inbound virus scanning for the Internet Scan Job. The default value is 0.

DisableOutboundFileFiltering When set to 1, this value disables outbound file filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableOutboundContentFiltering When set to 1, this value disables outbound content filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableOutboundVirusScanning When set to 1, this value disables outbound virus scanning for the Internet Scan Job. The default value is 0.

DisableSMTPVS By default, Antigen will scan mail on all SMTP Virtual Servers when the SMTP Scan Job is enabled. This value can be used to prevent Antigen from scanning selected SMTP Virtual Servers. To disable scanning on selected SMTP Virtual Serves, create a STRING registry value named DisableSMTPVS. The STRING value must be populated with a comma delimited list of numbers from 1 through 10 representing the virtual servers (VS) that you would like Antigen to skip during scanning. For example, if you Variable Description and Values

have four virtual servers and want Antigen to scan only VS1 and VS3, the STRING value would be: 2,4.

Note: Placing anything other than the numbers 1 through 10 in the STRING will cause unpredictable results.

DomainDatFilename Specifies whether an external text file will be used to indicate your internal domains. Specify the full path of the external text file into which you have entered domains. If the DomainDatFilename registry key is not present, the Internal Address field in General Options is used.

DoNotScanIPMReplicationMessages Specifies whether to scan IPM replication messages. The SMTP Scan Job scans files called Winmail.dat for viruses. Exchange uses these files for several purposes, including facilitating replication between servers (IPM replication messages). If Antigen modifies a Winmail.dat file, the public folder replication process will fail. Setting this DWORD registry key to 1 prevents the SMTP Scan Job from scanning IPM replication messages. If a virus is replicated because of public folder replication, the Realtime Scan Job will still detect the virus even if this key is set.

EngineDownloadTimeout Specifies the time (in seconds) that the antivirus scan engines will attempt to download an update before timing out. The default value is 300 (5 minutes).

HttpPort Specifies the port used while performing an engine update via HTTP. The default value is 80. By default, entries into the registry are hex values. You will not notice this unless you enter a value that is greater then 9. If you are entering a value greater then 9, you must change the option from hexadecimal to decimal.

HTTPUseWinInet Configures scan engine updating to use the Variable Description and Values

WinInet API to handle MS Proxy authentication. Set the value to 1 to enable and 0 (the default) to disable.

IncidentPurge Sets a purge threshold for removing entries from the incidents.mdb file. To enable the incident purging feature, a new DWORD registry key called IncidentPurge must be added to the registry. The upper byte of this registry value must be set to 0001 for incident purging to be enabled. The lower byte must be set to the number of days (in hex) of the threshold limit. For example, to enable purging after 20 days, which is 14 hex, make the key 00010014. (Note that this key is similar to the QuarantinePurge registry value that is set and enabled in the Quarantine work pane.)

InternetPurge Enables or disables purging by the Internet scanner. If set to 0, purging is disabled. If set to 1 (the default), purging is enabled.

ManualScanContinueOnFailed Used to recover from a manual scan failure when a scan engine encounters problems with a file or when moving between folders. This prevents the manual scan from stopping when an engine encounters a problem while scanning a file or traversing a folder structure. When this key is set to any value other than 0, Antigen continues scanning after such an event.

MaxCompressedSize This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxCompressedSize, the Delete Corrupted Compressed Files General Option setting must be enabled. This key sets the maximum compressed file size that Antigen attempts to clean or repair in the event that it discovers an infected file. This key is set to 26 MB by default but may be changed by the administrator. Infected files or files that meet file filter rules that are larger than the allowed maximum size are deleted. Antigen Variable Description and Values

reports a deleted file as having a LargeCompressedInfectedFile virus.

MaxUncompressedFileSize This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxUncompressedFileSize, the Delete Corrupted Compressed Files General Option setting must be enabled. This key sets the maximum uncompressed file size for a file within a .zip or a RAR archive file. Files larger than the maximum permitted size are deleted and reported as Large Uncompressed File Size. The default setting is 100 MB. A restart of the Exchange services is required for any changes to this setting to take effect. The RAR archive format allows one or more compressed files to be stored in multiple RAR volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. The files stored in the multipart RAR volumes are subject to the size limit specified by the registry value MaxUncompressedFileSize (its default is 100MB). If a file exceeds the limit, any multipart RAR volume that contains the file, or a part of the file, is deleted. However, the outcome can vary depending on the size of the original files and how they are distributed across the multiple RAR volumes. Example 1: A single file (F1) is split across 3 RAR volumes (V1, V2, V3). Outcome: If the uncompressed size of F1 exceeds the default 100MB limit, all 3 RAR volumes (V1, V2, V3) will be deleted. Example 2: Four files (F1, F2, F3, F4) are split across three RAR volumes (V1, V2, V3) as follows: V1 contains F1 and the first half of F2. V2 contains the second half of F2 and F3. Variable Description and Values

V3 contains only F4. Outcome: If only F1 exceeds the default 100MB limit, only V1 will be deleted. If only F2 exceeds the default 100MB limit, V1 and V2 will be deleted but V3 will not. If only F4 exceeds the limit, only V3 will be deleted. Note that deleting a volume causes all files stored in the same volume to be deleted, even if only one file or part of a file exceeded the size limit. In both examples, deletion text specifies that a file (the RAR volume) was deleted because it exceeded the maximum uncompressed file size limit. To prevent the volumes from being deleted, you must set the registry value MaxUncompressedFileSize to a value large enough to exceed the uncompressed size of the largest file in the multipart RAR volumes.

MIMEDeletePartialMessages Some e-mail client programs, such as Microsoft Outlook Express, let you send large e-mail messages in several fragments. By default, when Antigen for Exchange scans fragmented messages (content type: message/partial), the e-mail message may be tagged as FragmentedMessage. In this case, the message body is deleted and replaced with the file filter deletion text. To prevent Antigen from deleting fragmented e- mail messages, you must create a new DWORD registry key called MIMEDeletePartialMessages and set it to a value of zero.

Note: Fragmented messages are not deleted when the value data is set to 0. Fragmented messages are deleted when there is no MIMEDeletePartialMessages DWORD value in the registry or when the MIMEDeletePartialMessages value Variable Description and Values

data is set to 1.

QuarantineTimeout Specifies whether items that cause a scan job timeout should be quarantined. If this DWORD registry value is not present or if it is present and its value is not zero, a message that causes a scan job timeout will be quarantined. If the registry value is present and its value is zero, that message will not be quarantined.

RealtimePurge Enables or disables purging by the Realtime scanner. If set to 1 (the default), purging is enabled. If set to 0, purging is disabled.

ScanAllAttachments When this DWORD value is set to 1 (the default), Antigen scans all file attachments.

UpdateDllonScanJobUpdate When set to 1, this key ensures that a background scan is initiated every time a change is made and saved to the Realtime Scan Job. This key is disabled by default.

UpdateOnLoad When this value is set to 1, updates are scheduled for each file scanner that was installed with Antigen after an AntigenService startup. This feature is mainly used in clustered Exchange servers. By default, this value is set to 0.

UpdateStatusNotification When this key is set to 1, it will enable Antigen to send notifications to the Virus Administrator following an engine update. Antigen will send unique notifications for a Successful Update, No Update Available, or an Error Updating.

VirusLogEnabled When this key is set to 1, the Incidents log is enabled. If set to 0, the log is disabled. When enabled, all virus incidents are written to a text file VirusLog.txt under the Antigen installation path (InstalledPath). The Virus Incident Log also follows the ProgramLogMaxFile settings.

There are also registry keys containing the scanner information that is reported on the Scanner Update Settings work pane. Although these should not be modified, you may find them useful for reporting purposes. These registry values are stored in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange\Scan Engines\engine name

Variable Description

Engine Version Indicates the current version of engine name, as specified in the Antigen Administrator.

Last Checked Indicates the date and time engine name was last checked, as specified in the Antigen Administrator.

Last Updated Indicates the date and time engine name was last updated, as specified in the Antigen Administrator.

Signature Version Indicates the current version of engine name signature file, as specified in the Antigen Administrator.

Update Version Indicates the current update of engine name, as specified in the Antigen Administrator.

Appendix C - Using keyword substitution macros

Antigen provides keyword macros that can be used in the Deletion Text and in the various fields of a notification (To, Cc, Bcc, Subject, and body) to display information obtained from an item in which an infection was found or that matched a filter. Type keywords into those fields surrounded by leading and trailing percent signs (%). For example, to include the name of the virus in the subject line, you could use the %Virus% macro, in the Subject field, as follows: The %Virus% virus was found by Antigen for Exchange. Instead of typing the keyword, you can select it from a shortcut menu.

To select a keyword from the shortcut menu 1. Position the cursor in any notification field, at the point where you want the keyword to appear. 2. Right-click at that point to display the shortcut menu. 3. Select Paste Keyword. 4. Choose from a list of available keywords. 5. Click Save. The following table describes the possible keyword substitution macros. Use consecutive percent signs (%%) to display the percent sign itself in the notification field.

Macros Description

%Company% The name of your organization, as found in the registry.

%EBccAddresses% External Bcc Addresses. A list of the addresses of all of the external Bcc recipients.

%EBccNames% External Bcc Names. A list of the names of all of the external Bcc recipients.

%ECcAddresses% External Cc Addresses. A list of the addresses of all of the external Cc recipients.

%ECcNames% External Cc Names. A list of the names of all of the external Cc recipients.

%ERAddresses% External Recipient Addresses. A list of the addresses of all of the external To recipients.

%ERNames% External Recipient Names. A list of the names of all of the external To recipients.

%ESAddress% External Sender Address. The address of the message sender, if external to the company.

%ESName% External Sender Name. The name of the message sender, if external to the company.

%File% The name of the detected file.

%Filter% The name of the file filter that detected the item.

%Folder% The public or private store (mailbox) and subfolders where the virus or attachment was found.

%IBccAddresses% Internal Bcc Addresses. A list of the addresses of all of the internal Bcc recipients.

%IBccNames% Internal Bcc Names. A list of the names of all of the internal Bcc recipients.

%ICcAddresses% Internal Cc Addresses. A list of the addresses of all of the internal cc recipients.

%ICcNames% Internal Cc Names. A list of the names of all of the internal cc recipients.

%IRAddresses% Internal Recipient Addresses. A list of the Macros Description

addresses of all of the internal To recipients.

%IRNames% Internal Recipient Names. A list of the names of all of the internal To recipients.

%ISAddress% Internal Sender Address. The address of the message sender, if internal to the company.

%ISName% Internal Sender Name. The name of the message sender, if internal to the company.

%Message% The Subject field of the message.

%MIME% MIME Header. The MIME header information.

%ScanJob% The name of the scan job that scanned the attachment or performed the filtering operation.

%Server% The name of the server that found the infection or performed the filtering operation.

%Site% The site name of the server that found the infection or performed the filtering operation.

%State% The disposition of the file after detection (Deleted, Cleaned, or Skipped).

%Virus% The name of the virus, as reported by the file scanner.

%VirusEngines% A list of all the scan engines that found the virus.

Appendix D - Using the Antigen diagnostic utility

To accurately diagnose a problem, support engineers typically need a diverse amount of information about Antigen and the Exchange server it is running on. This information consists of Antigen version information, third-party scan engine versions, registry settings, and Antigen databases. Gathering this configuration information is a major effort that can hinder the troubleshooting process. To make it easier for you to collect this information, the Antigen Diagnostic Utility automates the process, assembling all the necessary data in one file that can then be uploaded to Microsoft. When you contact Microsoft support, you will be told where to upload the file. For more information about support, see Chapter 21 - Troubleshooting overview. The Antigen Diagnostic Utility can collect any or all of the following information, based on your requests:  Antigen file versions (including scan engine file versions)  Microsoft® Exchange Server file versions  Antigen registry key  Antigen database (*.adb) files  Antigen archive files  Antigen program log files  Windows® event log files  Dr. Watson log files  user.dmp files  Antigen installation log files You can request any or all of this information.

Running the Antigen diagnostic utility The selected data is gathered and compressed into a single file to be uploaded to Microsoft.

To run the Antigen diagnostic utility 1. Navigate to the Antigen installation folder (default: c:\Program Files\Microsoft Antigen for Exchange) and launch AntigenDiag.exe. The utility runs in a Command Prompt window. You can also run the utility from the command line by navigating to the Antigen installation folder and typing antigendiag at a command prompt. 2. Select the information to be included by answering each of the following screen prompts. Type Y for yes or N for no, pressing ENTER after each response. Add Antigen file versions Yes(Y)/No(N) ? Add Exchange file versions Yes(Y)/No(N) ? Add Antigen registry key Yes(Y)/No(N) ? Add Antigen database files Yes(Y)/No(N) ? Add Antigen archive files Yes(Y)/No(N) ? Add Antigen Program Log Yes(Y)/No(N) ? Add Windows Event log Yes(Y)/No(N) ? Add Dr. Watson log Yes(Y)/No(N) ? Add User.dmp Yes(Y)/No(N) ? Add Antigen Install.log Yes(Y)/No(N) ? After the final prompt, the utility gathers the requested information and compresses the results into a new file in the Log\Diagnostics folder (in the Antigen installation directory). The file name, constructed from the name of the server, the date, and the time, has the following format: AntigenDiag-servername-date-time.zip date has the format yyyymmdd time has the format hh.mm.ss (where hh represents a 24-hour clock) Example: C:\ Program Files\Microsoft Antigen for ISA\Log\Diagnostics\ AntigenDiag-Server1-20051210-17.50.27.zip 3. Upload the compressed file to Microsoft.

Appendix E - File types list overview

This is a list of the file types that are used when creating file filters to detect files based solely on their content type. The program log number is reported in the Antigen program log when the associated file type is identified by a virus scanner or a file filter. For more information about detecting files by type, see “Filtering by file type” in Chapter 12 - Using file filtering.

When a Microsoft® Office file (a PowerPoint®, Access, Excel®, or Word document) is embedded in another Office file, its data is included as part of the original Office file. These files are not scanned as individual files. However, if another file type (such as .exe) is embedded in one of these files and that file is subsequently embedded in an Office file, it will be detected and scanned as a separate file. (The .exe extension, however, is still visible because the icon is a GIF file that cannot be deleted. If you click on the file, the icon will be replaced with the correct TXT icon.)

File type Program log number Description

ANIFILE 66 Windows® 95 animated cursor file.

ARCFILE 21 ARC compression format file.

ARJFILE 20 ARJ compression format file.

AUTOCAD 63 AutoCad file.

AVIFILE 29 Windows Audio/Visual file format (Audio/Video Interleaved resource interchange file format).

BMPFILE 24 Bitmap image file.

DATAZFILE 15 InstallShield file (InstallShield File type Program log number Description

DOCFILE 6 Microsoft OLE Structured Storage file. The DOCFILE test checks for the OLE Structured Storage file format. Contained within this format is information that describes the application to use to process the data. Among the applications that use this format are those in the Microsoft Office suite: Word (.doc), Excel (.xls), PowerPoint (.ppt), Exchange Message files (.msg), and Shell scraps (.shs).

EICAR 5 Eicar test virus file.

EPSFILE 57 Encapsulated PostScript file (Adobe).

EXEFILE 3 Microsoft executable file.

FONT_TYPE1 64 Adobe Type 1 font file.

GIFFILE 22 GIF image file.

GZIPFILE 16 GZip compression format file.

HYPERARC 54 ARC compression format file (Systems Enhancement Associates).

ICOFILE 27 Windows icon file.

IS_UNINST 48 InstallShield uninstall file.

ISCABFILE 14 Microsoft cabinet archive format file.

JARFILE 52 Java archive file.

JAVACLASS 45 Java byte code file (usually contained inside a JAR file).

JPEG 23 JPEG image file.

LHAFILE 12 Compression format file (LHA/LHARC). File type Program log number Description

MACFILE 77 A binary (nontext) format that encodes Macintosh files so that they can be safely stored or transferred through non- Macintosh systems.

MDB 71 Access database file.

MP3FILE 67 MP3 audio file.

MPEG1 32 MPEG animation file (.mpg).

MS_CHIFILE 51 Document file for Microsoft Help index (.chi).

MS_HELP 50 Microsoft Help file (.hlp).

MS_TYPELIB 49 Microsoft Type Library file format (typically used for Microsoft ActiveX® service).

MS_WMF 59 Windows metafile format graphics (vectored and bit- mapped).

MSCABFILE 13 Cabinet file (Microsoft installation. archive).

MSCOMPRESS 17/18 Microsoft compression format file.

MSIMC_MIME 46 MIME formatted text file with IMC binary header.

MSLIBRARY 42 Microsoft object code library file.

MSSHORTCUT 44 Microsoft shortcut file (.lnk).

NOTESDB 68 Notes database file.

OBJFILE 43 Object code file (Intel Relocatable Object Module - .obj).

OPENXML 83 OpenXML file. This file type applies to Office Word, PowerPoint, and Excel 2007 files only. The Scan Doc Files As Containers settings in General Options (for Manual, File type Program log number Description

Internet, and Realtime scan jobs) do not apply to Office 2007 files because these are always scanned as containers. Although OpenXML files are essentially ZIP containers and the individual files inside are scanned by Antigen, settings that affect ZIP files do not apply to them. OpenXML documents have an XML-based schema that Antigen cannot modify if an infection is found. Therefore, if an infection is in a file that is part of the XML schema, the file is not cleaned and the entire OpenXML document is deleted. However, if the infected file is not part of the XML schema, then Antigen will attempt to clean just that infected file (replacing it with the Deletion Text) and leave the rest of the OpenXML document intact. If it cannot be cleaned, just that file will be deleted. However, in practice, Office 2007 does not open any OpenXML file containing files that are not part of the XML schema.

PALFILE 26 Adobe PageMaker library palette file or a color palette file.

PCXFILE 25 Bitmap graphic file (PC Paintbrush).

PDFFILE 47 Portable Document Format file (Adobe).

PIFFILE 4 Program Information File (Windows), or Vector Graphics GDF format file (IBM mainframe computers). File type Program log number Description

PKLITE 55 PKLite compression format file.

PNGFILE 61 Bitmap graphics file (Portable Network Graphics).

QTMovie 31 QuickTime movie file.

RARFILE 76 RAR-compressed archive file.

RIFFILE 30 RIFF bitmap graphics file (Fractal Design Painter).

SFXEXE 73 Self-extracting executable file.

TARFILE 75 TAR archive format file (a UNIX method of archiving files that can also be used on personal computers). TAR archives files but does not compress them, so .tar files are compressed with other tools; this produces extensions such as .tar.gz, .tar.Z, and .tgz.

TEXT 1 Text file (.txt).

TIFFILE 62 Tagged Image File Format (TIFF) bitmap graphics file.

TNEFFILE 56 Microsoft Transport Neutral Encapsulation Format file (Message file).

TRUETYPE 65 Microsoft TrueType font file (.ttf).

UNICODE 2 Universal Character Code double-byte text file.

UNIXCOMPRS 53 Unix Compressed format file.

VISIO_WMF 60 Visio exported meta file.

WAVFILE 28 Waveform audio file (RIFF WAVE format).

WINEXCEL1 8 Microsoft Excel 1.x file (.xls).

WINWORD1&2 7 Microsoft Word (1.x and 2.x) file. File type Program log number Description

WINWRITE 9 Microsoft Write file.

XARAFILE 58 XaraX graphic file.

ZIPFILE 10 Compressed file created by PKZip.

ZOOFILE 19 Compressed file created by ZOO.

Appendix F - Using multiple disclaimers

Antigen supports multiple SMTP disclaimers for outgoing e-mail messages. With multiple disclaimers, administrators can create custom disclaimers that can be appended to mail that is destined for certain domains or recipients, or for mail that is from certain senders or domains. They can also customize disclaimers based on the encoding type that is used in the message. Antigen uses an XML document to review the sender and recipient address information of an outgoing message to determine which disclaimer should be used. An XML formatted string is entered into the Disclaimer Text dialog box in the Antigen user interface (UI), and the client validates that it is well-formed XML. If there is a syntax problem, an error message appears when you click the OK button. When a disclaimer is added to an outgoing message, the sender and recipient information is gathered and processed to select the correct disclaimer text from the XML formatted string. The following code provides an example of well-formed XML text that can be used as a template. This example can be modified to suit the administrator’s needs, and then copied and pasted into the client Disclaimer Text dialog box. XML Disclaimer Text

Click here!
Group 1: default disclaimer, iso- 8859-1, html...

Group 1: default disclaimer, iso- 8859-1, plaintext...

Click here!
Group 1: default disclaimer, utf-7, html... Group 1: default disclaimer, utf-7, plaintext...

Group 2: sender domain disclaimer, iso-8859-1, html...

Group 2: sender domain disclaimer, iso-8859-1, plaintext...

Group 2: sender domain disclaimer, utf-7, html...

Group 2: sender domain disclaimer, utf-7, plaintext...

Group 3: sender address disclaimer, iso-8859-1, html...

Group 3: sender address disclaimer, iso-8859-1, plaintext...

Group 3: sender address disclaimer, 日本語のテキスト iso-2022-jp, html...

Group 3: sender address disclaimer, 日本語のテキスト iso-2022-jp, plaintext...

Group 3: sender address disclaimer, 中國語言聲明 Big5, html...

Group 3: sender address disclaimer, 中國語言聲明 Big5, plaintext...

Group 4: sender display name disclaimer, iso-8859-1, html...

Group 4: sender display name disclaimer, iso-8859-1, plaintext...

Click here.Group 4: sender display name disclaimer, utf-8, html...

Group 4: sender display name disclaimer, utf-8, plaintext...

Group 5: recipient display name disclaimer, iso-8859-1, html...

Group 5: recipient display name disclaimer, iso-8859-1, plaintext...

Group 5: recipient display name disclaimer, utf-7, html...

Group 5: recipient display name disclaimer, utf-7, plaintext...

Group 6: recipient address disclaimer, iso-8859-1, html...

Group 6: recipient address disclaimer, iso-8859-1, plaintext...

Group 6: recipient address disclaimer, utf-7, html... Group 6: recipient address disclaimer, utf-7, plaintext...

Group 7: recipient domain disclaimer, iso-8859-1, html...

Group 7: recipient domain disclaimer, iso-8859-1, plaintext...

Group 7: recipient domain disclaimer, utf-7, html...

Group 7: recipient domain disclaimer, utf-7, plaintext...

------XML Sample Review 1. The first section of the preceding XML document will try to match the sender information:

If the sender name is Administrator, the group-number 4 disclaimer is used. If the sender address is [email protected], the group-number 3 disclaimer is used. If the sender address has the domain hotmail.com, the group-number 2 disclaimer text is used. 2. The second section of the document will try to match the recipient information:

If the recipient name contains “mary,” the group-number 5 disclaimer is used. If the recipient address contains “[email protected],” the group number 6 disclaimer is used. If the recipient address domain contains “acme.com,” the group-number 7 disclaimer text is used. 3. The last section of the XML document performs group matching.

There can be different disclaimers based on the encoding used in the message, as well as on the content type of the message.

Click here!
Group 1: default disclaimer, iso- 8859-1, html...

Group 1: default disclaimer, iso-8859- 1, plaintext...

Click here!
Group 1: default disclaimer, utf- 7, html...

Group 1: default disclaimer, utf-7, plaintext...

Group 2: sender domain disclaimer, iso- 8859-1, html...

Group 2: sender domain disclaimer, iso- 8859-1, plaintext...

Group 2: sender domain disclaimer, utf- 7, html...

Group 2: sender domain disclaimer, utf- 7, plaintext...

Group 3: sender address disclaimer, iso-8859-1, html...

Group 3: sender address disclaimer, iso-8859-1, plaintext...

Group 3: sender address disclaimer, 日本語のテキスト iso-2022-jp, html...

Group 3: sender address disclaimer, 日本語のテキスト iso-2022-jp, plaintext...

Group 3: sender address disclaimer, 中國語言聲明 Big5, html... Group 3: sender address disclaimer, 中國語言聲明 Big5, plaintext...

Group 4: sender display name disclaimer, iso-8859-1, html...

Group 4: sender display name disclaimer, iso-8859-1, plaintext...

Click here.Group 4: sender display name disclaimer, utf-8, html...

Group 4: sender display name disclaimer, utf-8, plaintext...

Group 5: recipient display name disclaimer, iso-8859-1, html...

Group 5: recipient display name disclaimer, iso-8859-1, plaintext...

Group 5: recipient display name disclaimer, utf-7, html...

Group 5: recipient display name disclaimer, utf-7, plaintext...

Group 6: recipient address disclaimer, iso-8859-1, html...

Group 6: recipient address disclaimer, iso-8859-1, plaintext...

Group 6: recipient address disclaimer, utf-7, html...

Group 6: recipient address disclaimer, utf-7, plaintext...

Group 7: recipient domain disclaimer, iso-8859-1, html...

Group 7: recipient domain disclaimer, iso-8859-1, plaintext...

Group 7: recipient domain disclaimer, utf-7, html...

Group 7: recipient domain disclaimer, utf-7, plaintext...

Group number 1 is the default disclaimer. If there are no matches to the other disclaimer groups, the default disclaimer is used. Group number 1 also has two disclaimer options. If the message body is encoded in iso- 8859-1, there are two possible disclaimer choices. If the content type of the message body is html, the disclaimer text is "
Click here!
Group 1: default disclaimer, iso-8859-1, html...," If the content type of the message body is plain text, the disclaimer text is "Group 1: default disclaimer, iso-8859-1, plaintext...." The disclaimer text is what appears between the and . The second section in group 1 is for utf-7 encoding. If the content type is html, the disclaimer is "
Click here!
Group 1: default disclaimer, utf-7, html...". If the content type is plain text, the disclaimer is "Group 1: default disclaimer, utf-7, plaintext...." Note:

The comparisons are case-insensitive, so "Administrator" and "administrator" are treated identically. The groups can contain as many encoding types or content types as necessary. Each encoding must have one HTML disclaimer text and one plain-text disclaimer text. The two disclaimer texts can be the same for each content type, but there must be one of each. If more than one match is possible, only the disclaimer corresponding to the first match is used. To ensure backward compatibility, if the disclaimer text is not an XML document, then the entire text is used as the disclaimer. If the encoding type for a specific disclaimer group cannot be matched, the ISO-8859 disclaimer for that group is appended to the message. If you are using NT4, for some encoding types no disclaimer can be appended to the e-mail message for the recipient. This is true with the iso-2022-jp encoding. This is caused by a problem in a Microsoft® function that encodes the Japanese characters. The function thinks the characters are invalid. Consequently, the disclaimer text is not encoded and a string of length zero is appended. Microsoft has corrected the problem in Windows® 2000 and later. When editing the XML document for RECIPIENT DISPLAY NAME in Windows NT4, you must append "(E-mail)" to the Display Name. For example, a display name of JSmith must be entered in the XML document as JSmith (E-mail).

Disclaimer hierarchy If both sender and recipient information is included in the multiple disclaimers, the sender match will take precedence over recipient. This is true even if the administrator places the recipient matching section to precede the sender matching section. Therefore, if a match is found in both the sender and recipient section, the disclaimer group that is associated with the matching sender is used. Similarly, if multiple matches are found in either the sender section or the recipient section, the disclaimer group that is associated with the first match is used. For example, if two recipient domain matches are listed in the XML document and the first one matches the domain of one of the recipients of the e-mail message, and the second one matches the domain of another recipient of the e-mail message, then the disclaimer group that is associated with the first recipient domain is used.

Additional sample disclaimer text Additional sample disclaimer files are included in the Antigen installation folder. The three sample files include:  Full Functionality Multiple Disclaimer.xsl—For organizations that require full functionality of multiple disclaimers, this file contains the sample used earlier and would be the appropriate starting point for creating a full-functionality multiple disclaimer.  OneDisclaimer NoSenderRecipient FixedEncoding.xsl—For organizations that do not require different disclaimers for different senders/recipients and do not need to worry about encoding, but want to have a different disclaimer for plain text and HTML message bodies, this file is the appropriate template for creating a custom disclaimer.  OneGroup NoSenderRecipient MultipleDisclaimers.xsl—For organizations that do not require different disclaimers for different senders or recipients but want to have different disclaimers for different encoding types, this file is the appropriate template for creating a custom disclaimer. Each file must be modified to suit the specific needs of your environment and for the actual disclaimer text you would like to use. When the disclaimer has been modified, you must copy and paste the code into the disclaimer edit box.

Important:

When Antigen appends a disclaimer to an e-mail message that has a different encoding, such as iso-2022-jp, it uses the MS API WideCharToMultiByte to convert the Unicode disclaimer text to the format needed before appending it to the message. If support for the particular encoding has not been installed on the server (in Control Panel, double- click Regional and Language Options, and then click the Languages tab), Antigen will not be able to create a disclaimer in the appropriate encoding. If this occurs, a blank disclaimer is added to the message, and the following error is logged to the ProgramLog: "WideCharToMultiByte returns an empty string for the Unicode plaintext disclaimer using the %s encoding." (The “%s” is replaced by the encoding name.)

Appendix G - Backing up and restoring Microsoft Antigen for Exchange

The following topics describe the recommended backup and restore procedures for Microsoft Antigen for Exchange:  About backups  Preparing files for backup  Backing up data files  Restoring data files

About backups A backup is a copy of data that is used to restore and to recover lost data after a system failure. By using suitable backups, you can recover from many failures that include the following conditions:  Media failure  User errors, such as when a file is deleted by mistake  Hardware failures, such as a damaged disk drive or the permanent loss of a server  Natural disasters For more detailed information about creating backups and recovering data for Microsoft Exchange Server 2003, see the Exchange 2003 Disaster Recovery Operations Guide.

Preparing files for backup To keep a copy of the most up-to-date versions of Antigen files and registry data, create a batch file and then create a scheduled task to keep the version information up to date. After completing these steps, the server will be configured to automatically export versions of Antigen files and registry data.

To create a batch file 1. In Windows Explorer, locate the following folder: drive:\Program Files\Microsoft Antigen for Exchange 2. On the File menu, point to New, and then click Text Document. 3. Type AntigenDiagnostics.bat for the file name, press ENTER, and then click Yes. 4. Right-click the AntigenDiagnostics.bat file, and then click Edit. 5. In Notepad, edit the batch file to include a command to start the Antigen Diagnostic tool (AntigenDiag.exe) in order to obtain registry and file information for Antigen. The contents of the AntigenDiagnostics.bat file should resemble the following: cd drive:\Program Files\Microsoft Antigen for Exchange AntigenDiag.exe /c /reg Antigen

Note: If you are not sure about the location of the Antigendiag.exe file, perform a search operation to find the location, and then use it to replace the path in the sample .bat file. 6. On the File menu, click Save, and then close Notepad. 7. Double-click the AntigenDiagnostics.bat file. 8. In Windows Explorer, locate the following folder: drive:\Program Files\Microsoft Antigen for Exchange\log\Diagnostics 9. Make sure that a file that is named AntigenDiag-ServerName-Date-Time.zip is created as a result of running the batch file.

Note: The placeholders ServerName, Date, and Time represent the actual server name and the date and time when the log file is created. To create a scheduled task in order to keep the version information up to date on a computer running Windows Server 2003 or 2000 1. Click Start, click Control Panel, and then double-click Scheduled Tasks. 2. In Scheduled Tasks, double-click Add Scheduled Task. 3. In the Scheduled Task wizard, click Next. 4. On the Click the program you want Windows to run page, click Browse. 5. In the Select Program to Schedule window, locate and then double-click the AntigenDiagnostics.bat file that you previously created. 6. In the Type a name for this task box, type a schedule name, select an acceptable interval, and then click Next. For example, use the following name and interval for the task: Antigen Diagnostics Weekly 7. On the Select the time and date you want this task to start page, set an appropriate start date and time, and then click Next. For example, configure the following settings: Start HH:MM:SS AM/PM Every: X weeks on: Saturday where HH:MM:SS is the hour, minutes, and seconds; and X is the number of weeks. 8. On the Enter the name and password of a user page, provide the credentials for a user who has permissions to the server, and then click Next. 9. On the You have successfully scheduled the following task: schedule name page, click Finish.

Backing up data files To make sure that you can recover Antigen, back up the following folder. Be sure to include all files within the folder:  drive:\Program Files\Microsoft Antigen for Exchange

Restoring data files After you select the restoration strategy that is most applicable to your environment, you can perform the appropriate restoration tasks. The recovery procedures that you perform depend on the following factors:  The kind of disaster or failure that may occur  The kind of backups that are available  The time that you can spend to perform the recovery After the whole system has been restored to an earlier state, you can recover the Incidents database and the Quarantine database along with your configuration settings. You can also create templates in order to deploy configuration settings to servers in your enterprise. (For more information about creating templates, see Using templates.) Then, you can use these templates and Microsoft Forefront Server Security Management Console (FSSMC) or Antigen Enterprise Manager (AEM) in order to help you quickly recover from a failure.

The steps outlined in the following procedures provide general instructions for performing specific tasks; for more detailed instructions, see the Forefront Server Security Management Console User Guide or the Antigen Enterprise Manager User Guide.

Important:

If you use AEM to manage your Antigen servers, you cannot deploy the General Options settings as described in the following steps. Instead, you must configure the General Options settings on each of your Antigen servers manually, as described in the standalone environment procedure. Otherwise, the following steps for restoring data files are the same for both FSSMC and AEM.

To restore data files in an environment that is running FSSMC or AEM 1. On the server that you want to use for configuring the Antigen templates, upload the Template.adb file to FSSMC. 2. In FSSMC, configure the General Options settings. 3. Restore the failed Exchange server. 4. On the Exchange server that you restored, follow these steps: a. Install Antigen for Exchange and all related hotfixes or rollups that were installed at the time of the backup. b. Deploy the FSSMC deployment agent. c. Deploy the “Template” package to the Exchange server. d. Deploy the “General Options” package to the Exchange server. e. Restore the Incidents.mdb database and the Quarantine folder to a temporary location. f. Stop the AntigenService service.

Note: Stopping this service stops the Antigen services, causing mail to stop being scanned by Antigen. Mail will continue to flow unscanned. To prevent mail from flowing unscanned, you must stop the Microsoft Exchange services. g. In Windows Explorer, locate and open the following folder: drive:\Program Files\Microsoft Antigen for Exchange h. Rename the Incidents.mdb file to Incidents.old. i. Rename the Quarantine folder to QuarantineOld. j. Move the Incidents.mdb file and the Quarantine directory from the temporary location to the following folder: drive:\Program Files\Microsoft Antigen for Exchange k. Start the Antigen and Exchange services.

To restore data files in a standalone environment 1. Select the server that you want to use for configuring your Antigen for Exchange templates. 2. Restore the failed Exchange server. 3. On the Exchange server that you restored, follow these steps: a. Install Antigen and all related hotfixes or rollups that were installed at the time of the backup.

Note: You can compare the file versions against the VerAntigen.csv file that is located in the latest AntigenDiag backup. b. Restore the Template.adb file, the Incidents.mdb file, and the Quarantine directory to a temporary location. c. Stop the AntigenService service.

Note: Stopping this service stops the Antigen services, causing mail to stop being scanned by Antigen. Mail will continue to flow unscanned. To prevent mail from flowing unscanned, you must stop the Microsoft Exchange services. d. In Windows Explorer, locate and open the following folder: drive:\Program Files\Microsoft Antigen for Exchange e. Rename the Incidents.mdb file to Incidents.old. f. Rename the Quarantine folder to QuarantineOld. g. Rename the Templates.adb file to Templates.old. h. Move Templates.adb, Incidents.mdb, and the Quarantine folder from the temporary location to the following folder: drive:\Program Files\Microsoft Antigen for Exchange i. Start the Antigen and Exchange services. j. At a command prompt, type the following command and then press ENTER: cd drive:\Program Files\Microsoft Antigen for Exchange AntigenStarter t

Notes: The AntigenStarter t command loads the templates from the Templates.adb file. Because the General Options settings have registry values that are associated with them, they cannot be recovered in a standalone environment. It is recommended that you compare your registry settings against another server in your organization or against the Reg_AntigenSoftware.txt file that is located in the latest AntigenDiag backup, and then manually configure the General Options settings by using the Antigen Administrator. (For more information about configuring General Options, see General Options.) It is recommended that you do not copy Antigen database (.adb) files from another server. If you do this, the associated globally unique identifiers (GUIDs) of the databases will have conflicts.

Appendix H - Antigen security and configuration updates overview

Antigen includes many security updates and configuration changes from earlier releases. This section details security and configuration information and will be updated as necessary to reflect new changes in Antigen.

Security policy changes Security has been improved by reducing the privileges when Antigen services and processes start. This helps prevent malformed data from exploiting any security issues within the Antigen code or the third-party scanning engines. All services and processes run in the Local System account. In Windows Server® 2003, when services and processes start, Antigen removes all privileges except those that are required by the services and processes to do their work. In Windows 2000 Server, privileges cannot be removed, but they can be disabled. In Windows 2000 Server, when services and processes start, all privileges not necessary to perform the tasks are disabled. The only privileges enabled are:  SeImpersonatePrivilege  SeChangeNotifyPrivilege  SeSecurityPrivilege There are now restricted access control lists (ACLs) on resources. The security to Antigen resources has been improved to prevent unauthorized access. With this change, only users who are part of the Administrators group have access to administer Antigen. The ACLs that are applied to Antigen resources are described in the following table:

Resource type Resource ACL set

File SYSTEM – Full Access Resource type Resource ACL set

Administrators group – Full Access

Registry HKLM/Software/xxxxx/xxxxx SYSTEM – Full Access Administrators group – Full Access

DCOM AntigenIMC SYSTEM – Full Access AntigenMonitor Administrators group – Full AntigenService Access AntigenStatisticsService AnigenStore AntigenStoreEvent

General Options changes The following describes default changes to General Options settings:  Engine Error Action—In Version 9, the default action has been changed from Skip to Delete.  Internet Scan Timeout Action—In Version 9, the default action has been changed from Skip to Delete.  Realtime Timeout Action—In Version 9, the default action has been changed from Skip to Delete.  Delete Corrupted Compressed Files—In Version 9, the default setting has been changed from Off to On.  Max Program Log Size—As of Version 9 with SP1, the default value has been changed from 0 (no limit to the maximum size) to 25600 KB.

These changes affect new installations only. The default settings are not changed during an upgrade from a previous version of Antigen. The following are new General Options settings:  Illegal MIME Header Action - Internet—This setting was added in Version 9.  Treat multipart RAR archives as corrupted compressed—This setting was added in Version 9 with SP1.  Treat high compression ZIP files as corrupted compressed— This setting was added in Version 9 with SP1.  Treat concatenated gzips as corrupted compressed— This setting was added in Version 9 with SP1. For more information about these General Options settings, see "General Options" in Chapter 4 - Using the Antigen Administrator.

Other Antigen changes and updates The following describes other changes and updates: QuarantineTimeout—The registry setting QuarantineTimeout has been added to override quarantine after a scan job time-out. The value is a DWORD type. If the registry value is not present or it is present and its value is not zero, messages that cause a scan job time-out will be quarantined. If the registry value is present and its value is zero, the message will not be quarantined. ScanAllAttachments—The registry setting ScanAllAttachments will default to 1 for all new installations of Antigen. This will configure Antigen to scan all attachments for viruses by default. The value of this setting will not change during upgrades from Antigen 8.0. For more information about this setting, see the “Scanning files by type” section of Chapter 6 - Configuring Manual Scan Jobs, Chapter 7 - Configuring Realtime Scan Jobs, or Chapter 8 - Configuring SMTP Scan Jobs. AV Scan Engine Mappers—The engine mappers that are used in pre-9 versions of Antigen are no longer compatible with Antigen. After upgrading a pre-9 version of Antigen, the primary network update path will be changed to point to the Microsoft® Web site (http://antigendl.microsoft.com/antigen). The secondary update path will be set to null. Winmail.dat Scanning—The SMTP Scan Job scans winmail.dat files for viruses. Microsoft Exchange Server uses winmail.dat files for several purposes. One of the uses is to send winmail.dat files between servers to facilitate replication (IPM replication messages). If Antigen modifies any of these winmail.dat files, the public folder replication process will fail. To prevent this, you can set a new DWORD registry key named DoNotScanIPMReplicationMessages to 1, and then the SMTP Scan Job will not scan IPM replication messages.

If a virus is replicated via public folder replication, the Antigen Realtime Scan Job will still detect the virus even if this key is set. ESE Mode—Antigen no longer supports ESE mode. During an upgrade from a pre-9 version of Antigen, the mode will be changed to VSAPI mode. No notification or warning appears during this change. Because Antigen uses VSAPI mode, you no longer need to disable Antigen before applying an Exchange service pack or hotfix. FTP Engine Updates—Engine updates via the File Transfer Protocol (FTP) server are no longer supported. Updates must be done by using HTTP, or locally, by using a UNC share. Exchange 5.5 Not Supported—Antigen does not support Exchange 5.5. Antigen Central Manager and Antigen Quarantine Manager—The Antigen Central Manager (ACM) and Antigen Quarantine Manager (AQM) have been removed from Antigen. All of the functions of the ACM and AQM can now be handled through the Microsoft Antigen Enterprise Manager (AEM). For more information about the AEM, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.