F-Secure Anti-Virus for Microsoft Exchange

Administrator’s Guide

"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.

Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.

Copyright © 1993-2008 F-Secure Corporation. All rights reserved. Portions Copyright © 1991-2006 Kaspersky Lab.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/). Copyright © 2000-2006 The Apache Software Foundation. All rights reserved.

This product includes PHP, freely available from http://www.php.net/. Copyright © 1999-2006 The PHP Group. All rights reserved.

This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution are Copyright © 2000-2002 Justin Mason and others, unless specified otherwise in that particular file. All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the “Artistic License”.

This product may be covered by one or more F-Secure patents, including the following:

GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233 GB2374260

12000040-7B15

Contents

About This Guide
    How This Guide Is Organized
    Conventions Used in F-Secure Guides
        Symbols

Chapter 1 Introduction
    1.1 Overview
    1.2 How F-Secure Anti-Virus for Microsoft Exchange Works
    1.3 Key Features
    1.4 F-Secure Anti-Virus Mail Server and Gateway Products

Chapter 2 Requirements
    2.1 Which SQL Server to Use for the Quarantine Database?
    2.2 Network Requirements
    2.3 Web Browser Software Requirements
    2.4 Improving Reliability and Performance
    2.5 Configuring the Product After the Installation

Chapter 3 Using F-Secure Anti-Virus for Microsoft Exchange
    3.1 Administering F-Secure Anti-Virus for Microsoft Exchange
        3.1.1 Logging in for the First Time
    3.2 Checking the Product Status
    3.3 Configuring the Web Console
    3.4 Modifying Settings and Viewing Statistics
    3.5 Manually Processing Mailboxes and Public Folders
        3.5.1 Stand-alone Mode
        3.5.2 Creating Scanning Operations
    3.6 Configuring Alert Forwarding
    3.7 Viewing Alerts

Chapter 4 Administration with Web Console
    4.1 Overview
    4.2 F-Secure Anti-Virus for Microsoft Exchange Settings
        4.2.1 Summary
        4.2.2 Virus Scanning
        4.2.3 Stripping Attachments
        4.2.4 Content Filtering
        4.2.5 Manual Scanning
        4.2.6 Quarantine
        4.2.7 Advanced
        4.2.8 Internal Domains
    4.3 F-Secure Content Scanner Server Settings
        4.3.1 Summary
        4.3.2 Database Updates
        4.3.3 Scan Engines
        4.3.4 Proxy Configuration
        4.3.5 Archive Scanning
        4.3.6 Advanced
        4.3.7 Interface
    4.4 F-Secure Automatic Update Agent Settings
        4.4.1 Summary
        4.4.2 Automatic Updates
    4.5 F-Secure Management Agent Settings

Chapter 5 Quarantine Management
    5.1 Introduction
    5.2 Configuring Quarantine Options
    5.3 Searching the Quarantined Content
    5.4 Query Results Page
    5.5 Viewing Details of a Quarantined Message
    5.6 Reprocessing the Quarantined Content
    5.7 Releasing the Quarantined Content
    5.8 Removing the Quarantined Content
    5.9 Deleting Old Quarantined Content Automatically
    5.10 Quarantine Logging
    5.11 Quarantine Statistics
    5.12 Moving the Quarantine Storage

Chapter 6 Administering F-Secure Spam Control
    6.1 Overview
    6.2 Spam Control Settings in Web Console
    6.3 Realtime Blackhole List Configuration
        6.3.1 Enabling Realtime Blackhole Lists
        6.3.2 Optimizing F-Secure Spam Control Performance

Chapter 7 Updating Virus and Spam Definition Databases
    7.1 Overview
    7.2 Automatic Updates with F-Secure Automatic Update Agent
    7.3 Configuring Automatic Updates
    7.4 Manual Updates
        7.4.1 Using FSUPDATE

Appendix A Variables in Warning Messages
    List of Variables
    Outbreak Management Alert Variables

Appendix B Services and Processes

Chapter C Troubleshooting
    C.1 Overview
    C.2 Starting and Stopping
    C.3 Viewing the Log File
    C.4 Common Problems and Solutions
        C.4.1 Installing Service Packs
        C.4.2 Securing the Quarantine
    C.5 Frequently Asked Questions
    C.6 F-Secure Automatic Update Agent Troubleshooting

Technical Support
    F-Secure Online Support Resources
    Web Club
    Virus Descriptions on the Web

ABOUT THIS GUIDE

How This Guide Is Organized
Conventions Used in F-Secure Guides

How This Guide Is Organized

F-Secure Anti-Virus for Microsoft Exchange Administrator's Guide is divided into the following chapters:

Chapter 1. Introduction. General information about F-Secure Anti-Virus for Microsoft Exchange and other F-Secure Anti-Virus Mail Server and Gateway products.
Chapter 2. Requirements. System requirements and instructions on how to set up F-Secure Anti-Virus for Microsoft Exchange.
Chapter 3. Using F-Secure Anti-Virus for Microsoft Exchange. Instructions on how to use and administer F-Secure Anti-Virus for Microsoft Exchange.
Chapter 4. Administration with Web Console. Instructions on how to administer F-Secure Anti-Virus for Microsoft Exchange with the Web Console.
Chapter 6. Administering F-Secure Spam Control. General information about and instructions on how to configure F-Secure Spam Control.
Chapter 7. Updating Virus and Spam Definition Databases. Instructions on how to update your virus definition database.
Appendix A. Variables in Warning Messages. Lists variables that can be included in virus warning messages.
Appendix B. Services and Processes. Describes services, devices and processes of F-Secure Anti-Virus for Microsoft Exchange.
Chapter C. Troubleshooting. Solutions to some common problems.
Technical Support. Contains the contact information for assistance.
About F-Secure Corporation. Describes the company background and products.

Conventions Used in F-Secure Guides

This section describes the symbols, fonts, and terminology used in this manual.

Symbols

WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.

IMPORTANT: An exclamation mark provides important information that you need to consider.

REFERENCE - A book refers you to related information on the topic available in another document.

NOTE - A note provides additional information that you should consider.


TIP - A tip provides information that can help you perform a task more quickly or easily.

⇒ An arrow indicates a one-step procedure.

Fonts

Arial bold (blue) is used to refer to menu names and commands, to buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book titles, and titles of other manuals.
Arial Italics (black) is used for file and folder names, for figure and table captions, and for directory tree names.
Courier New is used for messages on your computer screen.
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your keyboard.
Arial underlined (blue) is used for user interface links.
Arial italics is used for window and dialog box names.

PDF Document

This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe® Acrobat® Reader. When printing the manual, please print the entire manual, including the copyright and disclaimer statements.

For More Information

Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and support contacts. In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at [email protected].

1 INTRODUCTION

Overview
How F-Secure Anti-Virus for Microsoft Exchange Works
Key Features
F-Secure Anti-Virus Mail Server and Gateway Products

1.1 Overview

Malicious code, such as computer viruses, is one of the main threats for companies today. In the past, malicious code spread mainly via disks and the most common viruses were the ones that infected disk boot sectors. When users began to use office applications with macro capabilities - such as Microsoft Office - to write documents and distribute them via mail and groupware servers, macro viruses started spreading rapidly.

After the millennium, the most common spreading mechanism has been e-mail. Today about 90% of viruses arrive via e-mail. E-mail provides a very fast and efficient way for viruses to spread themselves without any user intervention, and that is why e-mail worm outbreaks, like Sober, Netsky and Bagle, have caused a lot of damage around the world.

F-Secure Anti-Virus Mail Server and Gateway products are designed to protect your company's mail and groupware servers and to shield the company network from any malicious code that travels in HTTP or SMTP traffic. In addition, they protect your company network against spam.

The protection can be implemented on the gateway level to screen all incoming and outgoing e-mail (SMTP), web surfing (HTTP and FTP-over-HTTP) and file transfer (FTP) traffic. Furthermore, it can be implemented on the mail server level so that it protects not only inbound and outbound traffic but also internal mail traffic and public sources, such as Public Folders on Microsoft Exchange servers.

Providing the protection on the gateway level has plenty of advantages. The protection is easy and fast to set up and install, compared to rolling out antivirus protection on hundreds or thousands of workstations. The protection is also invisible to the end users, which ensures that the system cannot be bypassed and makes it easy to maintain. Of course, protecting the gateway level alone is not enough to provide a complete antivirus solution; file server and workstation level protection is also needed.

Why clean 1000 workstations when you can clean one attachment at the gateway level?

1.2 How F-Secure Anti-Virus for Microsoft Exchange Works

F-Secure Anti-Virus for Microsoft Exchange is designed to detect and disinfect viruses and other malicious code from e-mail transmissions through Microsoft Exchange 2000/2003 Server. Scanning is done in real time as the mail passes through Microsoft Exchange Server. On-demand scanning of user mailboxes and Public Folders is also available.

Scanning Attachments and Message Bodies

F-Secure Anti-Virus for Microsoft Exchange scans attachments and message bodies for malicious code. It can also be instructed to remove particular attachments according to the file name or the file extension. In addition, it can filter out messages containing keywords that have been defined as disallowed. If the intercepted mail contains malicious code, F-Secure Anti-Virus for Microsoft Exchange can be configured to disinfect or drop the content. Any malicious code found during the scan process can be placed in the Quarantine, where it can be further examined. Stripped attachments can also be placed in the Quarantine for further examination.

Flexible and Scalable Anti-Virus Protection

F-Secure Anti-Virus for Microsoft Exchange is installed on Microsoft Exchange 2000/2003 Server and it intercepts mail traveling through mailboxes and Public folders. Intercepted attachments and documents are sent to F-Secure Content Scanner Server, which returns disinfected files back to F-Secure Anti-Virus for Microsoft Exchange. The two-component product architecture ensures that the anti-virus protection does not increase the load on the protected system and that the infected data is never stored on the production network. It also enables you to implement a server pool, so you can share the traffic load between multiple F-Secure Content Scanner Servers and have backup servers if the traffic to primary servers stops for some reason.

Alerting

F-Secure Anti-Virus for Microsoft Exchange has extensive alerting functions, which means that the system administrator can specify a recipient inside the company network to be notified about the infection found in the data content. The network administrator can also be notified about the infection.

Powerful and Always Up-to-date

F-Secure Anti-Virus for Microsoft Exchange uses the award-winning F-Secure Anti-Virus scanner to ensure the highest possible detection rate and disinfection capability. The daily F-Secure Anti-Virus signature database updates provide F-Secure Anti-Virus for Microsoft Exchange with an always up-to-date protection capability. F-Secure Anti-Virus scanner consistently ranks at the top when compared to competing products. Our team of dedicated virus researchers is on call 24 hours a day responding to new and emerging threats. In fact, F-Secure is one of the only companies to release tested virus definition updates on a daily basis, to make sure our customers are receiving the highest quality service and protection.

Virus and Spam Outbreak Detection

Massive spam and virus outbreaks consist of millions of messages which share at least one identifiable pattern that can be used to distinguish the outbreak. Any message that contains one or more of these patterns can be assumed to be a part of the same spam or virus outbreak. F-Secure Anti-Virus for Microsoft Exchange can identify these patterns from the message envelope, headers and body, in any language, message format and encoding type. It can detect spam messages and new viruses during the first minutes of the outbreak.

Easy to Administer

F-Secure Anti-Virus for Microsoft Exchange can be managed with the web-based user interface. With Web Console, you can configure F-Secure Anti-Virus for Microsoft Exchange settings, set up scheduled scans or run manual processes any time you want.

Figure 1-1 (1) E-mail arrives from the Internet to F-Secure Anti-Virus for Microsoft Exchange, which (2) filters malicious content from mails and attachments, and (3) delivers cleaned files forward.

1.3 Key Features

F-Secure Anti-Virus for Microsoft Exchange provides the following features and capabilities.

Superior Protection

• Superior detection rate with multiple scanning engines.
• Automatic malicious code detection and disinfection.
• Heuristic scanning also detects unknown Windows and macro viruses.
• Recursive scanning of ARJ, BZ2, CAB, GZ, JAR, LZH, MSI, RAR, TAR, TGZ, Z and ZIP archive files.
• Automatic daily virus definition database updates.
• Suspicious and unsafe attachments can be stripped away from e-mails.
• Password-protected archives can be treated as unsafe.
• Intelligent file type recognition.
• Message filtering based on keywords in message subjects and text.
• Utilizes the low-level Anti-Virus API (AV API 2.0) for Microsoft Exchange 2000 Server, and AV API 2.5 for Microsoft Exchange 2003 Server.

Virus Outbreak Detection

• The virus outbreak detection is an additional active layer of protection that automatically detects virus outbreaks and quarantines suspicious messages.
• Virus outbreaks are transparently detected and infected messages are quarantined before the outbreak becomes widespread.
• The product can notify the administrator about virus outbreaks.
• Quarantined unsafe messages can be reprocessed automatically.

Transparency and Scalability

• Viruses are intercepted before they can enter the network and spread out on workstations and servers.
• Real-time scanning of internal, inbound and outbound mail messages and Public Folder notes.
• Automatic protection of new mailboxes and Public Folders.
• Total transparency to end-users. Users cannot bypass the system, which means that messages and documents cannot be exchanged without scanning.

Management

• Controlling and monitoring the behavior of the products remotely.
• Starting predefined operations remotely.
• Monitoring statistics provided by the products remotely with F-Secure Anti-Virus for Microsoft Exchange Web Console.
• You can manage and search quarantined content with the F-Secure Anti-Virus for Microsoft Exchange Web Console.

Protection against Spam

• Possible spam messages are transparently detected before they become widespread.
• Efficient spam detection based on different analyses on the e-mail content.
• Multiple filtering mechanisms guarantee the high accuracy of spam detection.
• Spam detection works in every language and message format.

1.4 F-Secure Anti-Virus Mail Server and Gateway Products

The F-Secure Anti-Virus product line consists of workstation, file server, mail server, gateway and mobile products.

• F-Secure Internet Gatekeeper is a high performance, totally automated web (HTTP and FTP-over-HTTP) and e-mail (SMTP) virus scanning solution for the gateway level. F-Secure Internet Gatekeeper works independently of firewall and e-mail server solutions, and does not affect their performance.
• F-Secure Anti-Virus for Microsoft Exchange™ protects your Microsoft Exchange users from malicious code contained within files they receive in mail messages and documents they open from shared databases. Malicious code is also stopped in outbound messages and in notes being posted on Public Folders. The product operates transparently and scans files in the Exchange Server Information Store in real-time. Manual and scheduled scanning of user mailboxes and Public Folders is also supported.
• F-Secure Anti-Virus for MIMEsweeper™ provides a powerful anti-virus scanning solution that tightly integrates with Clearswift MIMEsweeper for SMTP and MIMEsweeper for Web products. F-Secure provides top-class anti-virus software with fast and simple integration to Clearswift MAILsweeper and WEBsweeper, giving the corporation the powerful combination of complete content security.
• F-Secure Internet Gatekeeper for Linux™ provides a high-performance solution at the Internet gateway level, stopping viruses and other malicious code before they spread to end users' desktops or corporate servers. The product scans SMTP, HTTP, FTP and POP3 traffic for viruses, worms and trojans, and blocks and filters out specified file types. ActiveX and Java code can also be scanned or blocked. The product receives updates automatically from F-Secure, keeping the virus protection always up to date. A powerful and easy-to-use management console simplifies the installation and configuration of the product.
• F-Secure Messaging Security Gateway™ delivers the industry’s most complete and effective security for e-mail. It combines a robust enterprise-class messaging platform with perimeter security, antispam, antivirus, secure messaging and outbound content security capabilities in an easy-to-deploy, hardened appliance.

2 REQUIREMENTS

Which SQL Server to Use for the Quarantine Database?
Network Requirements
Web Browser Software Requirements
Improving Reliability and Performance
Configuring the Product After the Installation

2.1 Which SQL Server to Use for the Quarantine Database?

As a minimum requirement, the Quarantine database should have the capacity to store information about all inbound and outbound mail to and from your organization that would normally be sent during 2-3 days. Take into account the following SQL server specific considerations when deciding which SQL server to use:

Microsoft SQL Server Desktop Engine and SQL Server 2005 Express Edition

• When using Microsoft SQL Server Desktop Engine (MSDE), the Quarantine database size is limited to 2 GB.
• MSDE includes a concurrent workload governor that limits the scalability of MSDE. For more information, see http://msdn.microsoft.com/library/?url=/library/en-us/architec/8_ar_sa2_0ciq.asp?frame=true.
• It is not recommended to use MSDE or SQL Server 2005 Express Edition if you are planning to use centralized quarantine management with multiple F-Secure Anti-Virus for Microsoft Exchange installations.

MSDE is delivered together with F-Secure Anti-Virus for Microsoft Exchange, and you can install it during the F-Secure Internet Anti-Virus for Microsoft Exchange Setup. For more information, see “Installation Overview”, 28.

Microsoft SQL Server 2000/2005

• If your organization sends a large amount of e-mails, it is recommended to use Microsoft SQL Server 2000/2005.
• It is recommended to use Microsoft SQL Server 2000/2005 if you are planning to use centralized quarantine management with multiple F-Secure Anti-Virus for Microsoft Exchange installations. For more information, see “Performance-Critical Installation”, 24.
• Note that the product does not support Windows Authentication when connecting to Microsoft SQL Server 2000/2005. The Microsoft SQL Server 2000/2005 that the product will use for the Quarantine database should be configured to use Mixed Mode authentication.

If you plan to use Microsoft SQL Server 2005, you must purchase it and obtain your own license before you start to deploy F-Secure Anti-Virus for Microsoft Exchange. To purchase Microsoft SQL Server 2005, contact your Microsoft reseller.

2.2 Network Requirements

This network configuration is valid for all scenarios described in this chapter. Make sure that the following network traffic can travel:

Service | Process | Inbound ports | Outbound ports
--- | --- | --- | ---
F-Secure Content Scanner Server | %ProgramFiles%\F-Secure\Content Scanner Server\fsavsd.exe | 18971 (TCP) + 1024-65536 (TCP), only with F-Secure Anti-Virus for Internet Mail on a separate host | DNS (53, UDP/TCP), HTTP (80) or other known port used for HTTP proxy
F-Secure Anti-Virus for Microsoft Exchange Web Console | %ProgramFiles%\F-Secure\Web User Interface\bin\fswebuid.exe | 25023 | DNS (53, UDP and TCP), 1433 (TCP), only with the dedicated SQL server
F-Secure Automatic Update Agent | F-Secure Automatic Update.exe | 371 (UDP), only if BackWeb Polite Protocol is used | DNS (53, UDP and TCP), HTTP (80)
FSNRB | %ProgramFiles%\F-Secure\Common\fnrb32.exe | - | DNS (53, UDP/TCP), HTTP (80)
FSMA (AMEH) | %ProgramFiles%\F-Secure\Common\fameh32.exe | - | DNS (53, UDP/TCP), SMTP (25)
F-Secure Quarantine Manager | %ProgramFiles%\F-Secure\Quarantine Manager\fqm.exe | - | DNS (53, UDP/TCP), 1433 (TCP), only with the dedicated SQL server
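
The port table above can double as an allow-list when reviewing what the product's processes actually do on the network. The following is an added example, not part of the guide or of F-Secure's software: it encodes the table as a policy and checks a constructed list of observed flows against it. The CSV record layout, the sample flows, the function names and the choice of TCP for the HTTP, SMTP and console ports are assumptions of this example.

```python
import csv

# DNS is listed as an outbound requirement for every process in the table.
DNS = {("out", "UDP", 53), ("out", "TCP", 53)}


def build_policy(dedicated_sql=False, http_port=80):
    """Return {process image name: allowed (direction, protocol, port)}.

    Transcribed from the network requirements table. http_port stands for
    "HTTP (80) or other known port used for HTTP proxy". Port 1433 is only
    allowed with a dedicated SQL server. The conditional inbound range for
    F-Secure Anti-Virus for Internet Mail is left out of this example.
    """
    sql = {("out", "TCP", 1433)} if dedicated_sql else set()
    return {
        "fsavsd.exe": {("in", "TCP", 18971), ("out", "TCP", http_port)} | DNS,
        "fswebuid.exe": {("in", "TCP", 25023)} | DNS | sql,
        "F-Secure Automatic Update.exe":
            {("in", "UDP", 371), ("out", "TCP", 80)} | DNS,
        "fnrb32.exe": {("out", "TCP", 80)} | DNS,
        "fameh32.exe": {("out", "TCP", 25)} | DNS,
        "fqm.exe": DNS | sql,
    }


def parse_flows(text):
    """Parse 'direction,protocol,port,process' records (assumed layout)."""
    rows = [ln for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    flows = []
    for direction, proto, port, process in csv.reader(rows):
        # Windows image names are case-insensitive, so compare in lower case.
        flows.append((process.strip().lower(), direction.strip().lower(),
                      proto.strip().upper(), int(port)))
    return flows


def audit(flows, policy):
    """Compare observed flows with the policy.

    unexpected: flows of a listed process that the table does not allow.
    missing_listeners: inbound TCP ports from the table that were not
    observed (UDP 371 is conditional, so it is not treated as required).
    Processes that are not in the table are out of scope and ignored.
    """
    allowed = {name.lower(): rules for name, rules in policy.items()}
    seen = set(flows)
    unexpected = sorted(
        f for f in seen if f[0] in allowed and f[1:] not in allowed[f[0]]
    )
    missing = sorted(
        (name, proto, port)
        for name, rules in allowed.items()
        for (direction, proto, port) in rules
        if direction == "in" and proto == "TCP"
        and (name, direction, proto, port) not in seen
    )
    return {"unexpected": unexpected, "missing_listeners": missing}


# Constructed sample data, not captured from a real host.
SAMPLE_FLOWS = """\
# direction,protocol,port,process
in,TCP,18971,fsavsd.exe
out,UDP,53,fsavsd.exe
out,TCP,80,fsavsd.exe
in,UDP,371,F-Secure Automatic Update.exe
out,TCP,1433,fqm.exe
out,TCP,25,fameh32.exe
out,TCP,443,fnrb32.exe
out,TCP,25,fqm.exe
in,TCP,3389,svchost.exe
"""

if __name__ == "__main__":
    report = audit(parse_flows(SAMPLE_FLOWS), build_policy(dedicated_sql=True))
    for process, direction, proto, port in report["unexpected"]:
        print(f"unexpected: {process} {direction} {proto}/{port}")
    for process, proto, port in report["missing_listeners"]:
        print(f"not listening: {process} {proto}/{port}")
```
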

2.3 Web Browser Software Requirements

In order to administer the product with F-Secure Anti-Virus for Microsoft Exchange Web Console, one of the following web browsers is required:

• Microsoft Internet Explorer 6.0 or later
• Netscape Communicator 8.1 or later
• Mozilla Firefox 1.5 or later
• Opera 9.00 or later
• Konqueror 3.5 or later

Any other web browser supporting HTTP 1.0, SSL, JavaScript and cookies may be used as well. Microsoft Internet Explorer 5.5 or earlier cannot be used to administer the product.

2.4 Improving Reliability and Performance

You can improve the system reliability and overall performance by upgrading the following components.

Processor

If the system load is high, a fast processor on the Microsoft Exchange Server speeds up the e-mail message processing. As Microsoft Exchange Server handles a large amount of data, a fast processor alone is not enough to guarantee a fast operation of F-Secure Anti-Virus for Microsoft Exchange.

Memory

Memory consumption is directly proportional to the size of processed mails - scanning a single mail may use memory in amounts up to three times the size of the mail concerned. If the average size of mail messages is big, or Microsoft Exchange Server has to process large messages regularly, increasing the amount of physical memory increases the overall performance. If large messages are processed only now and then, it might be enough to increase the size of the virtual memory. In this case, large messages will slow the system down.

Hard Drive

Hard drive size is an important reliability factor. Hard drive performance is crucial for Microsoft Exchange Server to perform well. For best performance, a RAID system is recommended; for servers with only moderate load, SCSI hard disks are adequate. If your server has an IDE hard disk, DMA access support is recommended.

Operating System

It is highly recommended to have the latest service packs for the operating system being used. These fixes make the platform more stable and thus increase the reliability of the system.

2.5 Configuring the Product After the Installation

After the installation, F-Secure Anti-Virus for Microsoft Exchange is functional, but it is using mostly default values. It is highly recommended to go through all the settings of all installed components. You should also retrieve the latest virus definition database updates.

• Configure F-Secure Anti-Virus for Microsoft Exchange. Use the F-Secure Anti-Virus for Microsoft Exchange Web Console to configure the settings of F-Secure Anti-Virus for Microsoft Exchange. For more information, see “Administration with Web Console”, 70.
• Specify the domains which should be considered to be internal domains. For more information, see “Internal Domains”, 159.
• Retrieve virus definition database updates. For more information, see “Updating Virus and Spam Definition Databases”, 189.

3 USING F-SECURE ANTI-VIRUS FOR MICROSOFT EXCHANGE

Overview
Administering F-Secure Anti-Virus for Microsoft Exchange
Using the Web Console
Checking the Product Status
Configuring the Web Console
Using F-Secure Policy Manager Console
Modifying Settings and Viewing Statistics
Manually Processing Mailboxes and Public Folders
Configuring Alert Forwarding
Viewing Alerts

3.1 Administering F-Secure Anti-Virus for Microsoft Exchange

You can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to start and stop F-Secure Anti-Virus for Microsoft Exchange, modify its settings, edit scheduled tasks and start manual processing. To open the F-Secure Anti-Virus for Microsoft Exchange Web Console, start it from F-Secure Settings and Statistics or select F-Secure Anti-Virus for Microsoft Exchange from the Windows Start menu > Programs > F-Secure Anti-Virus for Microsoft Exchange > F-Secure Anti-Virus for Microsoft Exchange Web Console. You can open F-Secure Settings and Statistics by double-clicking the F-Secure icon in the Windows system tray.

3.1.1 Logging in for the First Time

F-Secure Anti-Virus for Microsoft Exchange Web Console does not support Microsoft Internet Explorer 5.5 or older.

Microsoft Internet Explorer 6.0 users: The address of the F-Secure Anti-Virus for Microsoft Exchange Web Console, https://127.0.0.1:25023/, should be added to the Trusted sites in Internet Explorer 6.0 Security Options. This ensures that the F-Secure Anti-Virus for Microsoft Exchange Web Console works properly in all environments.

Before you log in to the F-Secure Anti-Virus for Microsoft Exchange Web Console for the first time, check that JavaScript and cookies are enabled in the browser you use.

When you log in for the first time, your browser will display a Security Alert dialog window about the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console. You can create a security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console before logging in, and then install the certificate during the login process.

If your company has an established process for creating and storing certificates, you can follow that process to create and store the security certificate for F-Secure Anti-Virus for Microsoft Exchange Web Console.

Step 1. Create the security certificate

1. Browse to the F-Secure Anti-Virus for Microsoft Exchange Web Console installation directory, for example: C:\Program Files\F-Secure\Web User Interface\bin\
2. Locate the certificate creation utility, makecert.bat, and double-click it to run the utility.
3. The utility creates a certificate that will be issued to all local IP addresses, and restarts the F-Secure Anti-Virus for Microsoft Exchange Web Console service to take the certificate into use. Wait until the utility completes, and the window closes.

Now you can proceed to logging in.

Step 2. Log in and install the security certificate

1. Select Programs > F-Secure Anti-Virus for Microsoft Exchange > F-Secure Anti-Virus for Microsoft Exchange Web Console, or enter the address of the F-Secure Anti-Virus for Microsoft Exchange and the port number in your web browser. Note that the protocol used is https. For example: https://127.0.0.1:25023
2. The Security Alert about the F-Secure Anti-Virus for Microsoft Exchange Web Console certificate is displayed. If you install the certificate now, you will not see the Security Alert window again. Click View Certificate to view the certificate information and to install the certificate.
3. The Certificate window opens. Click Install Certificate to proceed to the Certificate Import Wizard.
4. Follow the instructions in the Certificate Import Wizard. When the wizard has completed, you are prompted to add the new certificate in the Certificate Root Store. Click Yes.
5. If the Security Alert window is still displayed, click Yes to proceed.
6. When the login page opens, enter the user name and the password. Note that you must have administrator rights to the host. Then click Log In.

Figure 3-1 F-Secure Anti-Virus for Microsoft Exchange Web Console Login page

7. You will be forwarded to the home page, which displays a summary of the system status.

Figure 3-2 F-Secure Anti-Virus for Microsoft Exchange Home page

3.2 Checking the Product Status

You can check the overall product status on the Home page. The Home page displays an overview of each component status and most important statistics of the installed F-Secure Anti-Virus for Microsoft Exchange components. From the Home page you can also open the product logs and proceed to configure the product components. This section describes the statistics and operations available on the Home page. 30

F-Secure Anti-Virus for Microsoft Exchange The Home page displays the status the F-Secure Anti-Virus for Microsoft Exchange as well as a summary of the F-Secure Anti-Virus for Microsoft Exchange statistics.

Status indicator Displays the status of F-Secure Anti-Virus for Microsoft Exchange.

Processed messages Displays the total number of messages that have been processed.

Infected messages Displays the number of infected messages found since the last reset of statistics.

Stripped attachments Displays the number of attachments that have been stripped.

Click Configure to configure F-Secure Anti-Virus for Microsoft Exchange. For more information, see “Overview”, 71.

F-Secure Content Scanner Server

The Home page displays the status of F-Secure Content Scanner Server as well as a summary of the F-Secure Content Scanner Server statistics.

Status indicator: Displays the status of F-Secure Content Scanner Server.

Last time virus definition databases updated: Displays the last date and time when the virus definition databases were updated.

Database update version: Displays the version of the virus definition database update. The version is shown in YYYY-MM-DD_NN format, where YYYY-MM-DD is the release date of the update and NN is the number of the update for that day.

Scanned files: Displays the number of files the server has scanned for viruses.

Last time infection found: Displays the last infection detected by the server.
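A freshness check built on the YYYY-MM-DD_NN version format described above, as an added example that is not part of the product or of this guide. The host names, version strings and three-day threshold are constructed sample values, and a two-digit NN is an assumption.

```python
import re
from datetime import date

# Assumption: NN is always two digits, as the YYYY-MM-DD_NN notation suggests.
VERSION_PATTERN = re.compile(r"(\d{4})-(\d{2})-(\d{2})_(\d{2})")


def parse_update_version(text):
    """Return (release_date, update_number) for a YYYY-MM-DD_NN string.

    Raises ValueError for malformed strings and for impossible dates.
    """
    match = VERSION_PATTERN.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not in YYYY-MM-DD_NN format: {text!r}")
    year, month, day, number = (int(part) for part in match.groups())
    return date(year, month, day), number


def newest_version(versions):
    """Pick the most recent version string; same-day updates order by NN."""
    return max(versions, key=parse_update_version)


def hosts_needing_attention(versions_by_host, today, max_age_days):
    """Map host -> reason for each host whose database is stale or unreadable."""
    findings = {}
    for host, version in sorted(versions_by_host.items()):
        try:
            released, _ = parse_update_version(version)
        except ValueError:
            findings[host] = "unparseable version"
            continue
        age = (today - released).days
        if age > max_age_days:
            findings[host] = f"{age} days old"
    return findings


# Constructed sample data: values as an administrator might note them
# from the Home page of each server.
SAMPLE_VERSIONS = {
    "mail-01": "2008-03-19_02",
    "mail-02": "2008-03-19_01",
    "mail-03": "2008-03-10_04",
    "mail-04": "2008-02-30_01",  # impossible date, for example a copy error
}

if __name__ == "__main__":
    print(hosts_needing_attention(SAMPLE_VERSIONS, date(2008, 3, 20), 3))
```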

Click Configure to configure F-Secure Content Scanner Server. For more information, see “F-Secure Content Scanner Server Settings”, 129.

F-Secure Automatic Update Agent

Status indicator: Displays the status of F-Secure Automatic Update Agent.

Communication method: Displays the currently used client protocol.

Last connection to the server: Displays the last date and time when F-Secure Automatic Update Agent polled the F-Secure Automatic Update Server for new updates.

Click Configure to configure F-Secure Automatic Update Agent. For more information, see “Updating Virus and Spam Definition Databases”, 189.

F-Secure Management Agent

Status indicator: Displays the status of F-Secure Management Agent.

Management method: Displays if the host is standalone (configured locally) or networked (at least sometimes connected through a network or a temporary link).

Click Configure to configure the F-Secure Management Agent. For more information, see “F-Secure Management Agent Settings”, 157.

Toolbar Buttons

Click Show F-Secure Log to view the F-Secure log file (LogFile.log) in a new Internet browser window. Click Download to download and save the LogFile.log for later use.

Click Export Settings to open a list of all F-Secure Anti-Virus for Microsoft Exchange settings in a new Internet browser window. Select File > Save As... to save the file for later use.

Click Export Statistics to open a list of all F-Secure Anti-Virus for Microsoft Exchange statistics in a new Internet browser window. Select File > Save As... to save or print the file for later use.

Click Configure Console to configure the F-Secure Anti-Virus for Microsoft Exchange Web Console. For instructions, see “Configuring the Web Console”, 32.

Click Help to open the online help.

3.3 Configuring the Web Console

On the F-Secure Anti-Virus for Microsoft Exchange Web Console Configuration page you can specify settings for connections to the server. You can also open the F-Secure Anti-Virus for Microsoft Exchange Web Console access log from this page.

Limit session timeout: Specify the length of time a client can be connected to the server. When the session expires, the F-Secure Anti-Virus for Microsoft Exchange Web Console displays a warning. The default value is 60 minutes.

Click Show Access Log to view the F-Secure Anti-Virus for Microsoft Exchange Web Console access log. Note that the Web Console access log differs from standard web server access logs, as it logs only the first request per session.

Listen on address: Specify the IP address of the F-Secure Anti-Virus for Microsoft Exchange Web Console Server.

Port: Specify the port where the server listens for connections. The default port is 25023.

Accept connections from the following hosts: Specify a list of hosts which are allowed to connect to F-Secure Anti-Virus for Microsoft Exchange Web Console.

To add a new host in the list, click Add to add a new line in the table and then enter the IP address of the host.

3.4 Modifying Settings and Viewing Statistics

To change F-Secure Anti-Virus for Microsoft Exchange settings in stand-alone mode, open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select the variables you want to change from the options tree. For detailed explanations of all variables, see “Administration with Web Console”, 70.

To view statistics for real-time scanning, select Summary on the options tree. To reset all counters to zero, click Reset Statistics.

To view statistics for the latest manual scan, select Manual Scanning on the options tree. The Manual Scanning property page displays the following statistics: the number of processed mailboxes, the number of processed Public Folders, the numbers of processed, infected, and suspicious messages in mailboxes and in the Public Folders. Manual scanning statistics are reset every time a new manual scan is performed.

3.5 Manually Processing Mailboxes and Public Folders

You can scan mailboxes and Public Folders for viruses and strip attachments manually at any time. You can also create scheduled scan tasks to scan mailboxes and Public Folders periodically.

3.5.1 Stand-alone Mode

Specify the manual scanning settings on the Manual Scanning property pages. After you have specified the manual scanning settings, select the Manual Processing and click Start. Under Progress, you can view the progress of the manual scan - the total numbers of mailboxes and Public Folders, and the numbers of processed mailboxes and Public Folders. In the bottom of the property page, the results of the previous manual scan are shown - the numbers of processed, infected and suspicious messages in the mailboxes and in the Public Folders.

3.5.2 Creating Scanning Operations

To process mailboxes manually, you need to set up a manual processing task. For more information, see “Creating Manual Scanning Operation”, 34. If you want to run scanning tasks frequently, you can set up scheduled operations. For more information, see “Creating Scheduled Operation”, 50.

Creating Manual Scanning Operation

Start the Manual Scanning Wizard by clicking the Configure... button on the Manual Scanning page.

Step 1. Specify Messages to Process

1. Specify whether you want to process all messages or only those messages that have not been processed previously.
2. Specify how many concurrent transactions the scanner can have with F-Secure Content Scanner Server.
3. Click Next to continue.

If F-Secure Anti-Virus for Microsoft Exchange is operating on a system that has multiple processors or you are using a high-performance computer, you can increase performance by increasing the number of concurrent transactions.

If you want to use the default settings for most of the scanning settings, click Last to proceed to the last page of the Manual Scanning wizard where you can see a summary of the scanning task settings.

Step 2. Select Mailboxes to Process

1. Choose mailboxes that should be processed during the manual scanning operation.
   • Do not process mailboxes - Do not process any mailboxes.
   • Process all mailboxes - Process all mailboxes.
   • Process only these mailboxes - Process all specified mailboxes.
   • Process all except these mailboxes - Process all except specified mailboxes.
   Click Add... to add a new mailbox to the list. Click the checkbox in the column to mark a mailbox to be removed. Click Clear to remove all currently marked entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange examines all mailboxes.
2. Click Next to continue.

Step 3. Specify Virus Scanning Settings for Mailboxes

1. Choose settings for virus scanning of mailboxes.

Attachments to scan: Specify which message attachments are checked for viruses.

Do not scan attachments for viruses - Process messages without scanning any attachments for viruses.

Scan all attachments - Scan all message attachments regardless of filename extension.

Scan all attachments with these extensions - Scan all attachments with specified filename extensions.

Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body: Specify whether the body of the e-mail message should be scanned for malicious code.

By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies.

Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

By default, Intelligent File Type Recognition is disabled during the real-time processing.

Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the ‘rtf’ filename extension) and you do not accidentally block safe content that has an unsafe filename extension (for example, a text file using the ‘doc’ filename extension). Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments: Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.

Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments: Specify whether infected attachments should be placed in the Quarantine or not. For more information, see “Quarantine Management”, 160.

Send warning message to mailbox owner: Specify whether to send a message to the mailbox owner when an infected attachment is found. Click Edit... to edit the informational text file that replaces the infected attachment if it is dropped.

2. Click Next to continue.

Step 4. Specify Attachment Stripping Settings for Mailboxes

1. Choose settings for stripping attachments.

Strip attachments: Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.

Strip all attachments - Strip all attachments from all messages and notes.

Strip all attachments except these allowed - Strip all except specified attachments.

Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachment: Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see “Quarantine Management”, 160.

Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send informational message to the mailbox owner: Specify whether an informational message should be sent to the owner of the mailbox when an attachment is stripped. Click Edit to edit the message.

Notify administrator: Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

2. Click Next to continue.

Step 5. Select Public Folders to Process

1. Select Public Folders that should be processed.
   • Do not process public folders - Do not process any Public Folders.
   • Process all public folders - Process all notes posted to all Public Folders.
   • Process only included public folders - Process all notes posted to the listed Public Folders.
   • Process all except excluded public folders - Process all notes posted to all Public Folders, except the listed ones.

The notes and attachments to be processed in the selected folders are defined with the Attachments to Scan and Scan Mail Message Body settings. Click Add to add a new Public Folder to the list. Click Clear to remove the selected folder or Clear All to remove all entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

2. Click Next to continue.

Step 6. Specify Virus Scanning Settings for Public Folders

1. Choose settings for virus scanning of Public Folders.

Attachments to scan: Specify which message attachments are checked for viruses.

Do not scan attachments for viruses - Do not scan any attachments.

Scan all attachments - Scan all message attachments.

Scan all attachments with these extensions - Scan all attachments with specified filename extensions.

Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body: Specify whether the body of the e-mail message should be scanned for malicious code.

By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies.

Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

By default, Intelligent File Type Recognition is disabled during the real-time processing.

Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the ‘rtf’ filename extension) and you do not accidentally block safe content that has an unsafe filename extension (for example, a text file using the ‘doc’ filename extension). Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments: Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.

Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments: Specify whether infected attachments should be placed in the Quarantine or not. For more information, see “Quarantine Management”, 160.

Send warning message to the originator: Specify whether to send a warning message to the originator of the public folder message, which contained an infected attachment. Click Edit to edit the message.

2. Click Next to continue.

Step 7. Specify Attachment Stripping Settings for Public Folders

1. Choose settings for stripping attachments.

Strip attachments: Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.

Strip all attachments - Strip all attachments from all messages and notes.

Strip all attachments except these allowed - Strip all except specified attachments.

Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachments: Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see “Quarantine Management”, 160.

Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send the informational message to the originator: Specify whether an informational message should be sent to the originator of the message when an attachment is stripped. Click Edit to edit the message.

Notify administrator: Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

2. Click Next to continue.

Step 8. Finish

The Manual Scanning Wizard displays a summary of the created operation. Click Finish to accept the new manual scanning operation and to exit the wizard.
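How the attachment stripping modes and Intelligent File Type Recognition from the wizard steps above interact, as an added example that is not F-Secure's implementation. The signature table, function names and sample attachments are constructed for illustration, and it is an assumption that a recognized type is matched against the same space-separated lists as a filename extension.

```python
from enum import Enum


class StripMode(Enum):
    DO_NOT_STRIP = "Do not strip"
    STRIP_ALL = "Strip all attachments"
    ALL_EXCEPT_ALLOWED = "Strip all attachments except these allowed"
    ONLY_DISALLOWED = "Strip only these disallowed attachments"


# Well-known leading-byte signatures. The OLE2 container is shared by other
# legacy Office formats; this sketch maps it to "doc" to follow the guide's example.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),
    (b"{\\rtf", "rtf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]


def parse_extensions(text):
    """Parse a space-separated extension list as typed into the text box."""
    return {item.lower().lstrip(".") for item in text.split()}


def extension_of(filename):
    """Return the lower-cased extension after the last dot, or ''."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def recognize(data):
    """Guess the real type from content; None when nothing matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data and b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "txt"
        except UnicodeDecodeError:
            pass
    return None


def should_strip(filename, data, mode, ext_list, recognition):
    """Decide whether one attachment is stripped under the given settings."""
    if mode is StripMode.DO_NOT_STRIP:
        return False
    if mode is StripMode.STRIP_ALL:
        return True
    kind = recognize(data) if recognition else None
    if kind is None:
        kind = extension_of(filename)  # fall back to the claimed extension
    listed = kind in parse_extensions(ext_list)
    return listed if mode is StripMode.ONLY_DISALLOWED else not listed


def compare_decisions(attachments, mode, ext_list):
    """Return (name, stripped_by_extension, stripped_by_content) per attachment."""
    return [
        (name,
         should_strip(name, data, mode, ext_list, recognition=False),
         should_strip(name, data, mode, ext_list, recognition=True))
        for name, data in attachments
    ]


# Constructed sample attachments mirroring the guide's two examples.
SAMPLE_ATTACHMENTS = [
    ("report.rtf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),  # Word data
    ("notes.doc", b"Meeting notes: ship on Friday.\n"),                  # plain text
    ("setup.exe", b"MZ\x90\x00\x03"),
    ("readme.txt", b"Plain text.\n"),
]

if __name__ == "__main__":
    rows = compare_decisions(SAMPLE_ATTACHMENTS, StripMode.ONLY_DISALLOWED, "doc exe")
    for name, by_ext, by_content in rows:
        print(f"{name:12} extension-only={by_ext!s:5} with-recognition={by_content}")
```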

Creating Scheduled Operation

Start the Scheduled Operation Wizard by clicking Add Task... in the Scheduled Processing window.

Step 1. Specify Scanning Task Name and Schedule

1. Enter the name for the new task and select how frequently you want the operation to be performed.
   • Once - Only once at the specified time
   • Daily - Every day at the specified time, starting from the specified date
   • Weekly - Every week at the specified time on the same day when the first operation is scheduled to start.
   • Monthly - Every month at the specified time on the same date when the first operation is scheduled to start.
2. Enter the start time of the task in hh:mm format.
3. Enter the start date of the task in mm/dd/yyyy format.

Do not use any special characters in the task name.

4. Click Next to continue.

Step 2. Specify Messages to Process

1. Specify whether you want to process all messages or only those messages that have not been processed previously during the scheduled processing.
2. Specify how many concurrent transactions the scanner can have with F-Secure Content Scanner Server.
3. Click Next to continue.

Step 3. Select Mailboxes to Process

1. Choose mailboxes that should be processed during the scheduled operation.
   • Do not process mailboxes - Do not process any mailboxes.
   • Process all mailboxes - Process all mailboxes.
   • Process only these mailboxes - Process all specified mailboxes.
   • Process all except these mailboxes - Process all except specified mailboxes.
   Click Add... to add a new mailbox to the list. Click the checkbox in the column to mark a mailbox to be removed. Click Clear to remove all currently marked entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange examines all mailboxes.
2. Click Next to continue.

Step 4. Specify Virus Scanning Settings for Mailboxes

1. Choose settings for virus scanning of mailboxes during the scheduled operation.

Attachments to scan: Specify which message attachments are checked for viruses.

Do not scan attachments for viruses - Process messages without scanning any attachments for viruses.

Scan all attachments - Scan all message attachments regardless of filename extension.

Scan all attachments with these extensions - Scan all attachments with specified filename extensions.

Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body: Specify whether the body of the e-mail message should be scanned for malicious code.

By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies.

Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

By default, Intelligent File Type Recognition is disabled during the real-time processing.

Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the ‘rtf’ filename extension) and you do not accidentally block safe content that has an unsafe filename extension (for example, a text file using the ‘doc’ filename extension). Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments: Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.

Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments: Specify whether infected attachments should be placed in the Quarantine or not. For more information, see “Quarantine Management”, 160.

Send warning message to mailbox owner: Specify whether to send a message to the mailbox owner when an infected attachment is found. Click Edit... to edit the informational text file that replaces the infected attachment if it is dropped.

2. Click Next to continue.

Step 5. Specify Attachment Stripping Settings for Mailboxes

1. Choose settings for stripping attachments during the scheduled operation.

Strip attachments: Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.

Strip all attachments - Strip all attachments from all messages and notes.

Strip all attachments except these allowed - Strip all except specified attachments.

Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachment: Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see “Quarantine Management”, 160.

Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send the informational message to the mailbox owner: Specify whether an informational message should be sent to the owner of the mailbox when an attachment is stripped. Click Edit to edit the message.

Notify administrator: Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

2. Click Next to continue.

Step 6. Select Public Folders to Process

1. Select Public Folders that should be processed during the scheduled operation.
   • Do not process public folders - Do not process any Public Folders.
   • Process all public folders - Process all notes posted to all Public Folders.
   • Process only included public folders - Process all notes posted to the listed Public Folders.
   • Process all except excluded public folders - Process all notes posted to all Public Folders, except the listed ones.

The notes and attachments to be processed in the selected folders are defined with the Attachments to Scan and Scan Mail Message Body settings. Click Add to add a new Public Folder to the list. Click Clear to remove the selected folder or Clear All to remove all entries from the list. By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

2. Click Next to continue.

Step 7. Specify Virus Scanning Settings for Public Folders

1. Choose settings for virus scanning of Public Folders during the scheduled operation.

Attachments to scan: Specify which message attachments are checked for viruses.

Do not scan attachments for viruses - Do not scan any attachments.

Scan all attachments - Scan all message attachments.

Scan all attachments with these extensions - Scan all attachments with specified filename extensions.

Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types on the extensions lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body: Specify whether the body of the e-mail message should be scanned for malicious code.

By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies.

Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

By default, Intelligent File Type Recognition is disabled during the real-time processing.

Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the ‘rtf’ filename extension) and you do not accidentally block safe content that has an unsafe filename extension (for example, a text file using the ‘doc’ filename extension). Intelligent File Type Recognition can degrade the system performance.

Action

Action on infected attachments: Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.

Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Quarantine infected attachments: Specify whether infected attachments should be placed in the Quarantine or not. For more information, see “Quarantine Management”, 160.

Send warning message to the originator: Specify whether to send a warning message to the originator of the public folder message, which contained an infected attachment. Click Edit to edit the message.

2. Click Next to continue.

Step 8. Specify Attachment Stripping Settings for Public Folders

1. Choose settings for stripping attachments during the scheduled operation.

Strip attachments: Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.

Strip all attachments - Strip all attachments from all messages and notes.

Strip all attachments except these allowed - Strip all except specified attachments.

Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types on the attachments lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action

Action on stripped attachment: Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see “Quarantine Management”, 160.

Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Send the informational message to the originator: Specify whether an informational message should be sent to the originator of the message when an attachment is stripped. Click Edit to edit the message.

Notify administrator: Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

2. Click Next to continue.

Step 9. Finish

The Scheduled Operation Wizard displays a summary of the created operation. Click Finish to accept the new scheduled operation and to exit the wizard.

3.6 Configuring Alert Forwarding

Alerts are sent if security has been compromised or a program wants to notify about some specific events, such as starting/stopping modules, low disk space, etc. Alerts are also sent when a program or operation has encountered a problem.

You can configure alert forwarding by editing the Alert Forwarding table in the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can access it from the Home page by clicking the Configure... button in the F-Secure Management Agent section. When the F-Secure Management Agent Configuration page opens, click the Alert Forwarding... button to open the F-Secure Management Agent Configuration > Alert Forwarding page.

Figure 3-3 F-Secure Management Agent Configuration > Alert Forwarding page

You can specify where an alert is sent according to its severity level. You can send an alert to any of the following:

- Windows Event Viewer
- E-mail
- SNMP.

To forward alerts to an e-mail, specify the e-mail address of the recipient. Follow these instructions:

1. Click Add to add a new row in the E-mail Address table.
2. Type the e-mail address on the new row.
3. Select the types of alerts that are to be sent to this address.
4. Click Apply.

3.7 Viewing Alerts

When F-Secure Anti-Virus for Microsoft Exchange has encountered a problem, it sends an alert to the administrator. Alerts are also sent if security has been compromised or a program wants to notify about some specific events - the product has found a virus, there is not enough disk space to do some operation, and so on. Every received alert is displayed in the following format:

Ack: Click Ack to acknowledge the alert. If all alerts are acknowledged, Ack is grayed out.

Severity: The severity of the alert. Each severity level has its own icon:

Info - Normal operating information from the host

Warning - Warning from the host

Error - Recoverable error on the host

Fatal error - Unrecoverable error on the host

Security alert - Virus or other security hazard detected

Date/Time: Date and time of the alert.

Description: Description of the problem.

Host/User: Name of the host and user where the alert originated.

Product: The F-Secure product that sent the alert.

4 ADMINISTRATION WITH WEB CONSOLE

Overview
F-Secure Anti-Virus for Microsoft Exchange Settings
F-Secure Content Scanner Server Settings
F-Secure Automatic Update Agent Settings
F-Secure Management Agent Settings

4.1 Overview

F-Secure Anti-Virus for Microsoft Exchange can be administered with F-Secure Anti-Virus for Microsoft Exchange Web Console. The Web Console is installed with F-Secure Anti-Virus for Microsoft Exchange. To open the Web Console, double-click the F-Secure Settings and Statistics icon in the Windows system tray and double-click F-Secure Anti-Virus for Microsoft Exchange, or select it from the Start menu > Programs > F-Secure Anti-Virus for Microsoft Exchange.

4.2 F-Secure Anti-Virus for Microsoft Exchange Settings

You can use the F-Secure Anti-Virus for Microsoft Exchange Web Console to start and stop F-Secure Anti-Virus for Microsoft Exchange, modify its settings, edit scheduled tasks and start manual processing.

4.2.1 Summary

The Summary page displays the current status of the product and a summary of the most important product statistics.

Figure 4-1 Summary page

Status

Status: The current status of F-Secure Anti-Virus for Microsoft Exchange. F-Secure Anti-Virus for Microsoft Exchange is Started when it is Running and Stopped when it has been stopped or disabled.

Version: The version and the build number of installed F-Secure Anti-Virus for Microsoft Exchange.

Protected mailboxes: Displays the number of currently protected mailboxes.

Protected public folders: Displays the number of currently protected Public Folders.

Infections found: Displays the number of infections found.

Infections found within outbreak interval: Displays the number of infections that have been found within the currently defined outbreak interval.

Last time infection found: Displays the date and time when the last infection was found.

Last infection found: Displays the name of the last infection that was found.

Click Start to start the product and Stop to stop it. Click Reset Statistics to reset the statistics displayed on this page.

4.2.2 Virus Scanning

Virus Scanning settings are used to specify how inbound and outbound messages and Public Folder notes that are sent to F-Secure Content Scanner Server are to be checked for malicious code.

Figure 4-2 Virus Scanning / Statistics page

Statistics

Infections found: Displays the total number of infections found.

Infections found within outbreak interval: Displays the number of infections that have been found during the currently defined outbreak interval.

Last time infection found: Displays the date and time when the last infection was found.

Last infection found: Displays the name of the last infection that was found.

Processed: Displays the number of processed message bodies and attachments.

Infected: Displays the number of attachments that have been infected with malicious code.

Suspicious: Displays the number of stripped messages and messages that have not been scanned reliably. The message is considered to be suspicious if it is encrypted or it has been compressed with an unknown algorithm, or there was a scanning problem when the message was being scanned.

Common

Edit the Virus Scanning / Common settings to specify which messages should be scanned for malicious code.

Note that you may have to scroll the page to view all the settings.

Figure 4-3 Virus Scanning / Common settings

Scan mail and public folders for viruses

Scan mail and public folders for viruses: Specify which message attachments are checked for viruses.

Do not scan - Do not scan any attachments.

Scan all - Scan all message attachments.

Scan all attachments with these extensions - Scan all attachments with specified filename extensions.

Scan all attachments except with these extensions - Scan all attachments except those with specified filename extensions.

You can add new file types to the extension lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Scan mail message body: Specify whether the body of the e-mail message should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans message bodies.

Although scanning message bodies can slow down the performance, it is recommended as a virus can be carried inside a message body.

Scan OLE objects: Specify whether linked and embedded OLE objects in messages should be scanned for malicious code. By default, F-Secure Anti-Virus for Microsoft Exchange scans OLE objects.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not. By default, Intelligent File Type Recognition is disabled during the real-time processing.

Intelligent File Type Recognition strengthens the security - you can block unsafe content that has a safe filename extension (for example, a Microsoft Word document using the ‘rtf’ filename extension) and you do not accidentally block safe content that has unsafe filename extension (for example, a text file using the ‘doc’ filename extension). Intelligent File Type Recognition can degrade the system performance.

Max level of nested messages: Set the maximum number of levels of messages inside messages that F-Secure Anti-Virus for Microsoft Exchange should scan. If the number of levels exceeds the specified limit, F-Secure Anti-Virus for Microsoft Exchange performs the action specified in the Action on messages with exceeding nesting levels setting.

Action

Action on infected attachments: Specify whether infected attachments should be disinfected or dropped.

Disinfect attachment - Try to disinfect the infected attachment. If the disinfection succeeds, the recipient receives the disinfected file instead of the original one. If the disinfection fails, the infected attachment is dropped, and it is not delivered to the recipient.

Drop attachment - Do not disinfect or deliver infected attachments. All infected attachments are dropped.

By default, F-Secure Anti-Virus for Microsoft Exchange tries to disinfect infected attachments.

Action on messages with exceeding nesting levels: Specify the action to take on e-mail messages with nesting levels exceeding the upper level specified in the Max Levels of Nested Messages setting.

Drop - E-mail messages with exceeding nesting levels are not delivered to the recipient(s). The nested messages are quarantined if the Quarantine Problematic Mails setting on the General / Quarantine page is set to Yes.

Pass Through - Nested e-mail messages will be scanned up to level specified in the Max Levels of Nested Messages setting and then delivered to the recipient(s).

Quarantine infected attachments: Specify whether infected attachments should be placed in the Quarantine or not. For more information, see “Quarantine”, 111.

Virus informational text file: Edit the informational text file that replaces the infected attachment if it is dropped.

Reporting

Notification sender address: Define the SMTP address to use when sending notifications to end-users. The SMTP address should be a valid, existing address that is allowed to send messages.
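The nesting limit and its two actions can be pictured with the following added example, which is not F-Secure's code. It uses Python's standard email package on a constructed message; the function names, the "drop" and "pass_through" strings and the level numbering (the top-level message is level 0) are assumptions made for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_nested(depth):
    """Constructed sample: a message with `depth` levels of messages attached inside it."""
    msg = EmailMessage()
    msg["Subject"] = f"level {depth}"
    msg.set_content(f"body at level {depth}")
    for level in range(depth - 1, -1, -1):
        outer = EmailMessage()
        outer["Subject"] = f"level {level}"
        outer.set_content(f"body at level {level}")
        outer.add_attachment(msg)  # stored as a message/rfc822 part
        msg = outer
    return msg


def process(raw, max_levels, action):
    """Walk the MIME tree without scanning past max_levels of embedded messages.

    Returns (verdict, exceeded, scanned); scanned lists the (level, content type)
    of every leaf part that would be handed to the scanner.
    """
    if action not in ("drop", "pass_through"):
        raise ValueError(f"unknown action: {action}")
    root = message_from_bytes(raw, policy=policy.default)
    scanned = []
    exceeded = False

    def walk(part, level):
        nonlocal exceeded
        if part.get_content_type() == "message/rfc822":
            if level + 1 > max_levels:
                exceeded = True  # limit hit: nothing below this part is scanned
                return
            level += 1
        if part.is_multipart():
            for child in part.get_payload():
                walk(child, level)
        else:
            scanned.append((level, part.get_content_type()))

    walk(root, 0)
    # Drop: the whole message is withheld. Pass Through: deliver after the
    # partial scan, so the unscanned inner levels reach the recipient.
    verdict = "dropped" if exceeded and action == "drop" else "delivered"
    return verdict, exceeded, scanned


if __name__ == "__main__":
    raw = build_nested(3).as_bytes()
    for action in ("drop", "pass_through"):
        print(action, process(raw, 2, action))
```

With Pass Through, the levels below the limit are delivered without having been scanned, which is the trade-off to weigh when choosing between the two actions.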

Inbound Mail

Edit Virus Scanning / Inbound Mail settings to define whether the whole message should be stopped if an infection is found and to specify the trusted mailboxes and the warning messages for infected, inbound mails. These settings are specific to the mails that are destined to the internal domains defined under the General / Internal Domains branch. For more information, see “Internal Domains”, 127.

Figure 4-4 Real-Time Scanning / Inbound Mail settings

Processing options

Stop the whole message if infection found: Specify whether F-Secure Anti-Virus for Microsoft Exchange should stop inbound messages that contain malicious code.

When this setting is enabled, inbound messages with infected attachment(s) will be stopped completely.

When this setting is disabled, infected attachments will be disinfected automatically or dropped from inbound messages.

In both cases, a warning message will be sent to the sender if the Send Warning Message to Sender setting is enabled.

When this setting is enabled, all messages are scanned when they enter the system. The clean messages will be delivered to the mailbox server, where they will be scanned again. On the other hand, enabling this setting reduces internal network traffic, because infected messages are stopped before they enter the system.

Trusted mailboxes

Trusted mailboxes: Define users’ mailboxes that should be excluded from real-time virus scanning.

The trusted mailbox feature works only for messages that are sent directly to an address defined as a trusted mailbox. If the message has multiple recipients, and some of them are defined on the Trusted mailboxes list but some are not, the message will be scanned.

Editing Trusted Mailboxes List

Click Specify to open a dialog box where you can add new trusted mailboxes, or remove trusted mailboxes from the list.

- To add a new mailbox to the list, click Add. Select mailboxes from the list and click OK.
- To delete an address from the list, click on the column to select the mailboxes that you want to delete. Click Clear to delete the currently marked mailboxes from the trusted mailboxes list.

It is not safe to use trusted mailboxes. You should not send or copy messages from trusted mailboxes to other mailboxes. Keep all trusted mailboxes on a separate message store, as messages are always scanned when they are sent to another store.

Notification message options

Add warning message to the original message: Specify whether a virus warning message should be added to the mail message which had infected content and which goes to the original message recipient. If you want to add the warning message, the original message is embedded in the virus warning message without the infected attachment.

Click Edit to edit the warning message that is added to the mail message.

By default, F-Secure Anti-Virus for Microsoft Exchange does not add the virus warning message.

Send warning message to sender: Specify whether a virus warning message should be sent to the sender of the mail message which had infected content. If you want to add the warning message, the original message is embedded in the virus warning message without the infected attachment.

Click Edit to edit the warning message that is sent to the sender of the mail message which had infected content.

By default, F-Secure Anti-Virus for Microsoft Exchange does not send the virus warning message to the sender.

The virus warning message will be sent to the sender of the infected message only if the sender belongs to the internal domain. F-Secure Anti-Virus for Microsoft Exchange does not send the warning message outside the company domain.

Outbound Mail

Edit Virus Scanning / Outbound Mail real-time processing settings to define what should be done to infected outbound messages and set warning messages to infected, outbound mails.

Figure 4-5 Virus Scanning / Outbound Mail settings

Processing options

Stop the whole message if infection found: Specify whether all outgoing messages that have infected content should be stopped or not. Check the checkbox to stop all outbound messages with infected content completely. The original message will be attached to the warning and bounced back to the sender with disinfected content. Clear the checkbox to disinfect or drop the infected attachment before sending the outbound message. By default, F-Secure Anti-Virus for Microsoft Exchange stops the whole message.

If you set F-Secure Anti-Virus for Microsoft Exchange to disinfect infected files and stop the whole message if an infection is found, messages that are sent from a MAPI client are not stopped if they can be disinfected. Messages are scanned and disinfected when they are in the Outbox. When a message leaves the Outbox folder, it does not contain malicious code anymore, so it is not stopped.

Notifications

Send warning message to sender: Specify whether a virus warning message should be sent to the sender of the mail message which had infected content. If you want to add the warning message, the original message is embedded in the virus warning message.

Click Edit to edit the warning message.

If the sender sends an infected message to internal and external recipients, the sender can receive two warning messages about the same infection.

Add disclaimer to all outgoing messages: Specify whether you want to add a disclaimer to all outgoing messages.

Click Edit to edit the disclaimer text.

By default, F-Secure Anti-Virus for Microsoft Exchange adds a disclaimer.

Public Folders

Edit Public Folders real-time processing settings to define which Public Folders should be scanned for malicious code and to set warning messages to infected Public Folder notes.

Figure 4-6 Virus Scanning / Public Folders settings

Examine public folders

Examine public folders: Specify public folders that should be scanned for viruses.

Do not scan public folders - Do not process any Public Folders.

Scan all public folders - Process all notes posted to all Public Folders.

Scan only included public folders - Process all notes posted to the listed Public Folders.

Scan all except excluded public folders - Process all notes posted to all Public Folders, except to the ones in the list.

By default, F-Secure Anti-Virus for Microsoft Exchange processes all Public Folders.

Editing Public Folders

Click Specify to open a dialog box where you can add new Public Folders, or remove Public Folders from the list.

- To add a new Public Folder to the list, click Add. Select Public Folders from the list and click OK.
- To select all subfolders of the Public Folder in the list, check the checkbox in the column.
- To delete a Public Folder from the list, click on the column to select the Public Folders that you want to delete. Click Clear to delete the currently marked Public Folders from the list.

All infected messages which are sent to public folders with Outlook WebAccess are disinfected or dropped regardless of the Examine Public Folders setting.

Notifications

Send warning message to originator: Specify whether a virus warning message should be sent to the original writer of the note which had infected content that could not be disinfected.

Click Edit to edit the warning message.

By default, F-Secure Anti-Virus for Microsoft Exchange sends the virus warning message to the originator.

Outbreak Detection

F-Secure Anti-Virus for Microsoft Exchange can alert administrators when the number of infections detected within a specified time frame exceeds a specified value.

Figure 4-7 Virus Scanning / Outbreak Detection settings

Condition

Notify when number of infections detected exceed: Specify the number of infected objects that should be found within a specified time period, for it to be considered as a virus outbreak. Use the value zero (0) to disable the outbreak notification.

By default, the outbreak notification is disabled (0).

Action

Send security alert to the administrator: Specify whether a security alert should be sent to the administrator when a virus outbreak is detected.

Send outbreak notification message: Specify whether outbreak notification e-mail should be sent to the notification addresses specified in the Notification Addresses setting when a virus outbreak is detected.

By default, F-Secure Anti-Virus for Microsoft Exchange does not send the outbreak notification.

Click Edit to edit the outbreak notification message.

Run outbreak handler script: Specify an external program that should be run when a virus outbreak is detected. The external program is run using the user account defined during the installation.
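The outbreak condition described above (a count of detections inside a time frame, with 0 meaning disabled) behaves like a windowed counter. The following is an added illustration, not the product's implementation: the sliding window, the one-alert-per-outbreak behaviour, the log line format and all names are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed detection log lines (hypothetical format, not the product's log).
SAMPLE_LOG = """\
2008-03-01 10:00:00 infected mailbox=alice name=Sample.A
2008-03-01 10:01:00 infected mailbox=bob name=Sample.A
2008-03-01 10:02:00 infected mailbox=carol name=Sample.A
2008-03-01 10:03:00 infected mailbox=dave name=Sample.A
2008-03-01 11:30:00 infected mailbox=alice name=Sample.B
2008-03-01 11:31:00 infected mailbox=bob name=Sample.B
2008-03-01 11:32:00 infected mailbox=carol name=Sample.B
2008-03-01 11:33:00 infected mailbox=dave name=Sample.B
"""


class OutbreakDetector:
    """Counts detections inside a sliding interval and flags when the count exceeds a limit."""

    def __init__(self, threshold, interval):
        self.threshold = threshold   # 0 disables the notification, as in the guide
        self.interval = interval     # timedelta: the outbreak interval
        self.events = deque()        # timestamps still inside the interval
        self.in_outbreak = False     # assumption: alert once until the count falls back

    def record(self, when):
        """Register one detection (timestamps in order); return True if an alert fires now."""
        self.events.append(when)
        cutoff = when - self.interval
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()    # forget detections older than the interval
        if self.threshold == 0:
            return False
        over = len(self.events) > self.threshold  # "exceeds", not "reaches"
        fire = over and not self.in_outbreak
        self.in_outbreak = over
        return fire


def replay(log_text, threshold, interval_minutes):
    """Feed log lines through the detector; return the HH:MM times at which an alert fires."""
    detector = OutbreakDetector(threshold, timedelta(minutes=interval_minutes))
    alerts = []
    for line in log_text.splitlines():
        if " infected " not in line:
            continue
        when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        if detector.record(when):
            alerts.append(when.strftime("%H:%M"))
    return alerts


if __name__ == "__main__":
    print(replay(SAMPLE_LOG, threshold=3, interval_minutes=10))
```

A threshold set too close to the normal daily detection count produces alerts on ordinary traffic, while an interval that is too short misses slow outbreaks, as the 2-minute case in the sample shows.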

4.2.3 Stripping Attachments

F-Secure Anti-Virus for Microsoft Exchange can be configured to remove attachments in real-time from inbound and outbound messages by their file name or the file extension even without scanning them for malicious code. The Statistics page displays the number of attachments stripped from inbound and outbound mail and public folders.

Figure 4-8 Stripping Attachments / Statistics page

Statistics

Attachments stripped: Displays the number of stripped attachments in inbound mail, outbound mail and public folders.

On-Access

Edit On-Access stripping attachments settings to set which attachments should be stripped during the on-access scanning.

Note that you have to scroll the page to view all the settings.

Figure 4-9 Content Blocking / On-Access / Stripping Attachments settings

Strip attachments

Strip attachments: Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.

Strip all attachments - Strip all attachments from all messages and notes.

Strip all attachments except these allowed - Strip all except specified attachments.

Strip only these disallowed attachments - Strip only specified attachments.

You can add new file types to the attachment lists by typing the file extensions in the allowed and disallowed attachments text boxes. Separate the extensions by spaces.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

Action on stripped attachment

Action on stripped attachment: Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see “Quarantine”, 111.

Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Add informational message: Specify whether an informational message should be added to the mail message which originally had the stripped attachment. During the on-access scanning, the informational message can be sent to the mailbox owner or to the originator of an infected message or an infected Public Folder note.

Click Edit to edit the message that is added to the message which contained the stripped attachment.

By default, F-Secure Anti-Virus for Microsoft Exchange does not add the informational message.

Send the informational message to sender: Specify whether an informational message should be sent to the sender of the mail message which had the stripped attachment.

Click Edit to edit the message that is sent to the sender of the mail message which contained the stripped attachment.

By default, F-Secure Anti-Virus for Microsoft Exchange does not send an informational message to the sender.

Notify administrator: Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

By default, F-Secure Anti-Virus for Microsoft Exchange sends an informational alert to the administrator.
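How the four stripping modes interact with file type recognition can be seen in the following added example, which is an illustration and not F-Secure's recognition engine. The signature table, the mode strings and the function names are assumptions, and the sample attachments are constructed.

```python
# Constructed signature table: leading magic bytes -> extension used for the decision.
MAGIC = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 container, mapped to 'doc' for brevity
    (b"MZ", "exe"),                                  # DOS/PE executable
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
)


def sniff_type(data):
    """Guess the real type from content; None when nothing matches."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "txt"  # simplification: NUL-free UTF-8 is treated as plain text
        except UnicodeDecodeError:
            pass
    return None


def name_extension(filename):
    """Last filename extension, lower-cased, without the dot ('' if none)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def parse_list(text):
    """Parse a space-separated extension list as typed into the text box."""
    return {item.lower().lstrip(".") for item in text.split()}


def effective_type(filename, data, recognition):
    """Type used for the policy decision: sniffed content if enabled and known, else the name."""
    if recognition:
        real = sniff_type(data)
        if real is not None:
            return real
    return name_extension(filename)


def should_strip(mode, filename, data, allowed="", disallowed="", recognition=False):
    """Return True if the attachment is stripped under the given mode."""
    if mode == "do_not_strip":
        return False
    if mode == "strip_all":
        return True
    kind = effective_type(filename, data, recognition)
    if mode == "strip_all_except_allowed":
        return kind not in parse_list(allowed)
    if mode == "strip_only_disallowed":
        return kind in parse_list(disallowed)
    raise ValueError(f"unknown mode: {mode}")


# Constructed attachments mirroring the cases the guide describes.
WORD_AS_RTF = ("report.rtf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
TEXT_AS_DOC = ("notes.doc", b"meeting notes\n")
EXE_AS_PDF = ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 28)

if __name__ == "__main__":
    for name, data in (WORD_AS_RTF, TEXT_AS_DOC, EXE_AS_PDF):
        for recognition in (False, True):
            verdict = should_strip("strip_only_disallowed", name, data,
                                   disallowed="doc exe", recognition=recognition)
            print(f"{name:12} recognition={recognition!s:5} strip={verdict}")
```

Without recognition, an allow list only constrains what an attachment is named, so the renamed executable passes the "except these allowed" mode until content-based typing is switched on.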

Inbound Mail

Edit Stripping Attachments / Inbound Mail settings to specify which attachments should be stripped from the inbound mail. For settings descriptions, see below.

Note that you may have to scroll the page to view all the settings.

Figure 4-10 Stripping Attachments / Inbound Mail settings

Strip attachments

Strip attachments: Specify which attachments should be stripped from messages and public folder notes.

Do not strip - Do not strip any attachments.

Strip all attachments - Strip all attachments from all messages and notes.

Strip all attachments with these extensions - Strip all except specified attachments.

Strip all attachments except with these extensions - Strip only specified attachments.

You can add new file types to the extension lists by typing the file extensions in the file extensions text boxes. Separate the extensions by spaces.

Enable File Type Recognition: Trojans and other malicious code can disguise themselves with filename extensions which are usually considered safe to use. Intelligent File Type Recognition can recognize the real file type of the message attachment and use that while the attachment is processed. Specify whether you want to use Intelligent File Type Recognition or not.

By default, the Intelligent File Type Recognition is disabled during the real-time processing and enabled during the manual processing.

Trusted mailboxes

Trusted mailboxes: Define users’ mailboxes that should be excluded from real-time content filtering and attachment stripping.

The trusted mailbox feature works only for messages that are sent directly to an address defined as a trusted mailbox. If the message has multiple recipients, and some of them are defined on the Trusted mailboxes list but some are not, the message will be scanned.

Editing Trusted Mailboxes List

Click Specify to open a dialog box where you can add new trusted mailboxes, or remove trusted mailboxes from the list.

- To add a new mailbox to the list, click Add. Select mailboxes from the list and click OK.
- To delete an address from the list, click on the column to select the mailboxes that you want to delete. Click Clear to delete the currently marked mailboxes from the trusted mailboxes list.

Action on stripped attachment

Action on stripped attachment: Specify whether stripped attachments should be quarantined or dropped.

Quarantine attachment - All stripped attachments are placed in the Quarantine. For more information, see “Quarantine”, 111.

Drop attachment - All stripped attachments are deleted automatically.

By default, F-Secure Anti-Virus for Microsoft Exchange quarantines stripped attachments.

Add informational message: Specify whether an informational message should be added to the mail message which originally had the stripped attachment. During on-access scanning, the informational message can be sent to the mailbox owner or to the originator of an infected message or an infected Public Folder note.

Click Edit to edit the warning message that is added to the mail message.

By default, F-Secure Anti-Virus for Microsoft Exchange does not add the informational message.

Send informational message to sender: Specify whether an informational message should be sent to the sender of the mail message which had the stripped attachment.

Click Edit to edit the warning message that is sent to the sender of the mail message which contained the stripped attachment.

By default, F-Secure Anti-Virus for Microsoft Exchange does not send an informational message to the sender.

Notify administrator: Specify whether the administrator should be notified when F-Secure Anti-Virus for Microsoft Exchange strips an attachment.

Do not notify - Do not send any notification to the administrator.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

By default, F-Secure Anti-Virus for Microsoft Exchange sends an informational alert to the administrator. For more information, see “Configuring Alert Forwarding”, 67.

The F-Secure Management Agent alert forwarding table controls where alerts of a certain severity level are sent.

Outbound Mail

Edit Stripping Attachments / Outbound Mail attachment stripping settings to set which attachments should be stripped from the outbound mail. For settings descriptions, see “Inbound Mail”, 95.

Note that you have to scroll the page to view all the settings.

Figure 4-11 Stripping Attachments / Outbound Mail settings

4.2.4 Content Filtering

The Content Filtering settings specify how content should be filtered based on keywords found in message subject and content. The Spam Control settings are also located under the Content Filtering branch, but they are displayed only if you have installed F-Secure Spam Control with the product.

Figure 4-12 Content Filtering / Statistics page

Statistics

Spam messages: Displays the total number of spam messages that have been found.

Size of spam messages: Displays the total size of spam messages that have been found.

Filtered inbound messages: Displays the total number of inbound messages that have been filtered.

Filtered outbound messages: Displays the total number of outbound messages that have been filtered.

Spam Control

For information on F-Secure Spam Control settings, see “Spam Control Settings in Web Console”, 180.

Inbound Mail

Edit Content Filtering / Inbound Mail settings to define how content should be filtered in the inbound mail based on keywords in message subjects and text. For settings descriptions, see below.

Figure 4-13 Content Filtering / Inbound Mail settings

Processing options

Enable content filtering: Specify whether the content of inbound messages is filtered based on the subjects and texts of the messages as defined on this tab.

List of disallowed keywords in message subject: Lists the keywords that are not allowed in message subject and that are used as filtering criteria.

List of disallowed keywords in message text: Lists the keywords that are not allowed in message text and that are used as filtering criteria.

Click Edit to open a dialog box where you can add new disallowed keywords, or remove keywords from the list.

Select the checkbox in the column to mark the entries that you want to remove.

Click Clear to remove the selected entries from the list.

Editing Keyword Lists

Click Edit to open a dialog box where you can add new disallowed keywords, or remove keywords from the list.

- To add a new keyword to the list, click Add.
- To add multiple entries at once, click Import.
- To delete a keyword from the list, click on the column to select the keywords that you want to delete. Click Clear to delete the currently marked keywords from the list.

Trusted mailboxes

Trusted mailboxes: Define users’ mailboxes that should be excluded from real-time content filtering and attachment stripping.

The trusted mailbox feature works only for messages that are sent directly to an address defined as a trusted mailbox. If the message has multiple recipients, and some of them are defined on the Trusted mailboxes list but some are not, the message content will be filtered and attachments stripped.

Editing Trusted Mailboxes List

Click Specify to open a dialog box where you can add new trusted mailboxes, or remove trusted mailboxes from the list.

- To add a new mailbox to the list, click Add. Select mailboxes from the list and click OK.
- To delete an address from the list, click on the column to select the mailboxes that you want to delete. Click Clear to delete the currently marked mailboxes from the trusted mailboxes list.

Action on message with disallowed content

Action: Specify the action to take on a message with disallowed content.

Quarantine message - The filtered message is placed in the Quarantine.

Drop message - The filtered message will be deleted automatically.

Send informational message to recipient: Specify whether a warning message will be sent to the recipient of the disallowed content that has been filtered.

The warning message will be sent only if the recipient of the message with the disallowed content is a user belonging to an internal domain (for more information, see “Internal Domains”, 127). This means that no informational messages will be sent outside the company.

Click Edit to edit the warning message text.

Notify administrator: Specify whether an alert will be sent to the administrator when an attachment is stripped from a message and what type of an alert it should be.

Do not notify - Do not send any notification to the administrator.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

The F-Secure Management Agent alert forwarding table controls where alerts with a certain severity level are sent.

Outbound Mail

Edit Outbound Mail content blocking settings to set which attachments should be stripped from the outbound mail and how messages should be blocked based on keywords found in the message subjects and text. For settings descriptions, see “Inbound Mail”, 102.

Figure 4-14 Content Filtering / Outbound Mail settings

4.2.5 Manual Scanning

You can process mailboxes and public folders manually as needed.

Figure 4-15 Manual Processing page

Processing Mailboxes Manually

The Status field displays the current status of the manual process.

• To start processing mailboxes manually, click Start. Click Stop to terminate the currently running manual scan.
• Click Configure... to set up a new manual processing task. For more information, see “Creating Manual Scanning Operation”, 34.
• Click Show Report to view the report of the last manual processing task.

Progress

Estimated time
Displays the estimated time that is left of the manual processing.

Elapsed time
Displays the time that has elapsed since the manual processing was started.

Processed number mailboxes
Displays the number of mailboxes that have been processed out of the total number of mailboxes.

Last processed mailbox
Displays the mailbox that is currently being processed.

Processed number public folders
Displays the number of public folders that have been processed out of the total number of public folders.

Last processed public folder
Displays the public folder that is currently being processed.

Messages in Mailboxes
Displays the number of processed, infected and suspicious messages in mailboxes.

Messages in Public Folders
Displays the number of processed, infected and suspicious messages in Public Folders.

Scheduled Scan Tasks

Figure 4-16 Scheduled Processing page

Editing Scheduled Tasks

The Scheduled tasks table displays all scheduled tasks and the date and time when the next scheduled task occurs.

Clear the checkbox in front of the task to deactivate a scheduled task. Check the checkbox to activate it again.

• When the scheduled scanning task is complete, column reports completed scheduled scanning tasks. You can view the report by clicking the Report... link displayed in this column.
• Click the Edit... link displayed in column to edit a scanning task.
• Click Show Latest Report to display a report of performed scheduled tasks.
• Click Add Task... to start the Scheduled Operation Wizard. For more information, see “Creating Scheduled Operation”, 50.
• To delete a scheduled task from the list, click on column to select scheduled tasks that you want to delete. Click Clear to delete the currently marked scheduled tasks from the list.

4.2.6 Quarantine

Quarantine in F-Secure Anti-Virus for Microsoft Exchange is handled through a SQL database. The product is able to quarantine e-mails and attachments which contain malicious or otherwise unwanted content, such as spam messages. The Quarantine management is divided into two different parts:

• Quarantine-related configuration, and
• the management of the quarantined content, for example searching for and deleting quarantined content.

In stand-alone installations, quarantine-related settings are configured and the quarantined files managed through the Web Console. The Quarantine Query page in Web Console is used for searching the quarantined content. When the product places content to the Quarantine, it saves the content as separate files into the Quarantine Storage (a directory specified in the Quarantine settings) and inserts an entry to the Quarantine Database with information about the quarantined content. For more information, see “Quarantine Management”, 248.

Quarantine Thresholds

Figure 4-17 Quarantine thresholds settings

Quarantine thresholds

Quarantined items threshold
Specify the critical number of items in the Quarantine storage. If the specified value is reached or exceeded, the product sends an alert. If zero (0) is specified, the number of items in the Quarantine storage is not checked. The default value is 100000 items.

E-mail messages and infected, suspicious and disallowed attachments are stored and counted as separate items in the Quarantine storage. For example, if a message has three attachments and only one of them has been found infected, two items will be created in the Quarantine storage. These items still have the same Quarantine ID in the Quarantine database.

Quarantine size threshold
Specify the critical size (in megabytes) of the quarantine folder. If the specified value is reached, the product sends an alert. The default value is 200. If zero (0) is specified, the size of the Quarantine is not checked. The allowed value range is from 0 to 10240.

Notify when quarantine threshold is reached
Specify how the administrator should be notified when the Quarantine Size Threshold and/or Quarantined Items Threshold are reached. No alert is sent if both thresholds are set to zero (0). The options available are:

Quarantine Reprocess, Retention and Cleanup

When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients. For more information, see “Reprocessing the Quarantined Content”, 171.

Figure 4-18 Quarantine cleanup settings

Reprocess unsafe messages

Automatically reprocess unsafe messages
Specify how often the product tries to reprocess unsafe messages that are retained in the Quarantine. Set the value to Disabled to process unsafe messages manually.

Max attempts to process unsafe messages
Specify how many times the product tries to reprocess unsafe messages that are retained in the Quarantine.

Use the Final Action on Unsafe Messages setting to specify the action that takes place if the message is retained in the Quarantine after the maximum attempts.

Final action on unsafe messages
Specify the action to take on unsafe messages after the maximum number of reprocessing attempts has been made.

Leave in Quarantine - Leave messages in the Quarantine and process them manually.

Release to Intended Recipients - Release messages from the Quarantine and send them to original recipients.

Quarantine retention and cleanup

Retain items in quarantine
Specify how long quarantined items should be retained in the Quarantine before they are deleted.

Use the Quarantine Cleanup Exceptions table to change the retention period for a particular Quarantine category.

Delete old items every
Specify how often the storage should be cleaned of old quarantined items.

Use the Quarantine Cleanup Exceptions table to change the cleanup interval for a particular Quarantine category.

Exceptions
Specify separate quarantine retention period and cleanup interval for each Quarantine category. If retention period and cleanup interval for a category are not defined in this table, then the default ones (specified above) are used.

Active - Enable or disable the selected entry in the table.

Quarantine category - Select a category the retention period or cleanup interval of which you want to modify. The categories are:

• Infected
• Disallowed
• Suspicious
• Spam
• Scan failure
• Unsafe

Retention period - Specify an exception to the default retention period for the selected Quarantine category.

Cleanup interval - Specify an exception to the default cleanup interval for the selected Quarantine category.

• Send informational alert
• Send warning alert
• Send error alert
• Send security alert

Quarantine Logging

Figure 4-19 Quarantine logging settings

Logging

Quarantine log directory
Specify the path for Quarantine log files.

Rotate quarantine logs
Specify how often the product rotates Quarantine log files. At the end of each rotation time a new log file is created.

Keep rotated quarantine logs
Specify how many rotated log files should be stored in the Quarantine.

Quarantine Options

Quarantine Options

Quarantine worms
Specify whether the product should quarantine files infected with mass worms or mail viruses such as Sobig or Bagle.

Quarantine problematic messages
Specify if messages that contain malformed or broken attachments should be quarantined for later analysis or recovery.

This setting works together with the Security Options/Action on Malformed Mails setting in the inbound and outbound mail settings.

Quarantine Database

Figure 4-20 Quarantine database settings

You can specify the database where information about quarantined e-mails is stored and from which it is retrieved.

Quarantine database

SQL server name
The name of the SQL server where the database is located.

Database name
The name of the Quarantine database. The default name is FSMSE_Quarantine.

User name
The user name the product uses when accessing the database.

Password
The password the product uses when accessing the database.

Quarantine Storage

Quarantine storage
Specify the location of the Quarantine Storage where quarantined e-mails and attachments are placed.

WARNING: During the setup, access rights are adjusted so that only the operating system, the product itself and the local administrator can access files in the Quarantine. If you make changes to the Quarantine storage settings, make sure that the new directory has the same rights.

IMPORTANT: This setting must be defined as Final with the Restriction Editor before the policies are distributed. Otherwise the setting will not be changed in the product.

Make sure that F-Secure Anti-Virus for Microsoft Exchange service has write access to this directory. Adjust the access rights to the directory so that only the F-Secure Anti-Virus for Microsoft Exchange service and the local administrator can access files in the Quarantine.

4.2.7 Advanced

Advanced settings control mail delivery and scanning timeout settings and polling intervals for new mailboxes and Public Folders.

IMPORTANT: These settings control the Virus Scanning interface of Microsoft Exchange Server and modifying them may seriously affect system performance. Use them with caution.

Figure 4-21 Advanced settings

Mail Delivery Settings

Mail opening timeout
Specify the number of seconds to try to open a message.

Max mail sending retries
Specify the number of times to try to send a message if sending it fails.

Mail sending timeout
Specify the number of seconds to wait to try sending a message.

Scanning Interface Parameters

Number of scanning threads
Specify the maximum number of scans to be run simultaneously. When the upper limit of simultaneous scanning threads is reached, messages are queued until a thread is finished.

Advanced

New mailbox polling interval
Specify how often F-Secure Anti-Virus for Microsoft Exchange should check for newly established mailboxes. You can disable the new mailbox polling by using the value 0 (zero).

By default, F-Secure Anti-Virus for Microsoft Exchange polls new mailboxes every 60 minutes.

New Public Folder polling interval
Specify how often F-Secure Anti-Virus for Microsoft Exchange should check for newly established Public Folders. You can disable the new mailbox polling by using the value 0 (zero).

By default, F-Secure Anti-Virus for Microsoft Exchange polls new folders every 60 minutes.

Message scan timeout
Specify the maximum time to wait (in seconds) to scan a message.

Scanning Servers

Edit the Servers settings to configure the connection between F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server.

Note that you may have to scroll the page to view all the settings.

Figure 4-22 Advanced / Scanning Servers settings

Scanning servers

Primary Content Scanner Servers
Specify all F-Secure Content Scanner Servers where F-Secure Anti-Virus for Microsoft Exchange should send files to be processed. If you list more than one F-Secure Content Scanner Server, F-Secure Anti-Virus for Microsoft Exchange uses load sharing between them.

Backup Content Scanner Servers
Specify F-Secure Content Scanner Servers that act as backup servers for primary servers. If F-Secure Anti-Virus for Microsoft Exchange cannot contact primary F-Secure Content Scanner Servers, it interacts with backup servers.

Editing F-Secure Content Scanner Server Addresses

• To add new F-Secure Content Scanner Server IP addresses or host names to the list, click Add.
• To delete an address from the list, click on column to select addresses that you want to delete. Click Clear to delete the currently marked addresses permanently.

Connection timeout
Enter the time interval (in seconds) that specifies how long F-Secure Anti-Virus for Microsoft Exchange should wait for a response from F-Secure Content Scanner Server before stopping attempts to send or receive data.

Restore connection interval
Enter the time interval (in seconds) that specifies how long F-Secure Anti-Virus for Microsoft Exchange will wait before attempting a new connection with the primary F-Secure Content Scanner Servers, in case the previous connection attempt failed or a connection with the server was lost.

Use local interaction mode
Specify whether the product should interact with F-Secure Content Scanner Server in the local interaction mode.

When F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server are installed on the same host and the local interaction mode is enabled, data are transferred via local temporary files and/or shared memory. This provides the best possible performance.

If local interaction mode is disabled, data is transferred via data stream sockets.

It is recommended to use the local interaction mode to obtain the optimum performance.

Maximum shared memory data size
Specify the maximum size of data to be transferred between the Anti-Virus Agent and the F-Secure Content Scanner Server via shared memory.

By default, the maximum size is 1024 kilobytes. When the amount of data exceeds the maximum size, a local temporary file will be used for data transfer.

If the option is set to zero (0), all data transfers via shared memory are disabled.

This setting is ignored if local interaction mode is disabled.

Working directory
Specify the name and location of the Working directory, where temporary files are placed.

During the installation, F-Secure Anti-Virus for Microsoft Exchange automatically adjusts the access rights so that only the operating system and the local administrator can access files in the Working directory. If you change this setting after the installation, make sure that the new folder has secure access permissions.

4.2.8 Internal Domains

Specify the domains which should be considered to be internal domains. All messages which are going to internal domains are considered to be inbound messages. Separate each domain name with a space. You can use * wildcard, for example, *example.com.

Figure 4-23 Internal Domains settings

You can define how the mails destined for the internal domains are processed by configuring the Virus Scanning / Inbound Mail, Stripping Attachments / Inbound Mail and Content Filtering / Inbound Mail settings.

Editing Internal Domain Addresses

• To add a new domain name to the list, click Add. You can use ‘*’ wildcard. For example, *example.com.
• To import a list of domain addresses from a CSV file, click Import....
• To delete a domain name from the list, click on column to select addresses that you want to delete. Click Clear to delete the currently marked addresses permanently.

4.3 F-Secure Content Scanner Server Settings

F-Secure Content Scanner Server can be administered with the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can check the system status, check statistics and modify the settings of F-Secure Content Scanner Server on the computer where the product is installed and running.

4.3.1 Summary

You can see the current status of the F-Secure Content Scanner Server, and virus and spam scanner statistics under the Summary branch.

Status

You can see the statistics of all virus scans on the Status page of F-Secure Content Scanner Server. The statistics display the number of scanned files, the last database update, the last virus found and the last time a virus was found.

Figure 4-24 Summary page

Status

Status
Displays whether F-Secure Content Scanner Server is currently running or not.

Version
Displays the current version number and build of F-Secure Content Scanner Server.

Start time
Displays the start date and time of F-Secure Content Scanner Server.

Scanned files
Displays how many files have been scanned since the last reset.

Last database update
Displays the last date and time when virus definition databases were updated.

Database Update Version
Displays the version of the virus definition database update.

The version is shown in YYYY-MM-DD_NN format, where YYYY-MM-DD is the release date of the update and NN is the number of the update for that day.

Last infection found
Displays the name of the last virus that was found.

Last time infection found
Displays the date and time the last virus was found.

Click Start to start F-Secure Content Scanner Server and Stop to stop F-Secure Content Scanner Server. Click Reset Statistics to reset the statistics in this window.

Virus Statistics

You can see the list of most active viruses on the Summary > Virus Statistics page in F-Secure Anti-Virus for Microsoft Exchange Web Console.

Figure 4-25 Summary / Virus Statistics settings

Most active viruses

Most active viruses table
This table displays a list of the 5, 10 or 30 most often found viruses during the specified time period. It also displays the number of times each virus has been found and the percentage that each virus represents of the total number of viruses encountered.

Click Configure to specify the statistics you want to view.

Time period - Specify the number of days from which the virus information is displayed.

Viruses to show - Specify the number of most active viruses to show in the Virus Statistics table. The options available are Top 5, Top 10 and Top 30.

F-Secure World Map

The product can collect and send statistics about viruses and other malware to the F-Secure World Map service.

When the F-Secure World Map support is enabled, the product sends encrypted e-mail reports periodically to the service. These reports list only the name and the amount of found malware and they do not contain any sensitive information such as IP or e-mail addresses or user names.

You can also forward unencrypted reports to a configurable e-mail address and use the same statistics for your own internal purposes.

MTA IP address
Specify the IP address of mail transfer agent where you want to send the unencrypted report.

MTA port
Specify the port of the mail transfer agent.

Recipients
Specify e-mail addresses where the unencrypted report is sent.

Spam Scanner Statistics

This page is displayed only if you have installed F-Secure Spam Control.

On the Spam Control page you can see the status of F-Secure Spam Control, spam definition databases and the spam scanning statistics.

Figure 4-26 Summary / Spam Scanner Statistics page

Spam Control statistics

Version
Shows the version and build number of the F-Secure Spam Scanner.

Status
Shows the status of the F-Secure Spam Scanner. The possible statuses are:

Unknown or not installed - This status might be displayed right after installation when the product statistics are not yet updated, or if the F-Secure Spam Scanner is not installed.

Not loaded - This status is displayed when the F-Secure Content Scanner Server failed to load the scan engine for some reason. You should check the logfile.log for the reason of the failure. It might be, for example, that one or more database files are missing or corrupted.

Loaded but disabled - This status is displayed when the engine is loaded but disabled by the administrator. It means that the disabled scan engine will not be used on scanning. A scan engine should be disabled for troubleshooting purposes only.

Loaded and enabled - This status is normally shown for the scan engine. It means that the engine has been loaded and will be used for scanning.

Database version
Shows the version of the database currently used by the F-Secure Spam Scanner.

Last database update
Shows the date and time when the F-Secure Spam Scanner database was last updated.

Number of processed files
Shows the total number of files that have been analyzed for spam.

Total spam statistics table:

Confidence level rating
Shows the confidence levels used in the spam scanning. The scale used is from 1 to 9.

Number of messages
Shows the number of messages that have received a certain spam confidence level when scanned by F-Secure Spam Scanner.

Click Reset Statistics to reset the statistics in this window.

4.3.2 Database Updates

F-Secure Content Scanner Server can notify the administrator if it detects that virus and/or spam definition databases are outdated. You can change the notification and other database updates settings on the Updates page. For more information about virus definition database updates, see “Updating Virus and Spam Definition Databases”, 189.

Figure 4-27 Database Updates settings

Database updates

Verify integrity of downloaded databases
Specify whether the product verifies that the downloaded virus definition databases are the original databases published by F-Secure Corporation and that they have not been altered or corrupted in any way before taking them into use.

Notify when databases become old
Specify what kind of an alert F-Secure Content Scanner Server should send to the administrator when virus definition databases are not up-to-date.

Send informational alert - Send an informational alert to the administrator.

Send warning alert - Send a warning alert to the administrator.

Send security alert - Send a security alert to the administrator.

Do not notify - Do not send any notification to the administrator.

Notify when databases older than
Specify when virus definition databases are outdated. If databases are older than the specified amount of days, F-Secure Content Scanner Server sends an alert to the administrator.

4.3.3 Scan Engines

F-Secure Content Scanner Server uses multiple top quality scanning engines to ensure the highest possible detection rate and disinfection capability. You can view an overview of the engine statuses and updates on the Scan Engines page.

Figure 4-28 Virus Scanning page

Scan engines

Scan Engine
Displays the name of the scan engine.

Version
Displays the version number of the scan engine.

Database Date
Displays the date of the currently used virus definition database.

Last Updated
Displays the last date when the virus definition database was updated.

Properties

You can view the detailed statistics and statuses of the scan engines on the Scan Engines > Properties page.

Note that you have to scroll the page to view all the settings.

Figure 4-29 Scan Engines > Properties page

Scan engine

Number of processed files
Displays the number of files the selected scan engine has scanned.

Number of files found infected
Displays the number of infected files the selected scan engine has found.

Number of disinfected files
Displays the number of infected files the selected scan engine has successfully disinfected.

Database date
Displays the date of the currently used virus definition database for the selected scan engine.

Last database update
Displays the last date when the virus definition database was updated.

Last infection found
Displays the name of the latest infection that was found with the selected scan engine.

Last time infection found
Displays the date and time of the last infection.

Engine excluded extensions
Specify a space-separated list of file extensions excluded from scanning by the engine. You can also use wildcards: ‘?’ matches exactly one character, ‘*’ matches any number of characters, including zero (0) characters. For example: “PP?, PDF, X*”.

Click Reset Statistics to reset the statistics for a scan engine. Select the scan engine and click Enable to turn it on or Disable to turn it off.

Threat Detection

You can configure the virus outbreak and spam threat detection on the Scan Engines > Threat Detection page.

Figure 4-30 Scan Engines > Threat Detection page

Cache

VOD cache size
Specify the maximum number of patterns to cache for the virus outbreak detection service. By default, the cache size is 10000 cached patterns.

Class cache size
Specify the maximum number of patterns to cache for spam detection service. By default, the cache size is 10000 cached patterns.

Increasing cache sizes may increase the threat detection performance but it requires more disk space and may degrade the threat detection rate. Cache sizes can be disabled (set the size to 0) for troubleshooting purposes.

Advanced

Action on connection failure
Specify the action for messages when the threat detection center cannot be contacted and the threat detection engine cannot classify the message.

Pass through - The message is passed through without scanning it for spam.

Heuristic Scanning - F-Secure Content Scanner Server checks the message using spam heuristics.

Trusted networks
Specify networks and hosts in the mail relay network which can be trusted not to be operated by spammers and do not have open relays or open proxies.

Define the network as a network/netmask pair (10.1.0.0/255.255.0.0), with the network/nnn CIDR specification (10.1.0.0/16), or use ‘*’ wildcard to match any number and ‘-’ to define a range of numbers (172.16.*.1, 172.16.4.10-110).
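The following added example (not part of this guide and not F-Secure code) parses the four Trusted networks notations described above and audits a list before it is entered, so that an over-broad or malformed entry is noticed. The function names, the `max_hosts` limit and the rejection of entries with host bits set are assumptions of the example, not documented product behaviour.

```python
import ipaddress


def _octet(text):
    """Parse one decimal octet (0-255); reject anything else."""
    if not text.isdigit() or int(text) > 255:
        raise ValueError(f"bad octet {text!r}")
    return int(text)


def parse_trusted_entry(spec):
    """Parse one entry into an IPv4Network or a tuple of four (low, high) octet ranges."""
    spec = spec.strip()
    if "/" in spec:
        # Handles both 10.1.0.0/255.255.0.0 and 10.1.0.0/16.
        # strict=True rejects entries such as 10.1.2.3/16 (assumption: treat as a typo).
        return ipaddress.IPv4Network(spec, strict=True)
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    ranges = []
    for part in parts:
        if part == "*":                      # '*' matches any number
            low, high = 0, 255
        elif "-" in part:                    # '10-110' is an inclusive range
            low_text, high_text = part.split("-", 1)
            low, high = _octet(low_text), _octet(high_text)
        else:
            low = high = _octet(part)
        if low > high:
            raise ValueError(f"reversed range in {spec!r}")
        ranges.append((low, high))
    return tuple(ranges)


def entry_matches(entry, ip):
    """True if the dotted-quad address falls inside the parsed entry."""
    addr = ipaddress.IPv4Address(ip)
    if isinstance(entry, ipaddress.IPv4Network):
        return addr in entry
    return all(low <= octet <= high for (low, high), octet in zip(entry, addr.packed))


def entry_size(entry):
    """Number of addresses the entry trusts."""
    if isinstance(entry, ipaddress.IPv4Network):
        return entry.num_addresses
    size = 1
    for low, high in entry:
        size *= high - low + 1
    return size


def audit_trusted_networks(specs, max_hosts=65536):
    """Return (parsed_entries, findings); findings are (spec, 'invalid' | 'broad')."""
    parsed, findings = [], []
    for spec in specs:
        try:
            entry = parse_trusted_entry(spec)
        except ValueError:
            findings.append((spec, "invalid"))
            continue
        parsed.append(entry)
        if entry_size(entry) > max_hosts:    # hypothetical review limit
            findings.append((spec, "broad"))
    return parsed, findings


def is_trusted(ip, parsed_entries):
    """True if any parsed entry covers the relay address."""
    return any(entry_matches(entry, ip) for entry in parsed_entries)
```
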

4.3.4 Proxy Configuration

You can specify proxy server parameters that Content Scanner Server uses when it connects to the threat detection center on the Proxy Configuration page.

Figure 4-31 Proxy Configuration page

Proxy Configuration

Use proxy server
Specify whether F-Secure Content Scanner Server uses a proxy server when it connects to the threat detection center.

Proxy server address
Specify the address of the proxy server.

Proxy server port
Specify the port number of the proxy server.

Authentication method
Specify the authentication method to use to authenticate to the proxy server.

NoAuth - The proxy server does not require authentication.

Basic - The proxy uses the basic authentication scheme.

NTLM - The proxy uses the NTLM authentication scheme.

User name
Specify the user name for the proxy server authentication.

Password
Specify the password for the proxy server authentication.

Domain
Specify the domain name for the proxy server authentication.

4.3.5 Archive Scanning

F-Secure Content Scanner Server can scan files inside archives. You can change the archive scanning and other advanced settings in the Virus Scanning / Archive Scanning page.

Figure 4-32 Archive Scanning settings page

Virus scanning

Scan inside archives
Select whether F-Secure Content Scanner Server should scan files inside the archives for possible infections.

Max levels in nested archives
Set the number of levels of archives inside archives that F-Secure Content Scanner Server should scan. Note that nested archives can be used in denial-of-service attacks, so it is not recommended to set the maximum value very high.

Suspect max nested archives
Specify whether F-Secure Content Scanner Server should treat archives with more nested levels than you have set above as safe or unsafe.

Treat as safe - Archives are scanned to the specified level and allowed through if no infections are found.

Treat as unsafe - Archives with exceeding nested levels are always quarantined.

Suspect password protected archives
Password protected archives cannot be scanned. Select whether to treat them as safe or unsafe. As password protected archives cannot be inspected without knowing the password, the user who receives the password protected archive should have up-to-date virus protection on the workstation if they are treated as safe.

Treat as safe - Password protected archives are allowed to go through.

Treat as unsafe - Password protected archives are quarantined.

Acceptable unpacked size threshold
Specify the acceptable unpacked size (in kilobytes) for archive files. If the unpacked size of an archive file exceeds this threshold, the server will consider the archive suspicious and corresponding action will be taken.

Scan these extensions in archive files
Specify files that are scanned inside archives.

Click Modify to edit the list of extensions you want to scan inside archives.

Extensions allowed in password protected archives
Specify a space-separated list of the file extensions allowed in password protected archives. Wildcards (*, ?) can be used. Example: "DO? *ML".
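The following added example (not part of this guide and not F-Secure code) shows how the nesting limit, the password-protected setting and the unpacked size threshold described above interact when an archive is inspected. It handles ZIP archives only; the class and function names, the level numbering (the outermost archive is level 1), the verdict strings and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class ArchivePolicy:
    max_nested_levels: int = 3        # "Max levels in nested archives"
    too_deep_is_unsafe: bool = True   # "Suspect max nested archives"
    password_is_unsafe: bool = True   # "Suspect password protected archives"
    max_unpacked_kb: int = 1024       # "Acceptable unpacked size threshold"


@dataclass
class Findings:
    depth_exceeded: bool = False
    size_exceeded: bool = False
    unpacked_bytes: int = 0
    encrypted: list = field(default_factory=list)
    files_to_scan: list = field(default_factory=list)


def _walk(data, level, policy, found, prefix=""):
    limit = policy.max_unpacked_kb * 1024
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            if info.flag_bits & 0x1:          # bit 0: member is encrypted
                found.encrypted.append(name)
                continue
            # Check the declared size before unpacking anything.
            if found.unpacked_bytes + info.file_size > limit:
                found.size_exceeded = True
                return
            with archive.open(info) as member:
                # Bounded read: never pull more than the remaining budget into memory.
                body = member.read(limit - found.unpacked_bytes + 1)
            found.unpacked_bytes += len(body)
            if found.unpacked_bytes > limit:
                found.size_exceeded = True
                return
            if zipfile.is_zipfile(io.BytesIO(body)):
                if level >= policy.max_nested_levels:
                    # Too deep: do not open it, hand it over as an opaque file.
                    found.depth_exceeded = True
                    found.files_to_scan.append(name)
                    continue
                _walk(body, level + 1, policy, found, name + "/")
                if found.size_exceeded:
                    return
            else:
                found.files_to_scan.append(name)


def evaluate(data, policy):
    """Return (verdict, findings); verdict is 'scan', 'unsafe' or 'suspicious'."""
    found = Findings()
    _walk(data, 1, policy, found)
    if found.size_exceeded:
        return "suspicious", found
    if found.depth_exceeded and policy.too_deep_is_unsafe:
        return "unsafe", found
    if found.encrypted and policy.password_is_unsafe:
        return "unsafe", found
    return "scan", found


# --- constructed sample archives -------------------------------------------
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, body in members.items():
            archive.writestr(name, body)
    return buf.getvalue()


def nest(levels):
    """A text file wrapped in `levels` archives."""
    data = make_zip({"note.txt": b"constructed sample"})
    for i in range(levels - 1):
        data = make_zip({f"inner{i}.zip": data})
    return data


def mark_encrypted(data):
    """Set the encryption flag in the first central directory header (sample only)."""
    raw = bytearray(data)
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)
```

The 2 MiB run of zero bytes used in the test compresses to a few kilobytes, which is why the check is made against unpacked size rather than the size of the attachment.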

4.3.6 Advanced

You can change the Working Directory settings from the Advanced page. The Working directory specifies where temporary files are stored.

Figure 4-33 Advanced settings

Advanced

Working directory
Specify the working directory. Enter the complete path to the field or click Browse to browse to the path you want to set as the new working directory.

Working directory clean interval
Specify how often the working directory is cleaned of all files that may be left there. By default, files are cleaned every 30 minutes.

Free space threshold
Set the free space threshold of the working directory. F-Secure Content Scanner Server sends an alert to the administrator when the drive has less than the specified amount of space left.

Max number of concurrent transactions
Specify how many files F-Secure Content Scanner Server should process simultaneously.

Max scan timeout
Specify how long a scan task can be carried out before it is automatically cancelled.

Number of spam scanner instances
Specify the number of Spam Scanner instances to be created and used for spam analysis. As one instance of the spam scanner is capable of processing one mail message at a time, this setting defines how many messages will undergo spam analysis simultaneously. The default value is 3.

You might need to modify this setting if you enable Realtime Blackhole Lists (DNSBL/RBL) for spam filtering.

The server must be restarted after this setting has been changed.

IMPORTANT: Spam analysis is a processor-intensive operation and each spam scanner instance takes approximately 25MB of memory (process fsavsd.exe). Do not increase the number of instances unless the product is running on a powerful computer.

4.3.7 Interface

You can specify how F-Secure Content Scanner Server should interact with F-Secure Anti-Virus Agent for Microsoft Exchange.

Figure 4-34 Interface settings

Service connections

IP address
Specify the IP address that F-Secure Content Scanner Server listens to. If you do not assign any IP address (0.0.0.0), F-Secure Content Scanner Server responds to all connections.

TCP port
Specify the port number that F-Secure Content Scanner Server listens on for incoming connections. By default, the port number is 18971.

Accept connections
Specify the hosts that are allowed to connect to F-Secure Content Scanner Server. If you do not specify any clients, F-Secure Content Scanner Server accepts connections from all clients.

Limit max connections to
Specify the maximum number of simultaneous connections that F-Secure Content Scanner Server accepts. If you do not want to limit the number of connections, set the value to 0.

Limit max connections per host to
Specify the maximum number of simultaneous connections per client that F-Secure Content Scanner Server accepts. If you do not want to limit the number of connections per client, set the value to 0.

Send content timeout
Specify how long F-Secure Content Scanner Server tries to send data to a client before it stops sending it.

Receive content timeout
Specify how long F-Secure Content Scanner Server waits to receive data from a client before it stops listening.

Keep alive timeout
Specify how long F-Secure Content Scanner Server keeps an inactive connection open.

4.4 F-Secure Automatic Update Agent Settings

With F-Secure Automatic Update Agent, virus and spam definition database updates are retrieved automatically when they are published. When a new virus is found, F-Secure provides a new virus definition database update.

4.4.1 Summary

Status: Displays the current status of F-Secure Automatic Update Agent.

Version: Displays the version number of F-Secure Automatic Update Agent.

Channel name: Displays the channel from where the updates are downloaded.

Channel address: Displays the address of the Automatic Updates Server.

Latest installed update: Displays the version and name of the latest installed update.

Last check time: Displays the date and time when the last update check was done.

Last check result: Displays the result of the last update check.

Next check time: Displays the date and time for the next update check.

Last successful check time: Displays the date and time when the last successful update check was done.

Current HTTP proxy: Displays the address of the HTTP proxy that is currently used.

Downloads

Available Packages

Title: Displays the title of the downloaded package.

Download time: Displays the download date and time.

Size: Displays the size of the downloaded package.

Installed Packages

Title: Displays the title of the downloaded package.

Installation time: Displays the date and time when the update was installed.

Result: Displays the installation status.

4.4.2 Automatic Updates

You can configure the Download options on the Downloads page.

Updates

Enable automatic updates: Select whether automatic updates are enabled or disabled.

HTTP Settings

Internet connection checking: Use ‘Detect connection’, unless you experience problems with that setting. The options available are:

Assume always connected - Assume that the computer is always connected to the Internet.

Detect connections - Detect when the computer is connected to the Internet.

Detect traffic - Assume that there is an Internet connection when the product detects any traffic.

Use HTTP proxy: Select whether HTTP proxy should be used.

No - HTTP proxy is not used.

From browser settings - Use the same HTTP proxy settings as the web browser.

User defined - Define the HTTP proxy.

User defined proxy: Define the HTTP proxy address.

4.5 F-Secure Management Agent Settings

F-Secure Management Agent enforces the security policies set by the administrator. It handles all management functions on the local workstations, provides a common interface for all F-Secure applications, and operates within the policy-based management infrastructure.

You can access F-Secure Management Agent settings from F-Secure Anti-Virus for Microsoft Exchange Web Console Home page by clicking the Configure... button in the F-Secure Management Agent section.

Note that you may have to scroll the page to view all the settings.

Figure 4-35 F-Secure Management Agent Configuration page

Status: The Status section displays detailed information on the host, for example the DNS and WINS names and the IP address. In addition, it displays the date and time when the policy file that is currently in use was issued and the date and time when the host connected to the server last time.

Advanced

Maximum size of F-Secure log file: Specify the maximum size for F-Secure log file. The default value is 5000 KB.

5 QUARANTINE MANAGEMENT

Introduction
Configuring Quarantine Options
Searching the Quarantined Content
Query Results Page
Viewing Details of a Quarantined Message
Reprocessing the Quarantined Content
Releasing the Quarantined Content
Removing the Quarantined Content
Deleting Old Quarantined Content Automatically
Quarantine Logging
Quarantine Statistics
Moving the Quarantine Storage

5.1 Introduction

You can manage and search quarantined mails with the F-Secure Anti-Virus for Microsoft Exchange Web Console. You can search for quarantined content by using different search criteria, including the quarantine ID, recipient and sender address, the time period during which the message was quarantined, and so on. You can reprocess and delete messages, and specify storage and automatic deletion times based on the reason for quarantining the message.

If you have multiple F-Secure Anti-Virus for Microsoft Exchange installations, you can manage the quarantined content on all of them from one single F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information, see “Performance-Critical Installation”, 24 and “Microsoft Exchange Cluster Environment”, 28.

The quarantine consists of:

• Quarantine database
• Quarantine storage.

Quarantine Database

The quarantine database contains information about the quarantined messages. If there are several F-Secure Anti-Virus for Microsoft Exchange installations in the network, they can either have their own quarantine databases, or they can use a common quarantine database. An SQL database server is required for the quarantine database. The following SQL databases can be used for storing information about the quarantined content:

• Microsoft SQL Server 2000 Desktop Engine (MSDE)
• Microsoft SQL Server 2000
• Microsoft SQL Server 2005

MSDE is delivered together with the product. If you want to use another database (Microsoft SQL Server 2000), you must buy it and get your own license before you start to deploy F-Secure Anti-Virus for Microsoft Exchange.

For more information on the SQL servers recommended for different environments, see “Which SQL Server to Use for the Quarantine Database?”, 20.

Quarantine Storage

The quarantine storage where the quarantined messages are stored is located on the server where F-Secure Anti-Virus for Microsoft Exchange is installed. If there are several F-Secure Anti-Virus for Microsoft Exchange installations in the network, they all have their own storages. The storages are accessible from a single F-Secure Anti-Virus for Microsoft Exchange Web Console.

Quarantine Reasons

The quarantine storage can store:

• Messages and attachments that are infected and cannot be automatically disinfected. (Infected)
• Suspicious content, for example password-protected archives, nested archives and malformed messages. (Suspicious)
• Messages and attachments that have been blocked by their filename or filename extension. (Disallowed)
• Messages that are considered spam. (Spam)
• Files that could not be scanned, for example severely corrupted files. (Scan failure)
• Messages that have been identified as unsafe; messages that contain patterns that can be assumed to be a part of a spam or virus outbreak. (Unsafe)

5.2 Configuring Quarantine Options

All the quarantine settings can be configured on the Quarantine page in F-Secure Anti-Virus for Microsoft Exchange Web Console. For more information on the settings, see “Quarantine”, 111.

5.3 Searching the Quarantined Content

You can search the quarantined content on the F-Secure Anti-Virus for Microsoft Exchange > Quarantine page in the Web Console.

Figure 5-1 Quarantine query options

You can use the following search criteria:

Quarantine ID: Enter the quarantine ID of a quarantined message. The quarantine ID is displayed in the notification sent to the user about the quarantined message.

Object type: Select the type of the quarantined content.

Attachment - Search for quarantined attachments. You can also specify the Name of the attachment and the Location of the mailbox or public folder where the quarantined attachment was found.

Mail - Search for quarantined mails. You can also specify the Message ID and the Sender host of the quarantined mail.

Mails and attachments - Search for both quarantined mails and attachments.

Reason: Select the quarantining reason from the drop-down menu. For more information, see “Quarantine Reasons”, 162.

Reason details: Specify details about the scanning or processing results that caused the message to be quarantined. For example:

The message is classified as spam - the field displays the spam confidence level rating and a list of spam tests that triggered the spam level.

The message is infected - the field displays the name of the infection found.

Sender: Enter the e-mail sender address. You can only search for one address at a time, but you can widen the search by using the wildcards.

Recipients: Enter the e-mail recipient address.

Subject: Enter the message subject to be used as search criteria.

Show only: You can use this option to view the current status of messages that you have set to be reprocessed, released or deleted. Because processing a large number of e-mails may take time, you can use this option to monitor how the operation is progressing.

The options available are:

Unprocessed e-mails - Displays only e-mails that the administrator has not set to be released, reprocessed or deleted.

E-mails to be released - Displays only e-mails that are currently set to be released, but have not been released yet.

E-mails to be reprocessed - Displays only e-mails that are currently set to be reprocessed, but have not been reprocessed yet.

E-mails to be reprocessed and released - Displays e-mails that are currently set to be reprocessed or released, but have not been reprocessed or released yet.

Search period: Select the time period when the data has been quarantined. Select Exact start and end dates to specify the date and time (year, month, day, hour, minute) when the data has been quarantined.

Sort Results: Specify how the search results are sorted by selecting one of the options in the Sort Results by: drop-down menu: based on Date, Sender, Recipients, Subject or Reason.

Display: Select how many items you want to view per page.

Click Query to start the search. The Quarantine Query Results page is displayed once the query is completed. If you want to clear all the fields on the Query page, click Reset.

Using Wildcards

You can use the following SQL wildcards in the quarantine queries:

Wildcard         Explanation
%                Any string of zero or more characters.
_ (underscore)   Any single character.
[ ]              Any single character within the specified range ([a-f]) or set ([abcdef]).
[^]              Any single character not within the specified range ([^a-f]) or set ([^abcdef]).

If you want to search for '%', '_' and '[' as regular symbols in one of the fields, you must enclose them in square brackets: '[%]', '[_]', '[[]'
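The escaping rule above, as an added example in Python (not part of this guide or of the product): escape_literal brackets '%', '_' and '[' so a value can be entered in a query field as literal text, and like_matches emulates the four wildcards against constructed sender addresses. Case-insensitive matching is an assumption here; the real behaviour depends on the collation of the quarantine database.

```python
import re

# The three characters the guide says must be bracketed to be searched literally.
_ESCAPES = {"%": "[%]", "_": "[_]", "[": "[[]"}


def escape_literal(text):
    """Return text with '%', '_' and '[' bracketed so they match themselves."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def _char_class(body):
    """Convert the inside of [...] or [^...] into a regex character class."""
    negate = body.startswith("^")
    members = body[1:] if negate else body
    # Keep '-' unescaped so ranges such as a-f still work; escape the rest.
    inner = "".join(ch if ch == "-" else re.escape(ch) for ch in members)
    return "[" + ("^" if negate else "") + inner + "]"


def like_to_regex(pattern):
    """Translate a pattern using %, _, [ ] and [^] into a compiled regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            parts.append(".*")          # any string of zero or more characters
        elif ch == "_":
            parts.append(".")           # any single character
        elif ch == "[":
            end = pattern.find("]", i + 1)
            body = pattern[i + 1:end] if end != -1 else ""
            if body not in ("", "^"):
                parts.append(_char_class(body))
                i = end + 1
                continue
            parts.append(re.escape(ch))  # unterminated or empty set: literal '['
        else:
            parts.append(re.escape(ch))
        i += 1
    # Assumption: case-insensitive comparison (depends on database collation).
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def like_matches(pattern, value):
    """True if the whole value matches the wildcard pattern."""
    return like_to_regex(pattern).fullmatch(value) is not None


def search(pattern, values):
    """Return the values that a query field containing pattern would select."""
    return [v for v in values if like_matches(pattern, v)]


# Constructed sender addresses, for illustration only.
SENDERS = [
    "john_smith@example.com",
    "johnXsmith@example.com",
    "sales@example.org",
    "50%off@promo.example",
]

if __name__ == "__main__":
    # Unescaped '_' is a wildcard, so it also selects johnXsmith.
    print(search("john_smith@%", SENDERS))
    # Bracketed, it selects only the address with a real underscore.
    print(search(escape_literal("john_smith") + "@%", SENDERS))
    # Finding addresses that contain a literal percent sign.
    print(search("%" + escape_literal("%") + "%", SENDERS))
```
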

5.4 Query Results Page

Figure 5-2 Quarantine Query Results Page

The Quarantine Query Results page displays a list of mails and attachments that were found in the query. To view detailed information about quarantined content, click the Quarantine ID (QID) number link in the QID column. For more information, see “Viewing Details of a Quarantined Message”, 169.

The Query Results page displays status icons of the content that was found in the search. The icons indicate the following e-mail statuses:

• Quarantined e-mail. The administrator has not specified any actions to be taken on this e-mail.
• Quarantined e-mail with attachments. The administrator has not specified any actions to be taken on this e-mail.
• Quarantined e-mail that the administrator has set to be released. The release operation has not been completed yet.
• Quarantined e-mail that the administrator has set to be reprocessed. The reprocessing operation has not been completed yet.
• Quarantined e-mail that the administrator has set to be deleted. The deletion operation has not been completed yet.
• Quarantined e-mail set to be released, which failed.
• Quarantined e-mail set to be reprocessed, which failed.

Quarantined Mail Operations

You can select an operation to perform on the messages that were found in the query:

• Click Reprocess to scan the currently selected e-mail again, or click Reprocess All to scan all e-mail messages that were found. For more information, see “Reprocessing the Quarantined Content”, 171.
• Click Release to deliver the currently selected e-mail without further processing, or click Release All to deliver all e-mail messages that were found. For more information, see “Releasing the Quarantined Content”, 172.

  WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.

• Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see “Removing the Quarantined Content”, 174.

Quarantined Attachment Operations

You can select an operation to perform on the attachments that were found in the query:

• Click Send to deliver the currently selected attachment without further processing, or click Send All to deliver all attachments that were found. For more information, see “Releasing the Quarantined Content”, 172.

  WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.

• Click Delete to delete the currently selected e-mail from the quarantine, or click Delete All to delete all e-mail messages that were found. For more information, see “Removing the Quarantined Content”, 174.

5.5 Viewing Details of a Quarantined Message

To view the details of a quarantined message, do the following:

1. On the Query Search Results page, click the Quarantine ID (QID) number link in the QID column.
2. The Quarantined Content Details page opens.

Figure 5-3 Quarantined Content Details page

The Quarantined Content Details page displays the following information about the quarantined mails:

• QID - Quarantine ID.
• Submit date - The date and time when the item was placed in the quarantine.
• Processing server - The F-Secure Anti-Virus for Microsoft Exchange server that processed the message.
• Sender - The address of the message sender.
• Recipients - The addresses of all the message recipients.
• Sender host - The address of the sender mail server or client.
• Subject - The message subject.
• Message size - The size of the quarantined message.
• Quarantine reason - The reason why the content was quarantined.

Click the Show... link to access the content of the quarantined message.

Click Download to download the quarantined message to your computer to check it.

WARNING: In many countries, it is illegal to read other people’s messages.

The Quarantined Content Details page displays the following information about the quarantined attachments:

• QID - Quarantine ID.
• Submit date - The date and time when the item was placed in the quarantine.
• Sender - The address of the attachment sender.
• Recipients - The addresses of all the attachment recipients.
• Location - The location of the mailbox or public folder where the quarantined attachment was found.
• Subject - The message subject.
• Attachment name - The name of the attachment.
• Attachment size - The size of the attachment file.
• Quarantine reason - The reason why the content was quarantined.

Click Download to download the quarantined attachment to your computer to check it.

WARNING: In many countries, it is illegal to read other people’s messages.

5.6 Reprocessing the Quarantined Content

When quarantined content is reprocessed, it is scanned again, and if it is found clean, it is sent to the intended recipients. For example, if some content was placed in the quarantine because of an error situation, you can use the time period when the error occurred as search criteria, and then reprocess the content. This is done as follows:

1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the Quarantine page.
2. Select the start and end dates and times of the quarantining period from the Start time: and End Time: drop-down menus.
3. If you want to specify how the search results are sorted, select the sorting criteria and order from the Sort results by: and order: drop-down menus.
4. Select the number of items to be displayed on a results page from the Display: drop-down menu.
5. Click the Query button.
6. When the query is finished, the query results page is displayed. Click the Reprocess All button to reprocess the displayed quarantined content.
7. The e-mails that have been reprocessed and found clean are delivered to the intended recipients. They are also automatically deleted from the quarantine.

The progress of the reprocessing operation is displayed in the Web Console.

5.7 Releasing the Quarantined Content

When quarantined content is released, it is sent to the intended recipients without any further processing. You might need to do this, for example, to deliver a password-protected archive from the quarantine to the recipient. In the example below the quarantined message is searched for by using the Quarantine ID as the search criteria. The Quarantine ID is included in the notification message delivered to the user.

WARNING: Releasing quarantined content entails a security risk, because the content is delivered to the recipient without being scanned.

If you need to release a quarantined message, it is done as follows:

1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the Quarantine page.
2. Enter the Quarantine ID of the message in the Quarantine ID field.
3. Click Query.
4. When the query is finished, the query results page is displayed. Click the Release button to release the displayed quarantined content. The Release Quarantined Content dialog opens.
5. Specify whether you want to release the content to the original recipient or specify an address where the content is to be forwarded.

   It may not be legal to forward the e-mail to anybody else than the original recipient.

6. Specify what happens to the quarantined content after it has been released by selecting one of the Action after release options:
   • Leave in the quarantine
   • Delete from quarantine
7. Click Release. The content is now delivered to the recipient.

5.8 Removing the Quarantined Content

Quarantined messages are removed from the quarantine based on the currently configured quarantine retention and cleanup settings. For an example on how to configure those settings, see “Deleting Old Quarantined Content Automatically”, 174.

If you want to remove a large amount of quarantined messages at once, for example all the messages that have been categorized as spam, do the following:

1. Select the F-Secure Anti-Virus for Microsoft Exchange tab and the Quarantine page in the Web Console.
2. Select the quarantining reason, Spam, from the Reason: drop-down menu.
3. Click Query.
4. When the query is finished, the query results page displays all quarantined messages that have been classified as spam. Click the Delete All button to delete all the displayed quarantined content.
5. You are prompted to confirm the deletion. Click OK. The content is now removed from the quarantine.

5.9 Deleting Old Quarantined Content Automatically

Quarantined content is deleted automatically based on the Quarantine Retention and Cleanup settings on the Quarantine > Options page. By default all types of quarantined content are stored in quarantine for one month, and quarantine clean-up task is executed once an hour.

You can specify exceptions to the default retention and clean-up times in the Exceptions table. These exceptions are based on the quarantine category. If you want, for example, to have infected messages deleted sooner, you can specify an exception rule for them as follows:

1. Go to the Quarantine > Options page.
2. Click the Add button below the Exceptions table. A new row is added in the table.
3. Select the category for which you want to specify the exception, for example Infected, from the Quarantine Category drop-down menu.
4. Specify a retention period that is shorter than the default value, for example 1 day, in the Retention Period column.
5. Specify a cleanup interval that is shorter than the default value, for example 30 minutes, in the Cleanup Interval column.
6. Enable the exception you just created by selecting the Enabled check box.
7. Click Apply.

5.10 Quarantine Logging

To view the Quarantine Log, open the F-Secure Anti-Virus for Microsoft Exchange tab in the Web Console, and go to the Quarantine page. Then click the Show Log File button.

5.11 Quarantine Statistics

The Quarantine statistics page displays the number of quarantined items in each quarantine category, and the total size of the quarantine.

Figure 5-4 Quarantine > Statistics page

E-mail messages and infected, suspicious and disallowed attachments are stored and counted as separate items in the quarantine storage. For example, if a message has three attachments and only one of them has been found infected, two items will be created in the quarantine storage. These items still have the same quarantine ID in the quarantine database.

5.12 Moving the Quarantine Storage

When you want to change the Quarantine storage location, note that the product does not create the new directory automatically. Before you change the Quarantine storage directory, make sure that the directory exists and it has proper security permissions.

You can use the xcopy command to create and change the Quarantine storage directory by copying the existing directory with the current ownership and ACL information. In the following example, the Quarantine storage is moved from C:\Program Files\F-Secure\Quarantine Manager\quarantine to D:\Quarantine:

1. Stop F-Secure Quarantine Manager service to prevent any quarantine operations while you move the location of the Quarantine storage. Run the following command from the command prompt:

   net stop "F-Secure Quarantine Manager"

2. Run the following command from the command prompt to copy the current content to the new location:

   xcopy "C:\Program Files\F-Secure\Quarantine Manager\quarantine" D:\Quarantine\ /O /X /E

   Note the use of backslashes in the source and destination directory paths.

3. Change the path for FSMSEQS$ shared folder. If the product is installed in the local quarantine management mode, you can skip this step.

   To change the FSMSEQS$ path, follow these steps:

   a. Open Windows Control Panel > Administrative Tools > Computer Management.
   b. Open System Tools > Shared Folders > Shares and find FSMSEQS$ there.
   c. Right-click FSMSEQS$ and select Stop Sharing. Confirm that you want to stop sharing FSMSEQS$.
   d. Right-click FSMSEQS$ again and select New Share.
   e. Follow Share a Folder Wizard instructions to create FSMSEQS$ shared folder.
      i. Specify the new directory (in this example, D:\Quarantine) as the folder path, FSMSEQS$ as the share name and F-Secure Quarantine Storage as the description.
      ii. On the Permissions page, select Administrators have full access; other users have read-only access. Note that the Quarantine storage has file/directory security permissions set only for the SYSTEM and Administrators group.
   f. Click Finish.

4. Change the location of the Quarantine storage (Anti-Virus for Microsoft Exchange > Quarantine > Options > Quarantine Storage).
5. Make sure that the product has received new settings.
6. Restart F-Secure Quarantine Manager service. Run the following command from the command prompt:

   net start "F-Secure Quarantine Manager"

For more information about the xcopy command and options, refer to MS Windows Help and Support.

6 ADMINISTERING F-SECURE SPAM CONTROL

Overview
Spam Control Settings in Centrally Managed Environments
Spam Control Settings in Web Console
Realtime Blackhole List Configuration

6.1 Overview

When F-Secure Spam Control is enabled, incoming messages that are considered spam are marked automatically by adding an X-header with the spam flag or predefined text in the message header. The end users can then create filtering rules that direct the messages marked with the spam flag header into a junk mail folder. F-Secure Spam Control databases can be updated with F-Secure Automatic Update Agent. Database updates are digitally signed for maximum security, and you can use only these updates for updating the F-Secure Spam Control spam definition databases.

F-Secure Spam Control databases are needed for the heuristic spam scanning only.

In Microsoft Exchange 2003 environment, the Microsoft Exchange server can move messages to the Junk mail folder based on the spam confidence level value. This feature is available immediately after the product has been installed, if the end user has activated this functionality. For more information about how to configure this functionality at the end user’s computer, see the Microsoft Outlook 2003 or Microsoft Outlook Web Access online help.

6.2 Spam Control Settings in Web Console

You can configure the spam control settings on the Spam Control page of the F-Secure Anti-Virus for Microsoft Exchange Web Console.

Figure 6-1 Spam Control settings in a locally managed environment

Check messages for spam: Specify whether inbound mails should be scanned for spam.

Realtime Blackhole List (RBL) spam filtering is not enabled by default even if you enable spam filtering from the settings. For information on configuring Realtime Blackhole Lists, see “Realtime Blackhole List Configuration”, 185.

Enable heuristic spam analysis: Specify whether heuristic spam analysis is used to filter inbound mails for spam.

When the heuristic spam analysis is enabled, all messages that the threat detection engine does not classify as spam are further analyzed for spam.

When the heuristic spam analysis is disabled, only the threat detection engine scans inbound mails for spam.

Heuristic spam analysis slows down the performance but improves the spam detection rate.

Spam filtering level: Specify the spam filtering level. Decreasing the level allows less spam to pass, but more regular mails may be falsely identified as spam. Increasing the level allows more spam to pass, but a smaller number of regular e-mail messages are falsely identified as spam.

For example, if the spam filtering level is set to 3, more spam is filtered, but also more regular mails may be falsely identified as spam. If the spam filtering level is set to 7, more spam will pass undetected, but a smaller number of regular mails will be falsely identified as spam.

The allowed values are from 1 to 9.

The spam levels are determined by calculating points for each e-mail. The spam scanning involves a large number of different rules, which give each e-mail different points depending on the mail content and header information. These points are then calculated to a number between 1 and 9, which defines the likelihood of the message being spam.

Action on spam message: Specify the action to take with a message considered spam.

Let message pass through - The product allows the message to pass through.

Quarantine message - The product places the message into the quarantine folder.

Drop message - The message is deleted.

Add X-Header with Spam flag: Specifies if the spam flag will be added to the mail as an X-Spam-Flag header in the following format:

X-Spam-Flag:

where is either "YES" or "NO".

YES - the mail is considered spam.

NO - the mail is not considered spam.

Example: X-Spam-Flag: YES

Add X-Header with summary: Specify if the summary of triggered hits will be added to the mail as X-Spam-Status header in the following format:

X-Spam-Status: , hits= required= tests=

where
• is Yes or No,
• is the spam confidence rating returned by the spam scanner,
• is the current spam filtering level,
• is the comma-separated list of tests run against the mail.

Example:

X-Spam-Status: Yes, hits=8 required=5 tests=DATE_IN_FUTURE_03_06, DATE_SPAMWARE_Y2K,FORGED_MUA_THEBAT_BOUN, MISSING_MIMEOLE,MISSING_OUTLOOK_NAME

Add this text to spam message subject: Specify the text that will be added in the beginning of the subject of an e-mail considered spam.

Maximum message size to process for spam: Specify the maximum size of mail messages to be scanned for spam. If the size of a mail message exceeds the specified maximum size, spam filtering for this mail will be omitted. Since all spam messages are relatively small in size, it is recommended to use the default value.

6.3 Realtime Blackhole List Configuration

This section describes how to enable and disable Realtime Blackhole Lists, how to optimize F-Secure Spam Control performance, and how to specify blocked and safe recipients and senders by using black- and whitelisting.

6.3.1 Enabling Realtime Blackhole Lists

The product supports DNS Blackhole List (DNSBL), also known as Realtime Blackhole List (RBL), functionality in spam filtering. The functionality is disabled by default.

To enable DNSBL/RBL:

1. Make sure you have a working DNS server configured in Windows Server networking. The primary DNS server should be configured to allow recursive DNS queries. DNS protocol is used to make the DNSBL/RBL queries.
2. Make sure you do not have a firewall preventing DNS access from the host where F-Secure Spam Control is running.
3. Test the DNS functionality by running the nslookup command at command prompt on the host running F-Secure Spam Control. An example:

   C:\>nslookup 2.0.0.127.sbl-xbl.spamhaus.org.
   Server:
   Address:

   Non-authoritative answer:
   Name: 2.0.0.127.sbl-xbl.spamhaus.org
   Addresses: 127.0.0.2, 127.0.0.4, 127.0.0.6

4. If the test is successful, continue with these instructions. If the test is not successful, you should double-check your DNS and firewall configuration.
5. Find the sample configuration file fssc_example.cfg in F-Secure Spam Control installation directory:

   \Spam Control\fssc_example.cfg

6. Copy the file to the same directory with the name fssc.cfg
7. Open fssc.cfg in a text editor (like Windows Notepad).
8. The configuration file has instructions inside. For typical use, you can leave the settings like they are. However, it is recommended to configure at least the trusted_networks setting to identify the public IP address(es) of your network. For more information, see the instructions in fssc_example.cfg.
9. When the configuration file is ready, restart F-Secure Content Scanner Server through F-Secure Anti-Virus for Microsoft Exchange Web Console.

To verify that DNSBL/RBL is working correctly:

1. If DNSBL/RBL is operating correctly, you should see headers of this kind in messages classified as spam:

   X-Spam-Status: YES, database-version=2005-04-06_1 hits=9 required=5 tests=RCVD_IN_DSBL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL

   Tests like RCVD_IN_DSBL, RCVD_IN_NJABL, RCVD_IN_SORBS, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_XBL indicate that DNSBL/RBL was successfully used to classify the mail.

2. If DNS functionality is not operating correctly, you may see a significant decrease in the product throughput. In that case, disable the DNSBL/RBL functionality by changing the dns_available setting in fssc.cfg to:

   dns_available no

   and restarting F-Secure Content Scanner Server through F-Secure Anti-Virus for Microsoft Exchange Web Console.

You can force F-Secure Spam Control to use a specific DNS server (not necessarily configured in Microsoft Windows networking) by adding a new system environment variable as described in the instructions below. However, this should be needed only in troubleshooting situations. Normally it is best to use the Windows networking settings.

To force F-Secure Spam Control to use a specific DNS server, do the following:

1. Right-click the My Computer icon and select Properties.
2. Select Advanced and click the Environment Variables... button.
3. In the System variables panel click New...
4. In the New System Variable dialog specify the new variable as follows:
   Variable Name: RES_NAMESERVERS
   Variable Value:
5. Click OK.
6. Restart the computer to take the new system environment variable into use.
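The header check from the DNSBL/RBL verification steps above can be run over a batch of saved messages instead of reading headers one by one. The following Python sketch is an added example, not part of F-Secure Spam Control; the sample messages are constructed, and the test name EXAMPLE_CONTENT_RULE and the layout of a non-spam X-Spam-Status value are assumptions.

```python
"""Check saved messages for DNSBL/RBL test names in X-Spam-Status headers."""
import re
from email import message_from_string

# Test-name prefixes the guide lists as evidence that DNSBL/RBL lookups ran.
DNSBL_PREFIXES = (
    "RCVD_IN_DSBL", "RCVD_IN_NJABL", "RCVD_IN_SORBS",
    "RCVD_IN_BL_SPAMCOP_NET", "RCVD_IN_XBL",
)

# Constructed sample messages. The first header is the one shown in the guide;
# the rule name in the second and the "NO" layout in the third are assumptions.
SAMPLE_MESSAGES = [
    "Subject: offer\n"
    "X-Spam-Status: YES, database-version=2005-04-06_1 hits=9 required=5\n"
    " tests=RCVD_IN_DSBL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL\n\nbody\n",
    "Subject: prize\n"
    "X-Spam-Status: YES, database-version=2005-04-06_1 hits=6 required=5"
    " tests=EXAMPLE_CONTENT_RULE\n\nbody\n",
    "Subject: minutes\n"
    "X-Spam-Status: NO, database-version=2005-04-06_1 hits=1 required=5"
    " tests=\n\nbody\n",
    "Subject: forged\n"
    "X-Spam-Status: NO, hits=0 required=5 tests=\n"
    "X-Spam-Status: YES, database-version=2005-04-06_1 hits=8 required=5"
    " tests=RCVD_IN_XBL\n\nbody\n",
    "Subject: unscanned\n\nbody\n",
]


def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, key=value fields and tests."""
    value = " ".join(value.split())            # undo header folding
    verdict, _, rest = value.partition(",")
    head, _, tests = rest.partition("tests=")  # the test list runs to the end
    return {
        "spam": verdict.strip().upper() == "YES",
        "fields": dict(re.findall(r"([\w-]+)=(\S+)", head)),
        "tests": [t.strip() for t in tests.split(",") if t.strip()],
    }


def dnsbl_tests(parsed):
    """Return the tests in a parsed header that come from DNSBL/RBL lookups."""
    return [t for t in parsed["tests"] if t.startswith(DNSBL_PREFIXES)]


def summarize(raw_messages):
    """Count spam verdicts and how many of them carry DNSBL/RBL test names."""
    summary = {"messages": 0, "unscored": 0, "ambiguous": 0,
               "spam": 0, "spam_with_dnsbl": 0}
    for raw in raw_messages:
        summary["messages"] += 1
        headers = message_from_string(raw).get_all("X-Spam-Status", [])
        if not headers:
            summary["unscored"] += 1
        elif len(headers) > 1:
            # A sender can pre-insert its own copy of the header, so do not
            # guess which one the scanner wrote; count the message separately.
            summary["ambiguous"] += 1
        else:
            parsed = parse_spam_status(headers[0])
            if parsed["spam"]:
                summary["spam"] += 1
                if dnsbl_tests(parsed):
                    summary["spam_with_dnsbl"] += 1
    # Spam verdicts without any DNSBL/RBL test name are the cue to re-check
    # DNS, the firewall and the dns_available setting in fssc.cfg.
    summary["dnsbl_seen"] = summary["spam_with_dnsbl"] > 0
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```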

6.3.2 Optimizing F-Secure Spam Control Performance

Due to the nature of DNSBL/RBL, processing time for each mail increases when DNS queries are made. If needed, the performance can be improved by increasing the number of mails being processed concurrently by F-Secure Spam Control. By default, the product processes a maximum of three e-mails at the same time, because there can be three Spam Scanner engine instances running simultaneously. The number of Spam Scanner instances can be controlled by using a command-line switch for F-Secure Content Scanner Server:

   fsavsd.exe --spam-scanner-instances=x

where x is the value you want to take into use. For example, to change the value to 5, so that a maximum of five mails can be processed at the same time, type:

   C:\Program Files\F-Secure\Content Scanner Server> fsavsd.exe --spam-scanner-instances=5

   F-Secure Content Scanner Server Daemon, 6.42.162
   Copyright (c) 1998-2005 F-Secure Corporation

   'spam-scanner-instances' (oid=1.3.6.1.4.1.2213.18.1.35.500) has been set to 5.
   To take the new setting into use, restart F-Secure Content Scanner Server.

IMPORTANT: Each additional instance of the Spam Scanner takes approximately 25Mb of memory (process fsavsd.exe). Typically you should not need more than 5 instances.

7 UPDATING VIRUS AND SPAM DEFINITION DATABASES

Overview
Automatic Updates with F-Secure Automatic Update Agent
Configuring Automatic Updates
Manual Updates

7.1 Overview

It is of the utmost importance that virus definition databases are kept up-to-date. F-Secure Anti-Virus for Microsoft Exchange takes care of this task automatically. This section describes how the automatic updates work, how you can configure them and how you can update the virus definitions manually. Information about the latest virus database update can be found at: http://www.F-Secure.com/download-purchase/updates.shtml

7.2 Automatic Updates with F-Secure Automatic Update Agent

With F-Secure Automatic Update Agent, virus and spam definition database updates are retrieved automatically when they are published. When a new virus is found, F-Secure provides a new virus definition database update. F-Secure Automatic Update Agent uses HTTP protocol to fetch this update. Virus and spam definition updates are digitally signed for maximum security. You may install and use F-Secure Automatic Update Agent in conjunction with licensed F-Secure's antivirus and security products. F-Secure Automatic Update Agent shall be used only for receiving updates and related information on F-Secure's antivirus and security products. F-Secure Automatic Update Agent may not be used for any other purpose or service.

7.3 Configuring Automatic Updates

F-Secure Automatic Update Agent user interface provides information about downloaded virus and spam definition updates. To access the F-Secure Automatic Update Agent user interface, open the F-Secure Anti-Virus for Microsoft Exchange Web Console, and select the F-Secure Automatic Update Agent tab. For more information, see “F-Secure Automatic Update Agent Settings”.

7.4 Manual Updates

If you do not want to use F-Secure Automatic Update Agent to automatically update your virus definition database, you can do it manually with a program called FSUPDATE or by downloading the LATEST.ZIP file.

7.4.1 Using FSUPDATE

FSUPDATE is a program that automatically updates the virus definition database. FSUPDATE can be downloaded from: http://www.f-secure.com/download-purchase/updates.shtml

Run FSUPDATE.exe on the computer where you installed F-Secure Content Scanner Server. The update process takes approximately one minute.

APPENDIX A: Variables in Warning Messages

List of Variables
Outbreak Management Alert Variables

List of Variables

The following table lists the variables that can be included in the warning and informational messages sent by the product if an infection is found or content is blocked. If both stripping and scanning are allowed and the Agent found both types of disallowed content (infected and to be stripped) in an e-mail message, a warning message will be sent to the end-user instead of an informational one, if it is required. These variables will be dynamically replaced by their actual names. If an actual name is not present, the corresponding variable will be replaced with [Unknown].

Variable            Description
$ANTI-VIRUS-SERVER  The DNS/WINS name or IP address of F-Secure Anti-Virus for Microsoft Exchange.
$CSS-NAME           The DNS/WINS name or IP address of F-Secure Content Scanner Server.
$NAME-OF-SENDER     The e-mail address where the original content comes from.
$NAME-OF-RECIPIENT  The e-mail addresses where the original content is sent.
$SUBJECT            The original e-mail message subject.
$REPORT-BEGIN       Marks the beginning of the scan report. This variable does not appear in the warning message.
$REPORT-END         Marks the end of the scan report. This variable does not appear in the warning message.

When using Microsoft Outlook Web Access and Microsoft Internet Explorer, the $NAME-OF-RECIPIENT variable may contain an incorrect value when posting messages to protected public folders.

The following table lists variables that can be included in the scan report, in other words the variables that can be used in the warning message between $REPORT-BEGIN and $REPORT-END.

Variable            Description
$AFFECTED-FILENAME  The name of the original file or attachment.
$AFFECTED-FILESIZE  The size of the original file or attachment.
$THREAT             The name of the threat that was found in the content. For example, it can contain the name of the found infection, etc.
$TAKEN-ACTION       The action that was taken to remove the threat. These include the following: dropped, disinfected, etc.
$QUARANTINE-ID      The identification number of the quarantined attachment or file.

Outbreak Management Alert Variables

$INTERVAL-TIME     Detection interval in minutes.
$INTERVAL-MINUTES  Detection interval in minutes.
$INFECTIONS-LIMIT  Outbreak limit of infections within detection interval.
$INFECTIONS-FOUND  Actual number of infections found within the detection interval.

APPENDIX B: Services and Processes

F-Secure Anti-Virus for Microsoft Exchange
F-Secure Content Scanner Server
F-Secure Anti-Virus for Microsoft Exchange Web Console
F-Secure Management Agent (FSMA)
F-Secure Automatic Updates Agent

The following tables list the services and processes that are running on the system after the installation.

F-Secure Anti-Virus for Microsoft Exchange

Service                                     Process       Description
F-Secure Anti-Virus for Microsoft Exchange  fshkmngr.exe  The F-Secure Hook Manager is a central component of F-Secure Anti-Virus for Microsoft Exchange and it is used to get the whole system up and running.
                                            fswbsthk.exe  The F-Secure Web Storage Hook processes mail in mailboxes and public folders, as well as composes and sends warning and notification messages to end users.
                                            fsstrods.exe  The F-Secure Web Storage On-Demand Scanner performs manual and scheduled operations under mailboxes and public folders.
F-Secure Outbreak Manager                   fsobmngr.exe  The Outbreak Manager reacts on a virus outbreak by sending an alert, a notification e-mail message and running a specified program or a script.

F-Secure Content Scanner Server

Service                                 Process     Description
F-Secure Content Scanner Server Daemon  fsavsd.exe  The back-end component that provides anti-virus scanning and spam filtering services for Simple Content Inspection Protocol (SCIP) compliant clients. F-Secure Management Agent starts and controls the service automatically.
                                        fsdbuh.exe  The Database Update Handler process verifies and checks the integrity of virus definition and spam control database updates.

F-Secure Anti-Virus for Microsoft Exchange Web Console

Service                 Process       Description
F-Secure Web UI Daemon  fswebuid.exe  HTTP server that hosts F-Secure Anti-Virus for Microsoft Exchange Web Console. Supports HTTP/1.0, HTTP/1.1 and HTTPS. F-Secure Management Agent starts and controls the service automatically.

F-Secure Management Agent (FSMA)

Service                    Process      Description
F-Secure Management Agent  fsma32.exe   F-Secure Management Agent is an FSMA service responsible for starting other services and monitoring them.
                           fsmb32.exe   F-Secure Message Broker provides the inter-process communication interface for integrated services and applications.
                           fch32.exe    F-Secure Configuration Handler that works with F-Secure Policy Manager driver and enables other components to read base policy settings and to update incremental policy settings and statistics.
                           fameh32.exe  Alert and Management Extensions Handler is used to send alerts and reports to LogFile.log, Windows event log and SMTP server.
                           fih32.exe    F-Secure Installation Handler enables the remote installation and updating of integrated F-Secure products.
                           fsm32.exe    The F-Secure Settings and Statistics User Interface. The process is not running unless the user is logged in to the system.

F-Secure Automatic Updates Agent

Service                           Process       Description
F-Secure Automatic Updates Agent  servic~1.exe  The service starts and controls the F-Secure Automatic Update Agent client process.
                                  f-secu~1.exe  F-Secure Automatic Update.exe. This is the client process that polls and automatically downloads virus and spam definition database updates from F-Secure. It also handles F-Secure Automatic Updates Agent settings and provides the local user interface for a logged-on user.
                                  FSBWSYS.exe   The Automatic Update Agent process provides automatic updates of virus definition databases for F-Secure Content Scanner Server. The process receives virus definition database updates from F-Secure Automatic Updates Agent Server via the HTTP or UDP-based protocol.

C TROUBLESHOOTING

Overview
Starting and Stopping
Viewing the Log File
Common Problems and Solutions
Frequently Asked Questions
F-Secure Automatic Update Agent Troubleshooting

C.1 Overview

If you have a problem that is not covered here, see “Technical Support”.

C.2 Starting and Stopping

If you ever need to start or stop F-Secure Anti-Virus for Microsoft Exchange, you can do it in the following ways:

• Open the Services applet from the Administrative tools folder in the Windows Control Panel and select F-Secure Anti-Virus for Microsoft Exchange. To stop F-Secure Anti-Virus for Microsoft Exchange, click Stop. To start the service, click Start.
• Open the F-Secure Anti-Virus for Microsoft Exchange Web Console and select the F-Secure Anti-Virus for Microsoft Exchange tab. Select the Summary page and click Start to activate F-Secure Anti-Virus for Microsoft Exchange. Click Stop to stop it.
• From the command line, enter NET STOP FSAVAG4MSE to stop the service, and NET START FSAVAG4MSE to start the service.

C.3 Viewing the Log File

F-Secure Anti-Virus for Microsoft Exchange uses the log file Logfile.log that is maintained by F-Secure Management Agent and contains all alerts generated by F-Secure components installed on the host. Logfile.log can be found on all hosts running F-Secure Management Agent. You can view the Logfile.log with any text editor, for example Windows Notepad. Open the logfile.log from F-Secure Settings and Statistics / F-Secure Management Agent properties / Show log file, or from the Home page of F-Secure Anti-Virus for Microsoft Exchange Web Console by clicking Show F-Secure Log.

F-Secure Management Agent uses Logfile.log (in F-Secure / Common directory) for logging of all the alerts on the host. Logfile.log contains all the alerts generated by the host, regardless of the severity. Logfile.log file size can be configured in F-Secure Management Agent / Settings / Alerting / Alert Agents / Logfile / Maximum File Size.

C.4 Common Problems and Solutions

If you think that you have some problem with F-Secure Anti-Virus for Microsoft Exchange, check that both F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server are up and running.

Checking F-Secure Anti-Virus for Microsoft Exchange

1. Make sure that F-Secure Anti-Virus for Microsoft Exchange service and all its processes have started. Open Services in the Windows Control Panel and check that the F-Secure Anti-Virus for Microsoft Exchange service has started. Open the Windows Task Manager and check that the following processes are running:

fshkmngr.exe fsmb32.exe

fswbsthk.exe fameh32.exe

fsobmngr.exe fch32.exe

fsma32.exe fsm32.exe

fnrb32.exe

2. To make sure that F-Secure Content Scanner Server accepts connections, start a telnet session to the F-Secure Content Scanner Server machine to the port 18971. If you have specified a different SCIP port, use that port instead.

If you get the cursor blinking in the upper left corner, it means that the connection has been established and F-Secure Content Scanner Server can accept incoming connections. If you get "Connection to the host lost" or other error message or if the cursor does not go to the upper left corner, it means that the connection attempt was unsuccessful. If your connection attempt was unsuccessful, (1) make sure that F-Secure Content Scanner Server is up and running, and (2) check the physical connection between F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. The connection must be direct (without firewalls or scanners in between) and at least 100 Mbps fast. If the computer running F-Secure Anti-Virus for Microsoft Exchange has two or more network interfaces (including dial-up modem connection), make sure that all files forwarded to F-Secure Content Scanner Server use the right network interface. Edit the routing table if needed.

Checking F-Secure Content Scanner Server

Problem: When the F-Secure Anti-Virus for Microsoft Exchange tries to send an attachment to F-Secure Content Scanner Server, the attachment is not scanned and the e-mail does not reach the recipient.

Solution: The problem is that F-Secure Anti-Virus for Microsoft Exchange is unable to contact F-Secure Content Scanner Server(s). There are several possible causes for this:

1. Incorrect keycode might have been used when installing F-Secure Content Scanner Server. When installing F-Secure Content Scanner Server you should use the keycode for F-Secure Anti-Virus for Microsoft Exchange, and not the keycode for F-Secure Content Scanner Server. If you have entered a wrong keycode, the installation did not install all the components required for F-Secure Anti-Virus for Microsoft Exchange.
2. A service or process may not be running on F-Secure Content Scanner Server. Make sure that all processes and services of F-Secure Content Scanner Server have started. Check the Services in Windows Control Panel. The following services should be started:
   • F-Secure Content Scanner Server
   • F-Secure Management Agent
   • F-Secure Network Request Broker
   Check the Task Manager. The following processes should be running:

fsmb32.exe fsma32.exe

fsavsd.exe fih32.exe

fsdbuh.exe fch32.exe

fnrb32.exe fameh32.exe

If any of these processes are not started, uninstall and reinstall the F-Secure Anti-Virus Content Scanner Server.
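The process and port checks from the two procedures above can be scripted so they are repeatable after a restart or an upgrade. The following Python sketch is an added example, not F-Secure code: it compares the output of tasklist /FO CSV /NH with the process lists given above and repeats the telnet test as a plain TCP connect. The sample tasklist output is constructed, and treating fsm32.exe separately is an assumption based on the Appendix B note that it runs only while a user is logged in.

```python
"""Check the F-Secure processes and SCIP port listed in section C.4."""
import csv
import io
import socket
import subprocess

# Process lists copied from the two checks in section C.4.
EXCHANGE_AV_PROCESSES = {
    "fshkmngr.exe", "fsmb32.exe", "fswbsthk.exe", "fameh32.exe",
    "fsobmngr.exe", "fch32.exe", "fsma32.exe", "fsm32.exe", "fnrb32.exe",
}
CONTENT_SCANNER_PROCESSES = {
    "fsmb32.exe", "fsma32.exe", "fsavsd.exe", "fih32.exe",
    "fsdbuh.exe", "fch32.exe", "fnrb32.exe", "fameh32.exe",
}
# Appendix B: fsm32.exe runs only while a user is logged in, so its absence
# is reported separately instead of being counted as a failed component.
SESSION_ONLY = {"fsm32.exe"}
DEFAULT_SCIP_PORT = 18971  # use your own port if you changed the SCIP port

# Constructed sample of `tasklist /FO CSV /NH` output; fsavsd.exe and
# fsm32.exe are deliberately absent and one name is upper-cased.
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","24 K"
"fshkmngr.exe","1204","Services","0","6,112 K"
"fsmb32.exe","1260","Services","0","3,480 K"
"fswbsthk.exe","1316","Services","0","9,904 K"
"fameh32.exe","1372","Services","0","2,996 K"
"fsobmngr.exe","1428","Services","0","4,210 K"
"fch32.exe","1484","Services","0","3,052 K"
"FSMA32.EXE","1540","Services","0","5,644 K"
"fnrb32.exe","1596","Services","0","2,870 K"
"fih32.exe","1652","Services","0","2,504 K"
"fsdbuh.exe","1708","Services","0","4,776 K"
'''


def running_images(tasklist_csv):
    """Return the lower-cased image names from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {row[0].strip().lower() for row in rows if row}


def check_processes(expected, tasklist_csv):
    """Report which expected processes are absent from the process list."""
    running = running_images(tasklist_csv)
    absent = {name for name in expected if name not in running}
    return {
        "missing": sorted(absent - SESSION_ONLY),
        "not_logged_in": sorted(absent & SESSION_ONLY),
    }


def scip_port_open(host, port=DEFAULT_SCIP_PORT, timeout=3.0):
    """Repeat the telnet test: open a TCP connection and send nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # On the server itself, read the live process list instead of the sample.
    output = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                            capture_output=True, text=True, check=True).stdout
    print("Exchange AV:", check_processes(EXCHANGE_AV_PROCESSES, output))
    print("Content Scanner:", check_processes(CONTENT_SCANNER_PROCESSES, output))
    print("SCIP port open:", scip_port_open("127.0.0.1"))
```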

Checking F-Secure Anti-Virus for Microsoft Exchange Web Console

Problem: I cannot open or access F-Secure Anti-Virus for Microsoft Exchange Web Console.

Solution:

1. Make sure that F-Secure Web Console daemon has started and is running. Check the Services in Windows Control Panel. The following service should be started:
   • F-Secure Web Console Daemon
   Check the Task Manager. The following process should be running:
   • fswebuid.exe
2. If you try to connect to the F-Secure Anti-Virus for Microsoft Exchange Web Console from a remote host, make sure that the connection is not blocked by a firewall or proxy server.

C.4.1 Installing Service Packs

If you wish to install a Microsoft Exchange Server Service Pack and F-Secure Anti-Virus for Microsoft Exchange is already installed, stop F-Secure Anti-Virus for Microsoft Exchange before installing the Service Pack and restart it after the Service Pack installation.

C.4.2 Securing the Quarantine

Problem: I have installed F-Secure Anti-Virus for Microsoft Exchange and I'm worried about security of the local Quarantine storage where stripped attachments are quarantined. What do you recommend?

Solution: F-Secure Anti-Virus for Microsoft Exchange creates and adjusts access rights to the local Quarantine storage during the installation. Keep in mind the following when setting up the local Quarantine storage:

• Do not place the Quarantine storage on a FAT drive. FAT file system does not support access rights on directories and files for different users. If you place the Quarantine storage on a FAT drive, everyone who has access to that drive will be able to get access to the quarantined content.
• Create and adjust access rights to the Quarantine storage manually if you use one on a network drive.
• Create and adjust access rights to the Quarantine storage manually when you change its path in F-Secure Anti-Virus for Microsoft Exchange Web Console.

C.5 Frequently Asked Questions

Performance

Q. Why does the time to open a message in mailboxes and Public Folders increase after installation of F-Secure Anti-Virus for Microsoft Exchange?
A. F-Secure Anti-Virus for Microsoft Exchange scans each message for viruses, hence the delay with opening the message. A message scanned once is marked as scanned and will be opened quickly next time. Of course, if a message has been changed, it will be scanned for viruses again.

Q. Microsoft Outlook displays an error message stating something like “Cannot open message” or “Cannot open message in preview pane”. What should be done?
A. Check that F-Secure Content Scanner Server is up and running. If a mail cannot be scanned, access to it is not allowed.

Q. Why does e-mail stay in the Outbox for a while after being sent?
A. F-Secure Anti-Virus for Microsoft Exchange scans each message for viruses, hence the delay with sending the message.

Q. F-Secure Anti-Virus for Microsoft Exchange complains about connection timeout to F-Secure Content Scanner Server. What should be done?
A. Make sure that F-Secure Content Scanner Server is running, that it has been installed with the correct keycode for F-Secure Anti-Virus for Microsoft Exchange, and that the connection to F-Secure Content Scanner Server is direct and at least 100 Mbps fast. If the computer running F-Secure Anti-Virus for Microsoft Exchange has multiple network interfaces (including dial-up connections), make sure that all files forwarded to F-Secure Content Scanner Server(s) use the right network interface.

Q. Every time when the server shuts down I get error reports that F-Secure SMTP and Real-Time Scanners cannot connect to the server. What is the problem?
A. When you shut down the computer with F-Secure Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange components, F-Secure Content Scanner Server may shut down before F-Secure Anti-Virus for Microsoft Exchange components, which may cause them to report that they have lost the connection to F-Secure Content Scanner Server.

Settings

Q. Is it possible to strip attachments with size greater than or equal to a given value?
A. No, this is not possible at the moment. Use the Exchange Manager to limit the size of attached files.

Q. Are the newly created mailboxes and Public Folders automatically covered by F-Secure Anti-Virus?
A. Yes. The default polling interval for newly created mailboxes and Public Folders is 1 hour. For more information, see “Advanced”.

Q. A message has an attachment with a file extension that should be stripped. Why was the attachment not stripped?
A. F-Secure Anti-Virus for Microsoft Exchange does not strip attachments with a size of 0 Kb, as they cannot contain any malicious code.

Q. I have a Public Folder that is excluded from the virus scan, but some messages are scanned and disinfected before they arrive in the excluded Public Folder. Why?
A. If you send a message from a MAPI client, the message goes to the Outbox folder before it is sent to the Public Folder. The message is scanned when it is in the Outbox folder according to the processing settings for this mailbox. When the message arrives in the Public Folder, it is scanned according to the Public Folder processing settings. Thus, messages sent with SMTP are not scanned in excluded Public Folders.

Q. A message is not scanned if it comes from a trusted mailbox. Why?
A. If an infected attachment arrives in a mailbox, it passes the virus scanner but it is not disinfected or stopped. The real-time scanner scans messages in the message store only once, so when the infected message is sent from the trusted mailbox to another mailbox inside the same message store, the real-time scanner does not scan it again. If you use trusted mailboxes, store those messages in a different message store. When a message moves between message stores, it is scanned and infected attachments can be disinfected. You can also run the manual scan periodically to remove infected attachments.

Q. When I release an e-mail from the Quarantine, sometimes two warning messages are sent to the recipient. Why?
A. When you release an e-mail that has an infected attachment from the Quarantine and the user uses POP3 to retrieve mail from the server, the user may receive two warning messages while the infected attachment remains in the Quarantine.

Local Protection with F-Secure Anti-Virus for Windows Servers

Q. Can all files on a Microsoft Exchange computer be scanned for viruses, or are some files and folders excluded from scanning automatically?
A. The working and quarantine directories of F-Secure Anti-Virus for Microsoft Exchange are added to the OAS excluded list during the installation. Microsoft Knowledgebase article #245822 ‘Recommendations for troubleshooting an Exchange computer with installed’ describes what files and folders should never be scanned with file-based antivirus software: http://support.microsoft.com/default.aspx?scid=kb;en-us;245822.

Quarantined and Disinfected Files

Q. When examining a raw message that has been disinfected, there seems to be some data that should be stripped. Is the message still infected?
A. Disinfected messages do not contain any malicious code. The Microsoft Exchange server keeps the original message header in the message, so MIME-part headers may appear in the raw message data.

Q. A message has an Attachment_Information.txt file as an embedded OLE object. What is this file and why do I get a warning message when I try to open the file?
A. The original message had an infection which F-Secure Anti-Virus for Microsoft Exchange removed and replaced with the Attachment_Information.txt file. As embedded OLE objects have to be replaced with text attachments to avoid corrupting OLE objects, the Attachment_Information.txt is an embedded OLE object that causes the warning message. The VirusInfo text file contains information about the infection that has been removed. The Attachment_Information.txt file may appear also in Public Folder messages for the same reason.

Q. During the installation, I get a notification that an application is requesting access to a protected system. What causes this?
A. You are using Certificate Service and this behavior is normal with it.

Q. What happens to e-mails saved in the Drafts folder during the real-time scanning?
A. Messages saved temporarily into the Drafts folder are considered to be inbound and they are scanned and stripped accordingly.

Q. Why can users not attach some attachments to e-mail messages when using Microsoft Outlook Web Access and Microsoft Internet Explorer?
A. When using Microsoft Outlook Web Access and Microsoft Internet Explorer, you cannot send a message that has an attachment that cannot be disinfected or an attachment that is set to be stripped. When users try to attach the attachment, they receive an error message and the sending will fail.

C.6 F-Secure Automatic Update Agent Troubleshooting

The F-Secure Automatic Update Agent log file may be useful for solving problems when virus and/or spam definition databases do not update properly. Open the F-Secure Automatic Update Agent from F-Secure Settings and Statistics and click Show log file to view a detailed log of actions of the F-Secure Automatic Update Agent.

Q. How can I verify that updating the virus and spam definition databases really works?
A. First, open the F-Secure Automatic Update Agent window from F-Secure Settings and Statistics and select the Received Packages tab. If a virus definitions database update has been downloaded, you should see something like “F-Secure Anti-Virus Update 2004-06-09” under Title. Check the Last Result column. If the update has been successfully placed into the destination directory, the Latest Result displays Installed.

If the Latest Result is Not installed, the update has been downloaded but the F-Secure Automatic Update Agent could not copy it into the destination directory. The F-Secure Automatic Update Agent tries to copy it there again at one-minute intervals. Click Package Properties to see the error message.

If the Last Result value is Installed, check the date and time in the First Installed column at the bottom of the Received Packages page. Then, open Windows Explorer and select the F-Secure Anti-Virus folder, select Details from the View menu, and click the Modified column title above the file list to display the files sorted by date and time. The F-Secure Anti-Virus folder should have files (with filename extensions .def, .avc, .set or .dat) which have the same date and time as the First Installed column.

Q. The Received Packages page states that a virus definition database update is “Not installed”. What should I do?
A. Click on the package title and then Package Properties to view the error message.

Unable to locate anti-virus database update directory
   The directory does not exist, the communication directory is corrupted, or your client is in Standard mode and the update directory is in a network drive. Open the Settings page in the F-Secure Automatic Update Agent window and click Change to select the destination directory again.

Not enough free disk space
   The drive of the destination directory is full. Free some disk space.

Could not create temporary directory
   Check that the current user has appropriate access rights to the destination directory. Note that if the destination is a communication directory, the same rights are also required for its subdirectories. If the destination is the “Other” subdirectory, the same rights are required for its parent directory.

Could not switch database update directory to a new one
   Another application has a file open in the destination directory, so it cannot be deleted. This can occasionally happen if multiple hosts are retrieving the update at the same time. The client will retry in one minute intervals, so wait and see if the result changes to “Installed”. If the update is still uninstalled, close all applications on the computer where the destination directory is, or reboot it. If the client is in NT application mode, see the explanation above for “Could not create temporary directory”.

Q. The Received Packages page states that a virus definition database update is “Installed”, but there are no new files in the Anti-Virus directory. Why?
A. After downloading the update and placing it into a communication directory, F-Secure Content Scanner Server does not immediately retrieve the files from there. The delay depends on the polling interval of F-Secure Management Agent; with a default interval of 10 minutes, the delay can be up to 20-30 minutes. Make sure F-Secure Automatic Update Agent is installed in Stand-alone mode. Open the Settings page in F-Secure Automatic Update Agent window. The Change button should be disabled.

Q. The Installed Packages page states that a virus definition database update has “Failed” after I upgraded the product. What should I do?
A. During the upgrade, F-Secure Automatic Update Agent retrieves the latest virus definition update. If the previous version of the product had the same version of the database installed already, F-Secure Automatic Update Agent does not overwrite files and marks the update as failed. The message disappears automatically during the next virus database update.

Q. I installed the F-Secure Automatic Update Agent, but it has not downloaded any virus definition updates. What’s wrong?
A. Select the Received Packages tab in the F-Secure Automatic Update Agent window and check that no virus definitions update packages are listed there. Select the Channel Status page in the F-Secure Automatic Update Agent. If the Channel Name and Channel Address fields are empty, the client has not yet connected to F-Secure Automatic Update server. Make sure that your Internet connection is working, and if the Current Status is Ready, click Connect Now to force the client to connect to the server immediately. Downloading the virus definitions database update for the first time can take a while if you have a lot of other Internet traffic open at the same time.

If the client cannot connect to the server, make sure that your browser can access the Internet. Open your browser and connect to http://fsbwserver.f-secure.com/. If you cannot connect to the web page, check your network settings. If the connection was successful, open the Settings page. If Polite Agent is selected in the Communication section, change it to HTTP. If you change the protocol from Polite Agent to HTTP or vice versa, you have to restart the F-Secure Automatic Update Agent.

If changing to HTTP communication did not help, open the Internet options in your browser to determine if you are connected through an HTTP proxy server. A few examples:

• Internet Explorer 6.0: Under the Tools menu, select Internet Options. Select the Connection tab and click LAN Settings.... Check the settings in the Proxy server section. If you have the Use a proxy server for your LAN option selected and there is an address and port defined, you are using an HTTP proxy server. If the Use a proxy server for your LAN option is not selected and you see a proxy server setting in the Address section but it is grayed out, click Advanced, remove the address and specify port 0.
• Mozilla Firefox 1.0: Under the Tools menu, select Options. Select the General category, and click Connection Settings.... If the Manual proxy configuration option is selected, you can see the address and port number of the HTTP proxy server in the Connection Settings window.

If you have determined that you are connecting through an HTTP proxy server, enable the “Use HTTP proxy” checkbox on the F-Secure Automatic Update Agent window’s Settings page and type in the field the proxy server address and port number that you retrieved from your browser (e.g. myproxy.mydomain.com:80). If you are not connected through a proxy server, ensure that the Use HTTP proxy option is not selected.

After these operations, your Automatic Update Agent client should be able to connect and receive content. If you are not able to receive content and your client is configured correctly, you will have to contact your network administrator and have them verify that your firewall is configured to accept outgoing HTTP requests and incoming responses to these requests.

Technical Support

Technical Support

F-Secure Online Support Resources
Web Club
Virus Descriptions on the Web

F-Secure Online Support Resources

F-Secure Technical Support is available through F-Secure support web pages, e-mail and by phone. Support requests can be submitted through a form on F-Secure support web pages directly to F-Secure support.

F-Secure support web pages for any F-Secure product can be accessed at http://support.f-secure.com/. All support issues, frequently asked questions and hotfixes can be found under the support pages.

If you have questions about F-Secure Anti-Virus for Microsoft Exchange not covered in this manual or on the F-Secure support web pages, you can contact your local F-Secure distributor or F-Secure Corporation directly.

For technical assistance, please contact your local F-Secure Business Partner. Send your e-mail to: Anti-Virus-@f-secure.com
Example: [email protected]

If there is no authorized F-Secure Anti-Virus Business Partner in your country, you can submit a support request directly to F-Secure. There is an online "Web submit form" accessible through F-Secure support web pages under the "Contact Support" page. Fill in all the fields and describe the problem as accurately as possible. Please include the FSDiag report taken from the problematic server with the support request.

Before contacting support, please run the F-Secure Diagnostic utility FSDiag.exe on each of the hosts running F-Secure Anti-Virus for Microsoft Exchange and F-Secure Content Scanner Server. This utility gathers basic information about hardware, operating system, network configuration and installed F-Secure and third-party software.

You can run the F-Secure Diagnostics tool from the F-Secure Anti-Virus for Microsoft Exchange Web Console as follows:

1. Log in to the Web Console.
2. Type https://127.0.0.1:25023/fsdiag/ in the browser’s address field.
3. The F-Secure Diagnostics tool starts and the dialog window displays the progress of the data collection.
4. When the tool has finished collecting the data, click Get Report to download and save the collected data.

You can also find and run the FSDiag.exe utility under the F-Secure\Common folder, if you prefer not to do it through the F-Secure Anti-Virus for Microsoft Exchange Web Console. The tool generates a file called FSDiag.tar.gz.

Please include the following information with your support request:

- Version number of F-Secure Management Agent and F-Secure Anti-Virus for Microsoft Exchange. Include the build number if available.
- Description of how F-Secure components are configured.
- The name and the version number of the operating system on which F-Secure products and protected systems are running. For Windows, include the build number and Service Pack number.
- The version number and the configuration of your Microsoft Exchange Server. If possible, describe your network configuration and topology.
- A detailed description of the problem, including any error messages displayed by the program, and any other details that could help us replicate the problem.
- Logfile.log from the machines running F-Secure products. This file can be found under Program Files\F-Secure\Common. If you are sending the FSDiag report you do not need to send the Logfile.log separately, because it is already included in the FSDiag report.
- If the whole product or a component crashed, include the drwtsn32.log file from the Windows NT directory and the latest records from the Windows Application Log.

Web Club

The F-Secure Web Club provides assistance and updated versions of the F-Secure products. To connect to the Web Club on our Web site, open the F-Secure Anti-Virus for Microsoft Exchange Web Console, and click the Web Club link in the banner.

Alternatively, right-click on the F-Secure icon in the Windows taskbar, and choose the Web Club command. To connect to the Web Club directly from within your Web browser, go to: http://www.f-secure.com/anti-virus/webclub/corporate/

Virus Descriptions on the Web

F-Secure Corporation maintains a comprehensive collection of virus-related information on its Web site. To view the Virus Information Database, connect to: http://www.f-secure.com/virus-info/.

About F-Secure Corporation

F-Secure Corporation protects consumers and businesses against computer viruses and other threats from the Internet and mobile networks. We want to be the most reliable provider of security services in the market. One way to demonstrate this is the speed of our response. According to independent studies in 2004, 2005 and 2006 our response time to new threats is significantly faster than our major competitors. Our award-winning solutions are available for workstations, gateways, servers and mobile phones. They include antivirus and desktop firewall with intrusion prevention, antispam and antispyware solutions.

Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999, and has been consistently growing faster than all its publicly listed competitors. F-Secure headquarters are in Helsinki, Finland, and we have regional offices around the world. F-Secure protection is also available as a service through major ISPs, such as Deutsche Telekom, France Telecom, PCCW and Charter Communications. F-Secure is the global market leader in mobile phone protection provided through mobile operators, such as T-Mobile and Swisscom and mobile handset manufacturers such as Nokia.

The latest real-time virus threat scenario news is available at the F-Secure Data Security Lab weblog at http://www.f-secure.com/weblog/