DOCSLIB.ORG

F-Secure Anti-Virus for Microsoft Exchange

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
F-Secure Anti-Virus for Microsoft Exchange F-Secure Anti-Virus for Microsoft Exchange Administrator’s Guide "F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation. Copyright © 1993-2008 F-Secure Corporation. All rights reserved. Portions Copyright © 1991-2006 Kaspersky Lab. This product includes software developed by the Apache Software Foundation (http:// www.apache.org/). Copyright © 2000-2006 The Apache Software Foundation. All rights reserved. This product includes PHP, freely available from http://www.php.net/. Copyright © 1999-2006 The PHP Group. All rights reserved. This product includes code from SpamAssassin. The code in the files of the SpamAssassin distribution are Copyright © 2000-2002 Justin Mason and others, unless specified otherwise in that particular file. All files in the SpamAssassin distribution fall under the same terms as Perl itself, as described in the “Artistic License”. This product may be covered by one or more F-Secure patents, including the following: GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233 GB2374260 12000040-7B15 Contents About This Guide 7 How This Guide Is Organized .............................................................................................. 8 Conventions Used in F-Secure Guides................................................................................ 9 Symbols ...................................................................................................................... 9 Chapter 1 Introduction 11 1.1 Overview ....................................................................................................................12 1.2 How F-Secure Anti-Virus for Microsoft Exchange Works...........................................13 1.3 Key Features..............................................................................................................15 1.4 F-Secure Anti-Virus Mail Server and Gateway Products ...........................................17 Chapter 2 Requirements 19 2.1 Which SQL Server to Use for the Quarantine Database?..........................................20 2.2 Network Requirements...............................................................................................21 2.3 Web Browser Software Requirements .......................................................................22 2.4 Improving Reliability and Performance ......................................................................23 2.5 Configuring the Product After the Installation.............................................................24 Chapter 3 Using F-Secure Anti-Virus for Microsoft Exchange 25 3.1 Administering F-Secure Anti-Virus for Microsoft Exchange .......................................26 3.1.1 Logging in for the First Time...........................................................................26 3.2 Checking the Product Status......................................................................................29 3.3 Configuring the Web Console ....................................................................................32 3 3.4 Modifying Settings and Viewing Statistics..................................................................33 3.5 Manually Processing Mailboxes and Public Folders ..................................................34 3.5.1 Stand-alone Mode ..........................................................................................34 3.5.2 Creating Scanning Operations .......................................................................34 3.6 Configuring Alert Forwarding .....................................................................................67 3.7 Viewing Alerts ............................................................................................................69 Chapter 4 Administration with Web Console 70 4.1 Overview ....................................................................................................................71 4.2 F-Secure Anti-Virus for Microsoft Exchange Settings ................................................71 4.2.1 Summary ........................................................................................................72 4.2.2 Virus Scanning ...............................................................................................74 4.2.3 Stripping Attachments ....................................................................................90 4.2.4 Content Filtering ...........................................................................................100 4.2.5 Manual Scanning..........................................................................................107 4.2.6 Quarantine....................................................................................................111 4.2.7 Advanced......................................................................................................121 4.2.8 Internal Domains ..........................................................................................127 4.3 F-Secure Content Scanner Server Settings.............................................................129 4.3.1 Summary ......................................................................................................129 4.3.2 Database Updates........................................................................................136 4.3.3 Scan Engines ...............................................................................................138 4.3.4 Proxy Configuration......................................................................................143 4.3.5 Archive Scanning..........................................................................................146 4.3.6 Advanced......................................................................................................149 4.3.7 Interface........................................................................................................151 4.4 F-Secure Automatic Update Agent Settings ............................................................152 4.4.1 Summary ......................................................................................................153 4.4.2 Automatic Updates .......................................................................................156 4.5 F-Secure Management Agent Settings ....................................................................157 Chapter 5 Quarantine Management 160 5.1 Introduction ..............................................................................................................161 5.2 Configuring Quarantine Options...............................................................................162 5.3 Searching the Quarantined Content.........................................................................163 4 5.4 Query Results Page .................................................................................................167 5.5 Viewing Details of a Quarantined Message .............................................................169 5.6 Reprocessing the Quarantined Content...................................................................171 5.7 Releasing the Quarantined Content.........................................................................172 5.8 Removing the Quarantined Content.........................................................................174 5.9 Deleting Old Quarantined Content Automatically.....................................................174 5.10 Quarantine Logging..................................................................................................175 5.11 Quarantine Statistics ................................................................................................176 5.12 Moving the Quarantine Storage ...............................................................................177 Chapter 6 Administering F-Secure Spam Control 179 6.1 Overview ..................................................................................................................180 6.2 Spam Control Settings in Web Console...................................................................180 6.3 Realtime Blackhole List Configuration .....................................................................185 6.3.1 Enabling Realtime Blackhole Lists ...............................................................185 6.3.2 Optimizing F-Secure Spam Control Performance ........................................187 Chapter 7 Updating Virus and Spam Definition Databases 189 7.1 Overview ..................................................................................................................190 7.2 Automatic Updates with F-Secure Automatic Update Agent....................................190
Load more

Recommended publications
  • FEATURE RESCUE ME 2: DISINFECTION Some Recovery Solutions Can Be Started from the Installation CD, While Others Need to Be Created Manually
    VIRUS BULLETIN www.virusbtn.com FEATURE RESCUE ME 2: DISINFECTION Some recovery solutions can be started from the installation CD, while others need to be created manually. This may call WITH BOOTABLE RESCUE MEDIA for up to nine disks in the case of Norton AntiVirus or a Andreas Marx single CD-R/RW in the case of G Data AntiVirusKit (AVK). AV-Test.org, Germany Here, the CD image with up-to-date signatures is created using Mkisofs and burned using Cdrecord, both of which are available as free software for Windows (see These days, it is not an uncommon occurrence for a PC to http://www.fokus.gmd.de/research/cc/glone/employees/ become infected by a virus or worm, or for a backdoor to joerg.schilling/private/cdrecord.html). Maybe we will see be installed on one’s PC – at the time of writing, for rescue USB sticks in the not too distant future. example, Trend Micro’s free online virus scanner has found more than 1.6 million PCs infected with W32/Mydoom.A. Today’s rescue solutions can be classified into three main categories: DOS, Linux and Windows (PE)-based. In most There is, and there always will be a time delay between the cases, NTFS is supported only in read-only mode. initial detection of a worm and the release of anti-virus definition updates (see VB, February 2004, p.4). Heuristics and the generic proactive malware detection techniques DOS-BASED SOLUTIONS used by anti-virus products do not always work – for Most rescue media, like those from Grisoft AVG, Command example, no AV scanner was able to detect W32/Sober.C or AntiVirus, Computer Associates eTrust, McAfee VirusScan W32/Mydoom.A without updated signatures.
    [Show full text]
  • Combating Spyware in the Enterprise.Pdf
    www.dbebooks.com - Free Books & magazines Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our cus- tomers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web site, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of exper- tise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE EBOOKS For readers who can’t wait for hard copy, we offer most of our titles in download- able Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations.
    [Show full text]
  • Procurve Network Access Controller 800
    ProCurve Network Access Controller 800 The ProCurve Network Access Controller (NAC) 800 combines a RADIUS- based authentication server and the ability to validate the integrity of the systems connecting to the network, allowing network administrators to secure the network from unauthorized users and systems that pose a threat to the network resources. ProCurve Network Access Controller 800 (J9065A) ProCurve Network Access Controller 800 Features and benefits Resiliency and high availability Management • Enforcement server resiliency and redundancy: enable high network availability • Centralized endpoint policy management: for mission-critical LAN deployments; endpoint testing policies are centrally enforcement servers continue to provide managed by a single management server and authentication and endpoint testing services in shared by up to ten enforcement servers the absence of a management server and can be configured in clusters to provide • Administration console: a Web-based console redundancy and load-balancing for endpoint provides an easy-to-use interface for testing configuring endpoint policies and enforcement clusters as well as a dashboard-style interface Security for viewing the status of endpoint integrity testing • Built-in RADIUS server: can perform authentication services or act as a proxy server • Default testing policies: default testing for a remote RADIUS authentication service policies provide a great starting point for endpoint testing and can be easily utilized as • Supports standard-based or a local the basis
    [Show full text]
  • Contents in This Issue
    DECEMBER 2003 The International Publication on Computer Virus Prevention, Recognition and Removal CONTENTS IN THIS ISSUE 2 COMMENT THE CAT’S OUT OF The risks of spam filtering THE BAG Since the close of VB2003 in 3 NEWS Toronto the cat has been clawing at the bag trying to Season’s greetings get out. This month moggie makes a bid for VB2004: location, location, location freedom as we announce the location of VB2004 … Virus writers elusive in US cybercrime sweep page 3 SOBERING STUFF 3 VIRUS PREVALENCE TABLE W32/Sober uses some cunning tricks to make both detection and disinfection rather tricky. With this in 4 VIRUS ANALYSIS mind, Andreas Marx tested nine disinfection tools to It’s in the (Smi)bag! see how well they cleaned up after the virus. The results were sobering. page 7 FEATURES 7 The Sober effect: disinfection disasters DIVERSITY – THE SPICE OF LIFE? 9 Microsoft, monopolies and migraines: In biological systems diversity is the key to stability the role of monoculture and survivability, but does the same apply to computer systems? Richard Ford undertakes a 12 OPINION scientific investigation of monoculture. page 9 ‘It’s life Jim, but not as we know it!’ page 9 14 PRODUCT REVIEW F-Prot Antivirus for Linux Mail Servers 4.3.1 19 CALL FOR PAPERS VB2004 call for papers In this month’s VB Spam Supplement Neil 20 END NOTES & NEWS Schwartzman takes an in-depth look at a new open source initiative, the DNS protocol known as SPF. ISSN 0956-9979 COMMENT ‘Perhaps with some thought and So spam can now take its place beside malware in the catalog of computer security threats.
    [Show full text]
  • Contents in This Issue
    FEBRUARY 2004 The International Publication on Computer Virus Prevention, Recognition and Removal CONTENTS IN THIS ISSUE 2 COMMENT A NEW TREND IN Are your networks secure? VIRUS WRITING? Following in the footsteps 3 NEWS of W32/Bugbear.A, VB2004 call for papers W32/Mimail.I and .J took Divine intervention the concern of identity theft Waiting, reflecting and removing to another level, producing a plausible-looking popup and web page and asking questions that are favoured security checks of many 3 VIRUS PREVALENCE TABLE banks. Stuart Taylor asks: is there a criminal element entering virus writing? 4 FEATURE page 11 Outbreak response times: putting AV to the test TESTING TIMES It’s not just a product’s ability to detect malware 7 TUTORIAL that is of vital importance to the user, but the speed Mission impossible: the Messenger with which the developer produces an update in and others outbreak situations. Andreas Marx puts AV response times to the test. 11 OPINION page 4 Misguided or malevolent? New trends in virus writing COMPARATIVE REVIEW Matt Ham lines up the AV products for 12 COMPARATIVE REVIEW Windows NT. page 12 Windows NT 4.0 20 END NOTES & NEWS This month: Anti-spam news and events, Habeas delivering the goods, ASRG summary. ISSN 0956-9979 COMMENT ‘Until now, most who are not located in the same office, who may be travelling on business or may be working from home. business use of Managers from any location can respond to instant instant messaging messages with quick decisions. Presence-awareness allows each user to see the online status and availability has been of the of other colleagues on the system.
    [Show full text]
  • Progress Made, Trends Observed a White Paper from the Microsoft Antimalware Team Msrwindows Malicious Software Removalt Tool
    Progress Made, Trends Observed A White Paper from the Microsoft Antimalware Team MSRWindows Malicious Software RemovalT Tool Matthew Braverman Program Manager Microsoft Antimalware Team Acknowledgements I would like to thank the following individuals for their contribution to this paper: Mike Chan, Brendan Foley, Jason Garms, Robert Hensing, Ziv Mador, Mady Marinescu, Michael Mitchell, Adam Overton, Matt Thomlinson, and Jeff Williams The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photo- copying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2006 Microsoft Corporation. All rights reserved.
    [Show full text]
  • Paul Collins Status Name/Startup Item Command Comments X System32
    SYSINFO.ORG STARTUP LIST : 11th June 2006 (c) Paul Collins Status Name/Startup Item Command Comments X system32.exe Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field X pathex.exe Added by the MKMOOSE-A WORM! X svchost.exe Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder X SystemBoot services.exe Added by the SOBER-Q TROJAN! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a HelpHelp subfolder of the Windows or Winnt folder X WinCheck services.exe Added by the SOBER-S WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "ConnectionStatusMicrosoft" subfolder of the Windows or Winnt folder X Windows services.exe Added by the SOBER.X WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "WinSecurity" subfolder of the Windows or Winnt folder X WinStart services.exe Added by the SOBER.O WORM! Note - this is not the legitimate
    [Show full text]
  • Dynamic Analysis of Malicious Code
    J Comput Viol (2006) DOI 10.1007/s11416-006-0012-2 ORIGINAL PAPER Dynamic analysis of malicious code Ulrich Bayer · Andreas Moser · Christopher Kruegel · Engin Kirda Received: 13 January 2006 / Accepted: 27 March 2006 © Springer-Verlag 2006 Abstract Malware analysis is the process of determining the which leads to excellent emulation accuracy. These factors purpose and functionality of a given malware sample (such make TTAnalyze an ideal tool for quickly understanding the as a virus, worm, or Trojan horse). This process is a necessary behavior of an unknown malware. step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for Keywords Malware · Analysis · API · Virus worm · the development of removal tools that can thoroughly delete Static analysis · Dynamic analysis malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time- 1 Introduction intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly Malware is a generic term to denote all kinds of unwanted increasing. This clearly reveals the need for tools that auto- software (e.g., viruses, worms, or Trojan horses). Such soft- mate and simplify parts of the analysis process. In this paper, ware poses a major security threat to computer users. Accord- we present TTAnalyze, a tool for dynamically analyzing the ing to estimates, the financial loss caused by malware has behavior of Windows executables. To this end, the binary been as high as 14.2 billion US dollars in the year 2005 [5].
    [Show full text]
  • CONTENTS in THIS ISSUE Fighting Malware And
    DECEMBER 2008 Fighting malware and spam CONTENTS IN THIS ISSUE 2 COMMENT TRICKS OF THE TRADE Public liability insurance for Unpackers have been around for as long as packers computer intrusion themselves, but anti-unpacking tricks are a more recent development and have grown quickly both in 3 NEWS number and, in some cases, complexity. Peter Ferrie describes a range of anti-unpacking tricks. Festive greetings page 4 VB2009 Geneva: call for papers DYNAMIC WARNING Apple urges Mac users to install AV Roel Schouwenberg has a word of caution regarding the attention currently being devoted to dynamic 3 VIRUS PREVALENCE TABLE testing of anti-malware products. page 9 4 TECHNICAL FEATURE VB100: WINDOWS VISTA X64 Anti-unpacker tricks – part one The fi nal VB100 of the year sees a double whammy of potential pitfalls 9 OPINION for comparative participants – the Dec 2008 Repercussions of dynamic testing Vista operating system as well as the x64 architecture. John Hawes reveals how the products coped. 12 SPOTLIGHT page 14 Frame4: in the picture 14 COMPARATIVE REVIEW Windows Vista x64 This month: anti-spam news and events, and 26 END NOTES & NEWS Alexandru Cosoi describes a method that attempts to deal with the phishing problem at the browser level, combining both whitelisting and content-based solutions in a web page forgery detector. ISSN 1749-7027 COMMENT ‘By installing a In order to understand how a greater number of protected computers would be benefi cial, let’s look at motor security suite you not insurance. Uninsured car drivers cause higher insurance only protect yourself, premiums (because if an uninsured driver causes an accident and cannot pay the damage, the other driver(s) but you increase the have to collect from their own insurance companies, safety of the whole driving their premiums upwards).
    [Show full text]
  • Dynamic Analysis of Malicious Code
    J Comput Virol (2006) 2:67–77 DOI 10.1007/s11416-006-0012-2 ORIGINAL PAPER Dynamic analysis of malicious code Ulrich Bayer · Andreas Moser · Christopher Kruegel · Engin Kirda Received: 13 January 2006 / Accepted: 27 March 2006 / Published online: 16 May 2006 © Springer-Verlag France 2006 Abstract Malware analysis is the process of determining the which leads to excellent emulation accuracy. These factors purpose and functionality of a given malware sample (such make TTAnalyze an ideal tool for quickly understanding the as a virus, worm, or Trojan horse). This process is a necessary behavior of an unknown malware. step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for Keywords Malware · Analysis · API · Virus worm · the development of removal tools that can thoroughly delete Static analysis · Dynamic analysis malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time- 1 Introduction intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly Malware is a generic term to denote all kinds of unwanted increasing. This clearly reveals the need for tools that auto- software (e.g., viruses, worms, or Trojan horses). Such soft- mate and simplify parts of the analysis process. In this paper, ware poses a major security threat to computer users. Accord- we present TTAnalyze, a tool for dynamically analyzing the ing to estimates, the financial loss caused by malware has behavior of Windows executables. To this end, the binary been as high as 14.2 billion US dollars in the year 2005 [5].
    [Show full text]
  • Security Intelligence Report
    Microsoft Security Intelligence Report July–December 2006 An in-depth perspective of software vulnerabilities, malicious code threats, and potentially unwanted software, focusing on the second half of 2006 Microsoft Security Intelligence Report The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2007 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, Active Directory, ActiveX, Forefront, Internet Explorer, OneCare, the Security Shield logo, SmartScreen, Win32, Windows, Windows Live, Windows Live OneCare, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
    [Show full text]
  • Manipulating the Internet Ting the Internet
    MANIPULATING THE INTERNET MUTTIK MANIPULATING THE INTERNET (SymbOS/Cabir, SymbOS/CommWarrior, SymbOS/Skulls families). But perhaps the most important shift is that the bad Dr. Igor G. Muttik guys are very seriously turning their resources to exploiting McAfee AVERT, Aylesbury, UK the backbone of the Internet – the web. This vehicle is going to stay with us for a long time and, thus, should give the highest Email [email protected] return on investment for the bad guys. PUSH VERSUS PULL ABSTRACT ABSTRACT It is very natural that users treat unsolicited material with Traditionally, viruses and other malware were distributed suspicion. Browsing the Internet is not generally considered a using push techniques – viruses directly or malware authors dangerous activity. In the mind of users the worst that can actively distributed copies around. With the exception of happen is that they could accidentally stumble on some sites of auto-executing worms this method of distribution requires user explicit nature. intervention – a user has to click on an email attachment or The work by E.Wolak indicates that advertisements on launch a program. And users have been told for years to be websites are generally trusted a lot more than the same ads very cautious about all unsolicited emails. So, in such distributed via spamming [1]. For this very reason malware situations users’ defences are higher and such objects are more distribution via websites is more likely to be successful than likely to be avoided or treated with caution. by using newsgroup distribution, spamming executables or The situation changes if a user himself is browsing the Internet even spamming URLs to them.
    [Show full text]