ESET Mail Security 4 for Microsoft Exchange Server

User Guide Microsoft® Windows® Server 2000 / 2003 / 2008

ESET Mail Security
Copyright © 2010 by ESET, spol. s r.o.
ESET Mail Security was developed by ESET, spol. s r.o. For more information visit www.eset.com.
All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author.
ESET, spol. s r.o. reserves the right to change any of the described application software without prior notice.

Customer Care Worldwide: www.eset.eu/support
Customer Care North America: www.eset.com/support

REV. 4. 3. 2010

Contents

1. Introduction ... 4
   1.1 System requirements ... 4
   1.2 Methods used ... 4
       1.2.1 Mailbox scanning via VSAPI ... 4
       1.2.2 Message filtering on the SMTP server level ... 4
   1.3 Types of protection ... 4
       1.3.1 Antivirus protection ... 4
       1.3.2 Antispam protection ... 4
       1.3.3 Application of user-defined rules ... 5

2. Installation ... 6
   2.1 Typical Installation ... 6
   2.2 Custom Installation ... 7
   2.3 License ... 9
   2.4 Post-Installation Configuration ... 9

3. Update ... 11
   3.1 Proxy server setup ... 11

4. ESET Mail Security - Microsoft Exchange Server protection ... 12
   4.1 General settings ... 12
       4.1.1 Rules ... 12
           4.1.1.1 Adding new rules ... 12
           4.1.1.2 Actions ... 13
       4.1.2 Log files ... 13
       4.1.3 Message quarantine ... 13
           4.1.3.1 Adding a new quarantine rule ... 14
       4.1.4 Performance ... 14
       4.1.5 Transport Agent ... 14
   4.2 Antivirus and antispyware settings ... 15
       4.2.1 Actions ... 15
       4.2.2 Alerts and notifications ... 15
       4.2.3 Performance ... 16
       4.2.4 Virus-Scanning Application Programming Interface (VSAPI) ... 16
           4.2.4.1 Microsoft Exchange Server 5.5 (VSAPI 1.0) ... 16
               4.2.4.1.1 Actions ... 16
               4.2.4.1.2 Performance ... 16
           4.2.4.2 Microsoft Exchange Server 2000 (VSAPI 2.0) ... 17
               4.2.4.2.1 Actions ... 17
               4.2.4.2.2 Performance ... 17
           4.2.4.3 Microsoft Exchange Server 2003 (VSAPI 2.5) ... 18
               4.2.4.3.1 Actions ... 18
               4.2.4.3.2 Performance ... 19
           4.2.4.4 Microsoft Exchange Server 2007/2010 (VSAPI 2.6) ... 19
               4.2.4.4.1 Actions ... 19
               4.2.4.4.2 Performance ... 20
       4.2.5 Transport Agent ... 20
   4.3 Antispam settings ... 20
       4.3.1 Antispam engine parameter setup ... 20
       4.3.2 Alerts and notifications ... 21
       4.3.3 Transport Agent ... 21
   4.4 FAQ ... 22

1. Introduction

ESET Mail Security 4 for Microsoft Exchange Server is an integrated solution protecting user mailboxes from various types of malware content (most often they are email attachments infected by worms or trojans, documents containing harmful scripts, phishing, spam etc.). ESET Mail Security provides three types of protection: Antivirus, Antispam and application of user-defined rules. ESET Mail Security filters the malicious content on the mail server level, before it arrives in the addressee's email client inbox.

ESET Mail Security supports Microsoft Exchange Server versions 5.5 and later, in addition to Microsoft Exchange Server in a cluster environment. In newer versions (Microsoft Exchange Server 2007 and later), specific roles (mailbox, hub, edge) are also supported. You can remotely manage ESET Mail Security in larger networks with the help of ESET Remote Administrator.

As far as functionality is concerned, ESET Mail Security is very similar to ESET NOD32 Antivirus 4.0. It has all the tools necessary to ensure protection of the server-as-client (resident protection, web-access protection, email client protection and antispam), while providing Microsoft Exchange Server protection.

1.1 System requirements

Supported Operating Systems:

Microsoft Windows 2000 Server
Microsoft Windows 2003 Server (x86 and x64)
Microsoft Windows 2008 Server (x86 and x64)
Microsoft Windows 2008 Server (x64)

Supported Microsoft Exchange Server versions:

Microsoft Exchange Server 5.5 SP3, SP4
Microsoft Exchange Server 2000 SP1, SP2, SP3
Microsoft Exchange Server 2003 SP1, SP2
Microsoft Exchange Server 2007 SP1, SP2
Microsoft Exchange Server 2010

Hardware requirements depend on the operating system version and the version of Microsoft Exchange Server in use. We recommend reading the Microsoft Exchange Server product documentation for more detailed information on hardware requirements.

1.2 Methods used

Two independent methods are used to scan email messages:

Mailbox scanning via VSAPI
Message filtering on the SMTP server level

1.2.1 Mailbox scanning via VSAPI

The mailbox scanning process is triggered and controlled by the Microsoft Exchange Server. Emails in the Microsoft Exchange Server store database are scanned continuously. Depending on the version of Microsoft Exchange Server, the VSAPI interface version and the user-defined settings, the scanning process can be triggered in any of the following situations:

When the user accesses email, e.g. in an email client (email is always scanned with the latest virus signature database)

In the background, when use of the Microsoft Exchange Server is low

Proactively (based on the Microsoft Exchange Server's inner algorithm)

The VSAPI interface is currently used for antivirus scan and rule-based protection.

1.2.2 Message filtering on the SMTP server level

SMTP server-level filtering is secured by a specialized plugin. In Microsoft Exchange Server 2000 and 2003, the plugin in question (Event Sink) is registered on the SMTP server as a part of Internet Information Services (IIS). In Microsoft Exchange Server 2007/2010, the plugin is registered as a transport agent on the Edge or the Hub roles of the Microsoft Exchange Server.

SMTP server-level filtering by a transport agent provides protection in the form of antivirus, antispam and user-defined rules. As opposed to VSAPI filtering, the SMTP server-level filtering is performed before the scanned email arrives in the Microsoft Exchange Server mailbox.

1.3 Types of protection

There are three types of protection:

1.3.1 Antivirus protection

Antivirus protection is one of the basic functions of the ESET Mail Security product. It guards against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus module can eliminate it by first blocking it and then cleaning, deleting or moving it to quarantine.

1.3.2 Antispam protection

Antispam protection integrates several technologies (RBL, DNSBL, Fingerprinting, Reputation checking, Content analysis, Bayesian filtering, Rules, Manual whitelisting/blacklisting, etc.) to achieve maximum detection of email threats. The antispam scanning core's output is the spam probability value of the given email message expressed as a percentage (0 to 100). Values of 90 and above are considered sufficient for ESET Mail Security to classify an email as spam.

Another component of the antispam protection module is the Greylisting technique (disabled by default). The technique relies on the RFC 821 specification, which states that since SMTP is considered an unreliable transport, every message transfer agent (MTA) should repeatedly attempt to deliver an email after encountering a temporary delivery failure. A substantial part of spam consists of one-time deliveries (using specialized tools) to a bulk list of email addresses generated automatically. A server employing Greylisting calculates a control value (hash) for the envelope sender address, the envelope recipient address and the IP address of the sending MTA. If the server cannot find the control value for the triplet within its own database, it refuses to accept the message, returning a temporary failure code (temporary failure, for example, 451). A legitimate server will attempt a redelivery of the message after a variable time period. The triplet's control value will be stored in the database of verified connections on the second attempt, allowing any email with relevant characteristics to be delivered from then on.

1.3.3 Application of user-defined rules

Protection based on user-defined rules is available for scanning with both the VSAPI and the transport agent. You can use the ESET Mail Security user interface to create individual rules that may also be combined. If one rule uses multiple conditions, the conditions will be linked using the logical operator AND. Consequently, the rule will be executed only if all its conditions are fulfilled. If multiple rules are created, the logical operator OR will be applied, meaning the program will run the first rule for which the conditions are met.

In the scanning sequence, the first technique used is greylisting, if it is enabled. The subsequent steps always execute the following techniques in this order: protection based on user-defined rules, followed by an antivirus scan and, lastly, an antispam scan.

2. Installation

After purchase, the ESET Mail Security installer can be downloaded from ESET's website as an .msi package. Once you launch the installer, the installation wizard will guide you through the basic setup. There are two types of installation available with different levels of setup details:

1. Typical Installation
2. Custom Installation

2.1 Typical Installation

Typical installation provides configuration options appropriate for most users. The settings provide excellent security coupled with ease of use and high system performance. Typical installation is the default option and is recommended if you do not have particular requirements for specific settings.

After selecting the installation mode and clicking Next, you will be prompted to enter your username and password for automatic updates of the program. This plays a significant role in providing constant protection of your system.

Enter your Username and Password, i.e., the authentication data you received after the purchase or registration of the product, into the corresponding fields. If you do not currently have your username and password available, authentication data can be inserted at any time, directly from the program.

In the next step, License Manager, add the license file delivered via email after product purchase.

The next step is configuration of the ThreatSense.Net Early Warning System. The ThreatSense.Net Early Warning System helps ensure that ESET is immediately and continuously informed about new infiltrations in order to quickly protect its customers. The system allows for submission of new threats to ESET's Threat Lab, where they are analyzed, processed and added to the virus signature database.

By default, the Enable ThreatSense.Net Early Warning System option is selected, which will activate this feature. Click Advanced setup... to modify detailed settings for the submission of suspicious files.

The next step in the installation process is to configure Detection of potentially unwanted applications. Potentially unwanted applications are not necessarily malicious, but can often negatively affect the behavior of your operating system.

These applications are often bundled with other programs and may be difficult to notice during the installation process. Although these applications usually display a notification during installation, they can easily be installed without your consent.

Select the Enable detection of potentially unwanted applications option to allow ESET Mail Security to detect this type of threat (recommended).

The final step in Typical installation mode is to confirm installation by clicking the Install button.

2.2 Custom Installation

Custom installation is designed for users who have experience with fine-tuning programs and who wish to modify advanced settings during installation.

After selecting the installation mode and clicking Next, you will be prompted to select a destination location for the installation. By default, the program installs in C:\Program Files\ESET\ESET Mail Security\. Click Browse… to change this location (not recommended).

Next, enter your Username and Password. This step is the same as in Typical installation (see "Typical installation").

In the next step, License Manager, add the license file delivered via email after the product purchase.

After entering your username and password, click Next to proceed to Configure your Internet connection.

If you use a proxy server, it must be correctly configured for virus signature updates to work correctly. If you do not know whether you use a proxy server to connect to the Internet, select the default setting I am unsure if my Internet connection uses a proxy server. Use the same settings as Internet Explorer (Recommended) and click Next. If you do not use a proxy server, select the I do not use a proxy server option.

To configure your proxy server settings, select I use a proxy server and click Next. Enter the IP address or URL of your proxy server in the Address field. In the Port field, specify the port where the proxy server accepts connections (3128 by default). In the event that the proxy server requires authentication, enter a valid Username and Password to grant access to the proxy server. Proxy server settings can also be copied from Internet Explorer if desired. To do this, click Apply and confirm the selection.

Click Next to proceed to Configure automatic update settings. This step allows you to designate how automatic program component updates will be handled on your system. Click Change... to access the advanced settings.

If you do not want program components to be updated, select the Never update program components option.

Select the Ask before downloading program components option to display a confirmation window before downloading program components. To download program component upgrades automatically, select the Always update program components option.

NOTE: After a program component update, a restart is usually required. We recommend selecting the If necessary, restart computer without notifying option.

The next installation window offers the option to set a password to protect your program settings. Select the Protect configuration settings with a password option and choose a password to enter in the New password and Confirm new password fields.

The next two installation steps, ThreatSense.Net Early Warning System and Detection of potentially unwanted applications, are the same as in Typical installation (see "Typical installation").

Click Install in the Ready to install window to complete installation.

2.3 License

A very important step is to enter the license file for ESET Mail Security for Microsoft Exchange Server. Without it, email protection on the Microsoft Exchange Server will not work properly. If you do not add the license file during installation, you can do so later in the advanced settings, under Miscellaneous > Licenses.

There are two types of licence available for ESET Mail Security. One unlocks all ESET Mail Security-related features except Antispam; the second one unlocks everything without restriction. If the first one is used, all antispam-related features will be unavailable within ESET Mail Security.

2.4 Post-Installation Configuration

There are several options that have to be configured after the product installation.

Antispam protection setup

This section describes the settings, methods and techniques you can use to protect your network from spam. We recommend reading the following instructions carefully before choosing the most suitable combination of settings for your network.

Spam management

To ensure a high level of Antispam protection you must set actions to be performed on messages already marked as SPAM.

There are three options available:

1. Deleting spam

The criteria for a message to be marked as SPAM by ESET Mail Security are set reasonably high, decreasing the chances of deleting legitimate email. The more specific the Antispam settings, the less likely it is to delete legitimate email. Advantages of this method include very low consumption of system resources and less administration. The drawback to this method is that if a legitimate email is deleted it cannot be restored locally.

2. Quarantine

This option excludes the risk of deleting legitimate email. Messages can be restored and resent to the original recipients immediately. The drawbacks of this method are higher consumption of system resources and additional time required for email quarantine maintenance. You can use two methods to quarantine email:

A. Internal Exchange Server quarantine: If you want to use the internal server quarantine, make sure the Common message quarantine field on the right pane in the advanced settings menu (under Mail server protection > Message quarantine) is left blank.

B. Custom quarantine mailbox: If you type the desired mailbox in the Common message quarantine field, ESET Mail Security will move all new spam messages into your custom mailbox.

3. Forwarding spam

Spam will be forwarded along to its recipient. However, ESET Mail Security will fill in the relevant MIME header with the SCL value in each message. Based on the SCL value, the relevant action will be executed by the Exchange server IMF (Intelligent Message Filtering).

Spam filtering

Antispam Engine

The Antispam engine offers the three following configurations: Recommended, Most accurate, Fastest. If there is no need to optimize your configuration to allow maximum throughput (e.g. high server load), we recommend you select the Most accurate option. When the Recommended configuration is set, the server will automatically adjust its settings based on scanned messages to balance the load. When Most accurate is enabled, the settings will be optimized in regard to the catch rate. Clicking Custom > Open configuration file allows a user to edit the spamcatcher.conf file. This option is recommended for advanced users only.

Before starting full operation, we recommend that you manually configure the lists of restricted and allowed IP addresses. To do so:

1) Open the Advanced settings window and navigate to the section Antispam protection > Mail server protection.

2) Make sure to check the Enable mail server antispam protection field.

3) Click the Setup... button to set the Allowed, Ignored and Blocked IP addresses lists.

The Blocked IP addresses tab contains the list of restricted IP addresses, i.e., if any non-ignored IP in the Received headers matches an address on this list, the message scores 100 and no other checks are made.

The Allowed IP addresses tab lists all IP addresses that are approved, i.e., if the first non-ignored IP in the Received headers matches any address on this list, the message scores 0 and no other checks are made.

The Ignored IP addresses tab lists addresses that should be ignored during Real-time Blackhole List (RBL) checks. The list should include all internal IP addresses behind the firewall that are not directly accessible from the Internet. Doing so prevents unnecessary checks and helps to differentiate the external connecting IP addresses from the internal IP addresses.
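The three list semantics above, as an added Python example that is not ESET code: it takes the bracketed addresses out of a message's Received headers (topmost, i.e. newest hop, first), drops the Ignored internal hops, and applies the Blocked and Allowed rules in the order the guide lists them. The network ranges, header chains and the Blocked-before-Allowed precedence are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample lists (RFC 1918 / RFC 5737 placeholder ranges, not from the guide).
IGNORED_IPS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_IPS = [ipaddress.ip_network("203.0.113.10/32")]
BLOCKED_IPS = [ipaddress.ip_network("198.51.100.0/24")]

# Received headers normally carry the connecting client's address in square brackets.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """Return the bracketed IPv4 addresses of the Received headers, topmost (newest hop) first."""
    ips = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        match = BRACKETED_IP.search(value)
        if match:
            try:
                ips.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                pass  # malformed octet, skip this hop
    return ips


def in_list(ip, networks):
    return any(ip in net for net in networks)


def ip_list_verdict(headers):
    """Apply the guide's list semantics to one message.

    Returns (score, reason): 100 if any non-ignored hop is on the Blocked list,
    0 if the first non-ignored hop (the external connecting MTA) is on the Allowed
    list, or None when neither list applies and the remaining checks must run.
    Blocked is evaluated before Allowed; that precedence is an assumption here.
    """
    hops = [ip for ip in received_ips(headers) if not in_list(ip, IGNORED_IPS)]
    for ip in hops:
        if in_list(ip, BLOCKED_IPS):
            return 100, f"blocked:{ip}"
    if hops and in_list(hops[0], ALLOWED_IPS):
        return 0, f"allowed:{hops[0]}"
    return None


# Constructed header chains: the internal hop is on top, the external connecting MTA below it.
SAMPLE_ALLOWED = [
    ("Received", "from edge.corp.example ([10.0.0.5]) by mbx.corp.example with ESMTP"),
    ("Received", "from mail.partner.example ([203.0.113.10]) by edge.corp.example"),
]
SAMPLE_BLOCKED = [  # allowed connecting MTA, but a blocked relay deeper in the chain
    ("Received", "from edge.corp.example ([10.0.0.5]) by mbx.corp.example with ESMTP"),
    ("Received", "from mail.partner.example ([203.0.113.10]) by edge.corp.example"),
    ("Received", "from relay ([198.51.100.7]) by mail.partner.example"),
]
SAMPLE_NEUTRAL = [
    ("Received", "from edge.corp.example ([192.168.1.2]) by mbx.corp.example"),
    ("Received", "from unknown ([192.0.2.44]) by edge.corp.example"),
]

if __name__ == "__main__":
    for label, chain in (("allowed", SAMPLE_ALLOWED), ("blocked", SAMPLE_BLOCKED), ("neutral", SAMPLE_NEUTRAL)):
        print(label, ip_list_verdict(chain))
```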

Greylisting

Greylisting is a method protecting users from spam using the following technique: the transport agent sends a "temporarily reject" SMTP return value (default is 451/4.7.1) for any email from a sender it does not recognize. A legitimate server will attempt to redeliver the message. Spammers typically do not attempt to redeliver messages, because they go through thousands of email addresses at a time and typically cannot spend extra time on resending.

When evaluating the message source, the method takes into account the configurations of the Approved IP addresses list, the Ignored IP addresses list, the Safe Senders and Allow IP lists on the Exchange server and the AntispamBypass settings for the recipient mailbox. Greylisting must be thoroughly configured, or else unwanted operational flaws (e.g. delays in legitimate message deliveries etc.) may occur. These negative effects recede continuously as this method fills the internal whitelist with trusted connections. If you are not familiar with this method, or if you consider its negative side-effect unacceptable, we recommend that you disable the method in the Advanced settings menu under Antispam protection > Mail server protection > Microsoft Exchange Server > Transport agent > Enable Greylisting.

We recommend disabling greylisting if you intend to test the product's basic functionalities and do not want to configure the advanced features of the program.

NOTE: Greylisting is an additional layer of antispam protection and does not have any effect on the spam evaluation capabilities of the antispam module.
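The greylisting exchange described in section 1.3.2 and above, as an added Python example that is not part of the product: it hashes the envelope sender / envelope recipient / client IP triplet, answers 451 4.7.1 the first time a triplet is seen and accepts once a legitimate MTA retries and the triplet is moved to the verified database. The fixed retry window and the single bypass list (standing in for the Approved, Ignored and Safe Senders lists) are assumptions for the example.

```python
import hashlib
import time


class Greylist:
    """Greylisting decision for one SMTP envelope, following the guide's description.

    An unknown triplet gets a temporary reject (451 4.7.1). A retry after at least
    `min_delay` seconds moves the triplet into the verified database, after which
    mail with that triplet is accepted immediately. The delay and the bypass list
    are simplifications assumed here, not settings documented by the guide.
    """

    def __init__(self, min_delay=300, bypass_ips=(), clock=time.time):
        self.min_delay = min_delay
        self.bypass_ips = set(bypass_ips)  # stands in for the Approved/Ignored/Safe lists
        self.pending = {}                  # triplet hash -> time of first rejected attempt
        self.verified = set()              # triplet hashes of verified connections
        self.clock = clock                 # injectable so the retry timing can be simulated

    @staticmethod
    def triplet_hash(sender, recipient, client_ip):
        """Control value for the triplet; addresses are compared case-insensitively."""
        raw = "\0".join((sender.lower(), recipient.lower(), client_ip)).encode()
        return hashlib.sha256(raw).hexdigest()

    def check(self, sender, recipient, client_ip):
        """Return (smtp_code, enhanced_status_code, text) for the RCPT TO stage."""
        if client_ip in self.bypass_ips:
            return 250, "2.1.5", "OK (bypass list)"
        key = self.triplet_hash(sender, recipient, client_ip)
        if key in self.verified:
            return 250, "2.1.5", "OK"
        now = self.clock()
        first_seen = self.pending.setdefault(key, now)
        if now - first_seen < self.min_delay:
            # First sight, or a retry that came back too quickly: temporary reject.
            return 451, "4.7.1", "Greylisted, please retry later"
        # A legitimate MTA retried after its queue delay: promote the triplet.
        del self.pending[key]
        self.verified.add(key)
        return 250, "2.1.5", "OK"


if __name__ == "__main__":
    t = [0.0]
    gl = Greylist(min_delay=300, clock=lambda: t[0])
    # One-shot bulk sender: never retries, so the message is never accepted.
    print("bulk sender:", gl.check("bulk@spam.example", "user@corp.example", "192.0.2.9"))
    # Legitimate MTA: rejected once, retries after its queue delay, then accepted.
    print("legit #1:", gl.check("ann@partner.example", "user@corp.example", "203.0.113.10"))
    t[0] += 600
    print("legit #2:", gl.check("ann@partner.example", "user@corp.example", "203.0.113.10"))
```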

Antivirus protection setup

Quarantine

Depending on the type of cleaning mode you are using, we recommend that you configure an action to be performed on infected (not cleaned) messages. This option can be set in the Advanced settings window > Antivirus and antispyware > Mail server protection > Microsoft Exchange Server > Transport agent. If the option to move messages into email quarantine is enabled, you need to configure the quarantine under the section Message quarantine in the Advanced settings window.

Performance

If there are no other restrictions, our recommendation is to increase the number of ThreatSense scan engines according to this formula: number of scan engines = number of scan threads, and to increase the number of VSAPI scanning threads based on this formula: number of scan threads = (number of physical CPUs * 2) + 1, in the Advanced settings window under Antivirus and antispyware > Performance.

NOTE: We recommend that you set the number of ThreatSense scan engines equal to the number of scan threads used.

3. Update

Updating the virus signature database and updating program components are an important part of providing complete protection against malicious code. Please pay attention to their configuration and operation. From the main menu, select Update and then click Update virus signature database in the primary window to check for a newer database update. Username and Password setup... displays a dialog box where the username and password received at the time of purchase should be entered.

If the username and password were entered during installation of ESET Mail Security you will not be prompted for them at this point.

The Advanced Setup window (click Setup from the main menu and then click Advanced setup..., or press F5 on your keyboard) contains additional update options. Click Update from the Advanced Setup tree. The Update server: drop-down menu should be set to Choose automatically. To configure advanced update options such as the update mode, proxy server access, LAN connections and creating virus signature copies, click the Setup... button.

3.1 Proxy server setup

If you use a proxy server to control Internet connections on a system using ESET Mail Security, it must be specified in Advanced Setup. To access the Proxy server configuration window, press F5 to open the Advanced Setup window and click Miscellaneous > Proxy server from the Advanced Setup tree. Select the Use proxy server option and then fill in the Proxy server (IP address) and Port fields. If needed, select the Proxy server requires authentication option and then enter the Username and Password.

If this information is not available, you can attempt to automatically detect proxy server settings by clicking the Detect proxy server button.

NOTE: Proxy server options for various update profiles may differ. If this is the case, configure the different update profiles in Advanced Setup by clicking Update from the Advanced Setup tree.

4. ESET Mail Security - Microsoft Exchange Server protection

4.1 General settings

This section describes how to administer rules, log files, message quarantine and performance parameters.

4.1.1 Rules

The Rules menu item allows administrators to manually define email filtering conditions and actions to take with filtered emails. The rules are applied according to a set of combined conditions. Multiple conditions are combined with the logical operator AND, applying the rule only if all the conditions are met. The column Number (next to each rule name) displays the number of times the rule was successfully applied.

The rules are checked against a message when it is processed by the transport agent (TA) or VSAPI. When both TA and VSAPI are enabled and the message matches the rule conditions, the rule counter may increase by 2 or more. This is because VSAPI accesses each part of the message individually (body, attachment), meaning the rules are consequently applied to each part individually. Furthermore, rules are also applied during background scanning (e.g. a repeated mailbox-store scan after a virus signature database update), which can increase the rule counter.

NOTE: You can also use system variables to apply Rules (for example: %PATHEXT%).

4.1.1.1 Adding new rules

This wizard guides you through adding user-specified rules with combined conditions.

Note that not all of the conditions are applicable when the message is scanned by the transport agent.

By target mailbox applies to the name of a mailbox (VSAPI)
By message recipient applies to a message sent to a specified recipient (VSAPI + TA)
By message sender applies to a message sent by a specified sender (VSAPI + TA)
By message subject applies to a message with a specified subject line (VSAPI + TA)
By message body applies to a message with specific text in the message body (VSAPI)
By attachment name applies to a message with a specific attachment name (VSAPI)
By attachment size applies to a message with an attachment exceeding a defined size (VSAPI)
By frequency of occurrence applies to objects (email body or attachment) for which the number of occurrences within the specified time interval exceeds the specified number. This is particularly useful if you are constantly spammed with emails with the same email body or the same attachment.

When specifying the abovementioned conditions (except the By attachment size condition) it is sufficient to fill in only part of a phrase as long as the Match whole words option is not selected. Values are not case-sensitive, unless the Match case option is selected. If you are using values other than alphanumerical characters, use parentheses and quotes. You can also create conditions using the logical operators AND, OR and NOT.

NOTE: Microsoft Exchange Server 2000 (VSAPI 2.0) only evaluates the displayed sender/recipient name and not the email address. Email addresses are evaluated starting with Microsoft Exchange Server 2003 (VSAPI 2.5) and higher.

Examples of entering conditions:
By target mailbox: smith
By email sender: [email protected]
By email recipient: "J.Smith" or "[email protected]"
By email subject: " "
By attachment name: ".com" OR ".exe"
By email body: ("free" OR "lottery") AND ("win" OR "buy")
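The condition syntax above (quoted phrases, bare words, AND/OR/NOT with parentheses, Match case and Match whole words) together with the rule semantics from sections 1.3.3 and 4.1.1 (conditions within a rule ANDed, first matching rule wins), as an added Python example that is not ESET code: a small tokenizer, parser and evaluator run over constructed rules and messages. The message field names and the operator precedence (OR loosest, then AND, then NOT) are assumptions for the example.

```python
import re

OPERATORS = {"AND", "OR", "NOT"}
# A quoted phrase, a parenthesis, or a bare word (such as the "smith" example above).
TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\()|(\))|([^\s()"]+))')

def tokenize(expr):
    """Split a condition into ('STR', text), ('OP', name), ('LP', '(') and ('RP', ')') tokens."""
    expr = expr.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes as printed in the guide
    tokens, pos = [], 0
    while match := TOKEN.match(expr, pos):
        quoted, lparen, rparen, word = match.groups()
        if quoted is not None:
            tokens.append(("STR", quoted))
        elif lparen or rparen:
            tokens.append(("LP", "(") if lparen else ("RP", ")"))
        elif word.upper() in OPERATORS:
            tokens.append(("OP", word.upper()))  # operators accepted in any case ("or" works too)
        else:
            tokens.append(("STR", word))  # bare word such as the "smith" example
        pos = match.end()
    if expr[pos:].strip():
        raise ValueError(f"cannot tokenize {expr[pos:]!r}")
    return tokens

def parse(tokens):
    """Recursive descent into a tuple tree: OR binds loosest, then AND, then NOT and parentheses."""
    tokens = tokens + [("END", None)]
    pos = [0]

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def binary(op, operand):
        node = operand()
        while tokens[pos[0]] == ("OP", op):
            take()
            node = (op, node, operand())
        return node

    def unary():
        kind, value = take()
        if (kind, value) == ("OP", "NOT"):
            return ("NOT", unary())
        if kind == "LP":
            node = expression()
            if take()[0] != "RP":
                raise ValueError("missing closing parenthesis")
            return node
        if kind == "STR":
            return ("STR", value)
        raise ValueError(f"unexpected token {value!r}")

    def expression():
        return binary("OR", lambda: binary("AND", unary))

    node = expression()
    if tokens[pos[0]][0] != "END":
        raise ValueError(f"unexpected token {tokens[pos[0]][1]!r}")
    return node

def phrase_matches(text, phrase, match_case=False, whole_words=False):
    """Partial match unless Match whole words is set; case-insensitive unless Match case is set."""
    pattern = re.escape(phrase)
    if whole_words:
        pattern = rf"(?<!\w){pattern}(?!\w)"
    return re.search(pattern, text, 0 if match_case else re.IGNORECASE) is not None

def evaluate(node, text, **options):
    kind = node[0]
    if kind == "STR":
        return phrase_matches(text, node[1], **options)
    if kind == "NOT":
        return not evaluate(node[1], text, **options)
    left, right = (evaluate(child, text, **options) for child in node[1:])
    return (left and right) if kind == "AND" else (left or right)

def condition_matches(expr, text, **options):
    return evaluate(parse(tokenize(expr)), text, **options)

def first_matching_rule(rules, message, **options):
    """Conditions inside one rule are ANDed; across rules the first rule whose conditions hold wins."""
    for name, conditions in rules:
        if all(condition_matches(expr, message.get(field, ""), **options) for field, expr in conditions.items()):
            return name
    return None

RULES = [  # constructed from the guide's example conditions; the field names are assumed
    ("Executable attachment", {"attachment_name": '".com" OR ".exe"'}),
    ("Lottery spam to smith", {"body": '("free" OR "lottery") AND ("win" OR "buy")', "target_mailbox": "smith"}),
]
MSG_SPAM = {"target_mailbox": "j.smith", "body": "Claim your FREE prize and win today!", "attachment_name": "flyer.pdf"}
MSG_EXE = {"target_mailbox": "jones", "body": "See attached.", "attachment_name": "Setup.EXE"}
MSG_CLEAN = {"target_mailbox": "jones", "body": "Meeting notes", "attachment_name": "notes.docx"}
```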

4.1.1.2 Actions

This section allows you to select actions to take with messages and/or attachments matching conditions defined in rules. You can take no action, mark the message as if it contained a threat/spam or delete the whole message. When a message or its attachment matches the rule conditions, it is not scanned by the antivirus or antispam modules by default, unless scanning is enabled explicitly by selecting the respective checkboxes at the bottom (the action taken then depends on the antivirus/antispam settings).

No action - no action will be taken with the message
Mark as uncleaned threat - the message will be marked as if it contained an uncleaned threat (regardless of whether it contained the threat or not)
Mark as unsolicited email - the message will be marked as if it were spam (regardless of whether it is spam or not)
Delete message - removes the entire message with content that meets the conditions
Quarantine file - saves an attached file to the quarantine
NOTE: Do not confuse this with mail quarantine (see chapter Message quarantine)
Submit file for analysis - sends suspicious attachments to ESET's Threat Lab for analysis
Send event notification - sends a notification to the administrator (based on settings in Tools > Alerts and notifications)
Log - writes information about the applied rule in the program log
Evaluate other rules - allows the evaluation of other rules, enabling the user to define multiple sets of conditions and multiple actions to take, given the conditions
Scan by antivirus and antispyware protection - scans the message and its attachment
Scan by antispam module - scans the message using the antispam module

The last step in the new rule creation wizard is to name each created rule. You can also add a Rule comment. This information will be stored in the Microsoft Exchange Server log.

4.1.2 Log files

Log files settings let you choose how the log file will beassembled. More detailed protocol can contain moreinformation but it may slow server performance.

If Synchronized writing without using cache is enabled, all log entries will be written to the log file immediately without being stored in the log cache. By default, ESET Mail Security components running in Microsoft Exchange Server store log messages in their internal cache and send them to the application log at periodic time intervals to preserve performance. In this case, however, the diagnostic entries in the log might not be in the proper order. We recommend keeping this setting turned off unless it is necessary for diagnostics. You can specify the type of information stored in the log files in the Content menu.

4.1.3 Message quarantine

The Message quarantine mailbox is a special mailbox defined by the system administrator to store potentially infected messages and SPAM. Messages stored in quarantine can be analyzed or cleaned later using a newer virus signature database.


You can specify the message quarantine address in the Common message quarantine field ([email protected]). You can also use the Microsoft Exchange Server 2007/2010 internal quarantine system by leaving this field blank and choosing Quarantine message to the mail server system quarantine (if defined by administrator) from the drop-down menu on the bottom. Mails are then delivered to quarantine by Exchange's internal mechanism using its own settings.

In the Message quarantine by recipient field, you can define message quarantine mailboxes for multiple recipients. Every quarantine rule can be enabled or disabled by selecting or deselecting the check box in its row.

NOTE: You can also use system variables when administering the message quarantine (for example: %PATH%).

4.1.3.1 Adding a new quarantine rule

Enter the desired Recipient’s email address and the desired Quarantine email address in the appropriate fields. If you want to delete an email message addressed to a recipient who does not have a quarantine rule applied, you can select the Delete message option in the Message intended for non-existing message quarantine pull-down menu.

4.1.4 Performance

In this section, you can define a folder in which to store temporary files to improve program performance. If no folder is specified, ESET Mail Security will create temporary files in the system’s temporary folder.

NOTE: In order to reduce the potential I/O and fragmentation impact, we recommend placing the Temporary folder on a different hard drive than the one on which Microsoft Exchange Server is installed. We strongly recommend that you avoid assigning the Temporary folder to removable media such as floppy disk, USB, DVD, etc.

NOTE: You can use system variables (e.g., %SystemRoot%\TEMP) when configuring Performance settings.

4.1.5 Transport Agent

In this section, you can set up automatic startup of the transport agent as well as the agent loading priority. On Microsoft Exchange Server 2007 and later, it is only possible to install a transport agent if the server is in one of two roles: Edge Transport or Hub Transport.

NOTE: Transport agent is not available in Microsoft Exchange Server 5.5 (VSAPI 1.0).

In the Agent priority setup menu, you can set the priority of ESET Mail Security agents. The agent priority number range depends on the version of Microsoft Exchange Server (the lower the number, the higher the priority).

Write spam confidence level (SCL) to the header of scanned messages based on spam score – SCL is a normalized value assigned to a message that indicates the likelihood of the message being spam (based on the characteristics of the message header, its subject, content, etc.). A rating of 0 indicates that the message is highly unlikely to be spam, while a rating of 9 indicates that the message is very likely spam. SCL values can be processed further by the Microsoft Exchange Server's Intelligent Message Filter (or Content Filter Agent). For additional information please refer to the Microsoft Exchange Server documentation.

The When deleting messages, send SMTP reject response option:

If unchecked, the server sends an OK SMTP response to the sender’s Mail Transfer Agent (MTA) in the format ‘250 2.5.0 – Requested mail action okay, completed’ and then performs a silent drop.

If checked, an SMTP reject response is sent back to the sender’s MTA. You can type a response message in the following format:

Primary response code   Complementary status code   Description
250                     2.5.0                       Requested mail action okay, completed
451                     4.5.1                       Requested action aborted: local error in processing
550                     5.5.0                       Requested action not taken: mailbox unavailable

Warning: Incorrect syntax of the SMTP response codes can lead to malfunctioning of program components and decrease effectiveness.

NOTE: You can also use system variables when configuring SMTP Reject Responses.

4.2 Antivirus and antispyware settings

You can enable antivirus and antispyware mail server protection by selecting the Enable antivirus and antispyware mail server protection option. Note that antivirus and antispyware protection is turned on automatically after every service/computer restart.

4.2.1 Actions

In this section you can choose to append a scan task ID and/or scan result information to the header of scanned messages.

4.2.2 Alerts and notifications

ESET Mail Security allows you to append text to the original subject or body of infected messages.

By enabling Add to the subject of infected messages, ESET Mail Security will append a notification tag to the email subject with the value defined in the Template added to the subject of infected messages text field (by default [virus %VIRUSNAME%]). The above-mentioned modifications can automate infected-email filtering by filtering email with a specific subject (if supported in your email client) to a separate folder.

NOTE: You can also use system variables when adding a template to the message subject.


4.2.3 Performance

In this section, you can set the number of ThreatSense scan engines that should be used for virus scanning. More ThreatSense scan engines on multiprocessor machines can increase the scan rate.

4.2.4 Virus-Scanning Application Programming Interface (VSAPI)

Microsoft Exchange Server provides a mechanism to make sure that every message component is scanned against the current virus signature database. If a message component is not scanned, its corresponding component is submitted to the scanner before the message is released to the client. Every supported version of Microsoft Exchange Server (5.5/2000/2003/2007/2010) offers a different version of VSAPI.

4.2.4.1 Microsoft Exchange Server 5.5 (VSAPI 1.0)

This version of Microsoft Exchange Server includes VSAPI version 1.0.

The Background scanning option allows scanning of all messages in the system background. Microsoft Exchange Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your e-mail client. Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and, as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.

4.2.4.1.1 Actions

In this section you can specify the actions to be performed when a message and/or attachment is evaluated as infected.

The Actions to take if cleaning not possible field allows you to block infected content or delete the message. This action will be applied only if the automatic cleaning (defined in ThreatSense engine parameter setup > Cleaning) did not clean the message.

The Deletion option allows you to truncate a file attachment to zero size or replace an infected file with a virus protocol or rule description.

By activating Rescan, you can scan messages and files that have already been scanned again.

4.2.4.1.2 Performance

During a scan, Microsoft Exchange Server allows you to limit the time for opening message attachments. This time is set in the Response time limit (ms) field and represents the period after which the client will retry accessing the file that had previously been inaccessible due to scanning.


4.2.4.2 Microsoft Exchange Server 2000 (VSAPI 2.0)

This version of Microsoft Exchange Server includes VSAPI version 2.0.

If the Proactive scanning option is enabled, new inbound messages will be scanned in the same order in which they were received.

The Background scanning option allows scanning of all messages in the system background. Microsoft Exchange Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your e-mail client. Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and, as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.

If you want to scan plain text messages, select the Scan plain text message bodies option.

Enabling the Scan RTF email bodies option activates scanning of RTF message bodies.

4.2.4.2.1 Actions

In this section you can specify the actions to be performed when a message and/or attachment is evaluated as infected.

The Actions to take if cleaning not possible field allows you to block infected content or delete the message. This action will be applied only if the automatic cleaning (defined in ThreatSense engine parameter setup > Cleaning) did not clean the message.

The Message body deletion method option offers the choice to either delete the message body or rewrite the message body with action information.

Attachment deletion method lets you decide to delete the message, truncate the file attachment to zero size or replace the infected file with action information.

By activating Rescan, you can scan messages and files that have already been scanned again.

4.2.4.2.2 Performance

In this section you can set the number of independent scan threads used at a single time. More threads on multiprocessor machines can increase the scan rate. For the best program performance we advise using an equal number of ThreatSense scan engines and scan threads.

The Response time limit (sec.) allows you to set the maximum amount of time a thread waits for a message scan to complete. If the scan is not finished within this time limit, Microsoft Exchange Server will deny the client access to the email. Scanning will not be interrupted and, after it is finished, every other attempt to access the file will be successful.


TIP: To determine the Number of scan threads the Microsoft Exchange Server provider recommends, use the following formula: [number of physical processors] x 2 + 1.

NOTE: Performance is not improved significantly if there are more ThreatSense scanning engines than scanning threads.

4.2.4.3 Microsoft Exchange Server 2003 (VSAPI 2.5)

This version of Microsoft Exchange Server includes VSAPI version 2.5.

If the Proactive scanning option is checked, new inbound messages will be scanned in the same order in which they were received.

The Background scanning option allows scanning of all messages in the system background. Microsoft Exchange Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your e-mail client. Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and, as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.

If you want to scan plain text messages, select the Scan plain text email bodies option.

Enabling the Scan RTF email bodies option activates scanning of RTF message bodies. RTF message bodies may contain macro viruses.

The Scan transported messages option enables scanning for messages that are not stored on the local Microsoft Exchange Server and are delivered to other e-mail servers through the local Microsoft Exchange Server. If scanning for transported messages is enabled, ESET Mail Security also scans these messages. This option is only available when the transport agent is disabled.

NOTE: Plain text email bodies are not scanned by VSAPI.

4.2.4.3.1 Actions

In this section you can specify the actions to be performed if a message and/or attachment is evaluated as infected.

The Actions to take if cleaning not possible field allows you to block infected content or delete the message. This action will be applied only if the automatic cleaning (in ThreatSense engine parameter setup > Cleaning) did not clean the message.

The Message body deletion method option offers the choice to either delete the message body or rewrite the message body with action information.

Attachment deletion method lets you decide to delete the message, truncate the file attachment to zero size or replace the infected file with action information.

By activating Rescan, you can scan the messages and files that have already been scanned again.


4.2.4.3.2 Performance

In this section you can set the number of independent scan threads used at a single time. More threads on multiprocessor machines can increase the scan rate. For the best program performance we advise using an equal number of ThreatSense scan engines and scan threads.

The Response time limit (sec.) allows you to set the maximum amount of time a thread waits for a message scan to complete. If the scan is not finished within this time limit, Microsoft Exchange Server will deny the client access to the email. Scanning will not be interrupted and, after it is finished, every other attempt to access the file will be successful.

TIP: To determine the Number of scan threads the Microsoft Exchange Server provider recommends, use the following formula: [number of physical processors] x 2 + 1.

NOTE: Performance is not improved significantly if there are more ThreatSense scanning engines than scanning threads.

4.2.4.4 Microsoft Exchange Server 2007/2010 (VSAPI 2.6)

This version of Microsoft Exchange Server includes VSAPI version 2.6.

If the Proactive scanning option is enabled, new inbound messages will be scanned in the same order in which they were received.

The Background scanning option allows scanning of all messages in the system background. Microsoft Exchange Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your e-mail client. You can choose to Scan only messages with attachment and filter based on time received. Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and, as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.

Enabling the Scan RTF email bodies option activates scanning of RTF message bodies. RTF message bodies may contain macro viruses.

NOTE: Plain text email bodies are not scanned by VSAPI.

4.2.4.4.1 Actions

In this section you can specify the actions to take if a message and/or attachment is evaluated as infected.

The Actions to take if cleaning not possible field allows you to block infected content or delete the message. This action will be applied only if the automatic cleaning (defined in ThreatSense engine parameter setup > Cleaning) did not clean the message.

The Message body deletion method option offers the choice to either delete the message body or rewrite the message body with action information.

Attachment deletion method lets you decide to delete the message, truncate the file attachment to zero size or replace the infected file with action information.

If the Use VSAPI Quarantine option is enabled, infected messages will be stored in the email server quarantine. Please note that this is the server's managed quarantine (not the client's quarantine or the quarantine mailbox). Infected messages stored in mail server quarantine are inaccessible until they are cleaned with the latest virus signature database.

By activating Rescan, you can scan messages and files that have already been scanned again.

4.2.4.4.2 Performance

In this section you can set the number of independent scan threads used at a single time. More threads on multiprocessor machines can increase the scan rate. For the best program performance we advise using an equal number of ThreatSense scan engines and scan threads.

TIP: To determine the Number of scan threads the Microsoft Exchange Server provider recommends, use the following formula: [number of physical processors] x 2 + 1.

NOTE: Performance is not improved significantly if there are more ThreatSense scanning engines than scanning threads.

4.2.5 Transport Agent

In this section you can enable or disable antivirus and antispyware protection by the transport agent. For Microsoft Exchange Server 2007 and higher it is only possible to install a transport agent if the server is in one of two roles: Edge Transport or Hub Transport.

If the message cannot be cleaned, you can delete it, send it to the quarantine mailbox or retain it.

If a threat is found, you can choose to write a spam score to the scanned message and specify the value (in %). Since botnets are responsible for sending the majority of infected messages, the messages distributed this way are to be categorized as spam. The Write spam confidence level (SCL) to scanned messages based on spam score option (in Mail server protection > Microsoft Exchange Server > Transport agent) must be enabled in order for this feature to work effectively.

You can also choose to scan messages received from authenticated sources or local servers.

4.3 Antispam settings

In the Mail server protection section you can enable spam protection for the installed mail server, configure antispam engine parameters and set other levels of protection.

4.3.1 Antispam engine parameter setup

You can select a profile from a set of preconfigured profiles (such as the Recommended, Most accurate or Fastest profiles). The list of profiles is loaded from the Antispam module.

The Recommended profile is comprised of the recommended settings, striking a balance between security and impact on system performance.

The Most accurate profile is focused solely on mail server security. This profile requires more system resources than the Recommended profile.

The Fastest profile is preconfigured for a minimal usage of system resources, achieved through the disabling of some scanning features.

Custom > Open configuration file allows a user to edit the spamcatcher.conf file. This option is recommended for advanced users only.


In the Allowed IP addresses tab you can specify IPs that should be approved, i.e., if the first non-ignored IP in Received headers matches any address in this list, the message scores 0 and no other checks are made.

In the Ignored IP addresses tab you can specify IPs that should be ignored during Real-time Blackhole List (RBL) checks. You should include all internal IP addresses within the firewall not directly accessible from the Internet. Doing so prevents unnecessary checks and helps identify actual connecting IP addresses. Internal IP addresses are already skipped by the engine (192.168.x.y and 10.x).

In the Blocked IP addresses tab you can specify IPs that should be blocked, i.e., if any non-ignored IP in Received headers matches an address in this list, the message scores 100 and no other checks are made.

In the Allowed domains tab you can specify domains used in the message body that should be approved.

In the Ignored domains tab you can specify domains used in the message body that should always be excluded from the DNSBL and MSBL checks and ignored.

In the Blocked domains tab you can specify domains used in the message body that should always be blocked.
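The Allowed, Ignored and Blocked IP address tabs above define a short-circuit evaluation over the Received headers. The following added example (a model written for this guide, not ESET's antispam engine) walks the Received chain newest-first, skips the ignored and internal ranges the guide names, and returns the 0/100 score or no decision; it assumes the blocked-list check is evaluated before the allowed-list check when both match, and its sample headers and addresses are constructed.

```python
"""Model of the Allowed / Ignored / Blocked IP list checks (added example, not ESET code).

Assumptions: Received headers are listed newest-first as in a real message, so
the 'first non-ignored IP' is the nearest external hop; 192.168.0.0/16 and
10.0.0.0/8 are always skipped as the guide states; a blocked match takes
precedence over an allowed match. Sample headers below are constructed.
"""
import ipaddress
import re

# Source address as MTAs usually write it in a Received header: "... ([203.0.113.7]) ..."
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

ALWAYS_IGNORED = [ipaddress.ip_network("192.168.0.0/16"),
                  ipaddress.ip_network("10.0.0.0/8")]


def received_ips(headers):
    """Return the bracketed source IP of every Received: header, newest first."""
    ips = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = _IP_RE.search(value)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def ip_list_score(headers, allowed=(), ignored=(), blocked=()):
    """Return 0 (approved), 100 (blocked) or None (no decision; other checks continue)."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    ignored = [ipaddress.ip_network(i) for i in ignored] + ALWAYS_IGNORED
    blocked = [ipaddress.ip_network(b) for b in blocked]
    # Drop ignored/internal hops so that the real connecting IP is visible.
    candidates = [ip for ip in received_ips(headers) if not _in_any(ip, ignored)]
    if not candidates:
        return None
    # Blocked list: any non-ignored hop on the list is enough (score 100).
    if any(_in_any(ip, blocked) for ip in candidates):
        return 100
    # Allowed list: only the first non-ignored hop counts (score 0).
    if _in_any(candidates[0], allowed):
        return 0
    return None


# Constructed sample: internal relay, then a partner relay, then an unknown sender.
SAMPLE_HEADERS = [
    ("Received", "from mail.internal.example ([192.168.1.20]) by exch01; Thu, 4 Mar 2010"),
    ("Received", "from relay.partner.example ([203.0.113.7]) by mail.internal.example"),
    ("Received", "from unknown ([198.51.100.9]) by relay.partner.example"),
    ("Subject", "quarterly report"),
]

if __name__ == "__main__":
    print(ip_list_score(SAMPLE_HEADERS, allowed=["203.0.113.7"]))          # 0
    print(ip_list_score(SAMPLE_HEADERS, blocked=["198.51.100.0/24"]))      # 100
    print(ip_list_score(SAMPLE_HEADERS, allowed=["198.51.100.9"]))         # None
```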

4.3.2 Alerts and notifications

Each email scanned by ESET Mail Security and marked as spam can be flagged by appending a notification tag to the email subject. By default, the tag is [SPAM], although it can be a user-defined string.

NOTE: You can also use system variables when adding a template to the message subject.

4.3.3 Transport Agent

In this section you can set up options for spam protection using the transport agent.

NOTE: The transport agent is not available in Microsoft Exchange Server 5.5.

You can take any of the following actions with spam messages:

Retain the message even if it is marked as spam
Send the message to the quarantine mailbox
Delete the message

If you want to include information about a message’s spam score in its header, enable the Write spam score to scanned messages option.

The Enable Greylisting function activates a feature that protects users from spam using the following technique: The transport agent will send a “temporarily reject” SMTP return value (default is 451/4.7.1) for any received email that is not from a recognized sender. A legitimate server will try to resend the message after a delay. Spam servers will typically not attempt to resend the message, as they usually go through thousands of email addresses and do not waste time resending. Greylisting is an additional layer of antispam protection and does not have any effect on the spam evaluation capabilities of the antispam module. When evaluating the message source the method takes into account the configurations of the Approved IP addresses list, the Ignored IP addresses list, the Safe Senders and the Allow IP lists on the Exchange server and the AntispamBypass settings for the recipient mailbox. Emails from these IP addresses/senders lists or emails delivered to a mailbox that has the AntispamBypass option enabled will be bypassed by the greylisting detection method.

The SMTP response for temporarily denied connections field defines the SMTP temporary denial response sent to the SMTP server if a message is refused.

Example of SMTP response message:

Primary response code   Complementary status code   Description
451                     4.7.1                       Requested action aborted: local error in processing

Warning: Incorrect syntax in SMTP response codes may lead to malfunctioning of greylisting protection. As a result, spam messages may be delivered to clients or messages may not be delivered at all.

Time limit for the initial connection denial (min.) – when a message is delivered for the first time and temporarily refused, this parameter defines the time period during which the message will always be refused (measured from the first refusal). After the defined time period has elapsed, the message will be successfully received. The minimum value you can enter is 1 minute.

Unverified connections expiration time (hours) – this parameter defines the minimum time interval for which the triplet data will be stored. A valid server must resend a desired message before this period expires. This value must be greater than the value of Time limit for the initial connection denial.

Verified connections expiration time (days) – the minimum number of days for which the triplet information is stored, during which emails from a particular sender will be received without any delay. This value must be greater than the value of Unverified connections expiration time.
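The greylisting technique and the three timers above describe a small state machine per sender triplet. The following added example (written for this guide; it is not ESET's implementation) models that machine so the interaction of the timers, the ordering constraints between them and the bypass lists can be exercised without waiting for real retries; it assumes the triplet is (connecting IP, envelope sender, envelope recipient), that a verified triplet's window is refreshed by each accepted message, and the timer values used in the demonstration are constructed.

```python
"""Greylisting triplet state machine (added example, not ESET's implementation).

Assumptions: a triplet is (connecting IP, envelope sender, envelope recipient);
the temporary denial uses the guide's default 451 / 4.7.1; a verified triplet's
window is refreshed by every accepted message. Clock values are passed in so
the logic can be exercised without real delays.
"""
from datetime import datetime, timedelta

TEMP_REJECT = (451, "4.7.1", "Requested action aborted: local error in processing")
ACCEPT = (250, "2.5.0", "Requested mail action okay, completed")


class Greylist:
    def __init__(self, initial_denial_min, unverified_expiry_h, verified_expiry_days,
                 bypass_ips=(), bypass_recipients=()):
        # Ordering rules stated in the guide: denial < unverified expiry < verified expiry.
        if initial_denial_min < 1:
            raise ValueError("initial denial must be at least 1 minute")
        if unverified_expiry_h * 60 <= initial_denial_min:
            raise ValueError("unverified expiration must exceed the initial denial time")
        if verified_expiry_days * 24 <= unverified_expiry_h:
            raise ValueError("verified expiration must exceed the unverified expiration")
        self.denial = timedelta(minutes=initial_denial_min)
        self.unverified_ttl = timedelta(hours=unverified_expiry_h)
        self.verified_ttl = timedelta(days=verified_expiry_days)
        self.bypass_ips = set(bypass_ips)                      # approved/ignored IP lists
        self.bypass_recipients = {r.lower() for r in bypass_recipients}  # AntispamBypass
        self.unverified = {}  # triplet -> time of first refusal
        self.verified = {}    # triplet -> time of last accepted message

    def check(self, ip, sender, recipient, now):
        """Return the SMTP response tuple for one delivery attempt at time `now`."""
        triplet = (ip, sender.lower(), recipient.lower())
        if ip in self.bypass_ips or triplet[2] in self.bypass_recipients:
            return ACCEPT                      # greylisting is bypassed entirely
        self._expire(now)
        if triplet in self.verified:
            self.verified[triplet] = now       # known good sender: no delay
            return ACCEPT
        first = self.unverified.get(triplet)
        if first is None:
            self.unverified[triplet] = now     # first sight: always refuse
            return TEMP_REJECT
        if now - first < self.denial:
            return TEMP_REJECT                 # retried too early: still refused
        del self.unverified[triplet]           # legitimate retry: promote to verified
        self.verified[triplet] = now
        return ACCEPT

    def _expire(self, now):
        """Forget triplets whose storage interval has elapsed."""
        for t, seen in list(self.unverified.items()):
            if now - seen >= self.unverified_ttl:
                del self.unverified[t]
        for t, seen in list(self.verified.items()):
            if now - seen >= self.verified_ttl:
                del self.verified[t]


if __name__ == "__main__":
    # Constructed demonstration values: 5 min denial, 6 h unverified, 36 day verified.
    g = Greylist(5, 6, 36)
    t0 = datetime(2010, 3, 4, 9, 0)
    args = ("203.0.113.7", "alice@sender.example", "bob@corp.example")
    for delay in (0, 2, 6):
        print(delay, g.check(*args, t0 + timedelta(minutes=delay))[0])  # 451, 451, 250
```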

NOTE: You can also use system variables when defining the SMTP reject response.

4.4 FAQ

Q: After installing ESET Mail Security with Antispam, emails stopped being delivered into mailboxes.
A: If Greylisting is enabled, this is normal behavior. In the first hours of full ESET Mail Security operation emails may arrive with several hours of delay. If the issue continues for a longer period, we recommend you turn off (or reconfigure) Greylisting.

Q: When the VSAPI scans email attachments, does it also scan email message bodies?
A: In Microsoft Exchange Server 2000 SP2 and later, the VSAPI scans email message bodies as well.

Q: Why does message scanning continue after the VSAPI option has been disabled?
A: Changes to VSAPI settings run asynchronously, meaning the modified VSAPI settings have to be called by the Microsoft Exchange Server to go into effect. This cyclic process runs in intervals of approximately one minute. The same applies to all other VSAPI settings.

Q: Can VSAPI remove an entire message containing an infected attachment?
A: Yes, VSAPI can remove the entire message. However, it is necessary to select the Delete whole message option in the Actions section of the VSAPI settings first. This option is available in Microsoft Exchange Server 2003 and later. Older versions of Microsoft Exchange Server do not support removal of entire messages.

Q: Is outgoing email also scanned by VSAPI for viruses?
A: Yes, VSAPI scans outgoing emails unless you have configured an SMTP server in your mail client that is different from your Microsoft Exchange Server. This feature is applied in Microsoft Exchange Server 2000 Service Pack 3 and later.

Q: Is it possible to add a notification tag text via VSAPI to each scanned message, in the same manner as the Transport agent?
A: Adding text to messages scanned by VSAPI is not supported in Microsoft Exchange Server.

Q: Sometimes I can‘t open a particular email in Microsoft Outlook. Why is that?
A: The Action to take if cleaning not possible option in your VSAPI settings in the Actions section is most likely set to Block, or you have created a rule that includes the Block action. Either of these settings will mark and block both infected messages and/or messages that fall under the aforementioned rule.

Q: What does the Response time limit item in the Performance section stand for?
A: If you have Microsoft Exchange Server 2000 SP2 or later, the value Response time limit represents the maximum time in seconds required to finish the VSAPI scanning of one thread. If the scan is not finished within this time limit, Microsoft Exchange Server will deny the client access to the email. Scanning will not be interrupted and, after it is finished, every other attempt to access the file will be successful. If you have Microsoft Exchange Server 5.5 SP3 or SP4, the value will be expressed in milliseconds and represents the period after which the client will retry accessing the file that had been previously inaccessible due to scanning.

Q: How long can the list of file types be in one rule?
A: The file extensions list can contain a maximum of 255 characters in a single rule.

Q: I have enabled the Background scanning option in VSAPI. Until now, messages on Microsoft Exchange Server were always scanned after each virus signature database update. This didn’t happen after the last update. Where is the problem?
A: The decision to scan all messages immediately or at the user's attempt to access a message depends on several factors, including server load, CPU time required to scan all messages in bulk and the total number of messages. The Microsoft Exchange Server will scan every message before it reaches the client’s inbox.

Q: Why did the rule counter increase by more than one after receiving a single message?
A: The rules are checked against a message when it is processed by the transport agent (TA) or VSAPI. When both TA and VSAPI are enabled and the message matches the rule conditions, the rule counter may increase by 2 or more. VSAPI accesses the parts of the message individually (body, attachment), meaning the rules are consequently applied to each part individually. Furthermore, rules can be applied during a background scan (e.g. a repeated mailbox-store scan after a virus signature database update), which can increase the rule counter.