Symantec™ Mail Security for Microsoft ® Exchange Implementation Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 5.0.3

Legal Notice

Copyright © 2006 Symantec Corporation.

All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec Logo, and Symantec AntiVirus Corporate Edition are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Windows is a trademark of Microsoft Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA

www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functions, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

http://www.symantec.com/techsupp/enterprise/

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you use.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

http://www.symantec.com/techsupp/enterprise/

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.


When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

  ■ Available memory, disk space, NIC information

■ Operating system

  ■ Version and patch level

■ Network topology

  ■ Router, gateway, and IP address information

■ Problem description:

  ■ Error messages and log files

  ■ Troubleshooting that was performed before contacting Symantec

  ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

http://www.symantec.com/techsupp/enterprise/

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

http://www.symantec.com/techsupp/enterprise/

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts

■ Information about Symantec Value License Program

■ Advice about Symantec's technical support options


■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Additional services that are available include the following:

■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

■ Educational Services: These services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise Services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.

Symantec Software License Agreement

Symantec™ Mail Security for Microsoft® Exchange

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE “I DO NOT AGREE”, “NO” BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License: The software which accompanies this license (collectively the “Software”) is the property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, you will have certain rights to use the Software after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to you. Except as may be modified by a Symantec license certificate, license coupon, or license key (each a “License Module”) which accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this Software are as follows:

You may:

A. use that number of copies of the Software as have been licensed to you by Symantec under a License Module, provided that if the Software is part of a suite of Symantec software licensed to you, the number of copies you may use of all titles of the software in the suite, including the Software, may not exceed the total number of copies so indicated in the License Module in the aggregate, as calculated by any combination of licensed suite products. Your License Module shall constitute proof of your right to make such copies. If no License Module accompanies, precedes, or follows this license, you may make one copy of the Software you are authorized to use on a single computer.

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of your computer and retain the original for archival purposes;

C. use the Software on a network, provided that you have a licensed copy of the Software for each computer that can access the Software over that network; and

D. after written notice to Symantec, transfer the Software on a permanent basis to another person or entity, provided that you retain no copies of the Software and the transferee agrees to the terms of this license.

You may not:

A. copy the printed documentation which accompanies the Software;

B. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

C. use a previous version or copy of the Software after you have received a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed;

D. use a later version of the Software than is provided herewith unless you have purchased upgrade insurance or have otherwise separately acquired the right to use such later version;

E. use, if you received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which you have not received a permission in a License Module; or

F. use the Software in any manner not authorized by this license.

2. Content Updates: Certain Symantec software products utilize content that is updated from time to time (antivirus products utilize updated virus definitions; content filtering products utilize updated URL lists; firewall products utilize updated firewall rules; vulnerability assessment products utilize updated vulnerability data, etc.; collectively, these are referred to as “Content Updates”). You may obtain Content Updates for any period for which you have purchased upgrade insurance for the product, entered into a maintenance agreement that includes Content Updates, or otherwise separately acquired the right to obtain Content Updates. This license does not otherwise permit you to obtain and use Content Updates.

3. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to you. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Software. Symantec does not warrant that the Software will meet your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.

4. Disclaimer of Damages: REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether you accept the Software.

5. U.S. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items”, as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

6. General: This Agreement will be governed by the laws of the State of California. This Agreement may only be modified by a License Module which accompanies this license or by a written document which has been signed by both you and Symantec. Should you have any questions concerning this Agreement, or if you desire to contact Symantec for any reason, please write: Symantec Customer Service, 555 International Way, Springfield, OR 97477.


Contents

Technical Support

Chapter 1 Introducing Symantec Mail Security for Microsoft ExchangeAbout Symantec Mail Security for Microsoft Exchange ................................15What’s new in Symantec Mail Security ............................................................16Components of Symantec Mail Security ..........................................................18How Symantec Mail Security works .................................................................20What you can do with Symantec Mail Security ..............................................20

Manage your Exchange environment using policies ..............................21Scan your Exchange server for risks and violations ..............................22Protect against threats ................................................................................22Keep your protection up-to-date ...............................................................22Identify spam email .....................................................................................23Filter undesirable message content ..........................................................24Save messages to a folder for archiving ...................................................24Manage outbreaks ........................................................................................25Quarantine infected message bodies and attachments .........................25Monitor Symantec Mail Security events ..................................................26Generate reports ..........................................................................................26Send notifications when a threat or violation is detected .....................27Manage single and multiple Exchange servers .......................................27

Where to get more information about Symantec Mail Security ..................27

Chapter 2 Installing Symantec Mail Security for Microsoft ExchangeBefore you install .................................................................................................29

Software component locations ..................................................................30About security and access permissions ....................................................32

System requirements ..........................................................................................33Server system requirements ......................................................................33Console only system requirements ...........................................................34

About installing Symantec Mail Security ........................................................34Installing Symantec Mail Security on a local server ..............................35About installing Symantec Mail Security on remote servers ...............40Installing the Symantec Mail Security console only ..............................43About installing Symantec Mail Security in a Microsoft Cluster .........45

Page 10: SMS Implementation Guide

10 Contents

Post-installation tasks ........................................................................................ 50About setting up impersonation privileges on the IWAM account ..... 51Restarting the IIS ......................................................................................... 51Implementing SSL communications ......................................................... 51Accessing the Symantec Mail Security console ...................................... 52About using Symantec Mail Security with other antivirus

products ................................................................................................. 57Setting scanning threads and number of scan processes ..................... 58

Migrating to version 5.0.3 .................................................................................. 59Uninstalling Symantec Mail Security .............................................................. 60

Chapter 3 Activating licensesAbout licensing .................................................................................................... 63How to activate a license .................................................................................... 64

If you do not have a serial number ............................................................ 65Obtaining a license file ............................................................................... 65About the Symantec Premium AntiSpam license file ............................ 67Installing license files ................................................................................. 68Checking the license status of a server .................................................... 69

If you want to renew a license ........................................................................... 69

Chapter 4 Managing your Exchange serversAbout managing your Exchange servers ......................................................... 71Deploying settings to a server or group ........................................................... 72How to manage servers and server groups ...................................................... 74

Modifying or viewing server or server group settings .......................... 74Viewing the status of a server ................................................................... 75Creating a server group .............................................................................. 76Adding servers to a group .......................................................................... 77Moving a server to another group ............................................................. 78Synchronizing group settings to a server ................................................ 80Restoring default settings to a server or group ...................................... 80Removing a server from group management .......................................... 81Removing a server group ............................................................................ 81Importing and exporting settings ............................................................. 82Modifying the port and communication properties of a server ........... 83

Chapter 5 Quarantining messages and attachmentsAbout the quarantine .......................................................................................... 85Forwarding quarantined items to the Quarantine Server ............................ 86Establishing local quarantine thresholds ........................................................ 87Viewing the contents of the local quarantine ................................................. 88

Page 11: SMS Implementation Guide

11Contents

Release messages from the quarantine ............................................................90Releasing messages from the quarantine by email ................................90Releasing messages from the quarantine to a file ..................................92

Deleting an item from the quarantine ..............................................................93

Chapter 6 Protecting your server from risksAbout protecting your server from risks .........................................................95

How Symantec Mail Security detects risks ..............................................97Configuring threat detection .............................................................................98Configuring security risk detection ................................................................100Configuring file scanning limits ......................................................................102Configuring rules to address unscannable container files ..........................104

Chapter 7 Identifying spamAbout spam detection .......................................................................................107

How Symantec Mail Security detects and processes spam .................109About spam confidence level (SCL) values .............................................110

Blocking spam using real-time blacklists ......................................................112Configuring whitelists .......................................................................................113How to detect spam using Symantec Premium AntiSpam ..........................114

How the Symantec Premium AntiSpam service works ........................115About spam foldering ................................................................................117About registering Symantec Premium AntiSpam through an

ISA server ............................................................................................117Configuring your proxy server to download spam definition

updates .................................................................................................118About the Symantec Spam Folder Agent for Exchange .......................119About the Symantec Spam Plug-in for Outlook ....................................124Configuring Symantec Premium AntiSpam to identify spam ............130What you can do with spam and suspected spam messages ...............132

Configuring heuristic antispam protection ...................................................141

Chapter 8 Filtering content using content filtering rulesAbout filtering content .....................................................................................145

About default content filtering rules ......................................................147About content evaluation .........................................................................147Elements of a content filtering rule ........................................................149

Working with match lists .................................................................................154

Page 12: SMS Implementation Guide

12 Contents

Working with content filtering rules .............................................................157Specifying inbound SMTP domains ........................................................157Enabling or disabling content filtering for auto-protect scanning ...158Creating a new rule ....................................................................................159Editing an existing rule .............................................................................159About configuring a content filtering rule ............................................160Prioritizing content filtering rules .........................................................168Deleting a content filtering rule ..............................................................169Refreshing the Active Directory groups cache .....................................169

How to enforce email attachment policies ....................................................170Blocking attachments by file name .........................................................170Configuring multimedia file detection ...................................................172Configuring executable file detection ....................................................175

Chapter 9 Scanning your Exchange servers for threats and violationsAbout the scanning process .............................................................................178Configuring auto-protect scanning ................................................................179About manual scans ..........................................................................................180

Configuring the manual scan parameters .............................................180Running a manual scan ............................................................................182Viewing manual scan results ...................................................................183

About scheduling a scan ...................................................................................183Creating a scheduled scan ........................................................................183Editing a scheduled scan ..........................................................................184Configuring scheduled scan options .......................................................184Enabling a scheduled scan ........................................................................187Deleting a scheduled scan ........................................................................187

Configuring notification settings for scan violations ..................................188

Chapter 10 Managing outbreaksAbout outbreak management ..........................................................................189

What defines an outbreak ........................................................................190About outbreak triggers ...........................................................................191

Enabling outbreak management .....................................................................192Configuring outbreak triggers .........................................................................193Configuring outbreak notifications ................................................................194Clearing outbreak notifications .......................................................................195

Page 13: SMS Implementation Guide

13Contents

Chapter 11 Logging events and generating reportsAbout logging events .........................................................................................197

Viewing the Symantec Mail Security Event log ....................................198Specifying the duration for storing data in the Reports database .....200Purging the Reports database ..................................................................201

About report templates .....................................................................................201About report output formats ....................................................................202Creating or modifying a Summary report template .............................203Creating or modifying a Detailed report template ...............................208Deleting a report template .......................................................................211

What you can do with reports ..........................................................................211Generating a report on demand ...............................................................211Accessing a report ......................................................................................212Printing a report ........................................................................................214Saving report data .....................................................................................214Deleting a report ........................................................................................215Resetting statistics ....................................................................................216

Chapter 12 Updating your protectionAbout keeping your server protected .............................................................217

Configuring a proxy server to permit LiveUpdate definitions ...........218About setting up your own LiveUpdate server ......................................220

How to update definitions ................................................................................220Updating definitions on demand .............................................................220Scheduling definition updates .................................................................221

Distributing definitions to multiple servers ..................................................222

Appendix A Using variables to customize alerts and notificationsAbout alert and notification variables ............................................................225

Appendix B Integrating Symantec Mail Security with SESAAbout SESA .........................................................................................................227Interpreting Symantec Mail Security events in SESA .................................229Configuring logging to SESA ............................................................................230

Configuring SESA 2.1 to recognize Symantec Mail Security ..............231Configuring SESA 2.5 to recognize Symantec Mail Security ..............232Installing the local SESA Agent ...............................................................235Updating the Windows hosts file to log events to SESA 2.5 ...............235Configuring Symantec Mail Security to log events to SESA ...............236


About uninstalling SESA ..................................................... 236
About uninstalling the SIP ............................................... 236
About uninstalling the SESA Agent ................................... 237

Index


Chapter 1

Introducing Symantec Mail Security for Microsoft Exchange

This chapter includes the following topics:

■ About Symantec Mail Security for Microsoft Exchange

■ What’s new in Symantec Mail Security

■ Components of Symantec Mail Security

■ How Symantec Mail Security works

■ What you can do with Symantec Mail Security

■ Where to get more information about Symantec Mail Security

About Symantec Mail Security for Microsoft Exchange

Symantec™ Mail Security for Microsoft® Exchange is a complete, customizable, and scalable solution that scans email messages that pass through the Microsoft Exchange server.

Symantec Mail Security protects your Exchange server from the following:

■ Threats (such as viruses, Trojan horses, worms, and denial-of-service attacks)

■ Security risks (such as adware and spyware)


■ Unwanted content

■ Unsolicited email messages (spam)

Symantec Mail Security also lets you manage the protection of one or multiple Exchange servers from a single console.

See “What you can do with Symantec Mail Security” on page 20.

The Exchange environment is only one avenue by which a threat can penetrate a network. For complete protection, ensure that every computer and workstation is protected by an antivirus solution.

See “About using Symantec Mail Security with other antivirus products” on page 57.

What’s new in Symantec Mail Security

Table 1-1 lists the new and enhanced features in Symantec Mail Security 5.0.3 for Microsoft Exchange.

Table 1-1 New and enhanced features

Feature Description

Protection from mail-based security risks

Symantec Mail Security protects your mail environment from security risks, such as spyware and adware.

See “Configuring security risk detection” on page 100.

Redesigned console

You can manage a single mail server or a group of servers from the same console. The new console lets you view summary information about the activities on an individual mail server or a group of servers.

See “Accessing the Symantec Mail Security console” on page 52.

Improved support for cluster environments

Symantec Mail Security is Microsoft cluster-aware. In a clustering environment, multiple nodes on the network operate like a single system to ensure high availability.

Symantec Mail Security is installed as a cluster resource on an active/passive cluster. It is designed to interact with and detect the nodes that are within the cluster environment.

See “About installing Symantec Mail Security in a Microsoft Cluster” on page 45.

Automatic server discovery

Symantec Mail Security can automatically detect the Exchange servers that are within your organization using Active Directory.


User-based and group-based policies

You can select the users or groups for which a content filtering policy applies.

You can configure the rule to apply to all Active Directory groups or to only the users or Active Directory groups that you select. You can also specify users or groups who are exceptions to the rule.

See “About configuring a content filtering rule” on page 160.

File attachment content scanning

You can scan for content violations within file attachments.

Symantec Mail Security supports over 300 file attachment types and common file types, such as Microsoft Office documents, Adobe Acrobat PDF files, text files, RTF files, and database files.

See “About configuring a content filtering rule” on page 160.

Multimedia and executable file detection based on true file type

Symantec Mail Security can detect multimedia and executable files based on an analysis of their true file type instead of relying on their file extensions.

See “Configuring multimedia file detection” on page 172.

See “Configuring executable file detection” on page 175.

Summary and Detailed reports

You can generate a report that contains statistics about the scanning activities that occurred on one or more mail servers. You can configure Symantec Mail Security to send the report to the email addresses that you specify.

See “What you can do with reports” on page 211.

Automatically save messages to a folder

You can save messages that are identified as spam or suspected spam, or messages that trigger content filtering violations, to a specified folder. This lets you use an archiving program to automatically archive messages in the folder.

See “Save messages to a folder for archiving” on page 24.


Components of Symantec Mail Security

Table 1-2 lists the components of Symantec Mail Security.

Table 1-2 Product components

Component Description Location on the product CD

Symantec Mail Security for Microsoft Exchange

This is the software that you install to protect your Exchange servers. It protects your servers from threats (such as viruses and denial-of-service attacks) and security risks (such as adware and spyware). It also detects spam email messages and unwanted content.

\SMSMSE\Install\

LiveUpdate™ Administration Utility

This is the utility that lets you configure one or more intranet FTP, HTTP, or LAN servers to act as internal LiveUpdate servers. LiveUpdate lets Symantec products download program and definition file updates directly from Symantec or from a LiveUpdate server.

For more information, see the LiveUpdate Administrator’s Guide on the Symantec Mail Security product CD in the following location:

\DOCS\LUA\Luadmin.pdf

\ADMTOOLS\LUA\

Symantec Spam Folder Agent for Exchange

This is the program that lets you install a spam foldering agent. The foldering agent works with the Symantec Premium AntiSpam service. It lets you automatically route spam and suspected spam messages to a spam folder in each user’s inbox.

The Symantec Spam Folder Agent is recommended for Exchange 2000 servers only.

\ADMTOOLS\SPA\BSFA\


Outlook Plug-in

This is the software that lets you submit missed spam and false positives to Symantec. It also lets users administer allowed senders and blocked senders lists and block email messages based on language identification.

The Outlook Plug-in is used with the Symantec Premium AntiSpam service.

The Outlook Plug-in can be used on Exchange 2000 and Exchange 2003 servers.

\ADMTOOLS\SPA\BMOP\

Symantec Enterprise Security Administration (SESA) Integration Package (SIP)

This is the software configuration package that you must install on each computer that runs a SESA Manager. The SIP extends SESA functionality to include Symantec Mail Security event data.

\ADMTOOLS\SIPI\

Adobe® Acrobat® Reader® 6.0

This is the software that makes it possible to read electronic documentation in Portable Document Format (PDF).

\DOCS\ar60enu.exe

Symantec Central Quarantine

Symantec Mail Security can forward infected messages and messages that contain violations from the local quarantine to the Central Quarantine, which acts as a central repository.

For more information, see the Symantec Central Quarantine Administrator’s Guide on the Symantec Mail Security product CD in the following location:

\DOCS\DIS\CentQuar.pdf

\ADMTOOLS\DIS


How Symantec Mail Security works

In a typical configuration, Symantec Mail Security scans items (message headers, bodies, and attachments) that are sent to Exchange servers by SMTP or directly to the store (mailboxes and public folders) by MAPI.

Symantec Mail Security can scan messages and their attachments to detect the following:

■ Risks

Such as viruses, worms, Trojan horses, adware, and spyware

See “About protecting your server from risks” on page 95.

■ Spam

See “About spam detection” on page 107.

■ Content filtering rule violations

See “About filtering content” on page 145.

See “About the scanning process” on page 178.

When spam, a risk, or a content filtering rule violation is detected, Symantec Mail Security takes the actions that you specify in the respective policies.

See “Manage your Exchange environment using policies” on page 21.

Symantec Mail Security contains a decomposer that extracts container files so that they can be scanned for risks and content filtering violations. The decomposer continues to extract nested container files until it reaches the base file. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to the Unscannable File Rule.

See “Configuring rules to address unscannable container files” on page 104.
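The decomposer behaviour described above, together with the true-file-type detection listed under the new features, as an added illustration that is not code from this guide or from the product: a recursive container extractor that stops at a nesting limit and marks the item unscannable, and classifies each base file by its leading bytes rather than by its extension. The signature table, the depth-counting semantics, and the constructed sample attachment (a PE header renamed to .txt inside two nested ZIPs) are assumptions made for this example; the product's actual limits and its table of over 300 file types are not reproduced.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Leading-byte signatures used to identify a base file's true type regardless
# of its extension. Constructed for this example, not the product's own table.
SIGNATURES = (
    (b"MZ", "executable"),        # DOS/Windows PE executable
    (b"PK\x03\x04", "zip"),       # ZIP container (also Office OOXML files)
    (b"%PDF", "pdf"),
    (b"ID3", "mp3"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"RIFF", "riff"),            # WAV / AVI multimedia
)


def true_type(data: bytes) -> str:
    """Classify content by its leading bytes, never by its file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


@dataclass
class ScanResult:
    base_files: list = field(default_factory=list)  # (path, true_type, extension)
    unscannable: bool = False
    reason: str = ""


def decompose(name: str, data: bytes, max_depth: int,
              result: ScanResult = None, depth: int = 0) -> ScanResult:
    """Extract containers recursively until base files are reached.

    When the nesting depth reaches max_depth, scanning stops and the item is
    marked unscannable, which is the point at which the guide says the
    Unscannable File Rule takes over (the limit value itself is assumed here).
    """
    if result is None:
        result = ScanResult()
    kind = true_type(data)
    if kind != "zip":
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        result.base_files.append((name, kind, ext))
        return result
    if depth >= max_depth:
        result.unscannable = True
        result.reason = f"nesting limit {max_depth} reached at {name}"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            decompose(f"{name}/{info.filename}", zf.read(info),
                      max_depth, result, depth + 1)
            if result.unscannable:
                break
    return result


def disguised_executables(result: ScanResult) -> list:
    """Base files whose true type is executable but whose extension is not."""
    return [path for path, kind, ext in result.base_files
            if kind == "executable" and ext not in ("exe", "dll", "scr", "com")]


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed sample: a PE header renamed to .txt, two containers deep."""
    inner = make_zip({
        "invoice.txt": b"MZ\x90\x00" + b"\x00" * 60,   # executable posing as text
        "notes.txt": b"plain text body",
    })
    return make_zip({"inner.zip": inner, "readme.pdf": b"%PDF-1.4 constructed stub"})


if __name__ == "__main__":
    full = decompose("attachment.zip", build_sample_attachment(), max_depth=3)
    print(full.base_files, disguised_executables(full))
    limited = decompose("attachment.zip", build_sample_attachment(), max_depth=1)
    print(limited.unscannable, limited.reason)
```

With a generous depth the scan reaches all three base files and flags invoice.txt as an executable; with max_depth=1 the second container trips the limit, no base file is reported, and the caller would apply its unscannable-file handling to the whole attachment.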

What you can do with Symantec Mail Security

You can use Symantec Mail Security to do the following:

■ Manage your Exchange environment using policies

■ Scan your Exchange server for risks and violations

■ Protect against threats

■ Keep your protection up-to-date

■ Identify spam email

■ Filter undesirable message content

■ Save messages to a folder for archiving


■ Manage outbreaks

■ Quarantine infected message bodies and attachments

■ Monitor Symantec Mail Security events

■ Generate reports

■ Send notifications when a threat or violation is detected

■ Manage single and multiple Exchange servers

Manage your Exchange environment using policies

Symantec Mail Security scans email messages and their attachments for policy violations. A policy is a set of rules designed to detect potential risks to your Microsoft Exchange mail system or content policy violations.

Symantec Mail Security contains the following policies:

General

Contains rules controlling scanning limits, exceptions, and outbreak management

Antivirus

Contains rules for detecting threats in messages and attachments with viruses, virus-like characteristics, or security risks, such as adware or spyware

Antispam

Contains rules for the following:

■ Allowed senders

■ Recipients whose email messages are not scanned for spam

■ Real-time blacklist domains

Also lets you enable and configure the heuristic antispam engine or the Symantec Premium AntiSpam service

Content Enforcement

Contains rules for filtering inappropriate content in message bodies and attachments

Scan your Exchange server for risks and violations

You can keep your server protected by performing any of the following types of scans:

Auto-protect scanning

Auto-protect scanning detects risks, spam, and content filtering rule violations in real-time as email messages are routed through the Exchange server to the information store.

Manual scans

Manual scans are on-demand scans of local mailbox and public folder items.

Scheduled scans

These are scans that run according to the schedule that you specify.

See “About the scanning process” on page 178.

Protect against threats

Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, and worms) to identify new risks. After a threat is identified, information about the threat (a signature) is stored in a definition file. This file contains information to detect and eliminate the threat. When Symantec Mail Security scans for threats, it searches for these signatures.

Symantec Mail Security also uses Symantec Bloodhound heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments.

See “Configuring threat detection” on page 98.

Keep your protection up-to-date

Symantec Mail Security relies on up-to-date information to detect and eliminate risks. One of the most common reasons computers are vulnerable to attacks is that definition files are out-of-date. Symantec regularly supplies updated definition files.

Using LiveUpdate, Symantec Mail Security connects to a Symantec server over the Internet and automatically determines if definitions need to be updated. If they do, the definition files are downloaded to the proper location and installed. If you need a quicker response for emerging threats, you can use Rapid Release to get the most current definitions that are available.

If your organization has both front-end and back-end Exchange servers, consider using Rapid Release definitions on the front-end servers for the fastest response to new threats and certified LiveUpdate definitions on the back-end mailbox servers.

See “About keeping your server protected” on page 217.

See “About using Symantec Mail Security with other antivirus products” on page 57.

Note: To update definitions, you must have a valid content license.

See “About licensing” on page 63.

Identify spam email

Spam is unsolicited bulk email, most often advertising messages for a product or service. It wastes productivity, time, and network bandwidth.

You can use one of the following features to identify spam:

Symantec Premium AntiSpam

Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available. You must have a valid Symantec Premium AntiSpam license to enable Symantec Premium AntiSpam.

See “How to detect spam using Symantec Premium AntiSpam” on page 114.

See “About the Symantec Premium AntiSpam license file” on page 67.

Heuristic antispam

The heuristic antispam feature uses a pattern-matching, heuristics engine to compare the contents of email messages to a list of spam characteristics. You can select the antispam engine sensitivity level.

See “Configuring heuristic antispam protection” on page 141.

You can enhance heuristic or premium antispam detection by specifying domains that are allowed to bypass antispam scanning or that are automatically blocked. You can also specify email addresses to which inbound emails are permitted to bypass real-time blacklist blocking and antispam scanning.

See “Blocking spam using real-time blacklists” on page 112.

See “Configuring whitelists” on page 113.

Filter undesirable message content

Symantec Mail Security lets you filter undesirable content using the following features:

Match lists

To filter content that applies to a specific situation, you can create a match list that includes words and phrases that are standard for or particular to your company or industry and for which you want to filter content.

After you create a match list, you can define a content filtering rule that uses the match list. A content filtering rule can refer to one or more match lists. Match lists can consist of literal strings, regular expressions, or DOS wildcard expressions.

See “Working with match lists” on page 154.

Content filtering rules

You can create content filtering rules that apply to SMTP inbound and SMTP outbound mail and the Exchange information store. Content filtering rules let you filter messages for attachment names, attachment content, specific words, phrases, subject lines, and senders. Symantec Mail Security takes the action that you specify in the rule when it detects a violation.

Symantec Mail Security also provides File Filtering Rules. File Filtering Rules let you filter email messages based on attached file names or file types, such as multimedia or executable files.

See “Working with content filtering rules” on page 157.

Save messages to a folder for archiving

You can configure Symantec Mail Security to automatically save email messages that trigger violations (such as spam and content filtering violations) to a folder location that you specify. This lets you configure your mail archiving solution to archive the messages in this folder. Maintaining archives of files can help your organization comply with regulatory requirements, such as the Sarbanes-Oxley Act of 2002 (SOX).

See “Configuring heuristic antispam protection” on page 141.

See “Processing spam messages” on page 133.

See “About configuring a content filtering rule” on page 160.

If you specify an absolute path (with ':'; for example, C:\Program Files\Archive), Symantec Mail Security creates the folder, if one does not already exist. If you specify a relative path (without ':'; for example, Archive), Symantec Mail Security creates a subfolder underneath the “SavedMessages” folder in the server installation directory, if one does not already exist.

The mail foldering option is only available for inbound and outbound SMTP traffic.
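As an added example (not code from this guide or from the product), the match-list and content-filtering-rule model described above: entries of the three kinds the guide names (literal strings, regular expressions, and DOS wildcard expressions) compiled into one match list, and a rule that references one or more match lists, applies only to the traffic directions it is scoped to, and returns its configured action on a violation. The wildcard translation, the word-boundary handling, the scope names, and the sample message body are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MatchEntry:
    kind: str       # "literal", "regex" or "wildcard"
    pattern: str


def dos_wildcard_to_regex(pattern: str) -> str:
    """Translate a DOS-style wildcard into a regular expression.

    Design choice for this example: '*' matches any run of word characters
    and '?' exactly one, so a wildcard never spills across several words.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"\w*")
        elif ch == "?":
            parts.append(r"\w")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def _word_bounded(body: str) -> str:
    # Lookarounds rather than \b so patterns may start or end with symbols.
    return r"(?<!\w)" + body + r"(?!\w)"


def compile_entry(entry: MatchEntry):
    if entry.kind == "literal":
        return re.compile(_word_bounded(re.escape(entry.pattern)), re.IGNORECASE)
    if entry.kind == "wildcard":
        return re.compile(_word_bounded(dos_wildcard_to_regex(entry.pattern)), re.IGNORECASE)
    if entry.kind == "regex":
        return re.compile(entry.pattern, re.IGNORECASE)
    raise ValueError(f"unknown match entry kind: {entry.kind}")


def build_match_list(entries):
    """A match list is the set of its entries, each compiled once."""
    return [(entry, compile_entry(entry)) for entry in entries]


def find_violations(match_list, text: str):
    """Return (kind, pattern, matched text) for every entry that hits."""
    hits = []
    for entry, rx in match_list:
        m = rx.search(text)
        if m:
            hits.append((entry.kind, entry.pattern, m.group(0)))
    return hits


@dataclass
class ContentRule:
    name: str
    match_lists: list   # a rule can refer to one or more match lists
    scope: tuple        # any of "smtp_inbound", "smtp_outbound", "store" (assumed names)
    action: str         # e.g. "quarantine" or "log"


def evaluate_rule(rule: ContentRule, direction: str, text: str):
    """Apply a rule to one message; None means no violation (or out of scope)."""
    if direction not in rule.scope:
        return None
    for match_list in rule.match_lists:
        hits = find_violations(match_list, text)
        if hits:
            return (rule.action, hits)
    return None


# Constructed match list and rule for a fictitious internal project.
PROJECT_TERMS = build_match_list([
    MatchEntry("literal", "Project Phoenix"),
    MatchEntry("regex", r"\bDOC-\d{6}\b"),     # constructed document-id format
    MatchEntry("wildcard", "confiden*"),
])
OUTBOUND_LEAK_RULE = ContentRule("Outbound project terms", [PROJECT_TERMS],
                                 ("smtp_outbound",), "quarantine")

SAMPLE_BODY = "Reminder: the Project Phoenix plan (DOC-123456) is confidential."

if __name__ == "__main__":
    print(evaluate_rule(OUTBOUND_LEAK_RULE, "smtp_outbound", SAMPLE_BODY))
    print(evaluate_rule(OUTBOUND_LEAK_RULE, "smtp_inbound", SAMPLE_BODY))
```

The wildcard entry also matches "confidence", which is the usual cost of wildcard entries compared with literals; reviewing a match list against a sample of normal traffic before enabling a blocking action is how that kind of false positive is caught.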

Manage outbreaks

An outbreak occurs when the number of threats to the Microsoft Exchange system that are detected over a period of time exceeds a specified limit.

Symantec Mail Security lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications when an outbreak is detected. You can also select an action to take when an outbreak is detected, such as deleting the entire message, deleting the attachment or message body, quarantining the attachment or message body, or logging the event.

You can set rules that define an outbreak in terms of an event, for example, the same threat being detected a specified number of times within a specified time period. You can also configure Symantec Mail Security to send notifications and alerts when an outbreak occurs.

See “About outbreak management” on page 189.
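The outbreak rule described above ("the same threat occurs a specified number of times within a specified time period"), as an added example that is not code from this guide or from the product: a sliding-window counter per threat name, fed from constructed detection log lines, that raises one alert carrying the configured action when the threshold is reached inside the window. The log line format, the threat names, and the reset-after-alert behaviour are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class OutbreakRule:
    """Alert when one threat is detected at least `threshold` times within a
    sliding window of `window_seconds`, and report the action to take."""

    def __init__(self, threshold: int, window_seconds: int, action: str = "log"):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.action = action
        self._recent = defaultdict(deque)   # threat name -> timestamps inside window
        self.alerts = []                    # (threat, time of alert, count, action)

    def record(self, threat: str, when: datetime) -> bool:
        """Feed one detection; return True when it completes an outbreak."""
        q = self._recent[threat]
        q.append(when)
        # Evict detections that have fallen out of the window.
        while q and when - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((threat, when, len(q), self.action))
            q.clear()   # one burst yields one alert; counting restarts afterwards
            return True
        return False


# Constructed detection log lines (not real product output):
# "<date> <time> THREAT <threat name> <detail>"
SAMPLE_LOG = """\
2006-03-14 09:00:05 THREAT W32.Sample.Worm@mm attachment=invoice.exe
2006-03-14 09:01:00 THREAT Trojan.Sample.Gen attachment=setup.exe
2006-03-14 09:02:10 THREAT W32.Sample.Worm@mm attachment=invoice.exe
2006-03-14 09:04:30 THREAT W32.Sample.Worm@mm attachment=invoice.exe
2006-03-14 10:30:00 THREAT W32.Sample.Worm@mm attachment=invoice.exe
2006-03-14 10:31:00 THREAT W32.Sample.Worm@mm attachment=invoice.exe
"""


def parse_detection(line: str):
    """Return (timestamp, threat name) for a THREAT line, else None."""
    parts = line.split(" ", 4)
    if len(parts) < 5 or parts[2] != "THREAT":
        return None
    date, time, _kind, threat, _detail = parts
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), threat


def detect_outbreaks(log_text: str, threshold: int = 3,
                     window_seconds: int = 600, action: str = "quarantine"):
    """Replay a detection log through one outbreak rule and return its alerts."""
    rule = OutbreakRule(threshold, window_seconds, action)
    for line in log_text.splitlines():
        parsed = parse_detection(line)
        if parsed:
            when, threat = parsed
            rule.record(threat, when)
    return rule.alerts


if __name__ == "__main__":
    for alert in detect_outbreaks(SAMPLE_LOG):
        print(alert)
```

With the defaults (three detections within ten minutes) the worm's first three hits produce a single alert at 09:04:30 and the two later hits do not, because they are only two; tightening the window to two minutes instead fires on the two hits at 10:30 and 10:31 and ignores the morning burst, which is spread more than two minutes apart. The threshold and window should be tuned against the normal detection rate of the environment so that routine, unrelated detections do not read as an outbreak.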

Quarantine infected message bodies and attachments

Symantec Mail Security for Microsoft Exchange includes a local quarantine that can store infected message bodies and attachments that are detected during scans. You can configure Symantec Mail Security to quarantine threats, security risks, content filtering violations, and file filtering violations in the local quarantine.

Quarantined items that contain threats can be forwarded to the Symantec Central Quarantine, if it is installed. The Symantec Central Quarantine program is available on the Symantec Mail Security product CD.

See “About the quarantine” on page 85.


Monitor Symantec Mail Security events

Symantec Mail Security logs events to the Windows Application Event Log. You can view events that are logged to the Windows Application Event Log from the console.

See “Viewing the Symantec Mail Security Event log” on page 198.

Symantec Mail Security logs extensive report data on threats, security risks, content violations, spam, and server information to a reports database. You can use this data to generate summary or detailed reports based on different subsets of the data.

See “About logging events” on page 197.

You can also configure Symantec Mail Security to post events to Symantec Enterprise Security Architecture (SESA). SESA is an event management system that compiles data for events that Symantec and supported third-party products generate.

Symantec Mail Security sends a subset of security and application events to SESA. The events that Symantec Mail Security generates include failed definition updates, threat detections, unscannable files, and spam events.

See “Configuring Symantec Mail Security to log events to SESA” on page 236.

Generate reports

Symantec Mail Security collects and saves scan data on your Exchange servers. You can create reports from the data, which gives you a history of risk detection activity and rule violations.

Report templates let you define a subset of the raw report data that is collected by Symantec Mail Security for a single server. Report templates can include different categories or combinations of security-related statistics.

You can create different report templates to describe different subsets of the raw report data. Once you create a report template, you use it to generate reports.

Symantec Mail Security provides two pre-configured report templates that you can modify. You can also create your own report templates. When you create or modify a report template, Symantec Mail Security provides a wizard to guide you through the configuration process.


The types of report templates that you can create are as follows:

■ Summary

See “Creating or modifying a Summary report template” on page 203.

■ Detailed

See “Creating or modifying a Detailed report template” on page 208.

Send notifications when a threat or violation is detected

Symantec Mail Security provides several options for notifying administrators and email recipients of risks and violations.

You define the conditions under which an alert is sent. You can also customize the alert message text for each alert condition that you define.

See “Configuring notification settings for scan violations” on page 188.

Manage single and multiple Exchange servers

Symantec Mail Security can protect one or more Exchange servers. If your organization has multiple Exchange servers, you can manage all of the servers from the same console that you use to manage a single server. By switching between server view and group view, you can manage the configuration settings for individual servers, a logical grouping of servers (such as all front-end servers), or all servers in a specific location.

See “About managing your Exchange servers” on page 71.

Where to get more information about Symantec Mail Security

Symantec Mail Security includes a comprehensive help system that contains conceptual, procedural, and context-sensitive information.

Press F1 to access information about the page on which you are working. If you want more information about features that are associated with the page, select a More Information link in the Help page, or use the Table of Contents, Index, or Search tabs in the Help viewer to locate a topic.

The About folder in the Help page provides information about the feature or topic. If there are procedures that are associated with a feature or topic, a How to folder for the Help topic is enabled. Click that folder to display the procedures.


You can visit the Symantec Web site for more information about your product. The following online resources are available:

www.symantec.com/techsupp/ent/enterprise.html

Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions

www.symantec.com/licensing/els/help/en/help.html

Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administration

www.enterprisesecurity.symantec.com

Provides product news and updates

www.securityresponse.symantec.com

Provides access to the Virus Encyclopedia, which contains information about all known threats; information about hoaxes; and access to white papers about threats

Chapter 2

Installing Symantec Mail Security for Microsoft Exchange

This chapter includes the following topics:

■ Before you install

■ System requirements

■ About installing Symantec Mail Security

■ Post-installation tasks

■ Migrating to version 5.0.3

■ Uninstalling Symantec Mail Security

Before you install

Before you install Symantec Mail Security, ensure that all pre-installation and system requirements are met. You should also ensure that you have an installation plan that best matches your organization’s needs.

See “System requirements” on page 33.

Symantec Mail Security supports upgrades from Symantec Mail Security 4.x. If you are upgrading from a prior version, you should review the migration information.

See “Migrating to version 5.0.3” on page 59.


Before you install the product, you should do the following:

■ If you are running Symantec Brightmail™ AntiSpam on the same server on which you want to install Symantec Mail Security, you must uninstall Symantec Brightmail AntiSpam before you install Symantec Mail Security.

■ The email tools feature of Symantec AntiVirus Corporate Edition is not compatible with Microsoft Exchange or Symantec Mail Security for Microsoft Exchange. You must uninstall the feature before you install Symantec Mail Security.

■ You must disable any antivirus software on the server on which you want to install Symantec Mail Security. After installation, you should re-enable the antivirus protection.

See “About using Symantec Mail Security with other antivirus products” on page 57.

■ To install Symantec Mail Security components correctly, log on as a Windows domain administrator.

See “Software component locations” on page 30.

■ For optimal visibility, modify your screen resolution to 1024 x 768.

Software component locations

Table 2-1 lists the default locations in which Symantec Mail Security installs software components.

Table 2-1 Software component locations

Component Location

Symantec Mail Security program files

C:\Program Files\Symantec\SMSMSE\5.0\Server

Quarantined items in encrypted format

Note: You should configure all antivirus file system scanners to exclude the quarantine directory from scanning. The system scanners might try to scan and delete Symantec Mail Security files that are placed in the quarantine directory.

C:\Program Files\Symantec\SMSMSE\5.0\Server\Quarantine

Reporting data

C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports


Data files for reports that are generated

C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports\<report name>

The file type can be .csv, .html, .xml, or an image file.

Report templates

C:\Program Files\Symantec\SMSMSE\5.0\Server\Reports\Templates

Match list files

C:\Program Files\Symantec\SMSMSE\5.0\Server\MatchLists

Heuristic antispam configuration files, allowed senders files, and Symantec Premium AntiSpam configuration files

C:\Program Files\Symantec\SMSMSE\5.0\Server\SpamPrevention

Location where Symantec Mail Security scans items

Note: You should configure all antivirus products that scan files to exclude the Temp directory from scanning. The system scanners might try to scan and delete Symantec Mail Security files that are placed in the Temp directory during the scanning process.

C:\Program Files\Symantec\SMSMSE\5.0\Server\Temp

Dynamic-link libraries for Symantec Premium AntiSpam

C:\Program Files\Symantec\SMSMSE\5.0\Server\bin

Manual scan configuration data

C:\Program Files\Symantec\SMSMSE\5.0\Server\Config

Configuration files for allowed and blocked senders for Symantec Premium AntiSpam

C:\Program Files\Symantec\SMSMSE\5.0\Server\etc

Component logs for Symantec Premium AntiSpam

C:\Program Files\Symantec\SMSMSE\5.0\Server\logs

Statistical information on the effectiveness of Symantec Premium AntiSpam rules

C:\Program Files\Symantec\SMSMSE\5.0\Server\stats

Console files

C:\Program Files\Symantec\SMSMSE\5.0\UI


Component to update virus definitions

C:\Program Files\Symantec\LiveUpdate

Definitions

C:\Program Files\Common Files\SymantecShared\VirusDefs

License files

C:\Program Files\Common Files\SymantecShared\Licenses

Verity content extraction component

C:\Program Files\Symantec\SMSMSE\5.0\Server\Verity\bin

Symantec Mail Security Web service components

C:\Program Files\Symantec\SMSMSE\5.0\Server\DExLService\bin

.NET Framework 1.1 service pack 1.1

C:\Windows\Microsoft.NET\Framework

SESA agent installation files

C:\Program Files\Server\AgtInst

Symantec rulesets

C:\Program Files\Server\

About security and access permissions

Users must have System Administrator privileges to configure or modify Symantec Mail Security settings.

When you install the product, Symantec Mail Security automatically creates the SMSMSE viewers group in Active Directory and assigns the group read-only access to Symantec Mail Security components and features. Users in this group cannot change settings for Symantec Mail Security. Users can run reports, view event logs, and view settings through the console.

The SMSMSE viewers group is domain-wide for Active Directory. You can use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to change membership in this group.

During the security set-up process, security is also set for the Symantec Mail Security registry key and file folders. You must have administrator access to the local servers and domain administrator rights for the security set-up to proceed.


System requirements

Ensure that you meet the appropriate system requirements for the type of installation that you are performing.

See “About installing Symantec Mail Security” on page 34.

Server system requirements

You must have domain administrator-level privileges to install Symantec Mail Security.

The server system requirements are as follows:

Operating system

■ Windows 2000 Server/Advanced Server/Data Center SP4

■ Windows Server 2003 Standard/Enterprise/Data Center SP1

Exchange platform

■ Exchange 2000 Server SP3/Enterprise Server

■ Exchange Server 2003/Enterprise Server

Minimum system requirements

■ Intel® Server class 32-bit processor

■ 1 GB RAM

■ 775 MB available disk space

This is the available disk space required for Symantec Mail Security and the required third-party components. It does not include the space required for items such as quarantined messages and attachments, reports, and log data.

■ .NET Framework version 1.1 SP1 (is automatically installed if not detected)

■ MDAC 2.6 or higher (is automatically installed if not detected)

■ DirectX 8.01 or higher (DirectX 9 is automatically installed if not detected)

See “Installing Symantec Mail Security on a local server” on page 35.

See “About installing Symantec Mail Security on remote servers” on page 40.

See “About installing Symantec Mail Security in a Microsoft Cluster” on page 45.

Page 34: SMS Implementation Guide

If you install Symantec Mail Security on a Windows 2000 Server Domain Controller that does not allow impersonation, you might have difficulty changing settings in a group view or from a remote console. You should run Microsoft Exchange on a computer that is not a Domain Controller. If this is not feasible, set the computer to allow impersonation by configuring the “Impersonate a client after authentication” policy for the IWAM account.

See “About setting up impersonation privileges on the IWAM account” on page 51.

Console only system requirements

You can install the Symantec Mail Security console only. The console only system requirements are as follows:

Operating system

■ Windows 2000 Server SP4

■ Windows Server 2003 SP1

■ Windows XP SP1

Minimum system requirements

■ Intel Server class 32-bit processor

■ 512 MB RAM

■ 162 MB available disk space

This does not include the space required for items such as quarantined messages and attachments, reports, and log data.

■ .NET Framework version 1.1 SP1 (is automatically installed if not detected)

See “Installing the Symantec Mail Security console only” on page 43.

About installing Symantec Mail Security

Use any of the following installation procedures, depending on the type of installation that you want to perform:

Local server installation

You can install or upgrade Symantec Mail Security on a local computer that is running Microsoft Exchange Server.

See “Installing Symantec Mail Security on a local server” on page 35.

Page 35: SMS Implementation Guide

See “Migrating to version 5.0.3” on page 59.

Remote server installation

If you have multiple servers on which you want to install or upgrade Symantec Mail Security, after you install Symantec Mail Security to a local server, you can use the Asset Management tool in the console to install the product to remote servers.

See “About installing Symantec Mail Security on remote servers” on page 40.

Console only installation

You can install the product console on a computer that is not running Symantec Mail Security. This lets you manage your servers from any computer that has access to your Exchange servers.

See “Installing the Symantec Mail Security console only” on page 43.

Microsoft Clustering service installation

If you are installing Symantec Mail Security with the Microsoft Clustering service, follow the instructions for clustering service installation.

See “About installing Symantec Mail Security in a Microsoft Cluster” on page 45.

Installing Symantec Mail Security on a local server

You can install Symantec Mail Security on a local Microsoft Exchange Server. You must install the product on a local server before you can perform the remote server or console installations.

Before you begin the installation process, ensure that you have met the system requirements.

See “System requirements” on page 33.

You must be logged on as a member of the administrator group on the local computer and have domain administrator privileges on the computer on which you want to install Symantec Mail Security.

If you do not have .NET Framework version 1.1 SP1, MDAC 2.6 or higher, or DirectX 8.01 or higher installed, Symantec Mail Security automatically installs these components during installation. If Symantec Mail Security installs any of these components, you are prompted to restart your computer after installation is complete.

When installation is complete, a Symantec Mail Security icon is placed on the computer desktop.

Page 36: SMS Implementation Guide

To install Symantec Mail Security on a local server, do the following:

Begin the installation process

The installation wizard guides you through the installation process of selecting upgrade configurations (if applicable), the product installation folder location, and the type of installation that you want to perform.

Configure additional setup options and confirm settings

You can specify if you want to stop IIS during installation, specify the Web service set-up values, designate an email notification address, install the SESA agent, and review your setup configurations.

See “Installing the local SESA Agent” on page 235.

Install licenses

You can install your licenses during installation.

See “About licensing” on page 63.

If you install a valid content license, Symantec Mail Security lets you perform a LiveUpdate to obtain the most current definitions.

See “About keeping your server protected” on page 217.

To begin the installation process

1 Insert the Symantec Mail Security product CD in the CD-ROM drive.

The installation program launches automatically. If it does not, you should run cdstart.exe from the product CD.

2 Click Install Symantec Mail Security for Microsoft Exchange.

3 In the InstallShield welcome panel, click Next.

4 Click Next until you reach the Software License Agreement panel.

Page 37: SMS Implementation Guide

5 In the License Agreement panel, click I accept the terms in the license agreement, and then click Next.

You must accept the terms of the license agreement for the installation to continue.

6 In the Existing Settings panel, select one of the following, and then click Next:

Restore default settings

Applies the default settings of the version that you are installing.

Retain existing settings

Retains your existing settings.

This panel only appears if you are upgrading.

7 In the Destination Folder panel, do one of the following:

■ To install the product in the default location, click Next.

The default directory is as follows:

C:\Program Files\Symantec\SMSMSE\5.0\Server

■ To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.

Symantec Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam service, you cannot install the product to a directory that contains high ASCII characters.

8 In the Setup Type panel, click Complete, and then click Next.

9 In the Setup Preview panel, click Next.

This panel only appears if Symantec Mail Security must install a third-party component (such as .NET Framework).

See “Server system requirements” on page 33.

10 In the information dialog box, click OK.

Page 38: SMS Implementation Guide

To configure additional setup options

1 In the IIS Reset Options panel, select whether to stop IIS during installation, and then click Next.

2 In the Web Service Setup panel, do one of the following:

■ Click Next if you want to accept the default values.

■ Modify the following settings, and then click Next:

IP/Name

By default, the computer name resolves to the primary external network interface card (NIC). You can also use an IP address.

The IP address validates the availability of the port.

Port #

Port 8081 is the default port number for the Web service that is used by Symantec Mail Security. If port 8081 is being used by another application, a different default port number appears.

If you change the port number, use a port number that is not used by another application. You should not use port 80. Port 80 is the port number that is used by the default Web service, which is hosted by Microsoft Internet Information Services (IIS).

3 In the Notification Email Address panel, do one of the following to specify the administrator to notify of violations and outbreaks:

■ Click Next if you want to accept the default value.

■ Modify the originator email address, and then click Next.

4 In the Symantec Enterprise Security Architecture panel, select one of the following:

No

Select this option if you do not have a SESA server or do not want to install the SESA agent at this time.

Yes

Select this option if you have a SESA server and want to install the SESA agent.

In the IP Address of SESA Server box, type the SESA IP address.

See “Integrating Symantec Mail Security with SESA” on page 227.

5 Click Next.

Page 39: SMS Implementation Guide

6 In the Setup Summary panel, review the information, and then click Next.

If you need to make any modifications, click Back to return to the appropriate panel.

7 In the Ready to Install the Program panel, click Install.

To install a license and update definitions

1 In the Install Content License File panel, do one of the following:

To install a license file

Do the following:

■ Click Browse, locate the license file, and then click Open.

■ Click Install, and in the confirmation dialog box, click OK. Repeat this process for each license that you have to install.

■ Click Next.

To install a license file later through the console

Click Skip, and then click Next.

See “About licensing” on page 63.

2 In the LiveUpdate panel, do one of the following:

To perform a LiveUpdate

Click Yes, and then click Next.

In the LiveUpdate Options window, click Start.

When LiveUpdate is complete, click Close.

To perform a LiveUpdate at a later time

Click No, and then click Next.

See “About keeping your server protected” on page 217.

This panel only appears if you installed a valid license.

3 Click Finish.

The option “Show the readme file” is checked by default. The Readme file contains information that is not available in the product documentation.

4 Click Yes to restart your computer.

This option only appears if Symantec Mail Security installed .NET Framework, MDAC, or DirectX during the installation process. You must restart your computer for the necessary changes to take effect.

See “Post-installation tasks” on page 50.

Page 40: SMS Implementation Guide

About installing Symantec Mail Security on remote servers

After you install Symantec Mail Security on a local server or install the console, you can install the Symantec Mail Security server component on remote servers. You can also upgrade from versions 4.x.

See “Migrating to version 5.0.3” on page 59.

Before you install the product on remote servers, you should review the pre-installation information and system requirements.

See “Before you install” on page 29.

See “System requirements” on page 33.

If you do not have .NET Framework version 1.1 SP1, MDAC 2.6 or higher, or DirectX 8.01 or higher installed, Symantec Mail Security automatically installs these components during installation. If Symantec Mail Security installs any of these components, after installation is complete, the remote computer is automatically restarted.

To install Symantec Mail Security on remote servers, do the following:

■ Customize installation settings, if needed.

Remote servers are installed with default installation settings. If you want to customize the installation settings and apply them to a remote server, you can add the custom features to the vpremote.dat file.

See “Customizing remote server installation settings” on page 40.

■ Install Symantec Mail Security on remote servers.

See “Installing the product on a remote server” on page 42.

Customizing remote server installation settings

There may be cases in which you want to customize the installation of Symantec Mail Security on a remote Exchange server. For example, you might want to change the following settings:

■ Installation location

■ Default email address for notifications

■ Stop/start of IIS

Page 41: SMS Implementation Guide

Table 2-2 lists the remote customization options that you can modify. Each entry gives the property, its description, its default value, and its optional value.

Table 2-2 Remote customization options

EMAILADDRESS=
Description: Address of the domain administrator for the “Address of sender” and “Administrator and others to notify” Notification/Alert settings
Default value: N/A
Optional value: (Email address of domain administrator)

EXISTINGSETTINGGROUP=
Description: Controls whether to retain a previous version’s settings or apply the default settings of the new version
Default value: Retain
Optional value: Restore

IIS_RESET=
Description: Controls whether to stop and restart IIS
Default value: Yes
Optional value: No

INSTALL_SESA=
Description: Determines whether to install SESA
Default value: No
Optional value: Yes

INSTALLDIR=
Description: The default product installation directory
Default value: [drive]:\Program Files\Symantec\SMSMSE\5.0\
Optional value: (Any valid path)

PORTNUMBER=
Description: The port that is used by the product for Web services
Default value: 8081
Optional value: (Any valid port)

REMOTEINSTALL=
Description: Controls whether the console appears during installation. Set to 1 if you are performing a silent installation.
Default value: 0
Optional value: 1 to hide consoles

SESAIP=
Description: The IP address of the SESA server
Default value: N/A
Optional value: (A valid SESA IP number)

Page 42: SMS Implementation Guide

Warning: The following entry should not be changed: {setup.exe /s /v"/qn NOT_FROM_ARP=1"}. You can append to the entry. For example, {setup.exe /s /v"/qn NOT_FROM_ARP=1 REMOTEINSTALL=1"}

To customize remote server installation settings

1 Locate the folder that contains the Symantec Mail Security console files. The default location is as follows:

\Program Files\Symantec\SMSMSE\5.0\UI\

2 Using WordPad or a similar tool, open the following file:

vpremote.dat

3 Insert one or more properties by doing the following:

■ Type a space after the previous or existing entry inside the quotation marks.

■ Type the new property.

The property portion of each entry is case sensitive.

■ Type the value immediately after the = sign with no space.

The values are not case sensitive.

For example, to specify a silent installation, the entry would appear as follows:

{setup.exe /s /v"/qn NOT_FROM_ARP=1 REMOTEINSTALL=1"}
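As an added example (not Symantec's code or part of the product), the following Python checks an edited vpremote.dat entry against the rules above and Table 2-2 before the line is used for a remote installation: the fixed part of the entry is untouched, a space separates the appended properties, property names are spelled in the case the table uses, values are within the listed choices, the install directory is an ASCII drive path, the port is valid and not 80, and INSTALL_SESA=Yes is paired with SESAIP. The function names, the handling of values that contain spaces, and the sample entries in the comments are assumptions of this example.

```python
"""Check a vpremote.dat entry against the editing rules above and Table 2-2.
Added example; not Symantec's code. Tokenization of values with spaces is an
assumption, since the guide does not say how such values are quoted."""
import ipaddress
import re

# The part of the entry that the guide says must not be changed.
FIXED_PREFIX = '{setup.exe /s /v"/qn NOT_FROM_ARP=1'
FIXED_SUFFIX = '"}'

# Properties from Table 2-2. A set lists the accepted values (compared without
# regard to case, since values are not case sensitive); None means a dedicated
# rule in validate_vpremote_entry checks the value.
ALLOWED = {
    "EMAILADDRESS": None,
    "EXISTINGSETTINGGROUP": {"retain", "restore"},
    "IIS_RESET": {"yes", "no"},
    "INSTALL_SESA": {"yes", "no"},
    "INSTALLDIR": None,
    "PORTNUMBER": None,
    "REMOTEINSTALL": {"0", "1"},
    "SESAIP": None,
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def split_properties(body):
    """Split the appended text into NAME=VALUE tokens on the spaces between
    them; a space inside a value (the default "Program Files" path) stays
    with the preceding property."""
    return [t for t in re.split(r"\s+(?=[A-Za-z_]+=)", body.strip()) if t]


def validate_vpremote_entry(entry):
    """Return a list of findings; an empty list means the entry looks correct."""
    findings = []
    # Curly quotes appear after editing in a word processor or copying from a
    # rendered document; they break the /v"..." quoting that setup.exe expects.
    if any(ch in entry for ch in "\u201c\u201d"):
        findings.append('curly quotation marks present; use straight quotes (")')
        entry = entry.replace("\u201c", '"').replace("\u201d", '"')
    entry = entry.strip()
    if not (entry.startswith(FIXED_PREFIX) and entry.endswith(FIXED_SUFFIX)):
        findings.append("the fixed part of the entry was altered; it must read "
                        + FIXED_PREFIX + " ... " + FIXED_SUFFIX)
        return findings
    body = entry[len(FIXED_PREFIX):-len(FIXED_SUFFIX)]
    if body and not body[0].isspace():
        findings.append("no space between NOT_FROM_ARP=1 and the first added property")
    seen = {}
    for tok in split_properties(body):
        name, sep, value = tok.partition("=")
        if not sep:
            findings.append(f"{tok}: not in NAME=VALUE form")
            continue
        if name not in ALLOWED:
            # Property names are case sensitive; point that out when it is the cause.
            hint = " (property names are case sensitive)" if name.upper() in ALLOWED else ""
            findings.append(f"{name}: unknown property{hint}")
            continue
        if name in seen:
            findings.append(f"{name}: specified more than once")
        seen[name] = value
        choices = ALLOWED[name]
        if choices is not None and value.lower() not in choices:
            findings.append(f"{name}={value}: expected one of {sorted(choices)}")
    # Rules for the free-form values.
    v = seen.get("EMAILADDRESS")
    if v is not None and not EMAIL_RE.match(v):
        findings.append(f"EMAILADDRESS={v}: not a valid address")
    v = seen.get("INSTALLDIR")
    if v is not None:
        if not DRIVE_PATH_RE.match(v):
            findings.append(f"INSTALLDIR={v}: expected a [drive]:\\ path")
        if any(ord(ch) > 0x7F for ch in v):
            # Multi-byte and high-ASCII directory names are not supported.
            findings.append("INSTALLDIR: non-ASCII characters are not supported")
    v = seen.get("PORTNUMBER")
    if v is not None:
        if not v.isdigit() or not 1 <= int(v) <= 65535:
            findings.append(f"PORTNUMBER={v}: not a valid TCP port")
        elif int(v) == 80:
            findings.append("PORTNUMBER=80: port 80 is used by the default IIS Web site")
    v = seen.get("SESAIP")
    if v is not None:
        try:
            ipaddress.IPv4Address(v)
        except ValueError:
            findings.append(f"SESAIP={v}: not an IPv4 address")
    # The SESA agent cannot be installed without the address of the SESA server.
    if seen.get("INSTALL_SESA", "no").lower() == "yes" and "SESAIP" not in seen:
        findings.append("INSTALL_SESA=Yes requires SESAIP=<address of the SESA server>")
    return findings
```

Run it over the single line of vpremote.dat before pushing the installation from the console; an empty list means nothing was flagged.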

Installing the product on a remote server

You must be logged on as a member of the administrator group on the local computer and have domain administrator privileges on all remote computers on which you want to install Symantec Mail Security.

When installation is complete, a Symantec Mail Security icon is placed on the computer desktop.

Note: You should not use the remote installation procedures if you are installing the product on cluster server nodes.

See “About installing Symantec Mail Security in a Microsoft Cluster” on page 45.

Page 43: SMS Implementation Guide


To install the product on a remote server

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, in the sidebar under Tasks, click Install/Upgrade server(s).

3 In the Select Server(s) window, in the Servers and server groups list, highlight one or more servers and click the >> command icon.

4 Under Server options, check Keep installation files on server(s) to maintain the installation files on the server.

5 Check Send group settings to apply group settings.

If unchecked, existing server settings are retained. Future changes that are made to the server group are applied to the server.

6 Click OK, and then click Close.

See “Post-installation tasks” on page 50.

Installing the Symantec Mail Security console only

The Symantec Mail Security console is a Windows application. The console lets you manage local and remote installations of Symantec Mail Security from a single computer. You can install and use the console on a computer in which Symantec Mail Security is not installed. This lets you manage Symantec Mail Security from a convenient location.

Before you install the console, you must first install Symantec Mail Security on a local Exchange server. You should also review the console installation system requirements.

See “Installing Symantec Mail Security on a local server” on page 35.

See “Console only system requirements” on page 34.

Symantec Mail Security automatically installs .NET Framework version 1.1 SP1 if it is not detected during installation. If Symantec Mail Security installs .NET Framework, after installation is complete, you are prompted to restart the computer.

When installation is complete, a Symantec Mail Security icon is placed on the computer desktop.

Page 44: SMS Implementation Guide


To install the Symantec Mail Security console only

1 Insert the Symantec Mail Security product CD in the CD-ROM drive.

The installation program launches automatically. If it does not, you should run cdstart.exe from the Symantec Mail Security product CD.

2 Click Install Multiserver Console.

If the installation program detects that you have Windows XP or that there is no version of the Exchange server installed, the installation program defaults to console only installation options.

3 Click Next until you reach the Software License Agreement panel.

4 In the License Agreement panel, check I accept the Terms in the license agreement, and then click Next.

5 In the Destination Folder panel, do one of the following:

■ To install the product in the default location, click Next.

The default destination directory is as follows:

C:\Program Files\Symantec\SMSMSE\5.0\Server

■ To install the product in a different location, click Change, select the location of the installation folder, click OK, and then click Next.

Symantec Mail Security does not support directory names that contain multi-byte characters. If you intend to use the Symantec Premium AntiSpam service, you cannot install the product to a directory that contains high ASCII characters.

6 Click Next until you reach the Ready to Install the Program panel.

7 In the Ready to Install the Program panel, click Install.

The installation may take several minutes.

8 Click Finish.

9 Click Yes to restart your computer.

This option only appears if Symantec Mail Security installed .NET Framework during the installation process. You must restart your computer for the necessary changes to take effect.

See “Post-installation tasks” on page 50.

Page 45: SMS Implementation Guide


About installing Symantec Mail Security in a Microsoft Cluster

You can install Symantec Mail Security in a Microsoft Cluster. Symantec Mail Security supports active/active configurations, but recommends configurations with one or more passive nodes. The two configuration types have different installation considerations.

When you install Symantec Mail Security in a cluster environment, you should install the product individually on each node of the cluster. The remote installation feature should not be used.

To install Symantec Mail Security in a cluster environment, do the following:

■ Ensure that your environment meets the pre-installation requirements.

See “Considerations before you install on a Microsoft Exchange cluster” on page 46.

■ Install Symantec Mail Security using the procedures for your cluster configuration.

See “About installing Symantec Mail Security on a cluster with one or more passive nodes” on page 47.

See “About installing Symantec Mail Security on a Veritas cluster server” on page 50.

■ Configure the cluster resource if you are using an active/passive configuration only.

See “Configuring the cluster resource” on page 48.

Page 46: SMS Implementation Guide

Considerations before you install on a Microsoft Exchange cluster

Table 2-3 describes the items that you should consider before you install Symantec Mail Security in a cluster environment.

Table 2-3 Cluster installation considerations

Configuration Considerations

One or more passive nodes

Symantec Mail Security must be installed on all active and passive nodes of a cluster.

Only one Exchange Virtual Server (EVS) can run on any cluster node at any time. If two EVSs try to run on the same node, the results are undefined.

Before you install Symantec Mail Security on an Exchange cluster with one or more passive nodes, ensure that the following requirements are met:

■ There must be an available passive node to fail to. Multiple failovers are supported only if multiple passive nodes are available.

■ Symantec Mail Security must be installed with the same configuration and in the same locations on all nodes of the cluster.

During installation, Symantec Mail Security checks for presence of a cluster environment. If the installation is running in a cluster environment, you are prompted to register a cluster resource DLL (SMSMSEClusterResource.dll). This DLL must be registered on only one of the cluster nodes.

Symantec Mail Security runs on all the nodes (even passive) immediately after installation. After the first instance of the cluster resource is configured, the service runs on only the active node or nodes.

Active/active

Before you install Symantec Mail Security on an active/active Exchange 2000 or 2003 cluster, ensure that the following requirements are met:

■ The cluster is a group of identical servers containing two nodes. An active/active cluster can contain only two nodes.

■ At least two Exchange Virtual Servers exist and are capable of running on either node in the cluster.

Page 47: SMS Implementation Guide


About installing Symantec Mail Security on a cluster with one or more passive nodes

You can install Symantec Mail Security on Exchange servers that are running Microsoft Clustering Service with one or more passive nodes.

Symantec Mail Security settings are stored in the registry and local hard drive of each individual server. Each time settings are changed, the settings are duplicated on the hard drive of the shared storage that is used as a dependency for the Symantec Mail Security resource. Any time the active node goes down and control transfers to the passive node, the passive node checks for settings on the shared hard disk storage. The settings are then downloaded to the passive node (which is now active) and applied.

Symantec Mail Security is Microsoft cluster aware and does not require any specific settings prior to installing the product on a cluster with one or more passive nodes. Symantec Mail Security requires its own cluster resource.

You must use IP addresses or names of the Exchange Virtual Server nodes instead of the actual server IP addresses or names for managing Symantec Mail Security through the console.

When the EVS group and Symantec Mail Security cluster resource move from one node to another, the following items are not transferred:

■ Quarantine contents

■ Virus definitions and spam rules

■ Report database and generated reports

■ Spam statistics

■ Mailbox and public folder lists

In a cluster environment, you should manage Symantec Mail Security with a console that is installed on a computer that is not a part of the cluster rather than from one of the cluster nodes. This lets you maintain independent Symantec Mail Security settings for each Exchange Virtual Server.

See “Configuring the cluster resource” on page 48.

See “Post-installation tasks” on page 50.

Page 48: SMS Implementation Guide


Configuring the cluster resource

After Symantec Mail Security is installed on each node of the cluster, you must create a new resource. This resource provides high availability by monitoring and controlling Symantec Mail Security. You should create the resource in each Exchange Virtual Server group.

As the Symantec Mail Security resource is created, the Symantec Mail Security service on all nodes is stopped and service startup is changed to manual. This occurs because the service is running under the control of the Symantec Mail Security cluster resource.

The Symantec Mail Security cluster resource is responsible for all of the following tasks:

■ Handling cluster events

■ Saving Symantec Mail Security settings for each Exchange Virtual Server to shared storage

■ Retrieving settings from shared storage and making them active on a given cluster node

■ Managing the Symantec Mail Security service

To configure the cluster resource

1 On the Windows taskbar, click Start > Programs > Administrative Tools > Cluster Administrator.

2 Select an EVS group and launch the New Resource Wizard.

3 Name the resource.

You must assign a unique name to each resource.

4 Select Symantec Mail Security for Microsoft Exchange as the resource type, and then click Next.

5 Choose the nodes for which the resource is being created, and then click Next.

The nodes should be the same as those on which EVS can operate.

Page 49: SMS Implementation Guide


6 Choose the dependencies for this resource.

The required dependencies are as follows:

■ Physical Disk Resource (disk on which the settings are saved)

■ EVS Network Name resource

7 Repeat steps 2 through 6 for each EVS server group.

Installing Symantec Mail Security on an active/active cluster

You can install Symantec Mail Security on an active/active Microsoft Exchange cluster.

To install Symantec Mail Security on an active/active cluster

1 Log on to a node using an Administrator account that is a member of the Domain and Local Admin groups.

2 Insert the Symantec Mail Security product CD into the CD-ROM drive.

3 Run the following file to install the Symantec Mail Security product on the cluster node.

\SMSMSE\Install\setup.exe

The installation directory should be on a local node (non-shared drive).

4 In the Web Service wizard, type the IP address of the externally accessible network card of the current node (if not already present).

The Virtual Server IP address, the cluster IP address, or name of the node are invalid entries.

5 Repeat steps 3 and 4 to install Symantec Mail Security on the remaining node.

See “Configuring the cluster resource” on page 48.

See “Post-installation tasks” on page 50.

Page 50: SMS Implementation Guide


About installing Symantec Mail Security on a Veritas cluster server

Before you install Symantec Mail Security on a Veritas cluster server, you should consider the following:

■ Symantec Mail Security should be installed to all nodes of a cluster.

■ The name of the server is usually used when installing to a cluster, but you can use an IP address to specify the computer. If you are using IP addresses, use the IP address of the computer and not the IP address of the cluster or virtual server.

■ You should use the Symantec Mail Security console to schedule definition updates and scans for each server in the cluster.

For more information, see An Introduction to Symantec Mail Security and Availability for Microsoft Exchange. To view this document, on the Internet, go to the following URL:

http://enterprisesecurity.symantec.com/content.cfm?articleid=6302&rnav=0

Post-installation tasks

After you install Symantec Mail Security, you can perform the following post-installation tasks:

■ If you are using Windows 2000, set up the appropriate impersonation privileges on the IWAM account.

See “About setting up impersonation privileges on the IWAM account” on page 51.

■ Restart Internet Information Service (IIS).

See “Restarting the IIS” on page 51.

■ Implement SSL communications.

See “Implementing SSL communications” on page 51.

■ Install the license file if it was not installed during setup.

See “About licensing” on page 63.

■ Update definitions if a LiveUpdate was not performed during setup.

See “About keeping your server protected” on page 217.

■ Access the Symantec Mail Security console.

See “Accessing the Symantec Mail Security console” on page 52.

Page 51: SMS Implementation Guide


■ Configure other antivirus products that are on the same computer as Symantec Mail Security.

See “About using Symantec Mail Security with other antivirus products” on page 57.

■ Configure the number of scanning threads and scan processes, if necessary.

See “Setting scanning threads and number of scan processes” on page 58.

About setting up impersonation privileges on the IWAM account

If you are using Windows 2000, the IWAM account is not granted Impersonate privileges for ASP.NET 1.1 on a Domain Controller. You must manually assign “Impersonate a client after authentication” to the IWAM account.

For more information, on the Internet, go to the following URL:

http://support.microsoft.com/?id=824308

Restarting the IIS

If you are upgrading from a prior version of Symantec Mail Security, after installation is complete, you must restart Internet Information Services (IIS) to ensure that Symantec Mail Security functions properly.

If you are installing the product for the first time, Symantec Mail Security restarts IIS automatically after installation.

To restart the IIS

◆ Do any of the following:

■ At the command prompt, type the following:

IISRESET

■ Restart your server.

■ In the Windows Services window, right-click IIS Admin Service and select Restart.

Implementing SSL communications

You can configure Symantec Mail Security to use Secure Sockets Layer (SSL) communications, which requires a server certificate. You can create your own server certificate using Microsoft Certificate Services 2.0 or request one from a certificate authority.

After you implement SSL, you must enable SSL from the console and specify the SSL port for each server.

See “Modifying the port and communication properties of a server” on page 83.

Page 52: SMS Implementation Guide


To implement SSL communications

1 On the computer on which Symantec Mail Security is installed, on the Windows menu, click Start > Administrative Tools > Internet Information Services (IIS) Manager.

2 In the server list, expand the folder for the server that is hosting Symantec Mail Security.

3 On the Web Sites folder, right-click Symantec Mail Security for Exchange, and then click Properties.

4 On the Directory Security tab, under Secure communications, click Server Certificate.

5 Follow the instructions in the Web Server Certificate wizard to install the certificate.

6 On the Directory Security tab, under Secure communications, click Edit.

7 In the Secure Communications dialog box, check Require secure channel (SSL), and then click OK.

8 On the Web Service tab, under Web Service Identification, in the IP Address text box, type the IP address of the Symantec Mail Security server.

9 In the SSL Port text box, type the port to use for SSL communications.

The default port for SSL communications is 636.

10 Click OK to close the Symantec Mail Security Properties window.

Accessing the Symantec Mail Security console

You can access the Symantec Mail Security console from the Windows Start menu or from your desktop. You must have the appropriate administrator or viewer rights to open the console. If you do not, you are prompted to provide proper authentication.

See “About security and access permissions” on page 32.

To access the Symantec Mail Security console

◆ Do one of the following:

■ On the desktop, click the Symantec Mail Security icon.


■ On the Windows menu, click Start > Programs > Symantec Mail Security for Microsoft Exchange > Server Management Console.

See “About the Symantec Mail Security console” on page 53.

About the Symantec Mail Security console

Figure 2-1 shows the Symantec Mail Security console.

Figure 2-1 Symantec Mail Security Home page server view (the figure labels the menu bar, toolbar, primary navigation bar, and content area)

Figure 2-2 shows additional console elements.

Figure 2-2 Additional console elements (the figure labels the list pane, preview pane, sidebar, and resizing bars)

About the primary navigation bar

Management operations are grouped into the following categories on the primary navigation bar:

Home: Lets you view server status, recent activities, and violations statistics

See “About the Home page” on page 55.

Policies: Lets you create and configure sets of rules that are implemented by specific scans

Monitors: Lets you configure notification addresses and quarantine settings and monitor quarantine data and events

Scans: Lets you create, configure, schedule, and run scans

Reports: Lets you view and print data collected by Symantec Mail Security

Admin: Lets you update definitions, configure system settings, and install licenses


About the Home page

Table 2-4 provides a summary of the information that is displayed on the Home page for the server or group that is selected. The information is categorized in content panes.

Table 2-4 Home page content panes (pane: description)

Status: If you are in a group view, the Status pane provides the following information about the status of the servers in the group:

■ Name: Provides the names of the servers.

■ SMSMSE Service State: Indicates whether the services are started or stopped. If the services have been started, indicates when and for how long.

■ Exchange State: Indicates whether the Exchange stores are enabled or disabled.

■ Auto-Protect State: Indicates whether auto-protect scanning is enabled or disabled.

■ Virus Definitions Date: Indicates the date of the definitions that are being used to scan messages.

■ SPA license status: Indicates whether the Symantec Premium AntiSpam service is valid.

If you are in a server view, the Status pane provides the following information about the selected server:

■ Server name: Provides the name of the server.

■ SMSMSE service state: Indicates whether the service is started or stopped. If the service has been started, indicates when and for how long.

■ Exchange store state: Indicates whether the Exchange store is enabled or disabled.

■ Auto-Protect state: Indicates whether auto-protect scanning is enabled or disabled.

■ Virus definitions date: Indicates the date of the definitions that are being used to scan messages.

■ SPA license status: Indicates whether the Symantec Premium AntiSpam service is valid.


Recent Activity: The Recent Activity pane provides the following information:

■ Top Ten Threats/Security Risks: This list shows the ten threats and security risks that were detected most often. The list also provides the number of incidents for each threat or security risk.

■ Top Ten Spam Domains: This list shows the ten domains from which spam was most frequently received. It also provides the total number of messages from the domain, the number of messages that were classified as spam, and the percentage of spam messages that were received from the domain.

Total Violations: This pie chart illustrates the percentages of the violations in the time period that is specified in Report Settings. If Store no data is selected, the chart is blank.

Violations are shown in the following categories: threats and risks, spam, and content violations.

The categories are color coded as follows:

■ Gold: Threats (such as viruses, Trojan horses, and worms) and security risks (such as spyware and adware)

■ Orange: Spam

■ Blue: Content filtering violations

Activity Summary: This pane provides a summary of the scanning activity in the time period that is specified in Report Settings. If Store no data is selected, the quantities are blank.

The information provided is as follows:

■ Files scanned via VSAPI: Total number of files scanned through the Microsoft Virus Scanning API (VSAPI)

■ Files scanned via SMTP: Total number of files scanned through Simple Mail Transfer Protocol (SMTP)

■ Messages scanned via SMTP: Total number of messages scanned through SMTP

■ Virus infections: Total number of virus infections detected

■ Content enforcement violations: Total number of content enforcement violations that were detected

If Symantec Premium AntiSpam is enabled, the following information also appears:

■ Spam: Number of spam messages that were detected since the last reset

■ Suspected spam: Number of suspected spam messages that were detected since the last reset

■ Suspected spam and SCL: Number of suspected spam messages with a Spam Confidence Level (SCL) that were detected since the last reset

■ Not spam: Number of messages scanned since the last reset that are not spam

About using Symantec Mail Security with other antivirus products

If you have Symantec AntiVirus™ Corporate Edition installed on the same computer as Symantec Mail Security, you can configure Symantec AntiVirus to perform definition updates.

When Symantec AntiVirus Corporate Edition is installed on a Microsoft Exchange server, you must configure Symantec AntiVirus Corporate Edition following the guidelines that are described in a Knowledge Base article. To view the Knowledge Base article, on the Internet, go to the following URL:

http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2000110108382454?Open&src=w

The Knowledge Base article also provides instructions for how you can configure Symantec AntiVirus Corporate Edition (or any other antivirus program that is running on the same computer as Symantec Mail Security) to exclude certain folders from scanning. If another antivirus program scans the Exchange directory structure or the Symantec Mail Security processing folder, it can cause false-positive threat detection, unexpected behavior on the Exchange server, or damage to the Exchange databases. Limit the exclusions to those folders; excluding whole drives leaves the rest of the server without file-level protection.

Setting scanning threads and number of scan processes

To control scanning speed and performance, Symantec Mail Security lets you set the number of VSAPI scanning threads and the number of scan processes. The default number of scan processes is calculated using the following formula: (number of processors) x 2 + 1. Accept the default unless you have a compelling reason to do otherwise.

Symantec Mail Security counts processors as the operating system reports them, so a hyper-threaded processor is counted as more than one processor. For example, on a computer with one dual-core, hyper-threaded processor, the operating system reports four logical processors, and Symantec Mail Security calculates the number of scan processes as follows:

Number of processors reported (4) x 2 + 1 = 9

When the load is heavy, all nine scan processes are scanning messages. This can consume a lot of memory, which could severely impact the performance of your Exchange server.

If you have a hyper-threaded processor on your computer, configure the number of scan processes based on the actual number of physical processors. For the same computer, configure the number of scan processes as follows:

Number of physical processors (1) x 2 + 1 = 3

Note: If you are using Intel Xeon processors, you must set this value using the formula that is based on the number of physical processors, not the number of processors that the operating system reports.

To set scanning threads and number of scan processes

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click System Settings.

3 In the Number of VSAPI scanning threads box, type the number of threads to use for VSAPI scanning.

The default value is 3.

Page 59: SMS Implementation Guide

59Installing Symantec Mail Security for Microsoft ExchangeMigrating to version 5.0.3

4 In the Number of scan processes box, type the number of scan processes.

The default is configured during installation using the formula 2 times the number of processors plus 1.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.
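The following script is an added example for the procedure above; it is not part of the Symantec guide and not Symantec's code. It reports both processor counts that the section contrasts, the count the operating system reports (which the installer's formula uses and which includes hyper-threaded logical processors) and the physical count that the guide tells you to base the setting on, and computes the two resulting values. It assumes Windows PowerShell 2.0 or later, WMI access to the target server, and an operating system whose Win32_Processor class exposes NumberOfLogicalProcessors (Windows Server 2003 SP1 and later); on older systems WMI returns one Win32_Processor instance per logical processor, so the physical count would be overstated and must be checked against the hardware.

```powershell
# Added example, not Symantec's code. Compares the operating system's processor
# count with the physical count and applies the guide's formula to each.
# Assumption: Win32_Processor reports one instance per physical processor and
# exposes NumberOfLogicalProcessors (Windows Server 2003 SP1 or later).

function Get-ScanProcessRecommendation {
    param([string]$ComputerName = '.')

    $cpus = @(Get-WmiObject -Class Win32_Processor -ComputerName $ComputerName)
    $physical = $cpus.Count          # one instance per socket on supported systems

    $hasLogicalCount = ($cpus[0].PSObject.Properties['NumberOfLogicalProcessors'] -ne $null)
    if ($hasLogicalCount) {
        $logical = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    }
    else {
        # Older systems: Win32_ComputerSystem.NumberOfProcessors is the OS-wide
        # (logical) count, which is exactly what the installer's formula sees.
        $logical = (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName).NumberOfProcessors
    }

    New-Object PSObject -Property @{
        ComputerName             = $ComputerName
        PhysicalProcessors       = $physical
        LogicalProcessors        = $logical
        MoreLogicalThanPhysical  = ($logical -gt $physical)   # hyper-threading or multiple cores
        InstallerDefault         = (2 * $logical + 1)          # (processors reported) x 2 + 1
        RecommendedSetting       = (2 * $physical + 1)         # (physical processors) x 2 + 1
    }
}

# Usage: if MoreLogicalThanPhysical is True, type RecommendedSetting into
# Admin > System Settings > Number of scan processes, then click Deploy changes.
# Get-ScanProcessRecommendation | Format-List
# Get-ScanProcessRecommendation -ComputerName mail01 | Format-List
```

For the example in the text (four logical processors on one physical processor) the function returns InstallerDefault 9 and RecommendedSetting 3, which are the two values the section works through.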

Migrating to version 5.0.3

Symantec Mail Security supports upgrades from Symantec Mail Security 4.x. If you are upgrading from a previous version, the policy settings that you configured on the previous installation are incorporated into the applicable policy on the new installation. If you are upgrading from version 5.0.x, all user settings are retained.

Symantec Mail Security 5.x for Exchange does not contain a separate multiserver console. Single and multiple servers are administered from the same console. Multiserver console settings do not migrate to the new version. You must add any existing servers that are to be upgraded to an asset group (for example, Global). You can then use the Install/Upgrade servers feature to upgrade the selected servers. Once all of the servers are upgraded, you can uninstall the console from the prior version using the Add/Remove Programs feature in the Control Panel.

Custom policies, content filtering rules, and report templates do not migrate to the new version. Record them before you upgrade so that you can re-create them on the new installation.

Table 2-5 lists the data and settings that migrate from version 4.x to the new version.

Table 2-5 Version 4.x migration settings (category: migration status)

Auto-protect: Migrates to the new version as the standard policy

Auto-protect statistics: Migrate as is

Mass-Mailer Rule: Only the enable/disable setting migrates

Basic Virus Rule: Migrates as is

Virus subpolicy: Only the enable/disable setting migrates

Filtering subpolicy: Migrates to the new version as the standard policy; the enable/disable setting migrates

Exception subpolicy: All existing exception rules and settings migrate

Certificate, license files, and registry keys: Migrate as is

Quarantine files: Migrate as is

Quarantine settings: Migrate as is

Spam settings: Migrate as is

“Clear” outbreak settings: Migrate as is

Alerting/Notification settings: All settings migrate except the AMS and Messenger settings

LiveUpdate/Rapid Release settings: All settings migrate

Match lists: Migrate as is

Spam XML file: Migrates as is

Uninstalling Symantec Mail Security

When you uninstall Symantec Mail Security in a clustered environment, you are prompted to unregister the Symantec Mail Security resource DLL that was configured during installation. This needs to be done only once and can be done on any of the cluster nodes.

You must delete all instances of the Symantec Mail Security resource from every Exchange Virtual Server (EVS) group before you unregister the cluster resource.

See “Considerations before you install on a Microsoft Exchange cluster” on page 46.

Stop Microsoft Internet Information Services (IIS) before you uninstall the product. This ensures that all of the files that are installed with the product are removed.

Stopping the IIS Admin Service also stops the services that depend on it, including the World Wide Web Publishing Service and, on an Exchange 2000 or Exchange 2003 server, the SMTP service that Exchange uses for mail transport. Plan the uninstallation for a maintenance window, and restart those services afterward.

To stop Microsoft IIS

1 On the Windows menu, click Start > Administrative Tools > Services.

2 In the Services window, right-click IIS Admin Service, and then click Stop.

3 If the Services console warns that other services will also stop, click Yes, and then close the Services window.

To uninstall Symantec Mail Security

1 On the server on which Symantec Mail Security is installed, on the Windows menu, click Start > Control Panel.

2 In the Windows Control Panel, click Add or Remove Programs.

3 Click Symantec Mail Security 5.0 for Exchange, and then click Remove.

4 In the confirmation dialog box, click Yes.

5 In the Information dialog box, click OK to confirm that you have stopped IIS.

6 When the uninstallation is complete, click OK.
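The following script is an added example for the "To stop Microsoft IIS" procedure above; it is not part of the Symantec guide and not Symantec's code. It does what the Services console does, but also records which dependent services (for example the World Wide Web Publishing Service and, on Exchange 2000 or 2003, the SMTP service) were running and stopped along with IIS Admin, and it waits until each has actually stopped before you continue with Add or Remove Programs. It assumes Windows PowerShell 2.0 or later, run locally as an administrator.

```powershell
# Added example, not Symantec's code. Stops the IIS Admin Service for the
# uninstallation and returns the names of the running services that stopped
# with it, so that exactly those can be started again afterward.

function Get-RunningDependents {
    param([System.ServiceProcess.ServiceController]$Service)
    # Walk the dependency tree; Stop-Service -Force stops all of these silently.
    foreach ($dependent in $Service.DependentServices) {
        if ($dependent.Status -eq 'Running') {
            Get-RunningDependents -Service $dependent
            $dependent.Name
        }
    }
}

function Stop-IisAdminForUninstall {
    param([int]$TimeoutSeconds = 120)

    $iisAdmin = Get-Service -Name IISADMIN
    if ($iisAdmin.Status -eq 'Stopped') {
        return @()   # already stopped, so no dependents were running either
    }

    # Capture the list before stopping; the Services console only shows it in a prompt.
    $dependents = @(Get-RunningDependents -Service $iisAdmin | Select-Object -Unique)

    Stop-Service -Name IISADMIN -Force
    $iisAdmin.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))

    # The uninstaller assumes IIS is down when you click OK in its Information
    # dialog box, so confirm that every dependent has really stopped as well.
    foreach ($name in $dependents) {
        (Get-Service -Name $name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }
    return $dependents
}

# Usage:
# $stopped = Stop-IisAdminForUninstall
# ... run Add or Remove Programs as described above ...
# Start-Service -Name IISADMIN
# $stopped | ForEach-Object { Start-Service -Name $_ }
```

Keep the returned list: if the SMTP service is among the names, mail flow through this server is stopped until you start it again.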

Chapter 3

Activating licenses

This chapter includes the following topics:

■ About licensing

■ How to activate a license

■ If you want to renew a license

About licensing

Key features for Symantec Mail Security, which include definition updates and Symantec Premium AntiSpam, are activated by a license. When a license expires or no license is installed, limited functionality is available. To regain product functionality when your license expires, you must renew and reactivate your license subscription.

Table 3-1 describes the licenses that are required.

Table 3-1 Symantec Mail Security Licenses (license: description)

Content license: A content license is required to update Symantec software with the latest associated content (such as new definitions) through LiveUpdate and Rapid Release. A valid content license enables your servers to stay protected.

When the content license is missing or invalid, you cannot download definition updates to keep protection current.

See “About keeping your server protected” on page 217.

Symantec Premium AntiSpam license: This license is required to enable Symantec Premium AntiSpam. Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available.

When the Symantec Premium AntiSpam license is missing or invalid, the premium antispam service does not function, but the heuristic antispam feature is available.

See “How to detect spam using Symantec Premium AntiSpam” on page 114.

Definition updates and updates to Symantec Premium AntiSpam are limited to the period of time that is specified by the license. The start and end dates of the license period depend on the terms of your license agreement.

See “If you want to renew a license” on page 69.

You must install one license file on each server that is running Symantec Mail Security or on each member of an Exchange cluster. You cannot replicate license files.

Note: If you are upgrading from version 4.x, existing licenses are automatically recognized and do not need to be reinstalled.

How to activate a license

Symantec issues a serial number for each type of license that you purchase. Each serial number must be registered (individually or at the same time) to receive a license key for the associated license. License keys are delivered in a Symantec license file (.slf). The serial number is provided on a license certificate, which is mailed separately and arrives in the same time frame as your software. For security reasons, the license certificate is not included in the Symantec Mail Security software distribution. If you are upgrading from a previous version of the product and you have an active maintenance contract, you might receive the serial number certificate with an upgrade insurance letter.

See “If you want to renew a license” on page 69.

License activation involves the following process:

Obtain a license file from Symantec: To request a license file, you must have the license serial number for each license that you want to activate. After you complete the registration process, Symantec sends you the appropriate license file by email.

See “Obtaining a license file” on page 65.

Install the license file: You must install the product licenses on each server on which you run Symantec Mail Security or on each member of an Exchange cluster.

If you purchased a subscription for Symantec Premium AntiSpam, you must install the Symantec Premium AntiSpam license on the servers on which you intend to use the premium antispam service.

See “Installing license files” on page 68.

If you do not have a serial number

Your license certificate, which contains the serial numbers for the licenses that you have purchased, should arrive within three to five business days of when you receive your software or subscribe to Symantec Premium AntiSpam. If you do not receive the license certificate, contact Symantec Customer Service at 800-721-3934 or your reseller to check the status of your order. If you have lost your license certificate, contact Symantec License Administration.

See “Where to get more information about Symantec Mail Security” on page 27.

Obtaining a license file

To request a license file, you must have the serial number that is required for activation. (Each license has a separate serial number.) The serial number is used to request a license file and to register for support.

The serial number is printed on the license certificate that was mailed to you. The format of a serial number is a letter followed by 10 digits, for example, F2430482013.

See “If you do not have a serial number” on page 65.

If you purchased multiple types of licenses but registered them separately, Symantec sends you a separate license file for each license. You must install each license file separately. If you registered multiple licenses at the same time, Symantec sends you a single license file that contains all of your licenses.


The license file that Symantec sends to you is contained within a .zip file. The .slf file that is contained within the .zip file is the actual license file. Ensure that your inbound email environment permits .zip email message attachments.

Warning: License files are digitally signed. If you try to edit a license file, you will corrupt the file and render it invalid.

To obtain a license file

1 In a Web browser, type the following address:

https://licensing.symantec.com

Your Web browser must use 128-bit encryption to view the site.

2 If a Security Alert dialog box appears, click OK.

The alert should only report that you are switching to a secure connection. If it instead reports a problem with the site's certificate (an untrusted issuer, an expired certificate, or a name that does not match licensing.symantec.com), do not continue; check your connection and contact Symantec Technical Support before you enter serial numbers or contact details.

3 In the Serial Number box, type the 11-character serial number that is provided on the license certificate, and then click Next.

If you are registering multiple types of licenses, type one of the serial numbers.

4 If you have an additional license that you want to register, in the Number 2 box, type the serial number.

5 Click Enter another serial number to add additional serial numbers, and in the serial number box, type the serial number.

Repeat this step until you have added the serial numbers for all of the licenses that you want to register.

6 Click Next.

7 In the Email Address box, type the email address where you want Symantec to send the license file.

8 In the Confirm Email Address box, type the email address again, and then click Next.


9 Provide your contact information in the boxes available, and then click Next.

First name, last name, work phone, and email address fields must be completed to continue the registration process.

10 Confirm that the license registration information is accurate, and then click Complete this registration.

Symantec sends you an email message that contains the license file in an attachment. If the email message does not arrive within two hours, an error might have occurred, such as an invalid email address entry. Try again to obtain the license file through the Symantec Web site. If the problem continues, contact Symantec Technical Support.

See “Where to get more information about Symantec Mail Security” on page 27.

About the Symantec Premium AntiSpam license file

To enable Symantec Premium AntiSpam, you must activate the Symantec Premium AntiSpam license.

You must install the license file before you enable the premium antispam service. You only need to install the Symantec Premium AntiSpam license on the servers that receive email and on which you intend to use Symantec Premium AntiSpam.

When you install the Symantec Premium AntiSpam license, the heuristic spam detection feature is disabled.

See “Installing license files” on page 68.

If you register the Symantec Premium AntiSpam service license separately from the content license, you receive a separate license file. You must install this license file separately. If you register all of the licenses simultaneously, you receive one license file. You must install this license file on all servers that require any of the licenses that are contained in the license file.

See “Obtaining a license file” on page 65.

Internet access for the server is required to activate the license and to receive updated spam detection filters. Updates to the premium antispam service are handled through Symantec Premium AntiSpam and not through LiveUpdate, so if the server reaches the Internet through a proxy or a restrictive firewall, allow this outbound traffic as well as the traffic that LiveUpdate uses.

Symantec Premium AntiSpam does not support the installation of license files from path names that contain high ASCII or double-byte characters. Copy the license file to a path that uses only plain ASCII characters before you install it.


Installing license files

You must install the license file on each server on which Symantec Mail Security is installed. If you are running in a cluster configuration, you must install the license file on each cluster node.

You can install a license file on one or more servers within a server group at one time.

You can install your licenses during product installation or from the console. Symantec Mail Security issues periodic messages in the Event Log to notify you that your license is invalid or expired until a valid license is properly installed.

See “About installing Symantec Mail Security” on page 34.

To install license files to a local server

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click Licensing.

3 In the content area, do one of the following:

■ In Step 3, under Enter path to the license file, type the fully qualified path to the license file.

If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.

■ Click Browse, select the license file, and then click Open.

If the license file does not reside on the same computer, you can locate the file using My Network Places.

4 Click Install.

5 Repeat steps 3 and 4 for each license that you have to install.

To install license files to a remote server or server group

1 In the console on the toolbar, click Change.

2 In the Select Asset window, select Global Group or a specific server or server group from the menu.

3 Click Select.

4 On the primary navigation bar, click Admin.

5 In the sidebar under Views, click Licensing.


6 In the content area, do one of the following:

■ In Step 3, under Enter path to the license file, type the fully qualified path to the license file.

If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.

■ Click Browse, select the license file, and then click Open.

If the license file does not reside on the same computer, you can locate the file using My Network Places.

7 Click Install.

If a server within a server group is already licensed, the license file is reapplied. The license file with the latest expiration date is applied.

8 Repeat steps 6 and 7 for each license that you have to install.

Checking the license status of a server

You can check the status of your content and Symantec Premium AntiSpam licenses in the server view. You can use this information to verify that your licenses are current and that your product is protecting your computers.

To check the license status of a server

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click Licensing.

The licensing information appears in the content area.

If you want to renew a license

When a server has an expired Symantec Premium AntiSpam license or when the Symantec Premium AntiSpam license is missing or invalid, Symantec Premium AntiSpam is disabled. When a server has an expired content license or when the content license is missing or invalid, content updates are not applied to your product, which can leave your server vulnerable to attacks. When a content license expires, you must renew your Maintenance Agreement to receive content updates.


The process for license renewal depends on how you purchased your software, as follows:

If you purchased Symantec Mail Security through the Symantec Value or Elite Enterprise Licensing programs: To determine whether your Maintenance Agreement has been renewed and if new licenses are available, contact your administrator, reseller, or Symantec account manager. After your Maintenance Agreement is renewed, you receive new serial numbers that you can register to obtain your new license files.

If you purchased Symantec Mail Security Small Business Edition: For more information about license renewal, on the Internet, go to the following URL:

www.symantecstore.com/renew

Chapter 4

Managing your Exchange servers

This chapter includes the following topics:

■ About managing your Exchange servers

■ Deploying settings to a server or group

■ How to manage servers and server groups

About managing your Exchange servers

Symantec Mail Security can simplify the management of one or more Microsoft Exchange servers across your organization. You can create server groups that have a common purpose and, therefore, require the same protection. By grouping servers, you can apply a common set of protection settings once, rather than repeatedly to each server. In a large network with multiple servers that perform similar roles, the reduction in configuration time and maintenance costs can be considerable.


You can configure settings for each server individually. To configure and manage multiple servers, you can use the following groups:

Global Group: All of the servers that you manage through the Symantec Mail Security console are part of the Global server group. This group includes servers that are added to user-defined groups as well as servers that are added to multi-server management control but are not assigned to a specific server group.

When you configure and apply Global Group settings, the changes are propagated to all servers in all groups. Changes that are made at the Global Group level overwrite all individual server and user-defined server group settings.

User-defined server groups: A user-defined server group is a grouping of servers that have common roles and, therefore, require similar configurations. Configuring settings for a group simplifies server management. For example, a server group might be all of the mail servers that are used by a department (for example, marketing) or the physical location of a group of mail servers (for example, third floor servers in Building A).

A managed server can only belong to one user-defined group. All servers belong to the Global Group.

See “Moving a server to another group” on page 78.

See “Viewing the status of a server” on page 75.

Settings for an individual server are stored by the server. Symantec Mail Security saves the settings for groups in the following default file location:

\Documents and Settings\All Users\Application Data\Symantec\SMSMSE\5.0

When you delete a group, the associated files are automatically deleted. Include this folder in backups of the console computer if you want to preserve your group definitions.

Deploying settings to a server or group

Symantec Mail Security lets you make changes to multiple pages before you apply those settings. When the Deploy changes icon on the toolbar is active, it indicates that you have made changes that you need to apply.


You can manage change deployment using the following toolbar icons:

Deploy changes: Lets you deploy your changes. If you are in the server view, deploys your changes to the server. If you are in the group view, deploys your changes to each server in the group.

Discard changes: Lets you cancel pending changes. When you cancel pending changes, settings are returned to their configuration as of the last time changes were successfully deployed.

Deploy all settings: If changes are pending, lets you apply pending changes to the group settings, and then pushes out the group settings to all of the servers in the group. If no changes are pending, pushes out the group settings to all of the servers in the group. This option is only available in group view.

Note: Any configuration settings that were made to an individual server within the group are overwritten.

After you deploy your changes, the Operation Status window indicates which changes were successfully applied.

To deploy pending changes to a server or group

1 In the console on the toolbar, click Deploy changes.

2 In the Pending changes window, click Deploy changes.

3 In the Operation Status window, click Close when the operation is complete.

To apply pending changes (if any) and deploy group settings to each server in the group

1 In the console on the toolbar, click Deploy all settings.

The Deploy all settings icon is only enabled in group view.

2 In the confirmation dialog box, click OK.

3 In the Operation Status window, click Close when the operation is complete.

To cancel pending changes

1 In the console on the toolbar, click Discard changes.

2 In the confirmation dialog box, click OK.


How to manage servers and server groups

You can manage servers and server groups by doing any of the following:

■ Modifying or viewing server or server group settings

■ Viewing the status of a server

■ Creating a server group

■ Adding servers to a group

■ Moving a server to another group

■ Synchronizing group settings to a server

■ Restoring default settings to a server or group

■ Removing a server from group management

■ Removing a server group

■ Importing and exporting settings

■ Modifying the port and communication properties of a server

Modifying or viewing server or server group settings

Symantec Mail Security lets you manage one or more servers from a single console. The Server/group box on the toolbar indicates the server or group that is currently selected. The settings that you make and deploy are applied to that server or group.

You can view and modify the settings of a different server or group by selecting the server or group in the Select Asset window.

To modify or view server or server group settings

1 In the console on the toolbar, click Change.

2 In the Select Asset window, select the server or group whose settings you want to modify or view.

3 Click Select.


Viewing the status of a server

Symantec Mail Security provides server status information on the Home page. You can view more detailed information about the status of a server on the Monitors > Server Status page.

The server status details appear in the Server Status preview pane. If you are in a group view, the Server Status list contains all of the servers in the group. (The first time that you access the Server Status in a group view, you must refresh the page for the list of servers to appear.) If you are in a single server view, the Server Status list contains just the server that you selected.

Table 4-1 provides a description of the information that is provided in the Server Status preview pane.

Table 4-1 Server Status preview pane information

Label Description

Auto-Protect state Whether auto-protect scanning is started or stopped

Auto-Protect status Whether auto-protect scanning is enabled or disabled

Installed version The version of Symantec Mail Security that is installed on the server

Latest update for installed version

The latest available update, if any, for the version of Symantec Mail Security that is installed

Sunset date for installed version

The date after which no further updates are available for the version of Symantec Mail Security that is installed

Currently available version

The version of Symantec Mail Security that is currently available, if different from the version that is installed

Virus definition date The date of definition files that are on the server

Virus definition revision

The revision number of the definition files on the server

Virus definitions count

The number of definitions in the definition file

Latest virus definitions update attempt

The date of the most recent attempt to update definitions

Exchange store state Whether the Exchange store is started or stopped

SMSMSE service state

Whether the Symantec Mail Security service is started or stopped

SMSMSE service start time

If the service is started, indicates the date and time Symantec Mail Security was last started

If the service is not started, indicates that the service is not started

Symantec Premium AntiSpam

Whether Symantec Premium AntiSpam is enabled or disabled

Virus definition license status

Whether the content license is valid or invalid

Symantec Premium AntiSpam license status

Whether the Symantec Premium AntiSpam license is valid or invalid

Number of items in quarantine

The number of items in the local quarantine

To view the status of a server

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Server Status.

3 In the Server Status list pane, select the server whose status you want to view.

If you are in a server view, the server is already selected.

4 Press F5 to refresh the list.

Refreshing the list might take several minutes for a large group.

Creating a server group

There are two general categories of server groups: the Global Group and user-defined groups.

The Global Group is the default server group. You can keep all of your Microsoft Exchange servers that run Symantec Mail Security in the Global Group. If your network contains a large number of Exchange servers, you can create server groups in addition to the Global Group, add servers to these groups, and administer all of your servers that run Symantec Mail Security on a group basis.


To create a server group

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, in the sidebar under Tasks, click Add group.

3 In the Add New Management Group window, type a name for the server group, and then click OK.

4 Click Close.

Adding servers to a group

You can add servers that have a common purpose, and therefore require the same protection, to a server group. By adding a server to a group, you can apply a common set of protection settings once, rather than repeatedly to each server. In a large network with multiple servers that perform similar roles, the reduction in configuration time and maintenance costs can be considerable.

All servers are added to the Global Group. However, a server can only reside in one user-defined server group at a time. You can create a new server group dynamically when you add a server to a group.

You can install or upgrade Symantec Mail Security on servers that you are adding to a server group. All servers must be running Symantec Mail Security 5.0x to be managed from the console.

See “About installing Symantec Mail Security” on page 34.

To add servers to a group

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, in the sidebar under Tasks, click Add servers.

3 In the Add Server(s) window, under Management group, do one of the following:

To select an existing group

Click Select group, select the existing group in which you want to add the server, and then click OK.

To create a new group

In the Group box, type the name of the new server group that you want to create.


4 Under Servers to add, do one of the following:

■ In the Available servers list, select one or more servers, and then click the >> command icon.

■ In the Server name or IP box, type the server name or IP address of the server that you want to add, and then click the >> command icon.

5 Under Server options, in the TCP port number box, type the TCP port number for the server or group of servers that you want to add.

The default port number is 8081. The port number must be the same for all servers that you add in one operation. The port number and SSL setting that you specify must match the server's own configuration, or the console cannot communicate with the server.

See “Modifying the port and communication properties of a server” on page 83.

6 Check Send group settings to apply group settings to the newly added server.

If unchecked, existing server settings are retained. Future changes that are made to the server group are applied to the server.

7 Check Install SMSMSE to install Symantec Mail Security to the newly added server.

8 Check Keep installation files on server(s) to maintain the installation files on the server.

9 Click OK, and then click Close.

Moving a server to another group

You can move a server from one group to another group. You can choose to retain the server’s settings or apply the settings of the new group.

Move a server to another group

If you have already created the group to which you want to move the server and you do not want to apply the group’s settings, you can move the server by dragging it to the group.

If you need to create a new group, if you are moving multiple servers, or if you want to apply group settings to the newly added server, you can use the Move Server window.


To drag a server to another group

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.

3 Select the server that you want to move and drag it into the new server group.

4 In the confirmation dialog box, click OK.

5 Click Close.

To move a server to another group using the Move Server window

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, in the Assets list, expand the group that contains the server that you want to move and the group you want to move the server to, if necessary.

3 Do one of the following:

■ Select the server that you want to move, and then under Tasks, click Move server.

■ Right-click on the server that you want to move, and then click Move server.

4 In the Move Server window, do one of the following:

■ Select the server group to which you want to add the server.

■ In the Select a group or add a new group box, type the name of a new server group.

5 Click Send group settings to server to apply the settings of the targeted server group to the server.

6 Click OK, and then click Close.


Synchronizing group settings to a server

Settings on a particular server might not be synchronized with its server group settings. This can occur, for example, if a server is configured in the server view.

To synchronize group settings to a server

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, under Assets, select the server to which you want to apply group settings.

3 In the sidebar under Tasks, click Send group settings to server.

This applies the settings of the server group to the selected server.

4 In the Operation Status window, click Close when the operation is complete.

5 In the Asset Management window, click Close.

Restoring default settings to a server or group

You can restore all of the settings for a server or group to their initial, default settings. Restoring default settings also deletes any custom content filtering rules, match lists, report templates, and scheduled scans that you have created. It does not delete existing reports.

When you restore default settings, the Symantec Mail Security service is restarted. The process could take several minutes to complete. While the service is restarting, the console might not show the current settings. You should log off and log back into the console.

To restore default settings to a server or group

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, under Assets, select the server or group that you want to restore to the default settings.

3 In the sidebar under Tasks, click Reset to factory defaults.

4 In the confirmation dialog box, click OK.

5 In the Operation Status window, click Close when the operation is complete.

6 In the Asset Management window, click Close.

7 In the console on the menu bar, click File > Exit to close the console.


Removing a server from group management

When you remove a server from the Global Group, you can no longer manage the server through the Symantec Mail Security console. Removing a server does not uninstall Symantec Mail Security from the server. Symantec Mail Security continues to provide protection. However, you cannot modify server settings or view the server status from the Symantec Mail Security console.

To remove a server from group management

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, under Assets, in the Global Group list, select one or more servers that you want to remove.

3 In the sidebar under Tasks, click Remove servers.

4 In the confirmation dialog box, click OK.

5 Click Close.

Removing a server group

If a user-defined server group is no longer needed, you can remove it. The server group settings are retained on the servers that are in the group until new settings are applied.

If you remove a user-defined server group, the servers that belong to the group can be managed through the Global Group.

Note: You cannot remove the Global Group.

To remove a server group

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, under Assets, select the group that you want to remove.

The Global Group cannot be removed.

3 In the sidebar under Tasks, click Remove group.

4 In the confirmation dialog box, click OK.

5 Click Close.


Importing and exporting settings

Symantec Mail Security provides a feature that lets you export the settings for a server or group to an .xml file. This lets you save the settings as a backup file or import the settings to another computer.

When you import settings, you can view the setting configurations in the console. However, the settings are not applied until you deploy them. You can only deploy settings for Symantec Premium AntiSpam if the computer on which you are importing the settings has a valid Symantec Premium AntiSpam license.

You can only export setting configurations, not data such as items in the Event Log.

Before you export settings, ensure that you deploy all pending changes.

To export settings

1 In the console on the menu bar, click File > Export.

2 In the confirmation dialog box, click OK.

3 In the Select the file to save exported settings window, choose the location where you want to save the file.

4 In the File name box, type the file name.

5 Click Save.

6 In the Operation Status window, click Close when the operation is complete.

To import settings

1 In the console on the menu bar, click File > Import.

2 In the confirmation dialog box, click OK.

3 In the Select the file to save exported settings window, locate the file that you want to import.

4 Click Open.

5 In the console on the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.


Modifying the port and communication properties of a server

After a server is added to management control, you can change the Transmission Control Protocol (TCP) port and specify whether to use Secure Sockets Layer (SSL) for communication between the console and the server.

See “Implementing SSL communications” on page 51.

To modify the port and communication properties of a server

1 In the console on the menu bar, click Tasks > Manage Assets.

2 In the Asset Management window, under Assets, select a server.

3 In the sidebar under Tasks, click Server properties.

4 In the Properties window, in the Port number box, type the new port number.

The default port number is 8081.

5 Check Use SSL to use SSL for communication between the console and server.

6 Click OK, and then click Close.


Chapter 5 Quarantining messages and attachments

This chapter includes the following topics:

■ About the quarantine

■ Forwarding quarantined items to the Quarantine Server

■ Establishing local quarantine thresholds

■ Viewing the contents of the local quarantine

■ Release messages from the quarantine

■ Deleting an item from the quarantine

About the quarantine

Symantec Mail Security provides the following options for quarantining messages:

Local quarantine When you configure Symantec Mail Security policies, you can choose to send infected messages and attachments to the local quarantine. You can also configure policies to quarantine messages that trigger violations.

See “Establishing local quarantine thresholds” on page 87.

See “Viewing the contents of the local quarantine” on page 88.

See “Deleting an item from the quarantine” on page 93.

Quarantine Server You can forward infected files that are in the local quarantine to the Quarantine Server, if one has been set up on your network. When you send quarantined files to the Quarantine Server, the files are forwarded to Symantec for analysis in real time over HTTPS. Symantec automatically distributes updated definitions to the Quarantine Server when they are available.

The Quarantine Server is a component of Symantec AntiVirus Central Quarantine. Symantec Mail Security supports version 3.3 or later of the Symantec AntiVirus Central Quarantine Server. Version 3.3 is provided on the Symantec Mail Security CD in the following location and must be installed separately:

\ADMTOOLS\DIS

For more information about the Symantec AntiVirus Central Quarantine, see the Symantec Central Quarantine Administrator’s Guide, which is located on the product CD in the following location:

\DOCS\DIS\CentQuar.pdf

Note: Files that contain non-viral threats, are unscannable, or violate content filtering rules are not forwarded to the Quarantine Server.

Forwarding quarantined items to the Quarantine Server

If you have installed the Quarantine Server, you can configure Symantec Mail Security to forward items from the local quarantine to the Quarantine Server.

To forward quarantined items to the Quarantine Server

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Quarantine Settings.

3 In the content area, under Quarantine Server, check Send quarantined items to Quarantine Server.

4 Check Delete local quarantined items after forwarding to Quarantine Server to remove items from the local quarantine.

5 In the Server Address box, type the IP address of the Quarantine Server.

6 In the Server Port box, type the port number for the Quarantine Server.

7 In the Network Protocol list, click the drop-down menu and select the appropriate network protocol.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Establishing local quarantine thresholds

You can specify the thresholds for the local quarantine and how you want Symantec Mail Security to respond when a threshold is met.

When you establish the quarantine thresholds for the local quarantine, you can specify the following limits:

Maximum number of items

The maximum number of messages or attachments

Maximum size of quarantine

The maximum total size (in megabytes or gigabytes) of the quarantine

Retain items in quarantine

The maximum number of days to retain a message or attachment in the quarantine

You can also specify the actions that you want Symantec Mail Security to take when a threshold is met.

To establish local quarantine thresholds

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Quarantine Settings.

3 In the content area, under Quarantine Thresholds, check Maximum number of items to limit the number of quarantined items, and then type the maximum number of messages or attachments to retain in the quarantine.

This item is checked by default. The default value is 1000.

4 To limit the maximum size of the quarantine, do the following:

■ Check Maximum size of quarantine.

This item is checked by default.

■ Type the maximum size of the quarantine.

The default value is 500.

■ Click the drop-down menu and select MB or GB.

The default value is MB.

5 Check Retain items in quarantine to limit how long an item is quarantined, and then type the number of days.

The default value is 90.

To specify an action to take when a quarantine threshold is met

1 Under When a threshold is met, check Notify Administrator to send notification messages to an administrator list.

See “Configuring notification settings for scan violations” on page 188.

2 Check Notify others to send notification messages to additional people.

3 In the Notify others box, type the email addresses of the people to whom you want notifications sent.

Separate email addresses with commas.

4 Check Delete oldest items to remove items that meet a threshold.

This option is not enabled by default.

If Delete oldest items is not checked and a quarantine threshold is reached, no items are removed: the event is logged, and Symantec Mail Security sends a notification to the recipients that are specified on the Quarantine Settings page.

5 Under Administrator Notification, in the Subject Line box, type your subject line text.

6 In the Message Body box, type the administrator notification message body.

You can use variables in the message body.

See “About alert and notification variables” on page 225.

7 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.
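The three limits and the Delete oldest items action described in the procedures above, modeled in Python as an added example; this is not code from the guide or the product. The item record fields, the class names, and the reading that a threshold is met when the count, total size or age is strictly greater than the configured value are assumptions, and the quarantine records are constructed for the demonstration.

```python
"""Quarantine threshold evaluation (added example; not product code).

Models the three limits on the Quarantine Settings page (maximum number
of items, maximum size, retention days) and the "Delete oldest items"
action, so you can see which thresholds a given quarantine state trips
and what the action would remove. Item records are constructed below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class QuarantinedItem:
    quarantine_id: str        # the console's "Quarantine Id"
    time_encrypted: datetime  # the console's "Time encrypted"
    size_bytes: int


@dataclass(frozen=True)
class QuarantineThresholds:
    """Defaults mirror the page: 1000 items, 500 MB, 90 days, no deletion."""
    max_items: Optional[int] = 1000          # None = limit unchecked
    max_size_bytes: Optional[int] = 500 * MB
    retain_days: Optional[int] = 90
    delete_oldest: bool = False


def _violations(items: List[QuarantinedItem], t: QuarantineThresholds, now: datetime):
    """Thresholds the given items exceed. Assumption: a limit is met when the
    count, total size or oldest age is strictly greater than the limit."""
    met = []
    if t.max_items is not None and len(items) > t.max_items:
        met.append("max_items")
    if t.max_size_bytes is not None and sum(i.size_bytes for i in items) > t.max_size_bytes:
        met.append("max_size")
    if t.retain_days is not None and items:
        oldest = min(i.time_encrypted for i in items)
        if now - oldest > timedelta(days=t.retain_days):
            met.append("retain_days")
    return met


def thresholds_met(items, t, now):
    return _violations(list(items), t, now)


def apply_policy(items, t, now):
    """Return (kept, deleted). Without "Delete oldest items" nothing is
    removed: the page says the event is logged and notifications go out."""
    remaining = sorted(items, key=lambda i: i.time_encrypted)  # oldest first
    deleted = []
    if not t.delete_oldest:
        return remaining, deleted
    while remaining and _violations(remaining, t, now):
        deleted.append(remaining.pop(0))
    return remaining, deleted


# Constructed sample data, not taken from any real server.
SAMPLE_NOW = datetime(2006, 6, 1, 12, 0)
SAMPLE_ITEMS = [
    QuarantinedItem("Q-0001", SAMPLE_NOW - timedelta(days=100), 1 * MB),  # past retention
    QuarantinedItem("Q-0002", SAMPLE_NOW - timedelta(days=10), 6 * MB),
    QuarantinedItem("Q-0003", SAMPLE_NOW - timedelta(days=5), 2 * MB),
    QuarantinedItem("Q-0004", SAMPLE_NOW - timedelta(days=1), 3 * MB),
]
# Small limits so the sample trips all three thresholds.
SAMPLE_POLICY = QuarantineThresholds(max_items=3, max_size_bytes=10 * MB,
                                     retain_days=90, delete_oldest=True)


def demo():
    """Evaluate the sample; returns (thresholds met, kept ids, deleted ids)."""
    met = thresholds_met(SAMPLE_ITEMS, SAMPLE_POLICY, SAMPLE_NOW)
    kept, deleted = apply_policy(SAMPLE_ITEMS, SAMPLE_POLICY, SAMPLE_NOW)
    return met, [i.quarantine_id for i in kept], [i.quarantine_id for i in deleted]


if __name__ == "__main__":
    print(demo())
```

Running the sample removes Q-0001 (past the 90-day retention) and then Q-0002 (the next oldest, which brings the total size back under the limit); with Delete oldest items off, the same state only reports the three thresholds and deletes nothing, which is why a quarantine left at the defaults can sit full until an administrator acts on the notification.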

Viewing the contents of the local quarantine

You can view the contents of the local quarantine for a server. You must be in the server view.

See “Modifying or viewing server or server group settings” on page 74.


Table 5-1 lists the information that is found in the Quarantine list pane.

When you select an item in the Quarantine, details about the message (and attachments, if any) appear in the preview pane.

Table 5-2 lists the detailed information that is shown in the preview pane.

Table 5-1 Quarantined file summary information

Item Description

Time encrypted Date and time when Symantec Mail Security intercepted and encrypted the file

Recipient Intended recipient(s) of the message

Sender Address of the sender of the message

Message part The part of the message that triggered the violation

Location Location in the system where the file was intercepted

Rule violated Policy or rule that was violated

Quarantine Id Alpha-numeric identifier that Symantec Mail Security assigns to the quarantined file

Sent to QServer Whether the file was sent to the Quarantine Server

Table 5-2 Quarantined file detailed information

Item Description

Time encrypted Date and time when Symantec Mail Security intercepted and encrypted the file

Attachment Name The name of the attachment that triggered the violation

If the message body triggered the violation, this entry is: Message Body.

Rule violated Policy or rule that was violated

Location Location in the system where the file was intercepted

Sender Address of the sender of the message

Recipient(s) Intended recipient(s) of the message

Sent to QServer Whether the file was sent to the Quarantine Server

Virus Name If a virus was detected, the name of the virus


To view the contents of the local quarantine

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Quarantine.

This option is not available in group view.

3 In the list pane, click an item to view the item’s details.

The data appears in the preview pane.

4 Press F5 to refresh the display.

Release messages from the quarantine

You can release messages from the local quarantine by doing the following:

■ Releasing messages from the quarantine by email

■ Releasing messages from the quarantine to a file

Messages that are released from the quarantine are rescanned for threats. Remove or repair the threat before you release the message from the local quarantine. Otherwise, if your virus policy is to quarantine threats, Symantec Mail Security returns the message to the quarantine.

Messages released from the quarantine are rescanned for threats only. They are not checked again against spam, content filtering, or file filtering rules, so a message that was quarantined for a content or file violation is delivered with that violation intact.

Releasing messages from the quarantine by email

You can send quarantined files to specified destinations by email. When you release a file from the quarantine by email, you remove it from the quarantine.

To release messages from the quarantine by email

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Quarantine.

This option is not available in group view.


3 Do one of the following:

■ In the sidebar under Tasks, click Select all to select all of the items in the quarantine.

■ In the list pane under Quarantine, select the items that you want to release.

To select multiple items, press CTRL and select the items that you want to release.

To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.

4 In the sidebar under Tasks, click Release by mail.

5 In the Releasing by mail window, select one of the following:

Send to original intended recipient(s)

Sends the message to the intended recipient. The names of the original recipients are listed in the Original recipient(s) list. This list cannot be modified.

This option is enabled by default.

Send to administrators

Sends the selected file to the administrator whose address appears in the Administrators list.

The administrator address cannot be modified in the Releasing by mail window. You can modify the address on the Monitors > Notification/Alerts Settings page.

See “Configuring notification settings for scan violations” on page 188.

Send to the following

Sends the selected file to the addresses that appear in the Alternate recipients list.

In the Alternate recipients list, type the email address to which you want to email the selected quarantined item. Type each entry on a separate line.

6 Click OK.

7 In the Operation Status window, click Close when the operation is complete.


Releasing messages from the quarantine to a file

You can move quarantined messages to a folder for review or analysis. The folder is in the following location:

\Program Files\Symantec\SMSMSE\5.0\Server\Quarantine\Release

The file location cannot be modified.

To release messages from the quarantine to a file

1 In the console on the primary navigation bar, click Monitors.

2 Under Views, click Quarantine.

This option is not available in group view.

3 Do one of the following:

■ In the sidebar under Tasks, click Select all to select all of the items in the quarantine.

■ In the list pane under Quarantine, select the items that you want to release.

To select multiple items, press CTRL and select the items that you want to release. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.

4 In the sidebar under Tasks, click Release to file (Save).

5 In the Releasing to file and delete dialog box, select one of the following:

Yes Removes the item from the quarantine after it has been saved to the Release folder.

No The item remains in the quarantine after it has been saved to the Release folder.

Cancel Cancels the file release operation.

6 In the confirmation dialog box, click OK.

7 In the Operation Status window, click Close when the operation is complete.


Deleting an item from the quarantine

You can delete one or more items from the quarantine at a time.

To delete an item from the quarantine

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Quarantine.

3 Do one of the following:

■ In the sidebar under Tasks, click Select all to select all of the items in the quarantine.

■ In the list pane under Quarantine, select the items that you want to remove.

To select multiple items, press CTRL and select the items that you want to delete. To unselect all of the selected items, in the sidebar under Tasks, click Deselect all.

4 In the sidebar under Tasks, click Delete.


Chapter 6 Protecting your server from risks

This chapter includes the following topics:

■ About protecting your server from risks

■ Configuring threat detection

■ Configuring security risk detection

■ Configuring file scanning limits

■ Configuring rules to address unscannable container files

About protecting your server from risks

Symantec Mail Security can detect risks in all major file types (for example, Windows®, DOS, Microsoft® Word, and Microsoft® Excel files).

See “About the scanning process” on page 178.

Table 6-1 describes the risks that Symantec Mail Security protects your Exchange server against.

Table 6-1 Risks that can threaten your Exchange server

Risk Description

Threats Symantec Mail Security detects viruses, worms, and Trojan horses in all major file types.

See “Configuring threat detection” on page 98.

Mass-mailer worms Symantec Mail Security detects email messages that carry a mass-mailer worm or virus and automatically deletes the infected message and any attachments.

See “Configuring threat detection” on page 98.

Denial-of-service attacks

Symantec Mail Security protects your network from file attachments that can overload the system and cause denial-of-service attacks. This includes container files that are overly large, that contain large numbers of embedded, compressed files, or that are designed to maliciously use resources and degrade performance. To reduce your exposure to denial-of-service threats, you can impose limits to control how Symantec Mail Security handles container files.

See “Configuring file scanning limits” on page 102.

Security risks Symantec Mail Security detects security risks, such as adware, dialers, hack tools, joke programs, remote access programs, spyware, and trackware.

See “Configuring security risk detection” on page 100.

Symantec Mail Security also helps you detect and block potential risks from entering your network, such as unscannable and encrypted container files.

See “Configuring rules to address unscannable container files” on page 104.

When a risk is detected, the incident is logged to the locations that you specify. You can also configure Symantec Mail Security to issue alerts when risks are detected or when an outbreak occurs.

See “About outbreak management” on page 189.

See “How Symantec Mail Security detects risks” on page 97.


How Symantec Mail Security detects risks

Symantec Mail Security uses the following tools to detect risks:

Definitions Symantec engineers track reported outbreaks of threats (such as viruses, Trojan horses, worms) to identify new threats. After a threat is identified, information about the threat (a signature) is stored in a definition file. This file contains information to detect and eliminate the threat. When Symantec Mail Security scans for threats, it searches for these signatures.

Heuristics Symantec Mail Security uses Symantec Bloodhound™ heuristics technology to scan for threats for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected message bodies and attachments. Bloodhound technology is capable of detecting upwards of 80 percent of new and unknown executable file threats. Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead since it examines only message bodies and attachments that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a message or attachment is likely to be infected. If it determines that a file is not likely to be infected, it moves to the next file.

Container file decomposer

Symantec Mail Security contains a decomposer that extracts container files so that they can be scanned for risks. The decomposer continues to extract nested container files until it reaches the base files. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to the Unscannable File Rule.
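The decomposer behaviour described above, together with the container-file denial-of-service limits listed in Table 6-1, as an added Python example that is not the product's code. It uses ZIP as the container format; the limit names (depth, member count, cumulative uncompressed bytes), the LimitExceeded signal that stands in for handing the file to the Unscannable File Rule, and the sample archives are all constructed here.

```python
"""Container-file decomposer with scan limits (added example; not product code).

Recursively opens ZIP containers until it reaches the base files, and
stops as soon as a configured limit (nesting depth, number of members,
cumulative uncompressed bytes) is exceeded. The caller maps that stop to
the Unscannable File Rule. Limits and sample archives are constructed.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ScanLimits:
    max_depth: int = 10                  # containers nested inside containers
    max_files: int = 100                 # members opened across all levels
    max_bytes: int = 10 * 1024 * 1024    # cumulative uncompressed bytes


class LimitExceeded(Exception):
    """Raised when decomposition would exceed a ScanLimits value."""


def _is_zip(data: bytes) -> bool:
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def decompose(data: bytes, name: str, limits: ScanLimits,
              _depth: int = 0, _budget=None) -> List[Tuple[str, bytes]]:
    """Return (path, content) for every base file reachable inside `data`."""
    if _budget is None:
        _budget = {"files": 0, "bytes": 0}
    if not _is_zip(data):
        return [(name, data)]                # base file: hand to the scanner
    if _depth >= limits.max_depth:
        raise LimitExceeded(f"{name}: nesting deeper than {limits.max_depth}")
    base_files = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _budget["files"] += 1
            if _budget["files"] > limits.max_files:
                raise LimitExceeded(f"{name}: more than {limits.max_files} members")
            # Check the declared size before inflating anything, then the
            # real size afterwards: the headers of a hostile archive can lie.
            if _budget["bytes"] + info.file_size > limits.max_bytes:
                raise LimitExceeded(f"{name}/{info.filename}: declared size exceeds budget")
            member = zf.read(info)
            _budget["bytes"] += len(member)
            if _budget["bytes"] > limits.max_bytes:
                raise LimitExceeded(f"{name}/{info.filename}: inflated size exceeds budget")
            base_files.extend(decompose(member, f"{name}/{info.filename}",
                                        limits, _depth + 1, _budget))
    return base_files


def scan_verdict(data: bytes, name: str, limits: ScanLimits):
    """('scannable', [paths]) or ('unscannable', reason) for one attachment."""
    try:
        files = decompose(data, name, limits)
    except LimitExceeded as exc:
        return "unscannable", str(exc)
    except zipfile.BadZipFile as exc:
        return "unscannable", f"{name}: corrupt container ({exc})"
    return "scannable", [path for path, _ in files]


# ---- constructed sample archives, built in memory ----
def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_benign() -> bytes:
    inner = make_zip({"report.doc": b"quarterly numbers"})
    return make_zip({"readme.txt": b"hello", "inner.zip": inner})


def sample_deep(levels: int) -> bytes:
    """A zip nested `levels` deep around a small base file."""
    data = b"payload"
    for i in range(levels):
        data = make_zip({"base.bin" if i == 0 else f"level{i}.zip": data})
    return data


def sample_bomb() -> bytes:
    """One member that inflates from a few KB to 2 MB of zeros."""
    return make_zip({"zeros.bin": b"\0" * (2 * 1024 * 1024)})


if __name__ == "__main__":
    print(scan_verdict(sample_benign(), "attachment.zip", ScanLimits()))
    print(scan_verdict(sample_deep(12), "deep.zip", ScanLimits()))
    print(scan_verdict(sample_bomb(), "bomb.zip", ScanLimits(max_bytes=1024 * 1024)))
```

The byte budget is checked against the declared member size before any data is inflated and again against the real inflated length, because a crafted archive can understate its sizes; the depth check fires when a container is found at the limit rather than after it has been opened, so a deeply nested archive costs nothing beyond the levels you allowed.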

Configuring threat detection

To configure threat detection, do the following:

Enable threat detection scanning

Symantec Mail Security detects viruses, worms, and Trojan horses in all major file types. Antivirus scanning must be enabled for Symantec Mail Security to detect threats.

When you enable threat detection scanning, it applies to all types of scans.

See “About the scanning process” on page 178.

Set the Bloodhound detection level

To supplement signature-based detection, Symantec Mail Security uses Bloodhound technology.

You can customize your level of protection against new threats, from no protection to a high level of protection. A higher level increases the protection of your network, but server performance might be affected. At lower levels, an unknown threat might escape detection, but the performance cost is smaller. In most cases, the default (Medium) setting is appropriate.

See “How Symantec Mail Security detects risks” on page 97.

Enable mass-mailer worm-infected message detection

When this option is enabled and Symantec Mail Security detects that an email message carries a mass-mailer worm or virus, it deletes the infected message and all of its attachments without sending notifications. When the option is not enabled, an infected mass-mailer message is treated the same as any other infected message.

Modify default threat detection rules, as needed

Symantec Mail Security provides default antivirus rules, which are always enabled. You can modify these rules.

To configure threat detection

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antivirus, click Antivirus Settings.

3 In the content pane under Antivirus Settings, check Enable virus scanning.

Virus scanning is enabled by default.

4 In the Bloodhound detection list, select one of the following:

■ Off: Disables Bloodhound detection.

■ Low: Optimizes server performance, but might not detect potential threats.

■ Medium: Provides a balance between threat detection and server performance. This is the default setting.

■ High: Increases the detection of threats, but might impact server performance.

5 Check Delete mass-mailer worm-infected messages (no notifications) to automatically delete mass-mailer messages.

This feature is enabled by default.

6 In the Rules table, select any of the following rules to view or modify:

■ Basic Virus Rule: Applies to messages or attachments that contain threats that can be repaired. This rule is always enabled.

■ Unrepairable Virus Rule: Applies to messages or attachments that contain threats that cannot be repaired. This rule is always enabled.

The settings for the rule that you select appear in the preview pane.

7 In the preview pane, in the Action to take list, select the action to take when a threat is detected.

8 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message.

You can use variables in your customized text.

See “About alert and notification variables” on page 225.

9 Check one or more of the following to send email notifications about the detection:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

10 Next to each of the items that you selected, click the down arrow and do the following:

■ In the Subject line box, type your customized text.

■ In the Message body box, type your customized text.

You can use variables in your customized text.

See “About alert and notification variables” on page 225.

11 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring security risk detection

Symantec Mail Security can detect security risks. Security risks are programs that do any of the following:

■ Provide unauthorized access to computer systems

■ Compromise data integrity, privacy, confidentiality, or security

■ Present some type of disruption or nuisance

These programs can put your employees and your organization at risk for identity theft or fraud by logging keystrokes, capturing email and instant messaging traffic, or harvesting personal information, such as passwords and login identifications.

Security risks can be introduced into your system unknowingly when users visit a Web site, download shareware or freeware programs, click links or attachments in email messages, or use instant messaging clients. They can also be installed as a by-product of accepting an end user license agreement for another software program that is related or linked in some way to the security risk.

You must enable the Security Risk Rule for Symantec Mail Security to detect security risks.

Table 6-2 lists the categories of security risks that Symantec Mail Security detects.

Table 6-2 Security risk categories

Adware

Stand-alone or appended programs that gather personal information through the Internet and relay it back to a remote computer without the user’s knowledge. Adware might monitor browsing habits for advertising purposes. It can also deliver advertising content.

Hack tools

Programs used to gain unauthorized access to a user’s computer. For example, a keystroke logger tracks and records individual keystrokes and sends this information to a remote computer. A remote user can also use hack tools to perform port scans or vulnerability scans, or to create viruses.

Dialers

Programs that use a computer, without the user’s permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

Joke programs

Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or bothersome. For example, a joke program might move the Recycle Bin away from the mouse when the user tries to click it.

Remote access programs

Programs that let a remote user gain access to a computer over the Internet to gather information from, attack, or alter the host computer.

Spyware

Stand-alone programs that can secretly monitor system activity, capture passwords and other confidential information, and then relay the information back to a remote computer.

Trackware

Stand-alone or appended applications that trace a user’s path on the Internet and relay the information to a remote computer.

To configure security risk detection

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antivirus, click Antivirus Settings.

3 In the content area, in the Rules table, on the Security Risk Rule row, click the field under the Enabled column, and then click Enabled.

This rule is disabled by default.

4 In the preview pane, in the Action to take list, select the action to take when a security risk is detected.

5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message.

You can use variables in your customized text.

See “About alert and notification variables” on page 225.

6 Check one or more of the following to send email notifications about the detection:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

7 Next to each of the items that you selected, click the down arrow and do the following:

■ In the Subject line box, type your customized text.

■ In the Message body box, type your customized text.

You can use variables in your customized text.

See “About alert and notification variables” on page 225.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring file scanning limits

Symantec Mail Security imposes limits on file extraction. These limits protect against denial-of-service attacks that use overly large or deeply nested container files, which take a long time to decompose. The limits also improve scanning performance.

Symantec Mail Security contains a decomposer that extracts container files so that they can be scanned for risks. The decomposer continues to extract container files until it reaches the base file. When a container file reaches a set limit, the scanning process stops, the violation is logged to the specified logging destinations, and the file is handled according to the Unscannable File Rule.

See “Configuring rules to address unscannable container files” on page 104.

To configure file scanning limits

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under General, click Scanning Limits.

3 In the content area, in the Maximum scan time (in seconds) box, type the maximum time that Symantec Mail Security can spend extracting a single container file.

You can enter a value from 10 to 500000. The default value is 300.

4 In the Maximum archive scan depth (number of levels) box, type the maximum number of nested levels of files that are decomposed within a container file.

You can enter a value from 1 to 50. The default value is 10.

5 In the Maximum size of one extracted file (in MB) box, type the maximum file size, in megabytes, for individual files in a container file.

You can enter a value from 1 to 1024. The default value is 100.

6 In the Maximum total size of all extracted files (in MB) box, type the maximum size, in megabytes, of all extracted files.

You can enter a value from 1 to 1024. The default value is 200.

7 In the Maximum number of files extracted box, type the maximum allowable number of files to be extracted.

You can enter a value from 1 to 1000000. The default value is 5000.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring rules to address unscannable container files

A container file that cannot be scanned can put your network at risk if it contains a threat. Symantec Mail Security provides the following default rules to address unscannable container files:

Unscannable File Rule

Symantec Mail Security must be able to decompose and scan a container file to detect risks. An unscannable container file that contains a threat could pose a risk to your network. Unscannable files are those that meet a scanning limit, are a partial container file, or that generate a scanning error.

You can specify how you want Symantec Mail Security to process container files that cannot be scanned. The default setting for the Unscannable File Rule is to quarantine the file and replace it with a text description.

Note: Objects inserted in email messages as links are unscannable and trigger the Symantec Mail Security Unscannable File Rule.

Encrypted File Rule

Infected files can be intentionally encrypted. Encrypted files cannot be decrypted and scanned without the appropriate decryption tool. You can configure how you want Symantec Mail Security to process encrypted container files to protect your network from threats.

The default setting for the Encrypted File Rule is to quarantine the file and replace it with a text description.

These rules are always enabled.

To configure rules to address unscannable container files

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under General, click Exceptions.

3 In the list pane, select the rule that you want to view or modify.

4 In the preview pane, in the Action to take list, select the action to take when an unscannable file is detected.

5 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message.

You can use variables in your customized text.

See “About alert and notification variables” on page 225.

6 Check one or more of the following to send email notifications about the detection:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

7 Next to each of the items that you selected, click the down arrow and do the following:

■ In the Subject line box, type your customized text.

■ In the Message body box, type your customized text.

You can use variables in your customized text.

See “About alert and notification variables” on page 225.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.
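
The following is an added example, not code from this guide or from the Symantec product. It shows how the five scanning limits from the Scanning Limits page (with the guide's default values) and the two rules above interact inside a container decomposer: nested archives are unpacked down to the base files while shared counters enforce depth, per-file size, total size, file count, and wall-clock time, a hit on any limit or a partial archive is routed to the Unscannable File Rule, and an entry whose header carries the encrypted flag is routed to the Encrypted File Rule before any attempt to read it. ZIP is used as the container format, the class and function names are the author's own, and the test archives (including a header-patched "encrypted" entry) are constructed in memory.

```python
import io
import time
import zipfile
from dataclasses import dataclass


@dataclass
class ScanLimits:
    """The five limits from the Scanning Limits page, with the guide's defaults."""
    max_scan_seconds: float = 300   # Maximum scan time (10..500000)
    max_depth: int = 10             # Maximum archive scan depth (1..50)
    max_file_mb: int = 100          # Maximum size of one extracted file (1..1024)
    max_total_mb: int = 200         # Maximum total size of all extracted files (1..1024)
    max_files: int = 5000           # Maximum number of files extracted (1..1000000)


class LimitExceeded(Exception):
    """A scanning limit was met; the container falls under the Unscannable File Rule."""


class EncryptedEntry(Exception):
    """An entry is flagged encrypted; the container falls under the Encrypted File Rule."""


def decompose(data, limits, _depth=1, _state=None):
    """Extract nested ZIP containers down to the base files, enforcing the limits.

    The file count, total bytes and deadline are shared across all nesting
    levels, so a bomb cannot dodge them by spreading itself over many inner
    archives. Returns [(name, bytes)] for every base file.
    """
    if _state is None:
        _state = {"files": 0, "total": 0,
                  "deadline": time.monotonic() + limits.max_scan_seconds}
    if _depth > limits.max_depth:
        raise LimitExceeded("archive scan depth")
    base_files = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if time.monotonic() > _state["deadline"]:
                raise LimitExceeded("scan time")
            if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
                raise EncryptedEntry(info.filename)
            _state["files"] += 1
            if _state["files"] > limits.max_files:
                raise LimitExceeded("number of files extracted")
            # Check the declared size before inflating: a decompression bomb is
            # small on the wire and huge once extracted.
            if info.file_size > limits.max_file_mb * 1024 * 1024:
                raise LimitExceeded("size of one extracted file")
            payload = zf.read(info)
            _state["total"] += len(payload)   # count what was actually inflated
            if _state["total"] > limits.max_total_mb * 1024 * 1024:
                raise LimitExceeded("total size of all extracted files")
            if zipfile.is_zipfile(io.BytesIO(payload)):
                base_files.extend(decompose(payload, limits, _depth + 1, _state))
            else:
                base_files.append((info.filename, payload))
    return base_files


def scan_container(data, limits=None):
    """Map the decomposer outcome onto the rule that applies.

    'scanned'     -> base files are handed to the antivirus engine
    'unscannable' -> a limit was met, the archive is partial, or extraction failed
    'encrypted'   -> an entry is encrypted and cannot be inspected
    """
    try:
        files = decompose(data, limits or ScanLimits())
    except EncryptedEntry:
        return "encrypted", []
    except (LimitExceeded, zipfile.BadZipFile):
        return "unscannable", []
    return "scanned", files


# --- constructed test inputs, not real mail traffic ---------------------------

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nest(inner_name, payload, levels):
    """Wrap payload in `levels` nested ZIPs (levels=1 is a plain archive)."""
    data = make_zip({inner_name: payload})
    for i in range(1, levels):
        data = make_zip({f"level{i}.zip": data})
    return data


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag in the last central-directory record.

    The payload is not real ciphertext; this reproduces only the header bit a
    password-protected archive carries, which is what the rule keys on.
    """
    cd = zip_bytes.rindex(b"PK\x01\x02")
    flags = int.from_bytes(zip_bytes[cd + 8:cd + 10], "little") | 0x1
    return zip_bytes[:cd + 8] + flags.to_bytes(2, "little") + zip_bytes[cd + 10:]


if __name__ == "__main__":
    print(scan_container(nest("inner.txt", b"hello", 3)))                        # scanned
    print(scan_container(nest("inner.txt", b"hello", 11))[0])                    # unscannable (depth 11 > 10)
    print(scan_container(mark_encrypted(make_zip({"secret.doc": b"x"})))[0])    # encrypted
```

The declared size is checked before the entry is inflated because a hostile archive header is cheap to write and the extraction is the expensive part; the total is then recomputed from the bytes actually produced so a header that understates its size still counts. Lowering the defaults below what your legitimate attachments need turns ordinary mail into quarantined "unscannable" items, so tune them against real traffic before tightening.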

Chapter 7

Identifying spam

This chapter includes the following topics:

■ About spam detection

■ Blocking spam using real-time blacklists

■ Configuring whitelists

■ How to detect spam using Symantec Premium AntiSpam

■ Configuring heuristic antispam protection

About spam detection

Symantec Mail Security protects your servers from unwanted email messages, such as spam. Spam is usually defined as junk or unsolicited email from a third party; the sender has no discernible relationship with all or some of the message recipients. Often the message headers are forged or altered to conceal where the message originated. Spam is not only an annoyance to users and administrators, it is also a serious security concern. Spam is used to deliver viruses and Trojan horses and to carry phishing attempts. In addition, high volumes of spam can create denial-of-service conditions in which email systems are so overloaded that legitimate email and network traffic cannot get through. Symantec Mail Security can detect whether an incoming email message is spam with a high level of accuracy.

You can use one of the following features to identify spam:

Symantec Premium AntiSpam

Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available.

See “How to detect spam using Symantec Premium AntiSpam” on page 114.

You must have a valid Symantec Premium AntiSpam license to enable the Symantec Premium AntiSpam service.

See “About the Symantec Premium AntiSpam license file” on page 67.

Heuristic antispam

Heuristic antispam uses a pattern-matching heuristics engine to compare the contents of incoming email messages to a list of spam characteristics. You can select the antispam engine sensitivity level.

See “Configuring heuristic antispam protection” on page 141.

You can adjust heuristic or premium antispam detection by specifying domains that are automatically permitted to bypass antispam scanning. You can also specify email addresses to which inbound emails are permitted to bypass real-time blacklist (RBL) blocking and antispam scanning.

See “Blocking spam using real-time blacklists” on page 112.

See “Configuring whitelists” on page 113.

How Symantec Mail Security detects and processes spam

When antispam detection is enabled, Symantec Mail Security analyzes incoming SMTP email messages for key characteristics of spam. It weighs its findings against characteristics of legitimate email messages and does the following, based on the version of Microsoft Exchange Server that you are using:

Exchange Server 2000

Symantec Mail Security addresses spam based on the detection tool that you use, as follows:

■ Heuristic antispam: When you use heuristic spam detection, Symantec Mail Security computes a spam confidence level (SCL) that expresses how likely it is that the message is spam. You can create antispam policies to specify how Symantec Mail Security processes messages that the heuristic antispam engine detects, based on the computed SCL values.

■ Symantec Premium AntiSpam: When you use Symantec Premium AntiSpam, Symantec Mail Security calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, the message is defined as spam. You can define a suspected spam threshold between 25 and 89, and you can specify the actions for handling spam and suspected spam separately. You can take advantage of the Symantec Spam Folder Agent for Exchange to automatically route spam messages to a spam folder in the recipient’s mailbox. The spam folder agent works with the Symantec Spam Plug-in for Outlook, which lets users submit missed spam to Symantec Security Response for analysis. The Outlook plug-in also gives users the option to administer their own Blocked Senders and Allowed Senders lists and to specify languages in which they do or do not want to receive email. The Symantec Spam Folder Agent for Exchange and the Symantec Spam Plug-in for Outlook are on the product CD.

See “About the Symantec Spam Folder Agent for Exchange” on page 119.

See “About the Symantec Spam Plug-in for Outlook” on page 124.

Exchange Server 2003

When you enable antispam detection (heuristic or premium), Symantec Mail Security stamps messages with an SCL value.

The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on an email message to determine the destination of the message. When the SAT value is not set, Exchange sends all messages that carry an SCL value to the user’s Junk E-mail folder. If the SAT value is set and a message has an SCL value that is higher than the SAT threshold, Exchange sends the message to the user’s Junk E-mail folder. If the SCL value is lower than or equal to the SAT value, the message goes into the user’s Inbox.

See “Configuring the Store Action Threshold (SAT) setting” on page 111.

See “About spam confidence level (SCL) values” on page 110.

About spam confidence level (SCL) values

Spam confidence level values range from -1 to 9. Microsoft Exchange reserves the value -1. Symantec Mail Security assigns a value of 0 to messages that are not spam. Messages that are determined to be spam are assigned an SCL value from 1 (extremely low likelihood that the message is spam) to 9 (extremely high likelihood that the message is spam).

Some messages are exceptions to the rule and fall into the N/A category. A message is classified in the N/A category under the following circumstances:

■ The message is an internal Microsoft Exchange message that has already been assigned the SCL value of -1.

■ The message was whitelisted by Symantec Mail Security on the server.

■ The message was whitelisted by another entity (either another antispam product or Symantec Mail Security running on a different server).

■ The message was delivered by an authenticated SMTP session, and the DoAntiSpamOnAuthSessionsBool registry key is either missing or set to non-zero.

■ An internal error occurred. This can happen if the SPAM.NET or SPAM.DAT files are missing or corrupt.

About comparing Symantec Mail Security SCL values to other screening tools

If you are using Microsoft Exchange 2003 and heuristic antispam detection, you can configure Symantec Mail Security to compare its SCL to the SCL that another mail screening tool provides.

To have Symantec Mail Security compare its SCL to that of another screening tool, the other tool must be configured not to take action based on its SCL. For example, if the other mail-screening tool is Microsoft Intelligent Message Filter (IMF), IMF must be set to “No Action” for the SCL comparison to take place.

You can specify one of the following options to use when either or both SCL values do not exceed the threshold:

■ Highest SCL

■ Lowest SCL

■ Average SCL

■ Symantec’s SCL

■ Existing SCL (the SCL that is provided by another mail screening tool)

See “Configuring heuristic antispam protection” on page 141.
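
The following is an added example, not code from this guide or from the Symantec product. It writes out the decisions described in the preceding sections as plain functions so the edge cases are explicit: the Premium AntiSpam score bands (spam at 90 to 100, suspected spam from a configurable threshold of 25 to 89), the SCL range with -1 reserved and 0 meaning not spam, the N/A category, the five SCL comparison options that apply only when the other tool is set to take no action, and the Exchange 2003 routing with the SAT unset or set. The function names are the author's own; two points the guide leaves open are marked as assumptions in the code: how 'Average SCL' rounds a .5, and that an SCL 0 message is not junked when the SAT is unset.

```python
# Added example, not Symantec's code: SCL rules, premium score bands and
# Exchange 2003 routing decisions written out with their edge cases.
SCL_RESERVED = -1          # Microsoft Exchange reserves -1 for internal messages
SCL_MIN, SCL_MAX = 0, 9    # 0 = not spam, 1..9 = increasing likelihood of spam

SCL_OPTIONS = ("Highest SCL", "Lowest SCL", "Average SCL", "Symantec's SCL", "Existing SCL")


def premium_verdict(score, suspected_threshold):
    """Symantec Premium AntiSpam scoring: 90..100 is spam, suspected_threshold..89
    is suspected spam, anything below is clean. The threshold must be 25..89."""
    if not 1 <= score <= 100:
        raise ValueError("premium spam score is 1..100")
    if not 25 <= suspected_threshold <= 89:
        raise ValueError("suspected spam threshold is 25..89")
    if score >= 90:
        return "spam"
    if score >= suspected_threshold:
        return "suspected spam"
    return "clean"


def scl_category(scl, whitelisted=False, authenticated_session=False, definitions_ok=True):
    """Return 'N/A' for the exceptions the guide lists, otherwise the SCL itself.

    authenticated_session=True stands for a message that arrived over an
    authenticated SMTP session with DoAntiSpamOnAuthSessionsBool missing or
    non-zero; definitions_ok=False stands for missing or corrupt SPAM.NET/SPAM.DAT.
    """
    if scl == SCL_RESERVED or whitelisted or authenticated_session or not definitions_ok:
        return "N/A"
    if not SCL_MIN <= scl <= SCL_MAX:
        raise ValueError(f"SCL out of range: {scl}")
    return scl


def combine_scl(symantec_scl, existing_scl, option, other_tool_takes_action=False):
    """Merge Symantec's SCL with the SCL another screening tool (for example IMF)
    stamped on the message, using one of the five console options.

    The comparison only happens when the other tool is set to 'No Action'; if it
    acts on its own SCL, Symantec's value stands. 'Average SCL' rounds a .5 up
    (assumption: the guide does not say how the average is rounded).
    """
    if option not in SCL_OPTIONS:
        raise ValueError(f"unknown option {option!r}")
    if other_tool_takes_action or existing_scl is None:
        return symantec_scl
    for value in (symantec_scl, existing_scl):
        if not SCL_MIN <= value <= SCL_MAX:
            raise ValueError(f"SCL out of range: {value}")
    if option == "Highest SCL":
        return max(symantec_scl, existing_scl)
    if option == "Lowest SCL":
        return min(symantec_scl, existing_scl)
    if option == "Average SCL":
        return (symantec_scl + existing_scl + 1) // 2
    if option == "Symantec's SCL":
        return symantec_scl
    return existing_scl


def exchange_2003_destination(scl, sat=None):
    """Where the Exchange 2003 store delivers a message given its SCL and the SAT.

    sat=None is the default 'SAT not set' state, in which every message stamped
    with a spam SCL (1..9) goes to the Junk E-mail folder. With the SAT set, an
    SCL above the SAT goes to Junk E-mail and an SCL equal to or below it goes
    to the Inbox. N/A messages and SCL 0 go to the Inbox (assumption: the guide
    says messages 'with a SCL value' are junked when the SAT is unset, and 0 is
    the not-spam value).
    """
    if scl == "N/A" or scl == SCL_RESERVED:
        return "Inbox"
    if sat is None:
        return "Junk E-mail" if scl >= 1 else "Inbox"
    return "Junk E-mail" if scl > sat else "Inbox"


if __name__ == "__main__":
    # A heuristic SCL of 7 beside an IMF SCL of 3, merged five ways, then routed
    # with the SAT left unset and with the SAT set to 5.
    for option in SCL_OPTIONS:
        merged = combine_scl(7, 3, option)
        print(f"{option:15} -> SCL {merged}: unset SAT {exchange_2003_destination(merged)}, "
              f"SAT 5 {exchange_2003_destination(merged, sat=5)}")
    print(premium_verdict(72, 60))   # suspected spam
```

Note the asymmetry the SAT introduces: with the threshold unset, a single heuristic point (SCL 1) is enough to junk a message, so leaving the SAT unconfigured is the most aggressive setting, not the most conservative one.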

Configuring the Store Action Threshold (SAT) setting

The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on an email message to determine the destination of the message. By default, the SAT value is not set. You must configure the SAT value.

You can change and view the SAT setting from the Windows command prompt.

To change the SAT setting

1 Open the command prompt window.

2 At the command prompt, type the following:

cd <server folder>

where <server folder> is the path to the server folder.

The default location is: \Program Files\Symantec\SMSMSE\5.0\Server

3 Press Enter.

4 At the command prompt, type the following:

SMSMSESAT <value> symantec.com

where <value> is the value that you want to set for the SAT. The domain name is optional.

5 Press Enter.

To view the current SAT setting

1 At the command prompt, type the following:

cd <server folder>

where <server folder> is the path to the server folder.

The default location is: \Program Files\Symantec\SMSMSE\5.0\Server.

2 Press Enter.

3 In the Command Prompt window, type the following

SMSMSESAT

4 Press Enter.

The current SAT appears.

Blocking spam using real-time blacklists

One way to prevent spam is to reject connections from mail servers that are known or believed to send spam. To limit potential spam, Symantec Mail Security supports real-time blacklist (RBL) blocking. RBL blocking denies mail servers access to your system if those servers are identified as permitting spam to originate from or relay through them.

Symantec Mail Security refuses the connection attempt of mail servers that are identified on RBLs. You must subscribe to a third-party real-time blacklist provider before configuring Symantec Mail Security to perform RBL blocking. Symantec does not provide a list of RBL providers.

Symantec Mail Security queries RBL providers in the order in which you list them. When Symantec Mail Security identifies a match, it stops any further processing and takes the actions that you specify.

To block spam using real-time blacklists

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Blacklist and Whitelist.

3 Under Real-time Blacklist, in the real-time blacklist domains box, type the domains of the RBL providers.

List each entry on a separate line.

4 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring whitelists

To minimize false positives, you can enable and populate the following whitelists:

Allowed Senders

Lets you list the sender domains and addresses that are permitted to bypass RBL blocking and antispam scanning.

Unfiltered Recipients

Lets you list the email addresses to which inbound emails are permitted to bypass RBL blocking and antispam scanning.

If the Allowed Senders and Unfiltered Recipients lists are both enabled, Symantec Mail Security processes the Allowed Senders list first.

Email messages that are permitted to bypass antispam scanning and RBL blocking are still scanned for risks and content violations.

To configure whitelists

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Blacklist and Whitelist.

3 In the content area, under Allowed Senders, check Bypass real-time blacklist and spam detection for messages sent from the following.

4 In the Email and domain addresses box, type the domains and email addresses (one per line) that are permitted to bypass spam processing.

Domain names must begin with either @ (at symbol) or an asterisk before the at symbol (for example, @mail.com or *@mail.com).

You can use DOS wildcard characters.

See “About DOS wildcard style expressions” on page 154.

5 Under Unfiltered Recipients List, check Bypass real-time blacklist and spam detection for messages sent to the following.

6 In the Email and domain addresses box, type the fully qualified email addresses (one per line) to which email messages are permitted to bypass spam processing and RBL blocking.

You can list up to 50 email addresses.

7 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.
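
The following is an added example, not code from this guide or from the Symantec product. It models the order of checks described in the two preceding sections: the Allowed Senders list first (with the @domain and *@domain entry forms and DOS-style wildcards), then the Unfiltered Recipients list (capped at 50 addresses), and only then the RBL providers, queried in the order they are listed and stopping at the first match. Whitelisted mail skips RBL blocking and antispam scanning but is still flagged for risk scanning. The provider zones, addresses and DNS answers are constructed; the reversed-octet query name is the standard DNSBL convention, which the guide does not spell out; and treating a message as bypassed when any one of its recipients is unfiltered is an assumption marked in the code.

```python
import fnmatch
import ipaddress

# Added example, not Symantec's code. Models the check order the guide describes:
# Allowed Senders, then Unfiltered Recipients, then the RBL providers in the
# order they are listed, stopping at the first hit.

MAX_UNFILTERED_RECIPIENTS = 50


def validate_sender_entry(entry):
    """Allowed Senders entries are full addresses or domains written as '@domain'
    or '*@domain'; a bare 'domain' is rejected, as the console requires."""
    if "@" not in entry or entry.endswith("@"):
        raise ValueError(f"entry must be user@domain, @domain or *@domain: {entry!r}")
    return entry


def sender_matches(entry, sender):
    """DOS-style wildcard match (* and ?), case-insensitive; '@domain' is
    shorthand for '*@domain'."""
    pattern = ("*" + entry) if entry.startswith("@") else entry
    return fnmatch.fnmatchcase(sender.lower(), pattern.lower())


def bypass_reason(sender, recipients, allowed_senders, unfiltered_recipients):
    """Return why a message skips RBL blocking and antispam scanning, or None.

    Allowed Senders is evaluated before Unfiltered Recipients, as the guide
    states. A message counts as bypassed if any recipient is unfiltered
    (assumption: the guide does not say how mixed recipient lists are handled).
    """
    if len(unfiltered_recipients) > MAX_UNFILTERED_RECIPIENTS:
        raise ValueError("Unfiltered Recipients holds at most 50 addresses")
    for entry in allowed_senders:
        if sender_matches(validate_sender_entry(entry), sender):
            return f"allowed sender {entry}"
    unfiltered = {addr.lower() for addr in unfiltered_recipients}
    for rcpt in recipients:
        if rcpt.lower() in unfiltered:
            return f"unfiltered recipient {rcpt}"
    return None


def dnsbl_query_name(client_ip, zone):
    """Standard DNSBL lookup name: the client's octets reversed under the provider
    zone, e.g. 192.0.2.7 on rbl.example -> 7.2.0.192.rbl.example. The guide only
    asks for the provider domain; the reversed-octet form is the usual convention."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_lookup(client_ip, providers, resolve):
    """Query providers in listed order; the first one that answers is the match
    and later providers are not consulted. `resolve(name)` returns an A-record
    string or None and is injected so the example runs offline."""
    for zone in providers:
        if resolve(dnsbl_query_name(client_ip, zone)) is not None:
            return zone
    return None


def smtp_decision(client_ip, sender, recipients, cfg, resolve):
    """Combine the checks. Whitelisted mail bypasses RBL blocking and antispam
    scanning but is still scanned for risks and content, as the guide notes."""
    reason = bypass_reason(sender, recipients,
                           cfg["allowed_senders"], cfg["unfiltered_recipients"])
    if reason:
        return {"action": "accept", "antispam": False, "antivirus": True, "reason": reason}
    hit = rbl_lookup(client_ip, cfg["rbl_providers"], resolve)
    if hit:
        return {"action": "reject", "antispam": False, "antivirus": False,
                "reason": f"connecting host listed on {hit}"}
    return {"action": "accept", "antispam": True, "antivirus": True, "reason": None}


# Constructed configuration and DNS answers; none of these zones or addresses are
# real providers. 127.0.0.x is the conventional 'listed' answer of a DNSBL.
CFG = {
    "rbl_providers": ["rbl-a.example", "rbl-b.example"],
    "allowed_senders": ["@partner.example", "*@*.trusted.example", "ceo@bigcustomer.example"],
    "unfiltered_recipients": ["postmaster@corp.example", "abuse@corp.example"],
}
FAKE_DNS = {
    "7.2.0.192.rbl-a.example": "127.0.0.2",
    "7.2.0.192.rbl-b.example": "127.0.0.4",
    "9.2.0.192.rbl-b.example": "127.0.0.2",
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print(smtp_decision("192.0.2.7", "bob@partner.example", ["alice@corp.example"], CFG, fake_resolve))
    print(smtp_decision("192.0.2.7", "x@evil.example", ["alice@corp.example"], CFG, fake_resolve))
    print(smtp_decision("192.0.2.10", "x@evil.example", ["abuse@corp.example"], CFG, fake_resolve))
```

Because a whitelisted sender bypasses the RBL check even when the connecting host is listed, an Allowed Senders entry is an assertion about an easily forged envelope address, not about the host; keep the list short and prefer full addresses over broad *@domain patterns.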

How to detect spam using Symantec Premium AntiSpam

Symantec Premium AntiSpam is a subscription service that provides enhanced spam detection. Continuous updates to the premium antispam filters ensure that your Exchange server has the most current spam detection filters that are available. Updates to the premium antispam service are handled automatically through the Symantec Premium AntiSpam service and not through LiveUpdate.

You must have an active Internet connection and permit outbound secure HTTP traffic through your firewall (port 443). If your connection uses an HTTP proxy, you must manually register the service. Once Symantec Premium AntiSpam is registered and enabled, spam rules are continually downloaded from Symantec. To keep your antispam service current, Symantec Mail Security checks for updates every minute and receives new rule sets every 10 - 15 minutes.

See “About registering Symantec Premium AntiSpam through an ISA server” on page 117.

See “Configuring your proxy server to download spam definition updates” on page 118.

How the Symantec Premium AntiSpam service works

Symantec Premium AntiSpam uses the Symantec Probe Network, a global network of decoy email addresses that attracts and collects the latest spam. When spam is received, the email security unit within Symantec Security Response issues filters that isolate similar spam messages.

Table 7-1 lists the methods that Symantec Premium AntiSpam uses to identify spam.

Table 7-1 Symantec Premium AntiSpam detection methods

Method Description

URL filters Symantec builds its known-spammer list based on the URLs that appear in spam messages that are collected by the Symantec Probe Network.

Symantec downloads a list of MIME filters developed by Symantec Security Response email security unit and treats any message as spam if any MIME attachment in the message matches a Symantec MIME filter.

Symantec Premium AntiSpam also examines embedded email links.

Header filters Header filters consist of regular expression-based filtering rules that exploit commonalities or trends that are present in spam messages. Examples of spam characteristics that the header filters identify include the following:

■ Watermarks of spammer tools: Traces of information left in messages by some spammer tools, such as the name of the program used to send the message.

■ Modified time zones: Time zones that are off by more than 12 hours.

■ Spoofed Received lines: Messages that purport to be from a mail transfer agent at an organization that Symantec Security Response knows does not send outbound email.

Heuristics Heuristic filters analyze the header, body, and envelope of an incoming message and check the message for the presence of distinct spam characteristics.

BrightSig2 technology

Spam signatures work by distilling a specific spam attack down to a unique string of bits, or a signature. This is the fingerprint of a spam attack and can be used to identify variants of an attack. BrightSig2 technology characterizes spam attacks using proprietary algorithms, which are added to a database of known spam.

BrightSig2 also defends against HTML spam by identifying the HTML noise (such as comments) that spammers insert to evade filters.

Attachment signatures

Attachment signatures target specific MIME attachments (for example, a specific pornographic image that is used in a real-time spam attack) and stop that attachment from reaching users. Attachment signatures make it unnecessary to block entire categories of certain attachments.

Sender reputation service

Symantec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source’s reputation value as determined by Symantec.

Symantec uses the following lists to filter your messages:

■ Open Proxy list: IP addresses that are either open proxies that are used by spammers or “zombie” computers that are co-opted by spammers.

■ Safe list: IP addresses from which virtually no outgoing email is spam.

■ Suspect list: IP addresses from which virtually all of the outgoing email is spam.

About spam foldering

You configure Symantec Mail Security to route spam and suspected spam messages directly to users’ spam folders based on the version of Microsoft Exchange Server that you are using, as follows:

Exchange Server 2000

You can use the Symantec Spam Folder Agent for Exchange to folder messages that are identified as spam or suspected spam. The spam folder agent creates a spam subfolder and a server-side filter in each user’s mailbox. This filter is applied to messages that Symantec Premium AntiSpam identifies as spam or suspected spam, routing them into each user’s spam folder. The spam folder agent relieves users and administrators of the burden of using their mail clients to create filters.

See “About the Symantec Spam Folder Agent for Exchange” on page 119.

Exchange Server 2003

You can use the Store Action Threshold (SAT) setting to determine the destination of the message.

See “Configuring the Store Action Threshold (SAT) setting” on page 111.

The Symantec Spam Plug-in for Outlook makes it easy for Outlook users to submit missed spam and false positives to Symantec. You can also configure the plug-in to send user submissions automatically to a local system administrator. The Symantec Spam Plug-in for Outlook also gives users the option to administer their own Blocked Senders and Allowed Senders lists and to specify languages in which they do or do not want to receive email.

See “About the Symantec Spam Plug-in for Outlook” on page 124.

About registering Symantec Premium AntiSpam through an ISA server

Symantec Premium AntiSpam requires the ability to communicate by HTTPS (port 443). If your connection uses an HTTP proxy, you must manually register the service so that spam rules can be automatically downloaded from Symantec. To register Symantec Premium AntiSpam through an ISA server that is filtering traffic for your Exchange server, do one of the following:

■ If the ISA server is installed on the same computer as the Exchange server, create a Host Based protocol rule to allow “Any Request” for the HTTPS and HTTPS server protocols.

■ If the ISA server is installed on a different computer from the Exchange server, create a Host Based protocol rule that specifically allows traffic for the IP address of the Exchange server for the HTTPS and HTTPS server protocols.

Configuring your proxy server to download spam definition updates

To keep your antispam service current, Symantec Mail Security checks for updates every minute and receives new rule sets every 10 - 15 minutes. You must configure your proxy to permit updates.

To configure your proxy server to download spam definition updates

1 At the command prompt, change directories to the Symantec Mail Security installation directory.

The default directory is: \Program Files\Symantec\SMSMSE\5.0\Server

2 Type the following:

register -c SpamPrevention/bmiconfig.xml -l SpamPrevention\SPAlicense.slf -p <proxyserver:proxyport>

where <proxyserver:proxyport> is the IP address of your proxy server and the port.

Symantec Premium AntiSpam licenses are placed in the SpamPrevention folder.

3 On the Windows Start menu, click Start > Run.

4 In the Run dialog box, type the following:

regedit

5 Click OK.

6 In the Registry Editor window, in the left pane, browse and locate the following folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\5.0\Licensing\

7 Do one of the following:

If the SPARunRegister value does not exist

In the right pane, right-click on any blank space, and select New > DWORD Value. In the name field, type:

SPARunRegister

If the SPARunRegister value exists

In the right pane, right-click on the value, and select Modify. In the Edit DWORD Value dialog box, in the Value data field, change the value to 0, and then click OK.

8 Save the file and close the Registry Editor window.

About the Symantec Spam Folder Agent for Exchange

If you are using Symantec Premium AntiSpam on Exchange Server 2000, you can take advantage of the Symantec Spam Folder Agent for Exchange. The agent creates a spam subfolder and a server-side filter in each user’s mailbox. This filter is applied to messages that Symantec Premium AntiSpam identifies as spam and routes the spam into each user’s spam folder. The spam folder agent relieves users and administrators of the burden of using their mail clients to create filters.

See “How spam foldering works” on page 120.

The Symantec Spam Folder Agent for Exchange can only be used when Symantec Premium AntiSpam is licensed and enabled.

See “About the Symantec Premium AntiSpam license file” on page 67.

See “Configuring Symantec Premium AntiSpam to identify spam” on page 130.

Install the agent on the Exchange mail servers on which your mailboxes reside. This includes the server on which Symantec Mail Security is installed. The Symantec Spam Folder Agent should only be installed to Exchange 2000 servers. If you are using Exchange Server 2003, setting the SCL and SAT is the best method for routing spam messages to a spam folder.

See “About spam confidence level (SCL) values” on page 110.

Before you install Symantec Spam Folder Agent, you must set up a Service Account on the Exchange server.

See “Creating a service account for the Symantec Spam Folder Agent” on page 120.


How spam foldering works

When you enable the option to send spam messages to the recipient’s spam folder in Symantec Mail Security (Deliver the message to the recipient's Spam folder), Symantec Premium AntiSpam adds a special X-header (x-bmiFolder: 1) to messages that are identified as spam or suspected spam.

Once installed and configured on the mail server, the Symantec Spam Folder Agent for Exchange creates a server-side rule that searches for the X-header. It also creates a spam subfolder in each user’s mailbox. During its hourly maintenance schedule, the agent sends the messages that are identified as spam or suspected spam to the recipient’s spam folder. If the agent detects that the spam folder for the recipient has been deleted or moved, it recreates the subfolder. The rule runs with a high sequence number (1001), which ensures that it executes after rules with lower sequence numbers or client-side rules that your users may have created. If you have an MTA configuration that is not supported, you can create your own rule or application to take action based on this header.
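The mechanism above, as an added Python illustration (it is not Symantec's code and does not touch Exchange APIs): a toy mailbox runs its rules in ascending sequence order, and the agent's rule at sequence 1001 moves any message that carries the x-bmiFolder: 1 header into a Spam folder, recreating that folder when a user has deleted it. The folder name, the user-created rule and the sample messages are assumptions.

```python
"""Model of header-based spam foldering (added illustration, not Symantec's code).

A mailbox runs its rules in ascending sequence order; the agent's rule, at the
high sequence number 1001 the guide cites, moves any message carrying the
"x-bmiFolder: 1" header into the Spam folder and recreates that folder if the
user has deleted it. Folder name, user rule and messages are constructed."""
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List, Tuple

AGENT_HEADER = "x-bmiFolder"      # header Symantec Premium AntiSpam adds to spam (from the guide)
AGENT_RULE_SEQUENCE = 1001        # runs after user rules with lower sequence numbers
SPAM_FOLDER = "Spam"              # assumed folder name


class Mailbox:
    def __init__(self) -> None:
        self.folders: Dict[str, List[Message]] = {"Inbox": []}
        # (sequence, predicate, destination folder); kept sorted by sequence
        self.rules: List[Tuple[int, Callable[[Message], bool], str]] = []

    def add_rule(self, sequence: int, predicate: Callable[[Message], bool], destination: str) -> None:
        self.rules.append((sequence, predicate, destination))
        self.rules.sort(key=lambda rule: rule[0])

    def ensure_folder(self, name: str) -> List[Message]:
        # recreate the folder if a user deleted or moved it
        return self.folders.setdefault(name, [])

    def deliver(self, raw: str) -> str:
        """Run every rule in sequence order; the last matching move wins."""
        msg = message_from_string(raw)
        destination = "Inbox"
        for _sequence, predicate, folder in self.rules:
            if predicate(msg):
                destination = folder
        self.ensure_folder(destination).append(msg)
        return destination


def is_tagged_spam(msg: Message) -> bool:
    # header lookup is case-insensitive, as mail software treats header names
    return msg.get(AGENT_HEADER, "").strip() == "1"


def install_agent_rule(mbox: Mailbox) -> None:
    mbox.ensure_folder(SPAM_FOLDER)
    mbox.add_rule(AGENT_RULE_SEQUENCE, is_tagged_spam, SPAM_FOLDER)


# constructed sample messages (headers plus a one-line body)
CONSTRUCTED_MESSAGES = [
    "From: alice@example.invalid\nSubject: lunch\n\nsee you at noon\n",
    "From: promo@bulk.invalid\nSubject: you won\nx-bmiFolder: 1\n\nclick here\n",
    "From: news@list.invalid\nSubject: weekly digest\nList-Id: weekly\n\ndigest\n",
    "From: spoof@list.invalid\nSubject: weekly digest\nList-Id: weekly\nx-bmiFolder: 1\n\njunk\n",
]


def run_demo() -> Tuple[List[str], Dict[str, int]]:
    mbox = Mailbox()
    # a client-side rule the user created; sequence 10 runs before the agent rule,
    # so a tagged newsletter still ends up in Spam
    mbox.add_rule(10, lambda m: m.get("List-Id") is not None, "Newsletters")
    install_agent_rule(mbox)
    destinations = [mbox.deliver(raw) for raw in CONSTRUCTED_MESSAGES]
    # the user deletes the Spam folder; the next tagged message recreates it
    del mbox.folders[SPAM_FOLDER]
    destinations.append(mbox.deliver(CONSTRUCTED_MESSAGES[1]))
    counts = {name: len(items) for name, items in mbox.folders.items()}
    return destinations, counts


if __name__ == "__main__":
    print(run_demo())
```

The point of the sequence number is visible in the fourth message: the user's lower-numbered rule would file it under Newsletters, but the agent's rule runs last and overrides that move.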

Creating a service account for the Symantec Spam Folder Agent

The Symantec Spam Folder Agent requires a service account. You can use an existing account or you can create one specifically for the agent (recommended). The service account cannot be hidden from the Exchange address list.

The service account that you create must include the following:

■ Exchange Administrator rights on the mail server on which you are installing the agent

■ Full access to a mailbox on the local server

■ Local system rights to act as part of the operating system and to run as a service

To create the service account for the Symantec Spam Folder Agent, you must do the following:

■ Create a user name

■ Add a folder agent

■ Delegate control of the account

To create a user name

1 On the taskbar, click Start > All Programs > Administrative Tools, and then click Active Directory Users and Computers.

2 If it is not already selected, select the Users folder.


3 On the toolbar, click the Create a new user in the current container icon.

4 In the New Object – User wizard, enter the following:

■ First name

■ Initials

■ Last name

■ User logon name

5 Click Next.

6 Type a password for the service account, configure the password options, and then click Next.

7 Click Next until the Finish icon appears.

8 Click Finish.

To add a folder agent

1 In the Users folder, right-click on the user that you just created.

2 Click Properties.

3 In the Properties dialog box, on the Member Of tab, click Add.

4 In the text field, type domain admins, and then click OK.

5 Click OK to close the properties dialog box.

6 On the Windows Start menu, click All Programs > Microsoft Exchange > System Manager.

7 In the Exchange System Manager window, in the left pane, right-click the top node in the tree.

8 Click Delegate control.

9 On the Exchange Administration Delegation Wizard welcome screen panel, click Next.

10 On the Users or Groups panel, click Add.

To delegate control of the account

1 In the Delegate Control window, click Browse.

2 In the Select Users, Computers, or Groups window, under Enter the object name to select, type the name of the service account that you created, and then click OK.

3 In the Delegate Control window, ensure that the Role drop-down box is set to Exchange Administrator, and then click OK.


4 Click Next, and then click Finish.

5 Close the Exchange System Manager window.

Installing the Symantec Spam Folder Agent for Exchange

The Symantec Spam Folder Agent for Exchange is configured to run as a Windows service. It is recommended that you install the Symantec Spam Folder Agent on each back-end Exchange mail server.

Before you install the Symantec Spam Folder Agent for Exchange, ensure that the computer meets the following software and configuration requirements:

■ Your operating system is Windows 2000 (SP 2) or higher or Windows 2003

■ You are installing the agent on Microsoft Exchange 2000

You can install the agent on Microsoft Exchange 2003, but using the Exchange SAT is the recommended method.

See “Configuring the Store Action Threshold (SAT) setting” on page 111.

■ You have full access to a mailbox on the local Exchange server

The Symantec Spam Folder Agent does not send email to or from this mailbox.

■ You have Exchange Administrator permission on the local server

■ You have a proper service account

See “Creating a service account for the Symantec Spam Folder Agent” on page 120.

■ You have activated the Symantec Premium AntiSpam license

See “How to activate a license” on page 64.

To install the Symantec Spam Folder Agent for Exchange, you must first start the agent installation wizard. During installation, you can configure the spam folder agent settings.

If a previous version of Symantec Spam Folder Agent for Exchange is installed, the install wizard automatically uninstalls it before installing the current version.


To start the installation wizard

1 Insert the Symantec Mail Security product CD in the CD-ROM drive.

The installation program launches automatically. If it does not, run cdstart.exe from the product CD.

2 Click Install Spam Folder Agent.

3 In the welcome panel, click Next.

4 In the License Agreement panel, click I accept the terms of this license agreement, and then click Next.

To configure administrative settings

1 In the Setup Type panel, select one of the following, and then click Next:

Complete Installs the agent in a predefined set of folders and files

Custom Lets you tailor installation options

2 Under Service Account, type the Active Directory or NT Domain, user name, and password to be used by the Symantec Spam Folder Agent for Exchange.

3 In the Mailbox box, type the mailbox alias of a valid mailbox for the Symantec Spam Folder Agent to use.

4 In the Spam folder name box, type the name of the folder in each user’s mailbox where spam will be stored.

5 In the Spam expiration box, type the number of days to retain spam messages.

The default period is 30 days. You might need to adjust this setting based on the volume of spam that your organization receives.

6 Click Next, and then click OK.

If the installation process is unable to verify the existence of the spam folder because you have insufficient user rights, a dialog box appears with the message that the “Act as part of the Operating System” user right is required to verify these settings.


7 Click No, and then add the administrator account that you want the agent to use to the following security policy settings:

■ Act as part of the operating system

■ Log on as a service

For more information, see the Microsoft Exchange 2000 Server documentation.

8 Click Install, and then click Finish.

About the Symantec Spam Plug-in for Outlook

The Symantec Spam Plug-in for Outlook makes it easy for Outlook users to submit missed spam and false positives to Symantec. You can also configure the plug-in to send user submissions automatically to a local system administrator. The Symantec Spam Plug-in gives users the option to administer their own Blocked Senders and Allowed Senders Lists and to specify languages in which they do or do not want to receive email.

If you are using Symantec Spam Folder Agent for Exchange, the plug-in retrieves the name of the spam folder from the Spam Folder Agent Inbox Rule. If you are not using the Symantec Spam Folder Agent for Exchange, the plug-in retrieves the Spam Folder Name value from the Windows registry. If there is no Spam Folder Name value in the Windows registry, it creates a Spam folder during installation.

You can install the Symantec Spam Plug-in using any of the following methods:

■ Email users a link to the setup.exe file with instructions for running the file.

■ Use remote distribution software to install the setup.exe file on your users’ computers.

■ Silently install the plug-in.

If you plan to install the plug-in on multiple computers, you can modify the system-wide variables before you initiate installation.

See “Modifying Symantec Spam Plug-in for Outlook variables” on page 125.


After the plug-in is installed, users have a new toolbar in their Outlook window. The toolbar contains the following elements:

This is Spam Users click this option to submit the message to the email security unit within Symantec Security Response and move it from their Inbox to their Spam folder.

This is Not Spam Users click this option to submit the message to Symantec Security Response and move it from their Spam folder to their Inbox.

Empty Spam Folder Users click this option to empty their Spam folder (if configured).

Symantec By choosing an item from this pull-down menu, users can get information on using the plug-in, view a report (if configured), and administer their personal Blocked Senders and Allowed Senders Lists.

The following options are available from the Symantec pull-down menu:

■ Symantec Help Launches a help page for the Symantec Spam Plug-in using your default Web browser

■ Spam Report Lets users view spam statistics (if configured)

■ Options Sets plug-in properties, administers the user’s Blocked Senders and Allowed Senders lists, and lets users specify the languages in which they do or do not want to receive email

■ About Symantec Provides information on the current version of the software

Note: For more information on using the Symantec Spam Plug-in, see the online help that is included in the plug-in.

Modifying Symantec Spam Plug-in for Outlook variables

You can modify the setup variables before you initiate installation. These settings are used during each installation of the Symantec Spam Plug-in to modify the Windows registry on each user’s computer.


Table 7-2 describes the plug-in variables that you can modify.

Table 7-2 Symantec Spam Plug-in Setup Variables

Variable Name Description

ADMIN_FALSE_ADDRESS The email address of the administrator to receive a copy of the false-positive submission. The default for this is an empty string. If this value is empty, then the message is not sent to the administrator.

ADMIN_JUNK_ADDRESS The email address of the administrator to receive a copy of the missed spam submission. The default for this is an empty string. If this value is empty, then the message is not sent to the administrator.

ALLOWED_CONTACTS If set to 1 (the default) or any non-zero value, treats all entries of the Outlook Contacts folder as members of the Allowed Senders List.

If set to 0, does not treat any members of the Outlook Contacts folder as members of the Allowed Senders List.

AUTO_ADD_BLOCKED If set to 1 (default), adds the sender of the message to the Blocked Senders list when submitting a spam message to the email security unit within Symantec Security Response.

AUTO_ADD_ALLOWED If set to 1 (the default) or any non-zero value, automatically generates the Allowed Senders list.

If set to 0, does not automatically generate the Allowed Senders list.

CHECK_ALLOWED If set to 1 (the default) or any non-zero value, moves messages directly to the Spam folder. If a message is in the user’s Allowed Senders List or (optionally) Outlook Contacts list, or if any of the message’s recipients are in the user’s Allowed Recipients List, the message is moved to the Inbox. Otherwise, the message remains in the Spam folder.

If set to 0, messages are delivered normally (to the Inbox).

CHECK_BLOCKED If set to 1 (the default) or any non-zero value, does not process the message. If a message sender is in the user’s Blocked Senders List or (optionally) Outlook Contacts list, or if any of the message’s recipients are in the user’s Blocked Senders list, the message is not processed. Otherwise, the message remains in the Spam folder. If set to 0, messages are delivered normally (to the Inbox).


DELETE_SPAM If set to 1 or any non-zero value, spam messages are deleted. If set to 0 (the default value), spam messages are moved to the Spam folder.

DELETE_X_DAYS Deletes messages in the Spam folder that are more than x days old. The default is 7 days. Set this value to 0 to disable this feature.

DISPLAY_ARE_YOU_SURE_MSGS Specifies whether the confirmation dialog for deleting spam appears after a message is submitted. If this variable is set to 1 (the default value) the confirmation message appears. If this variable is set to any other value or left empty, the message does not appear.

DISPLAY_CONFIRMATION_MSG Specifies whether the submission complete dialog appears after a message is submitted. If this variable is set to 1 (the default value) the submission complete message appears. If this variable is set to any other value or left empty, the message does not appear.

EMPTY_SPAM_FOLDER If set to 0 (the default), the Empty Spam Folder option does not appear. If set to 1 or any non-zero value, the Empty Spam Folder option appears. This option lets users delete the contents of their Spam folders.

HIDE_NOT_SPAM Specifies whether the This is Not Spam option is hidden. The default is 0 (appears). Any non-zero value, including an empty value, hides the option.

HIDE_SPAM Specifies whether the This is Spam option appears. The default is 0 (appears). Any non-zero value, including an empty value, hides the option.

MANUAL_ALLOWED If set to 1 (the default) or any non-zero value, lets users add entries to the Allowed Recipients list. If set to 0, does not let users add entries.

MANUAL_BLOCKED If set to 1 (the default) or any non-zero value, lets users add entries to the Blocked Senders list. If set to 0, does not let users add entries.

MARK_AS_READ If set to 1 (the default) or any non-zero value, messages are marked as Read when moved to the Spam folder. If set to 0, messages are not marked as Read when moved to the Spam folder.


MODIFY_OPTIONS If set to 1 (the default) or any non-zero value, lets users view or edit the Submissions and Preferences tabs.

If set to 0, does not let users view or edit the Submissions and Preferences tabs.

MULTI_CONFIRM_MSG This option lets you edit the confirmation message for multiple successful submissions.

The default value for this string is: “Thank you for submitting messages to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.”

SENDER_NOT_IN_ALLOWED Specifies the action to take if the message sender is not in the Allowed Senders List.

Normal (default): Moves the message to the Inbox.

Delete: Deletes the message.

Spam Folder: Moves the message to the Spam folder.

SINGLE_CONFIRM_MSG The confirmation message for a single successful submission.

The default value for this string is: “Thank you for submitting a message to Symantec for review. We appreciate your help in improving our antispam service. This will be your only acknowledgement.”

SPAM_FOLDER The name of the Spam folder. The default is Spam.

SPAM_QUARANTINE_URL If specified, this setting causes the Spam Quarantine option to appear in the toolbar. Clicking the option displays the Spam Quarantine login page in a Web browser. If unspecified (the default), the Spam Quarantine option does not appear in the toolbar.

REPORT_URL If specified, the Spam Report option appears in the toolbar. Clicking the option displays the Spam Report application. If unspecified (the default), the Spam Report option does not appear in the toolbar.


To modify Symantec Spam Plug-in for Outlook variables

1 In WordPad or a similar text editing tool, open the following file on the Symantec Mail Security product CD:

\ADMTOOLS\SPA\BMOP\Setup.ini

This file contains the initial settings for launching the Outlook Plug-in installation package.

2 All of the required settings can be set on the CmdLine attribute in the [Startup] section at the beginning of the setup.ini file.

3 Change the settings in Outlook Plug-in Setup Variables.

For example:

CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="[email protected]"

See Table 7-2, “Symantec Spam Plug-in Setup Variables,” on page 126.

4 Save your changes to the setup.ini file and close the file.
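An added Python example (not Symantec's code and not the installer's own logic) that reads the CmdLine entry from a constructed setup.ini, splits it into the Table 7-2 variables and installer switches, reports which values differ from the documented defaults, sanity-checks a few of them, and encodes the rule from the silent-installation procedure later in this section: running setup.exe /s /v"/qn" discards setup.ini edits, so /qn goes at the end of CmdLine and the install runs as setup.exe /s. The quoted NAME="value" syntax follows the guide's own CmdLine example; the ini text, the address and the day count are constructed, and DEFAULTS covers only a subset of the table.

```python
"""Added example (not Symantec's code): parse the [Startup] CmdLine of the
plug-in's setup.ini into Table 7-2 variables, compare them with the documented
defaults, check a few value ranges, and confirm the /qn placement that keeps
those edits during a silent install. The ini text below is constructed."""
import configparser
import shlex
from typing import Dict, List, Tuple

# Defaults from Table 7-2 (subset); each value is the string as written in setup.ini
DEFAULTS: Dict[str, str] = {
    "SPAM_FOLDER": "Spam",
    "DELETE_SPAM": "0",
    "DELETE_X_DAYS": "7",
    "ADMIN_FALSE_ADDRESS": "",
    "ADMIN_JUNK_ADDRESS": "",
    "CHECK_ALLOWED": "1",
    "CHECK_BLOCKED": "1",
    "MARK_AS_READ": "1",
    "EMPTY_SPAM_FOLDER": "0",
    "HIDE_SPAM": "0",
    "HIDE_NOT_SPAM": "0",
    "SENDER_NOT_IN_ALLOWED": "Normal",
    "SPAM_QUARANTINE_URL": "",
    "REPORT_URL": "",
}

# constructed setup.ini fragment; the address and day count are sample values
SAMPLE_INI = """\
[Startup]
CmdLine=SPAM_FOLDER="Junk" ADMIN_FALSE_ADDRESS="postmaster@example.invalid" DELETE_X_DAYS="14" /qn
"""


def load_cmdline(ini_text: str) -> str:
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep key case exactly as in the file
    parser.read_string(ini_text)
    return parser["Startup"]["CmdLine"]


def parse_cmdline(cmdline: str) -> Tuple[Dict[str, str], List[str]]:
    """Split NAME="value" pairs from installer switches such as /qn."""
    variables: Dict[str, str] = {}
    switches: List[str] = []
    for token in shlex.split(cmdline):  # strips the surrounding double quotes
        if token.startswith("/"):
            switches.append(token)
        elif "=" in token:
            name, value = token.split("=", 1)
            variables[name] = value
        else:
            raise ValueError(f"unrecognised CmdLine token: {token!r}")
    return variables, switches


def overrides(variables: Dict[str, str]) -> Dict[str, str]:
    """Variables whose value differs from the Table 7-2 default."""
    return {name: value for name, value in variables.items() if DEFAULTS.get(name) != value}


def problems(variables: Dict[str, str]) -> List[str]:
    """Flag unknown names and out-of-range values before rolling the file out."""
    found: List[str] = []
    for name, value in variables.items():
        if name not in DEFAULTS:
            found.append(f"{name}: not a documented setup variable")
        elif name == "DELETE_X_DAYS" and not value.isdigit():
            found.append(f"{name}: must be a non-negative day count (0 disables)")
        elif name == "SENDER_NOT_IN_ALLOWED" and value not in ("Normal", "Delete", "Spam Folder"):
            found.append(f"{name}: must be Normal, Delete or Spam Folder")
    return found


def silent_install_command(switches: List[str]) -> str:
    """setup.exe /s /v"/qn" ignores setup.ini; with /qn inside CmdLine, run setup.exe /s."""
    if "/qn" not in switches:
        raise ValueError("append /qn to CmdLine so the silent install keeps your variables")
    return "setup.exe /s"


if __name__ == "__main__":
    variables, switches = parse_cmdline(load_cmdline(SAMPLE_INI))
    print(overrides(variables), problems(variables), silent_install_command(switches))
```

Run this against the real setup.ini before distributing it with remote distribution software; a typo in a variable name silently falls back to the default on every user's computer, which problems() catches.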

Installing the Symantec Spam Plug-in for Outlook

To use the Symantec Spam Plug-in, ensure that the computer meets the following requirements:

■ Outlook 2000/2002/2003

■ Windows 2000/XP/2003

You can install the Symantec Spam Plug-in using any of the following methods:

■ Install the plug-in using the installation wizard.

■ Perform a silent installation.

To install the Symantec Spam Plug-in for Outlook using the installation wizard

1 Close Outlook by clicking File > Exit.

If you close Outlook in any other way, Outlook may continue to run in memory and return an error.

2 Insert the Symantec Mail Security product CD in the CD-ROM drive.

The installation program launches automatically. If it does not, run cdstart.exe from the product CD.

3 Click Install Outlook Plug-in.

4 In the welcome panel, click Next.

5 In the License Agreement panel, click I accept the terms of this license agreement, and then click Next.


6 In the Setup Type panel, select one of the following, and then click Next:

Complete Installs the plug-in in a predefined set of folders and files

Custom Lets you tailor installation options

7 Click Install.

8 Click Finish.

To perform a silent installation

1 On the computer on which you want to install the plug-in, insert the Symantec Mail Security product CD into the computer’s CD-ROM drive.

2 Open the Windows command prompt.

3 At the command prompt, type the following:

cd <CD-ROM drive>:\ADMTOOLS\SPA\BMOP

4 At the command prompt, type the following to run setup.exe with the silent-install switches:

setup.exe /s /v"/qn"

If you run setup.exe with the command /s /v"/qn", the silent installation option ignores the changes made to setup.ini. To preserve your changes, add /qn to the end of the CmdLine attribute in setup.ini, and then run the silent install using the following:

setup.exe /s

Configuring Symantec Premium AntiSpam to identify spam

Before you configure Symantec Premium AntiSpam, ensure that you have done the following:

■ If you have an ISA server, register Symantec Premium AntiSpam through the ISA server.

See “About registering Symantec Premium AntiSpam through an ISA server” on page 117.

■ Configure your proxy server to permit downloads for Symantec Premium AntiSpam.

See “Configuring your proxy server to download spam definition updates” on page 118.

■ Install the Symantec Premium AntiSpam license.

See “About the Symantec Premium AntiSpam license file” on page 67.


When you enable Symantec Premium AntiSpam, you can configure the following settings to identify and handle spam:

Reputation service Symantec monitors email sources to determine how much of the email that is sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source’s reputation value as determined by Symantec.

Symantec uses the following lists to filter your messages:

■ Open Proxy list IP addresses that are either open proxies that are used by spammers or 'zombie' computers that are coopted by spammers.

■ Safe list Contains IP addresses from which virtually no outgoing email is spam.

■ Suspect list A list of IP addresses from which virtually all of the outgoing email is spam.

These lists work like antispam rules but do not create delays like those that can occur with third-party lists. Nor do these lists require any special setup.

Suspected spam threshold

Symantec calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, it is defined as spam. You can define a suspected spam threshold between 25 and 89. You can also specify the actions for handling spam and suspected spam separately.

Language identification

Symantec can determine the language in which a message is written. If you use Microsoft Outlook, you can use the Symantec Plug-in for Outlook to specify that email that is written in certain languages be treated as spam.

To configure Symantec Premium AntiSpam to identify spam

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Premium AntiSpam Settings.

3 In the content area, under Symantec Premium AntiSpam Settings, check Enable Symantec Premium AntiSpam.

4 Under Reputation Services, check any of the following lists that you want to use:

■ Open proxy list

■ Safe list

Suspect List is enabled by default and cannot be disabled.


5 Under Spam Scoring, select whether you want messages flagged as suspected spam.

6 Under Spam Threshold, in the Lower spam threshold box, type the suspected spam threshold level if you choose to identify suspected spam.

You can enter a value between 25 and 89. The default value is 72.

7 Under Language ID, select whether or not you want to enable language identification.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

What you can do with spam and suspected spam messages

After you configure Symantec Premium AntiSpam settings, you can configure the actions that you want Symantec Mail Security to take for spam and suspected spam messages.

You can configure Symantec Mail Security to process spam messages based on the following criteria:

Spam Messages You can specify how to dispose of messages that are identified as spam by the Symantec Premium AntiSpam service.

See “Processing spam messages” on page 133.

Suspected Spam and SCL

Configure the Suspected Spam and SCL settings if you meet all of the following conditions:

■ You are using Exchange Server 2003

■ You use a mail screening tool that stamps messages with SCL values

If the premium antispam service identifies the message as suspected spam, Symantec Mail Security examines the SCL value. If the SCL value exceeds the threshold that you specify, the message is handled according to the settings that you configure.

See “Processing suspected spam messages that exceed a SCL threshold” on page 135.

Suspected Spam Configure the Suspected Spam settings if you meet any of the following conditions:

■ You are using Exchange Server 2000.

■ You are using Exchange Server 2003, and you do not use a mail screening tool.

■ You are using Exchange Server 2003 with a mail screening tool, and you want to configure settings for suspected spam messages that fall below the threshold that you configured for Suspected Spam and SCL.

If the premium antispam service identifies the message as suspected spam, the message is handled according to the settings that you configure.

See “Processing suspected spam messages” on page 138.

Processing spam messages

You can configure Symantec Mail Security to block spam messages or permit them.

You can log all spam events to the specified logging destinations.

See “About logging events” on page 197.

If you choose to reject spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message.

If you permit spam messages, you can configure the following message delivery options:

■ Prevent the messages from being sent to the intended recipient

■ Save the spam message to the folder location that you specify

See “Save messages to a folder for archiving” on page 24.

■ Deliver the spam message to an alternate recipient

■ Add your customized subject line text to the message

■ Add your customized X-header to the message

■ Tag the message as spam for the Spam Folder Agent

Use this option if you have installed the Spam Folder Agent.

See “About the Symantec Spam Folder Agent for Exchange” on page 119.

■ Assign a SCL value to the message

Use this option if you are using Exchange 2003 and are using Exchange’s SAT values to route spam messages.
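The decision flow this chapter describes, as an added Python illustration (not Symantec's code): a score of 90 to 100 is spam, a score at or above the configurable lower threshold (25 to 89, default 72) is suspected spam, and on Exchange Server 2003 with a screening tool a suspected-spam message whose stamped SCL exceeds the configured threshold takes the separate Suspected Spam and SCL action. The actions model the delivery options listed in this chapter (reject; or accept with subject text, an X-header defaulting to X-Bulk: Spam, an alternate recipient, the x-bmiFolder tag for the Spam Folder Agent, or an assigned SCL of 1 to 9), and the console's rules that Save to folder needs Prevent delivery and that an alternate recipient cannot be combined with it are enforced in Action. The policy values, archive path and sample messages are constructed.

```python
"""Spam / suspected spam decision flow (added illustration, not Symantec's code).
Policy values, the archive path and the sample messages are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SPAM_FLOOR = 90                      # guide: a score of 90 to 100 is spam
FOLDER_AGENT_HEADER = "x-bmiFolder"  # header the Spam Folder Agent looks for (from the guide)


def classify(score: int, lower_threshold: int = 72, flag_suspected: bool = True) -> str:
    """Map a Premium AntiSpam score (1-100) to 'spam', 'suspected' or 'clean'."""
    if not 1 <= score <= 100:
        raise ValueError("score must be 1..100")
    if not 25 <= lower_threshold <= 89:
        raise ValueError("suspected spam threshold must be 25..89")
    if score >= SPAM_FLOOR:
        return "spam"
    if flag_suspected and score >= lower_threshold:
        return "suspected"
    return "clean"


@dataclass
class Message:
    subject: str
    recipients: List[str]
    headers: Dict[str, str] = field(default_factory=dict)
    scl: Optional[int] = None        # SCL stamped by a screening tool (Exchange 2003)
    saved_to: Optional[str] = None   # archive folder when "Save to folder" applies


@dataclass
class Action:
    reject: bool = False
    prevent_delivery: bool = False
    save_folder: Optional[str] = None           # only with prevent_delivery
    alternate_recipient: Optional[str] = None   # not with prevent_delivery
    subject_tag: Optional[str] = None           # prepended to the subject
    x_header: Optional[Tuple[str, str]] = None  # console default is X-Bulk: Spam
    tag_for_folder_agent: bool = False
    assign_scl: Optional[int] = None            # 1..9, Exchange 2003 only

    def __post_init__(self) -> None:
        if self.save_folder and not self.prevent_delivery:
            raise ValueError("Save to folder needs Prevent delivery to original recipient(s)")
        if self.alternate_recipient and self.prevent_delivery:
            raise ValueError("alternate recipient is unavailable with Prevent delivery")
        if self.assign_scl is not None and not 1 <= self.assign_scl <= 9:
            raise ValueError("SCL value must be 1..9")


@dataclass
class Policy:
    spam: Action
    suspected: Action
    lower_threshold: int = 72
    flag_suspected: bool = True
    scl_threshold: Optional[int] = None         # Exchange 2003 with a screening tool only
    suspected_over_scl: Optional[Action] = None


def process(msg: Message, score: int, policy: Policy) -> str:
    """Return 'deliver', 'reject' or 'accept'; msg is modified as the action dictates."""
    verdict = classify(score, policy.lower_threshold, policy.flag_suspected)
    if verdict == "clean":
        return "deliver"
    action = policy.spam
    if verdict == "suspected":
        action = policy.suspected
        if (policy.suspected_over_scl is not None and policy.scl_threshold is not None
                and msg.scl is not None and msg.scl > policy.scl_threshold):
            action = policy.suspected_over_scl
    if action.reject:
        return "reject"   # the SMTP server refuses the message; the sender gets an error
    if action.subject_tag:
        msg.subject = f"{action.subject_tag} {msg.subject}"
    if action.x_header:
        msg.headers[action.x_header[0]] = action.x_header[1]
    if action.tag_for_folder_agent:
        msg.headers[FOLDER_AGENT_HEADER] = "1"
    if action.assign_scl is not None:
        msg.scl = action.assign_scl   # replaces any SCL already on the message
    if action.prevent_delivery:
        msg.recipients = []
        msg.saved_to = action.save_folder
    elif action.alternate_recipient:
        msg.recipients = [action.alternate_recipient]
    return "accept"


def demo_policy() -> Policy:
    # constructed policy: reject spam outright, archive suspected spam with a high SCL,
    # and tag the remaining suspected spam for Exchange's SAT with SCL 7
    return Policy(
        spam=Action(reject=True),
        suspected=Action(subject_tag="Spam", x_header=("X-Bulk", "Spam"), assign_scl=7),
        scl_threshold=5,
        suspected_over_scl=Action(prevent_delivery=True, save_folder=r"C:\SpamArchive",
                                  x_header=("X-Bulk", "Spam")),
    )


def run_demo() -> List[tuple]:
    # constructed samples: (antispam score, SCL stamped upstream, subject)
    samples = [(95, None, "free prizes"), (80, 8, "limited offer"),
               (80, 2, "limited offer"), (40, None, "meeting notes")]
    results = []
    for score, scl, subject in samples:
        msg = Message(subject=subject, recipients=["user@example.invalid"], scl=scl)
        outcome = process(msg, score, demo_policy())
        results.append((outcome, msg.subject, msg.recipients, msg.scl, msg.saved_to))
    return results
```

The two "limited offer" samples score identically; only the upstream SCL decides whether the message is archived or tagged and handed to the store, which is the split between the Suspected Spam and SCL settings and the plain Suspected Spam settings.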


To reject spam messages

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Spam Messages, under If message is Spam, check Reject the message.

4 Check Log to log spam messages to the specified logging destinations.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

To accept spam messages

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Spam Messages, under If message is Spam, check Accept the message.

4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving spam messages.

5 To save spam messages to a folder, do all of the following:

■ Check Save to folder.

■ In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list.

This option is only available if Prevent delivery to original recipient(s) is checked.

See “Save messages to a folder for archiving” on page 24.

6 To add an X-header to messages sent to a folder, do all of the following:

■ Check Add X-header.

■ In the X-header name box, type the name for the X-header.

The default name is X-Bulk.

■ In the X-header value box, type the X-header value.

The default value is Spam.

This option is only available if Save to folder is checked.

7 Check Deliver to alternate recipient to send spam messages to a different recipient, and type the address to which spam messages are delivered.

You can only enter one address. This option is not available if Prevent delivery to original recipient(s) is checked.


8 Check Add to subject line to prepend the subject line of spam messages, and in the subject line box, type your customized text.

The default text is Spam.

9 To add an X-header to spam messages, do all of the following:

■ Check Add X-header.

■ In the X-header name box, type the name of the X-header.

The default text is X-Bulk.

■ In the X-header value box, type the value for the X-header.

The default value is Spam.

10 Check Tag for Spam Folder Agent Delivery to send spam messages to the Symantec Spam Folder Agent.

You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.

11 Check Assign SCL value to message to assign a SCL value to spam messages, and in the drop-down list, select the threshold value.

You can choose a value from 1 to 9. The default value is 9.

This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.

12 Check Log to log spam messages to the specified logging destinations.

13 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Processing suspected spam messages that exceed a SCL threshold

If you are using Exchange Server 2003 with a mail screening tool, you can configure Symantec Mail Security to block or permit suspected spam messages that exceed a SCL threshold. You must assign the SCL threshold for which the Suspected Spam and SCL settings apply.

You can log all spam events to the specified logging destinations.

See “About logging events” on page 197.

Note: These settings do not apply for Exchange Server 2000.

You can specify how you want Symantec Mail Security to process messages that are identified as suspected spam and that exceed the SCL threshold that you specify.


If you reject suspected spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message.

If you permit suspected spam messages that exceed the threshold, you can configure the following message delivery options:

■ Prevent the messages from being sent to the intended recipient

■ Save the spam message to the folder location that you specify

See “Save messages to a folder for archiving” on page 24.

■ Deliver the spam message to an alternate recipient

■ Add your customized subject line text to the message

■ Add your customized X-header to the message

■ Tag the message as spam for the Spam Folder Agent

Use this option if you have installed the Spam Folder Agent.

See “About the Symantec Spam Folder Agent for Exchange” on page 119.

■ Reassign the SCL value of the message

Use this option if you are using Exchange 2003 and are using Exchange’s SCL values to route spam messages.

To reject suspected spam messages that exceed a SCL threshold

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam and SCL, in the If message is Suspected Spam and SCL is list, select the SCL value threshold.

You can choose a value from >0 to >8. The default value is >5.

4 Check Reject the message.

5 Check Log to log suspected spam messages to the specified logging destinations.

6 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

To accept suspected spam messages that exceed a SCL threshold

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam and SCL, in the If message is Suspected Spam and SCL is list, select the SCL value threshold.

You can choose a value from >0 to >8. The default value is >5.


4 Check Accept the message.

5 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.

6 To save suspected spam messages to a folder, do all of the following:

■ Check Save to folder.

■ In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list.

This option is only available if Prevent delivery to original recipient(s) is checked.

See “Save messages to a folder for archiving” on page 24.

7 To add an X-header to messages sent to a folder, do all of the following:

■ Check Add X-header.

■ In the X-header name box, type the name for the X-header.

The default text is X-Bulk.

■ In the X-header value box, type the X-header value.

The default value is Suspected Spam.

This option is only available if Save to folder is checked.

8 Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered.

You can only specify one recipient.

9 Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text.

The default text is Spam.

10 To add an X-header to suspected spam messages, do all of the following:

■ Check Add X-header.

■ In the X-header name box, type the name of the X-header.

The default text is X-Bulk.

■ In the X-header value box, type the value for the X-header.

The default value is Suspected Spam.

11 Check Tag for Spam Folder Agent Delivery to send suspected spam messages to the Symantec Spam Folder Agent.

You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.


12 Check Assign SCL value to message to assign a SCL value to suspected spam messages, and in the drop-down list, select the threshold value.

You can choose a value from 1 to 9. The default value is 8.

This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.

13 Check Log to log suspected spam messages to the specified logging destinations.

14 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Processing suspected spam messages

You can configure Symantec Mail Security to block or permit suspected spam messages. You can log all spam events to the specified logging destinations.

See “About logging events” on page 197.

Configure the Suspect Spam options if you meet any of the following conditions:

■ You are using Exchange Server 2000.

■ You are using Exchange Server 2003, and you do not use a mail screening tool.

■ You are using Exchange Server 2003 with a mail screening tool, and you want to configure settings for suspected spam messages that fall below the threshold that you configured for Suspected Spam and SCL.

If you reject suspected spam messages, the message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. If you choose to reject the message, the message delivery options are disabled.

If you permit suspected spam messages, you can use the following message delivery options:

■ Prevent the messages from being sent to the intended recipient

■ Save the spam message to the folder location that you specify

■ Deliver the spam message to an alternate recipient

■ Add your customized subject line text to the message

■ Add your customized X-header to the message

■ Tag the message as spam for the Spam Folder Agent

Use this option if you have installed the Spam Folder Agent.

See “About the Symantec Spam Folder Agent for Exchange” on page 119.


■ Reassign the SCL value of the message

Use this option if you are using Exchange 2003 and are using Exchange’s SCL values to route spam messages.

See “About spam confidence level (SCL) values” on page 110.

To reject suspected spam messages

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Reject the message.

4 Check Log to log spam messages to the specified logging destinations.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

To accept suspected spam messages

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Suspected Spam, under If message is Suspected Spam, check Accept the message.

4 Check Prevent delivery to original recipient(s) to prevent the intended recipients from receiving suspected spam messages.

5 To save suspected spam messages to a folder, do all of the following:

■ Check Save to folder.

■ In the Folder name box, type a folder name or click the browse [...] command icon and select a folder name from the list.

This option is only available if Prevent delivery to original recipient(s) is checked.

See “Save messages to a folder for archiving” on page 24.

6 To add an X-header to messages sent to a folder, do all of the following:

■ Check Add X-header.

■ In the X-header name box, type the name for the X-header.

The default text is X-Bulk.

■ In the X-header value box, type the X-header value.

The default value is Suspected Spam.

This option is only available if Save to folder is checked.


7 Check Deliver to alternate recipient to send suspected spam messages to a different recipient, and type the address to which suspected spam messages are delivered.

You can only specify one recipient.

8 Check Add to subject line to prepend the subject line of suspected spam messages, and in the subject line box, type your customized text.

The default text is Spam.

9 To add an X-header to suspected spam messages, do all of the following:

■ Check Add X-header.

■ In the X-header name box, type the name of the X-header.

The default text is X-Bulk.

■ In the X-header value box, type the value for the X-header.

The default value is Suspected Spam.

10 Check Tag for Spam Folder Agent Delivery to send suspected spam messages to the Symantec Spam Folder Agent.

You must have the Symantec Spam Folder Agent installed. Using the Spam Folder Agent is recommended for Exchange 2000 installations only.

11 Check Assign SCL value to message to reassign the SCL value, and in the drop-down list, select the threshold value.

You can choose a value from 1 to 9. The default value is 6.

This option is available only for Exchange 2003. The value that you specify replaces the existing SCL values of incoming messages.

12 Check Log to log suspected spam messages to the specified logging destinations.

13 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.


Configuring heuristic antispam protection

You can enable the heuristic antispam engine to detect spam. You can use the SCL values that Symantec Mail Security assigns to each message to specify how you want Symantec Mail Security to process the message.

To configure heuristic antispam protection, do the following:

Enable heuristic antispam detection.

You must enable heuristic spam detection. This option is disabled by default.

If you are using Exchange Server 2003, you can also specify how you want Symantec Mail Security to address multiple SCL values.

See “About comparing Symantec Mail Security SCL values to other screening tools” on page 111.

Configure options for messages to reject.

You can reject messages based on their SCL values. For example, if Symantec Mail Security assigns a message a SCL value of 9, there is a high likelihood that the message is spam. You can configure Symantec Mail Security to reject messages that have a SCL value greater than 8. Rejecting messages that have a high likelihood of being spam can help you conserve scanning resources.

If you are using Exchange 2000, configure the option: Reject message if SCL is.

If you are using Exchange 2003, configure the following options:

■ Reject message if Symantec’s SCL and existing SCL are

■ Reject message if SCL is

This provides a backup configuration in the event your other mail screening tool fails to assign a SCL value.

See “About comparing Symantec Mail Security SCL values to other screening tools” on page 111.

You can also specify whether you want to log spam messages that are rejected.


To enable heuristic antispam detection

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antispam, click Heuristic Detection.

3 In the content area, under Heuristic Anti-Spam Settings, check Enable heuristic spam detection.

4 In the Use list, select one of the following:

■ Highest SCL

This is the default option.

■ Lowest SCL

■ Average SCL

■ Symantec’s SCL

■ Existing SCL

This option is only available for Exchange Server 2003.

To configure actions to take for rejected messages

1 Under Rejected Messages, check Reject message if Symantec’s SCL and existing SCL are to reject messages that receive a SCL value from Symantec and another mail screening tool, and in the drop-down list, select the threshold value.

You can choose a value from >5 to >8. The default value is >8.

This option is only available for Exchange Server 2003.

2 Check Reject message if SCL is to reject messages based on SCL value, and in the drop-down list, select the threshold value.

You can choose a value from >0 to >8. The default value is >8.

Configure this option if you use Exchange 2000 (which does not support mail screening tools). Configure this option if you use Exchange 2003 to provide a backup configuration in the event your other mail screening tool fails to assign a SCL value.

3 Check Log rejected messages to log rejected messages to the specified logging destinations.

See “About logging events” on page 197.

Configure options for messages to accept.

You can configure which messages to accept and how you want Symantec Mail Security to process the messages. For example, if Symantec Mail Security assigns a message a SCL value of 7, there is a medium likelihood that the message is spam. You can configure Symantec Mail Security to accept messages that fall below a specified SCL value.

You can specify to whom the message should be delivered, or you can save the message to a file location. You can prepend the subject text and add an X-header. You can also log messages that are accepted.

To configure actions to take for accepted messages

1 Under Accepted Messages, check Prevent delivery to original recipient if SCL is to prevent the original recipient from receiving messages with a given SCL, and in the drop-down list, select the threshold value.

You can choose a value from >0 to >8. The default value is >8.

2 To save messages to a folder, do all of the following:

■ Check Save to folder.

■ Type a folder name in the Folder name box or click the browse [...] command icon and select a folder name from the list.

This option is only available if Prevent delivery to original recipient if SCL is is checked.

See “Save messages to a folder for archiving” on page 24.

3 To add an X-header to messages sent to a folder, do all of the following:

■ Check Add X-header.

■ In the X-header value box, type the X-header value.

The default value is X-SMSMSE-SCL.

This option is only available if Save to folder is checked.

4 To send messages with a given SCL to a different recipient, do all of the following:

■ Check Deliver to alternative recipient if SCL is.

■ Click the drop-down list and select the threshold value.

You can choose a value from >0 to >8. The default value is >8.

■ In the Alternative recipient box, type the address to which messages that meet the SCL criterion are delivered.

You can only specify one recipient.

This option is only available if “Deliver to alternative recipient if SCL is” is checked. This option is not available if the Save to folder option is checked.

Page 144: SMS Implementation Guide

144 Identifying spamConfiguring heuristic antispam protection

5 To prepend the subject line of messages with a given SCL, do all of the following:

■ Check Add subject tag if SCL is.

■ In the drop-down list, select the threshold value.

You can choose a value from >0 to >8. The default value is >8.

■ In the Prepend subject text box, type your customized text.

The default value is Spam.

6 Check Add X-header, containing SCL value, if SCL is to add an X-header to messages with a given SCL, and then in the drop-down list, select the threshold value.

You can choose a value from >0 to >8. The default value is >8.

7 Check Log if SCL is to log messages with a given SCL to the specified logging destinations, and in the drop-down list, select the threshold value.

You can choose a value from >0 to >8. The default value is >8.

See “About logging events” on page 197.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.
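The following Python model, added here and not part of the guide or of the product, walks a message through the SCL decisions these steps configure: the Use list that combines Symantec’s SCL with an existing SCL, the two Rejected Messages thresholds, and the Accepted Messages options (the same delivery, folder, alternate recipient, subject, X-header and log actions that the Premium AntiSpam procedures earlier on this page expose without a threshold). The settings, the messages and the rounding used for Average SCL are assumptions.

```python
"""Model of the heuristic antispam SCL decision chain (added illustration, not
Symantec code). Option names mirror the console settings; ">N" thresholds follow
the drop-down lists; all settings and messages here are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def combine_scl(use: str, symantec_scl: int, existing_scl: Optional[int]) -> int:
    """The 'Use' list. With no existing SCL (Exchange 2000, or a screening tool
    that set none) only Symantec's value exists. Assumption: Average rounds half up."""
    if existing_scl is None or use == "Symantec's SCL":
        return symantec_scl
    if use == "Existing SCL":
        return existing_scl
    if use == "Highest SCL":
        return max(symantec_scl, existing_scl)
    if use == "Lowest SCL":
        return min(symantec_scl, existing_scl)
    if use == "Average SCL":
        return (symantec_scl + existing_scl + 1) // 2
    raise ValueError(f"unknown Use setting: {use}")


@dataclass
class HeuristicSettings:
    use: str = "Highest SCL"
    # Rejected Messages (None means the box is unchecked)
    reject_if_both_scl_over: Optional[int] = 8   # Exchange 2003 only
    reject_if_scl_over: Optional[int] = 8        # backup rule; the only rule on Exchange 2000
    log_rejected: bool = True
    # Accepted Messages; each option carries its own ">N" threshold
    prevent_delivery_over: Optional[int] = 8
    save_to_folder: Optional[str] = None         # requires Prevent delivery
    alt_recipient: Optional[str] = None          # not available with Save to folder
    alt_recipient_over: int = 8
    subject_tag: Optional[str] = "Spam"
    subject_tag_over: int = 8
    xheader_over: Optional[int] = 8              # adds X-SMSMSE-SCL: <value>
    log_over: Optional[int] = 8

    def __post_init__(self) -> None:
        if self.save_to_folder and self.prevent_delivery_over is None:
            raise ValueError("Save to folder requires Prevent delivery to original recipient")
        if self.save_to_folder and self.alt_recipient:
            raise ValueError("Deliver to alternative recipient is not available with Save to folder")


@dataclass
class Message:
    subject: str
    recipients: List[str]
    symantec_scl: int
    existing_scl: Optional[int] = None   # SCL set by another screening tool, if any


@dataclass
class Verdict:
    rejected: bool = False
    scl: int = 0
    delivered_to: List[str] = field(default_factory=list)
    saved_to: Optional[str] = None
    subject: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    logged: bool = False


def over(value: int, threshold: Optional[int]) -> bool:
    """True when the option is checked and the SCL exceeds its threshold."""
    return threshold is not None and value > threshold


def process(msg: Message, s: HeuristicSettings) -> Verdict:
    v = Verdict(subject=msg.subject, scl=combine_scl(s.use, msg.symantec_scl, msg.existing_scl))
    # Rejected Messages: the combined rule fires only if both engines scored above the threshold.
    both_over = (msg.existing_scl is not None
                 and over(msg.symantec_scl, s.reject_if_both_scl_over)
                 and over(msg.existing_scl, s.reject_if_both_scl_over))
    if both_over or over(v.scl, s.reject_if_scl_over):
        v.rejected = True
        v.logged = s.log_rejected
        return v
    # Accepted Messages: every option is tested against the combined SCL.
    v.logged = over(v.scl, s.log_over)
    if over(v.scl, s.xheader_over):
        v.headers["X-SMSMSE-SCL"] = str(v.scl)
    if s.subject_tag and over(v.scl, s.subject_tag_over):
        v.subject = f"{s.subject_tag} {msg.subject}"
    if over(v.scl, s.prevent_delivery_over):
        v.saved_to = s.save_to_folder    # Save to folder only applies when delivery is prevented
    else:
        v.delivered_to.extend(msg.recipients)
    if s.alt_recipient and over(v.scl, s.alt_recipient_over):
        v.delivered_to.append(s.alt_recipient)
    return v


if __name__ == "__main__":
    # Constructed sample: Symantec scored 7, another screening tool scored 9.
    m = Message("Hot stock pick", ["alice@example.test"], symantec_scl=7, existing_scl=9)
    print(process(m, HeuristicSettings(use="Highest SCL")))   # rejected: 9 > 8
    print(process(m, HeuristicSettings(use="Lowest SCL")))    # delivered: 7 is not > 8
```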

Chapter 8

Filtering content using content filtering rules

This chapter includes the following topics:

■ About filtering content

■ Working with match lists

■ Working with content filtering rules

■ How to enforce email attachment policies

About filtering content

Symantec Mail Security enhances mail security protection by filtering email messages and attachments. Symantec Mail Security can scan email messages and their attachments for offensive language, confidential information, and content with potential legal consequences. Symantec Mail Security can also block file types that could potentially contain threats.

Content filtering rules let you filter messages for specific words, phrases, subject lines, senders, attachment names, attachment size, and attachment content, and take action when the specified content is found.

You can apply content filtering scanning when you perform auto-protect scans, manual scans, and scheduled scans. The rules provide a front-end defense against spam email messages and new or unidentified threats.

See “About the scanning process” on page 178.


You can also use content filtering rules with outbreak management. You can configure Symantec Mail Security to automatically add the names of outbreak triggered attachments and outbreak triggered subject text to match lists. Symantec Mail Security uses these match lists in pre-configured content filtering rules that automatically block suspicious file attachments or subjects. You can also use these match lists to create your own content filtering rules.

See “About outbreak management” on page 189.

You can create as many content filtering rules as needed. Each rule specifies the email message part to search (for example, message body, subject, sender, attachment name, or attachment content), and defines the condition that should trigger a content violation. You can enable or disable filtering for each rule.

See “Working with content filtering rules” on page 157.

See “About configuring a content filtering rule” on page 160.

Note: The content filtering engine does not evaluate any file extension names that are inside the outer-most attachment, for example, the compressed files in a .zip file.

Symantec Mail Security handles content violations according to the action that you configure for the rule. Symantec Mail Security can notify administrators and senders (internal and external) of content filtering violations. You can customize the notification message.

Note: A message can trigger a single content filtering rule violation multiple times. This occurs if the mail client from which the message originated used RTF or HTML encoding. In that case, both the plain text and formatted versions of the message body are sent by the mail client to the Exchange server. Symantec Mail Security scans the plain text and formatted versions of the message body as separate message bodies.


About default content filtering rules

Table 8-1 describes the pre-configured content filter rules that Symantec Mail Security provides.

Table 8-1 Default content enforcement rules

Allow-Only Attachment Rule
    Detects and filters files with attachment types that are not on a list of permitted attachment types

Blank Subject and Sender
    Detects and filters messages with a blank subject line and a blank sender line

Quarantine Triggered Attachment Names
    Detects and filters files if the attachment name matches a list of outbreak-triggered attachment names

Quarantine Triggered Subjects
    Detects and filters messages whose subject matches a list of outbreak-triggered subjects

Sample Executable File
    Detects and filters executable files based on the Sample Attachment Name match list

You must enable the default content filtering rules that you want to use. You can modify the rules as needed.

About content evaluation

Email messages or their attachments that match an expression in a filtering rule might violate that rule, depending on whether the rule contains AND expressions or OR expressions. Specifically, if the rule contains AND expressions, then all expressions must evaluate to true to trigger a content violation for the entire rule. However, if the rule contains OR expressions, only one expression must evaluate to true to trigger a content violation for the rule.

See “Elements of a content filtering rule” on page 149.

You can specify a filtering rule to apply to SMTP inbound messages, SMTP outbound messages, and/or internal (store) messages.

See “Specifying inbound SMTP domains” on page 157.

A content filtering rule consists of one or more conditions that you define. For example, a condition might be that an email subject line contains one or more words from a subject line match list. A rule can optionally contain one or more exceptions. For example, UNLESS the subject line contains the word Rochester. The filtering rule triggers a violation if the subject line contains words from the selected subject line match list, such as cellular, credit, debt, diploma, or phrases like “feel younger.” If the subject line contains Rochester, however, the message does not trigger a violation.

Symantec Mail Security evaluates a rule logically as either an OR or AND rule. By default, the entries in the Content box are OR (Match any term), which means that if any of the entries are present, the rule applies. If you check “Match all terms,” it becomes an AND, which means that the rule only applies if all the items in the list are present.

Checking the “Attachment size is” box makes the attachment size threshold another condition for the rule. For example, assume that you are filtering subject line content. You add “top secret” in the Content list. You check “Attachment size is,” and you select a value of >2 MB. If you check “Match any term,” Symantec Mail Security triggers a violation if it detects either “top” OR “secret” in the subject line OR if the message exceeds 2 MB. If you check “Match all terms,” Symantec Mail Security triggers a violation if it detects the words “top” AND “secret” in the subject line AND the message exceeds 2 MB.

Any rule can only test one part of a message. If you want to test all the parts of a message, you have to create separate rules. However, if a rule tests an attachment, you can add an additional if/unless condition related to the attachment size.
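An evaluator for the rule logic just described, added here as an illustration and not the product’s own code. It applies one message part, Match any term versus Match all terms, the Attachment size condition, the Whole term and Case options and an UNLESS exception to constructed messages; that the comparison is Contains and that terms are literal strings are assumptions.

```python
"""Content filtering rule evaluator (added example, not Symantec code).
Models: the single message part a rule tests, Match any term (OR) versus
Match all terms (AND), the optional Attachment size condition joined the same
way, the Whole term and Case options, and UNLESS exceptions. All messages and
rules are constructed; the Contains comparison is assumed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Message:
    subject: str = ""
    body: str = ""
    sender: str = ""
    attachment_name: str = ""
    attachment_size_mb: float = 0.0


@dataclass
class Rule:
    part: str                                   # "subject", "body", "sender" or "attachment_name"
    terms: List[str]                            # entries in the Content box or match list
    match_all: bool = False                     # False = Match any term (OR), True = Match all terms (AND)
    whole_term: bool = False                    # Match: Whole term
    match_case: bool = False                    # Match: Case
    size_over_mb: Optional[float] = None        # "Attachment size is >" condition, if checked
    unless: List[str] = field(default_factory=list)   # UNLESS terms tested on the same part


def term_found(term: str, text: str, whole_term: bool, match_case: bool) -> bool:
    """Contains comparison for one term, honouring the Whole term and Case options."""
    pattern = re.escape(term)
    if whole_term:
        pattern = r"(?<!\w)" + pattern + r"(?!\w)"   # no word character on either side
    flags = 0 if match_case else re.IGNORECASE
    return re.search(pattern, text, flags) is not None


def evaluate(rule: Rule, msg: Message) -> bool:
    """Return True when the message violates the rule."""
    text = getattr(msg, rule.part)
    conditions = [term_found(t, text, rule.whole_term, rule.match_case) for t in rule.terms]
    if rule.size_over_mb is not None:
        # The size threshold is one more condition, combined with the same AND/OR.
        conditions.append(msg.attachment_size_mb > rule.size_over_mb)
    violated = all(conditions) if rule.match_all else any(conditions)
    # An UNLESS exception suppresses the violation when any exception term is present.
    if violated and any(term_found(t, text, rule.whole_term, rule.match_case) for t in rule.unless):
        return False
    return violated


# Constructed rules mirroring the examples in the text above.
SUBJECT_RULE = Rule("subject", ["cellular", "credit", "debt", "diploma", "feel younger"],
                    unless=["Rochester"])
TOP_SECRET_ANY = Rule("subject", ["top", "secret"], size_over_mb=2)
TOP_SECRET_ALL = Rule("subject", ["top", "secret"], match_all=True, size_over_mb=2)
FREE_WHOLE = Rule("body", ["Free"], whole_term=True)
ACME_CASE = Rule("body", ["ACME"], match_case=True)

if __name__ == "__main__":
    print(evaluate(SUBJECT_RULE, Message(subject="Earn a diploma from home")))        # True
    print(evaluate(SUBJECT_RULE, Message(subject="Diploma ceremony in Rochester")))   # False
    print(evaluate(TOP_SECRET_ALL, Message(subject="top secret memo", attachment_size_mb=1)))  # False
    print(evaluate(FREE_WHOLE, Message(body="Freedom now")))                           # False
```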

Page 149: SMS Implementation Guide

149Filtering content using content filtering rulesAbout filtering content

Elements of a content filtering rule

A rule consists of the following elements:

Message part
    You can specify the part of the email message that you want to scrutinize for violations.

Message flow
    You can select whether to apply the rule to any combination of inbound, outbound, or internal messages. You must select at least one.

Match
    Whole term: Applies the rule only if the exact term in the Content box or match list is found.
    Case: Applies the rule only if the exact term in the same case in the Content box or match list is found. For example, if you type ACME in the Content box list, a message that contains the word Acme would not trigger a violation.

Type
    Literal string: Matches the exact text in the box.
    Regular expression: Symbols and syntactic elements used to match patterns of text. See “About regular expressions” on page 150.
    Wildcards: Wildcard-style expressions provide a convenient way to specify file names. See “About DOS wildcard style expressions” on page 154.

Comparison
    Type the comparison that you want to make between the message part and the value that, when matched to the message part, constitutes a content violation. For example, Equals, Does Not Equal, Contains, or Does Not Contain.

Exception
    You can add an UNLESS condition to a rule to make exceptions to the overall requirement.

Value
    Type the numeric value or alphanumeric text string as the criteria to match. The “Attachment Size is” value is a numeric value. The rest of the values are alphanumeric text strings.

Action
    You can specify the action that you want Symantec Mail Security to take when the rule is violated.

When you create or modify a rule, you can also specify the sender or recipients for whom the rule applies and who to notify if the rule is violated. The message part that you select determines which comparisons you can use.

Page 150: SMS Implementation Guide

150 Filtering content using content filtering rulesAbout filtering content

The Message body, Subject, and Attachment Name parts interpret their value boxes according to the user’s choice. If you choose regular expressions, even if you type a number in the value box, Symantec Mail Security considers it text, not a number. Text strings, because they allow for regular expressions, give you flexibility in extending your text searches to find more than just a direct match. Regular expressions include metacharacters to help you broaden the search capabilities of a given rule.

See “About regular expressions” on page 150.

See “About metacharacters” on page 151.

About regular expressions

A regular expression is a set of symbols and syntactic elements that is used to match patterns of text. Symantec Mail Security performs matching on a line-by-line basis. It does not evaluate the line feed (newline) character at the end of each input expression phrase.

You can build regular expressions using a combination of normal alphanumeric characters and metacharacters. Regular expressions let you perform pattern matching in text. For example, many email messages contain a trailing number at the end of the subject line text, as in the following sample subject line:

Here’s a hot stock pick!43234

To write a rule to match email subject lines that have trailing numbers, compare the subject against the following regular expression:

^.+![0-9]+$

This regular expression contains the normal alphanumeric characters 0-9 and the metacharacters ^, ., +, and []. By using the subject attribute, the = operator, and the regular expression as the value, you can build a content filtering rule to catch any email messages whose subject lines end with a trailing number. This is a possible sign that the message is spam.


About metacharacters

Table 8-2 lists the metacharacters that you can use in regular expressions to build filtering rules. Some characters are not considered special unless you use them in combination with other characters.

Note: You can use metacharacters in regular expressions to search for both single-byte and multi-byte character patterns.

Table 8-2 Metacharacter descriptions

.
    Period: Matches any single character of the input sequence.

^
    Circumflex: Represents the beginning of the input line. For example, ^A is a regular expression that matches the letter A at the beginning of a line. The ^ character is only special at the beginning of a regular expression or after the ( or | characters.

$
    Dollar sign: Represents the end of the input line. For example, A$ is a regular expression that matches the letter A at the end of a line. The $ character is only special at the end of a regular expression or before the ) or | characters.

*
    Asterisk: Matches zero or more instances of the string to the immediate left of the asterisk. For example, A* matches A, AA, AAA, and so on. It also matches the null string (zero occurrences of A).

?
    Question mark: Matches zero or one instance of the string to the immediate left of the question mark.

+
    Plus sign: Matches one or more instances of the string to the immediate left of the plus sign.

\
    Escape: Turns on or off the special meaning of metacharacters. For example, \. only matches a dot character. \$ matches a literal dollar sign character. Note that \\ matches a literal \ character.

|
    Pipe: Matches either expression on either side of the pipe. For example, exe|com|zip matches exe, com, or zip.

[string]
    Brackets: Inside the brackets, matches a single character or collating element, as in a list. The string inside the brackets is evaluated literally, as if an escape character (\) were placed before each character in the string.
    If the initial character in the bracket is a circumflex (^), then the expression matches any character or collating element except those inside the bracket expression.
    If the first character after any potential circumflex (^) is a dash (-) or a closing bracket (]), then that character matches only a literal dash or closing bracket.

(string) or \(string\)
    Parentheses: Groups parts of regular expressions, which gives the string inside the parentheses precedence over the rest.

You can link several regular expressions to form a larger one to match certain content in email.

The order of metacharacters, from highest to lowest precedence, is as follows:

■ () Precedence override

■ | OR

■ [] List

■ \ Escape

■ ^ Start with


Table 8-3 lists examples of regular expressions that show how pattern matching is accomplished with the use of metacharacters and alphanumeric characters.

Table 8-3 Regular expressions

Regular expression Description

abc Matches any line of text that contains the three letters abc in that order.

Your results may differ depending on the comparison that you use to create the filtering rule. For example, if you build a rule to match the word Free and use the Contains comparison, then the filtering engine detects all words that contain the word Free instead of an exact match (for example, Freedom). However, if you use the Equal comparison, then the filtering engine detects only exact matches of the word Free with no other surrounding text. If you use the Contains comparison with Whole words only, then the filtering engine detects Free as a stand-alone word, even if there are other words present in the text that is being searched.

a.c Matches any string that begins with the letter a, followed by any character, followed by the letter c.

^.$ Matches any line that contains exactly one character. (The newline character is not counted.)

a(b*|c*)d Matches any string beginning with the letter a, followed by either zero or more instances of the letter b, or zero or more instances of the letter c, followed by the letter d.

.+\....\.... Matches any file name that has two, three-letter extensions (for example, Filename.gif.exe).

This regular expression is helpful in blocking email attachments with double extensions. For example:

If Attachment Name = .+\....\....

[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+ Matches an embedded comment in the middle of meaningful HTML text. Embedding comments within HTML text is a trick that spam senders use to bypass some pattern-matching software.

\s* Matches a white space character zero or more times.
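The following Python is an added illustration, not code from the guide: it applies the Table 8-3 patterns and the Contains, Equals and Whole words only comparisons described for the abc row. The sample strings and the case-insensitive default are assumptions made for this example.

```python
import re

# Patterns taken from Table 8-3; the sample texts used with them are
# constructed for this example.
DOUBLE_EXTENSION = r".+\....\...."
HTML_COMMENT_SPLIT = r"[0-9a-zA-Z]+<!--.*-->[0-9a-zA-Z]+"


def regex_matches(pattern: str, text: str) -> bool:
    """Regular-expression match in the 'Contains' sense: the pattern may
    occur anywhere in the text. Anchors written into the pattern itself
    (^ and $) still pin it to the start or end of a line."""
    return re.search(pattern, text, re.MULTILINE) is not None


def literal_matches(term: str, text: str, comparison: str = "Contains",
                    whole_words: bool = False,
                    case_sensitive: bool = False) -> bool:
    """Literal-string comparison as described for the abc row:
    'Contains' also hits larger words (Free matches Freedom), 'Equals'
    requires the text to be exactly the term, and 'Contains' with
    'Whole words only' requires the term to stand alone as a word.
    Ignoring case by default is an assumption of this example."""
    flags = 0 if case_sensitive else re.IGNORECASE
    escaped = re.escape(term)
    if comparison in ("Equals", "Does Not Equal"):
        equal = re.fullmatch(escaped, text, flags) is not None
        return equal if comparison == "Equals" else not equal
    if whole_words:
        escaped = r"\b" + escaped + r"\b"
    found = re.search(escaped, text, flags) is not None
    return found if comparison == "Contains" else not found


def double_extension_attachments(names):
    r"""Return the attachment names that the .+\....\.... pattern flags,
    i.e. names with two three-character extensions such as Filename.gif.exe."""
    return [n for n in names if regex_matches(DOUBLE_EXTENSION, n)]


def comment_split_words(html_body: str) -> bool:
    """True when an HTML comment is embedded inside a run of alphanumeric
    text, the evasion that the last Table 8-3 pattern is meant to catch."""
    return regex_matches(HTML_COMMENT_SPLIT, html_body)
```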


Working with match lists

You can create a match list that includes words, email addresses, or domains that you want to filter. Match lists provide a way to filter content that applies to a specific situation. Match lists support literal strings, DOS wildcard-style expressions, or regular expressions.

See “About regular expressions” on page 150.

See “About DOS wildcard style expressions” on page 154.

About DOS wildcard style expressions

DOS wildcard style expressions (“*”, “.”, and “?”) provide a convenient way to specify file names, similar to the way in which DOS wildcard characters are used. For example, match lists of type DOS wildcard are typically used with the Attachment Name Attribute to specify file names such as *.exe. In addition, a DOS wildcard expression lets you easily specify files without extensions.

Table 8-4 describes the DOS wildcard style expressions.

Table 8-4 DOS wildcard expressions

DOS wildcard expression Equivalent regular expression Description

* .* Zero or more of any character

? [^\.] Any one character except the period (.)

. \. Literal period character

*. [^\.]+\.? Does not contain a period, but can end with one


Table 8-5 lists the pre-configured match lists that are provided.

Table 8-5 Pre-configured match lists

Match list name Description

Outbreak Triggered Attachment Names

When you enable outbreak management, Symantec Mail Security adds the names of outbreak triggered attachments to the Outbreak Triggered Attachment Names match list. You can use this match list with the Quarantine Triggered Attachment Names content filtering rule. This rule lets you automatically quarantine files with attachment names that are found in the Outbreak Triggered Attachment Names match list.

You can edit the rule description and the text in the Filter list. Leave the match type as wild cards.

See “Configuring outbreak triggers” on page 193.

Outbreak Triggered Subject Lines

When you enable outbreak management, Symantec Mail Security adds the names of outbreak triggered subject lines to the Outbreak Triggered Subject Lines match list. You can use this match list with the Quarantine Triggered Subjects content filtering rule. This rule lets you automatically quarantine files with subject line text that is found in the Outbreak Triggered Subject Lines match list.

You can edit the rule description and the text in the Filter list. Leave the match type as literal.

See “Configuring outbreak triggers” on page 193.

Sample Attachment Name

This contains a list of attachment file names or extensions that might contain malicious code.

You can edit the rule description and add or remove file extensions in the Filter list. Leave the match type as wild cards.

Sample Executable File Names

This list contains file names or extensions that can potentially execute malicious code.

Leave the match type as wild cards.

Sample Message Body Words

This list contains key words and phrases typically found in the bodies of spam email messages.

You can edit the rule description, add or remove key words and phrases in the Filter list, and modify the match type. The default match type is literal.

Sample Multimedia File Names

This list contains file names or extensions of multimedia files.

Leave the match type as wild cards.

Sample Subject Line

This list contains key words and phrases typically found in spam email message subject lines.

You can edit the rule description, add or remove key words and phrases in the Filter list, and modify the match type. The default match type is literal.

You can create new match lists and delete or edit words in a match list. After you create a match list, you can define a content filtering rule that refers to the match list.

To create or edit a match list

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Match Lists.

3 Do one of the following:

■ To create a match list, in the sidebar under Tasks, click Add match list.

■ To edit an existing match list, in the content area under Match Lists, select the list that you want to edit, and then in the sidebar under Tasks, click Edit match list.

4 In the Add new match list window, in the Title box, type a name for the match list.

You can only configure the title when you are creating a new match list.

5 In the Description box, type a description for the match list.

6 In the Type box, select one of the following:

■ Literal string

■ Regular expression

See “About regular expressions” on page 150.

■ Wild cards

See “About DOS wildcard style expressions” on page 154.

7 In the Filter box, type a literal string, regular expression, or DOS wildcard-style expression.

Enter one expression per line. You can link several regular expressions to form a larger one to match certain content in email.


8 Click OK.

9 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

To delete a match list

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Match Lists.

3 In the content area, under Match Lists, select the match list that you want to delete.

4 In the sidebar under Tasks, click Delete match list.

5 In the confirmation dialog box, click OK.

6 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Working with content filtering rules

The following list describes what you can do with content filtering rules:

■ Specifying inbound SMTP domains

■ Enabling or disabling content filtering for auto-protect scanning

■ Creating a new rule

■ Editing an existing rule

■ About configuring a content filtering rule

■ Prioritizing content filtering rules

■ Deleting a content filtering rule

■ Refreshing the Active Directory groups cache

Specifying inbound SMTP domains

By default, inbound SMTP rules apply to messages that have at least one recipient who has a mailbox in the Exchange organization. Outbound SMTP rules apply to messages that have at least one recipient that does not have a mailbox in the Exchange organization.


You can modify these settings by specifying the domains that your organization considers local. By adding a domain to the domain list, emails with recipients for that domain are considered local, even if they do not have a mailbox locally.

Note: A single message can be considered both inbound and outbound. In this case, both inbound and outbound rules are applied to the message.

To specify inbound SMTP domains

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click System Settings.

3 In the content area, under System Settings, check Use list below to specify inbound SMTP domains.

4 In the List of internal domains box, type the domain or domains that define which email messages are inbound.

Type only one domain per line.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Enabling or disabling content filtering for auto-protect scanning

You can enable or disable content filtering for auto-protect scanning. You enable content filtering scanning for manual and scheduled scans when you configure those scanning options.

See “About manual scans” on page 180.

See “About scheduling a scan” on page 183.

To enable or disable content filtering for auto-protect scanning

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 In the content area under Content Filtering Rules, do one of the following:

■ Check Enable content filtering to enable content filtering for auto-protect scanning.

■ Uncheck Enable content filtering to disable content filtering for auto-protect scanning.

4 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.


Creating a new rule

You can create as many content filtering rules as you need.

To create a new rule

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 In the sidebar under Tasks, click Add new rule.

4 Configure the rule.

See “About configuring a content filtering rule” on page 160.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Editing an existing rule

You can modify existing rules as needed.

To edit an existing rule

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 In the content area, do one of the following:

■ Click the rule that you want to edit, and in the sidebar under Tasks, click Edit rule.

■ Double-click the rule that you want to edit.

4 Modify the rule as needed.

See “About configuring a content filtering rule” on page 160.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.


About configuring a content filtering rule

You can create and modify content filtering rules as needed. To create a content filtering rule, do the following:

■ Specify the rule name and provide a description.

See “Specifying a rule name and description” on page 160.

■ Specify the conditions of the rule.

See “Configuring rule conditions” on page 161.

■ Specify any exceptions to the rule.

See “Configuring exceptions to the rule” on page 163.

■ Configure the actions that you want Symantec Mail Security to take if the rule is violated.

See “Configuring rule actions” on page 164.

■ Specify the users and groups to whom the rule applies.

See “Specifying the users and groups in which the rule applies” on page 166.

■ Specify who to notify if the rule is violated.

See “Specifying who to notify if the rule is violated” on page 167.

Specifying a rule name and description

You should provide a meaningful name for your content filtering rule so that you can easily identify the rule in the Content filtering rules table and in reports. Symantec Mail Security also lets you provide a detailed description of the rule.

To specify a rule name and description

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 Do one of the following:

■ To create a rule, in the sidebar under Tasks, click Add new rule.

■ To modify an existing rule, in the content area, double-click the rule that you want to edit.

4 In the Name box, type the name of the rule.

This is a required entry.

5 In the Description box, type a brief description of the rule.


Configuring rule conditions

You must configure the conditions in which the rule applies. Rule conditions specify what content triggers the violation. Enabling the “Attachment size is” box makes the attachment size threshold another condition for the rule.

See “About content evaluation” on page 147.

To configure rule conditions

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 Do one of the following:

■ To create a rule, in the sidebar under Tasks, click Add new rule.

■ To modify an existing rule, in the content area, double-click the rule that you want to edit.

4 On the Rule tab, in the Message part to scan box, select one of the following:

■ Message Body

■ Subject

■ Sender

■ Attachment Name

■ Attachment Content

5 Under Apply rule to, check one or more of the following:

■ Inbound messages

■ Outbound messages

■ Internal messages (store)

At least one of these boxes must be checked.

6 Under Rule Content, in the Match type box, select one of the following:

■ Literal string

■ Regular expression

■ Wild cards


7 Check one or more of the following options:

■ Whole term

This option is not available when you select the Regular expression match type.

■ Case

This option is not available when you select the Sender or Attachment Name message part options.

8 Under Content, select one of the following:

■ Equals

■ Does Not Equal

■ Contains

■ Does Not Contain

9 Select one of the following:

■ Match any term

Triggers a violation if any term in the list (including any term in selected match lists) is found.

■ Match all terms

Triggers a violation if all of the terms in the list (including all of the terms in the selected match lists) are found.

10 In the Content list, do one of the following:

■ Type words or phrases to be filtered.

Type each entry on a separate line.

■ Click Add match list if you want to select a match list for the rule, and then select a match list from the menu.

See “Working with match lists” on page 154.

11 Check Attachment size is to add the attachment size as a condition of the rule, and then configure the comparison value and attachment size.


Configuring exceptions to the rule

You can add an UNLESS condition to a rule to make exceptions to the overall requirement. You can also make file attachment size an exception to the rule.

See “About content evaluation” on page 147.

To configure exceptions to the rule

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 Do one of the following:

■ To create a rule, in the sidebar under Tasks, click Add new rule.

■ To modify an existing rule, in the content area, double-click the rule that you want to edit.

4 Configure the rule conditions.

See “Configuring rule conditions” on page 161.

5 On the Rule tab, under Unless, select one of the following:

■ Equals

■ Does Not Equal

■ Contains

This is the default option.

■ Does Not Contain

6 In the Match any term list, do any of the following:

■ Type words or phrases that override the filtering of the entries in the Content list.

Type each entry on a separate line.

■ Click Add match list if you want to select a match list for the rule, and then select a match list from the menu.

See “Working with match lists” on page 154.

7 Check Or attachment size is to add the attachment size as one of the Unless conditions, and then configure the comparison value and attachment size.


Configuring rule actions

Rule actions let you specify the actions that you want Symantec Mail Security to take if a violation occurs.

Configure rule actions

Symantec Mail Security provides the following options for processing messages that trigger content filtering rule violations:

■ Delete entire message

■ Delete attachment/message body and replace with text

You can customize the replacement text.

■ Quarantine attachment/message body and replace with text

You can customize the replacement text.

■ Add tag to beginning of subject line

You can customize the text that you want to prepend to the subject line. This rule action is not available if you apply the rule to the internal messages (store).

■ Save to folder

You can specify the folder in which you want to save the email message. You can also add an X-header to the message and customize the X-header name and value. This rule action is not available if you apply the rule to the internal messages (store).

See “Save messages to a folder for archiving” on page 24.

■ Log only

Logs the event to the specified logging destinations.

See “About logging events” on page 197.

To configure rule actions to delete the message

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 Do one of the following:

■ To create a rule, in the sidebar under Tasks, click Add new rule.

■ To modify an existing rule, in the content area, double-click the rule that you want to edit.

4 On the Rule tab, under Rule Action, in the When a violation occurs box, select Delete entire message.


To configure rule actions to delete the attachment and message body and replace with text

1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Delete attachment/message body and replace with text.

2 In the Replacement text box, type your customized text.

See “About alert and notification variables” on page 225.

To configure rule actions to quarantine the attachment and message and replace with text

1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Quarantine attachment/message body and replace with text.

2 In the Replacement text box, type your customized text.

To configure rule actions to prepend the subject line

1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Add tag to beginning of subject line.

This rule action is not available if you apply the rule to the internal messages (store).

2 In the Subject line tag box, type the customized text that you want to prepend to the subject line.

To configure rule actions to save the message to a folder

1 On the Rule tab, under Rule Action, in the When a violation occurs box, select Save to folder.

This rule action is not available if you apply the rule to the internal messages (store).

2 In the Folder name box, type the name of the folder or click the browse [...] command icon and select a folder name from the list.

3 To add an X-header to messages sent to a folder, do all of the following:

■ Check Add X-header.

■ In the X-header name box, type the name for the X-header.

■ In the X-header value box, type the X-header value.

To configure rule actions to only log the event

◆ On the Rule tab, under Rule Action, in the When a violation occurs box, select Log only.


Specifying the users and groups in which the rule applies

Symantec Mail Security lets you specify the users and groups in which the rule applies. You can also specify who is an exception to the rule. You can add users based on SMTP addresses, or you can select groups from Active Directory. If you do not specify users, the rule applies to all senders and recipients.

Note: You can select any Active Directory group except the Users group. Adding the Users group to the Active Directory Groups list results in unintended behavior.

To specify the users and groups in which the rule applies

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 Do one of the following:

■ To create a rule, in the sidebar under Tasks, click Add new rule.

■ To modify an existing rule, in the content area, double-click the rule that you want to edit.

4 Click the Users tab.

5 Under Sender/recipient Selection, do one of the following:

To apply the rule based on the sender

Click Sender, and then select one of the following:

■ Apply if the sender of the message is in the list

■ Apply if the sender of the message is NOT in the list

To apply the rule based on the recipient

Click Recipient, and then select one of the following:

■ Apply if ANY of the recipients of the message are in the list

■ Apply if ANY of the recipients of the message are NOT in the list

■ Apply if ALL of the recipients of the message are in the list

■ Apply if ALL of the recipients of the message are NOT in the list


6 Under List of Users or Groups, in the SMTP addresses box, do one of the following:

■ Type the addresses of the users that you want to include or exclude.

Type one address per line.

■ To add a pre-configured match list that contains user addresses, click Add Match List and select a match list.

You can only insert one match list. You can combine a match list with typed addresses.

See “Working with match lists” on page 154.

7 Under the Active Directory groups list, to select groups from Active Directory, click Add.

8 In the Active Directory domains and groups window, under Available groups, select the group that you want to add and click the >> command icon.

The group that you select appears in the Selected groups list. To deselect a group in the Selected groups list, click on the group entry, and then click the << command icon.

9 Click OK.

Specifying who to notify if the rule is violated

Symantec Mail Security lets you specify who you want to notify when a rule is violated.

To specify who to notify if the rule is violated

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 Do one of the following:

■ To create a rule, in the sidebar under Tasks, click Add new rule.

■ To modify an existing rule, in the content area, double-click the rule that you want to edit.

4 Click the Notifications tab.

5 Check any of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender


6 Next to each of the items that you selected, click the down arrow and do the following:

■ In the Subject line box, type the subject line text.

■ In the Message body box, type the message body text.

See “About alert and notification variables” on page 225.

7 Click OK.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Prioritizing content filtering rules

Symantec Mail Security evaluates all of the content filtering rules that you enable. If a message violates more than one rule, Symantec Mail Security applies the most severe disposition of all of the rules. For example, assume that you have two content filtering rules enabled: Rule A and Rule B. Rule A is the highest priority, and the rule action is “Log only.” Rule B is the lowest priority, and the rule action is to “Delete entire message.” A message that violates both rules is deleted.

If the message violates more than one rule and all of the rules have the same disposition, Symantec Mail Security uses the rule prioritization to determine which rule to apply. For example, assume that you have two content filtering rules enabled: Rule C and Rule D. Rule C is the highest priority, the rule action is “Add tag to the beginning of subject line,” and your customized text is Spam. Rule D is the lowest priority, the rule action is “Add tag to the beginning of subject line,” and your customized text is Prohibited content. A message that violates both rules will have the subject line prepended with Spam.

The rule order does not change in the Content filtering rules table. You can only view and modify rule prioritization in the Rule prioritization window.
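The Python below is an added example, not code from the guide, covering both the rule conditions described earlier (Match any term, Match all terms, UNLESS exceptions) and the disposition logic above: most severe action first, then priority as the tie-break. The complete severity ordering of the actions, the Rule dataclass, and the sample messages are assumptions made for this example; the guide only states that Delete entire message outranks Log only.

```python
from dataclasses import dataclass, field

# Rule actions ordered from least to most severe. The page states only that
# "Delete entire message" outranks "Log only"; the full ordering here is an
# assumption made for this example.
SEVERITY = [
    "Log only",
    "Save to folder",
    "Add tag to beginning of subject line",
    "Quarantine attachment/message body and replace with text",
    "Delete attachment/message body and replace with text",
    "Delete entire message",
]


@dataclass
class Rule:
    name: str
    priority: int                 # 1 = top of the Rule prioritization window
    action: str                   # one of SEVERITY
    terms: list                   # Content list: typed terms plus match-list terms
    match_all: bool = False       # "Match all terms" instead of "Match any term"
    unless_terms: list = field(default_factory=list)  # UNLESS exception terms
    tag: str = ""                 # subject-line tag used by the tagging action
    enabled: bool = True


def violates(rule: Rule, text: str) -> bool:
    """Content condition of one rule: match any/all of the terms, then drop
    the violation if any UNLESS term is present. Terms are literal strings
    compared in the 'Contains' sense, ignoring case (assumed defaults)."""
    haystack = text.lower()
    hits = [t.lower() in haystack for t in rule.terms]
    matched = all(hits) if rule.match_all else any(hits)
    excepted = any(t.lower() in haystack for t in rule.unless_terms)
    return matched and not excepted


def disposition(rules: list, text: str):
    """Evaluate every enabled rule. Among the violated rules apply the most
    severe action; when several share that action, the highest-priority
    rule (lowest priority number) wins. Returns the winning Rule or None."""
    violated = [r for r in rules if r.enabled and violates(r, text)]
    if not violated:
        return None
    return max(violated, key=lambda r: (SEVERITY.index(r.action), -r.priority))


def subject_after_rules(rules: list, subject: str, body: str) -> str:
    """Reproduce the Rule C / Rule D tie-break from the text: only the
    winning rule's tag is prepended to the subject line."""
    winner = disposition(rules, body)
    if winner and winner.action == "Add tag to beginning of subject line":
        return f"{winner.tag} {subject}"
    return subject
```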

To prioritize content filtering rules

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 In the sidebar under Tasks, click Prioritize rules.

More than one rule must be enabled to prioritize rules.

4 In the Rule prioritization window, click a rule to select it.

5 Click Move up or Move down until the rule is at the priority that you want.

Rules are prioritized from top to bottom, with the top being the highest priority.


6 Click OK.

7 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Deleting a content filtering rule

You can delete a content filtering rule when it is no longer needed.

To delete a content filtering rule

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 In the content area, in the Content filtering rules table, select the rule that you want to delete.

4 In the sidebar under Tasks, click Delete rule.

5 In the confirmation dialog box, click OK.

6 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Refreshing the Active Directory groups cache

Symantec Mail Security refreshes the Active Directory group cache when you create or edit a content filtering rule. You should manually update the cache if you modify the users in an Active Directory group that is used in a content filtering rule.

For example, you create a content filtering rule that applies to the Active Directory group Executives. After you deploy your changes, Symantec Mail Security updates the groups cache. Then you add a person to the Executives group. You must update the Active Directory groups cache so that the rule applies to the person that you just added to the group.

To update the Active Directory group cache, you must have access to Active Directory or be logged onto a client in the Active Directory domain.

To refresh the Active Directory groups cache

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click Content Filtering Rules.

3 In the sidebar under Tasks, click Update Active Directory groups cache now.

4 In the Operation Status window, click Close when the operation is complete.


How to enforce email attachment policies

Symantec Mail Security contains the following default rules that let you enforce email attachment policies:

File Name Rule

Lets you filter attachments by file name.

See “Blocking attachments by file name” on page 170.

Multimedia File Rule

Lets you block certain multimedia files, such as video and music files.

See “Configuring multimedia file detection” on page 172.

Executable File Rule

Lets you block executable files.

See “Configuring executable file detection” on page 175.

Blocking attachments by file name

You can filter files by file name to protect your network during an outbreak. For example, in the case of a new email-borne threat, if you know the file name of the infected attachment, you can use this information to block any infected email messages.

You can configure Symantec Mail Security to match words and phrases that are in a match list against the names of files. Names of both noncontainer files (individual files without embedded files) and container files (files with embedded files) are examined.

If a match is found, the prohibited file is blocked. If the prohibited file is within a container file, the entire container file is blocked.

For example, if an incoming .zip file named sample.zip contains three executable files (a.exe, b.doc, and c.bat), sample.zip would be blocked if any of the following occurs:

■ The match list contains one of the literal strings: sample.zip, a.exe, b.doc, or c.bat

■ The match list contains one of the DOS wildcard expressions: *.zip, *.exe, *.doc, or *.bat

■ The match list contains one of the regular expressions: sample\.\w{3}, a\.\w{3}, b\.\w{3}, or c\.\w{3}

See “Working with match lists” on page 154.
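As an added example (not the product's own code), the Python below translates DOS wildcard expressions into the equivalent regular expressions from Table 8-4 and then applies a match list of each type to the sample.zip container described above, blocking the whole container on any hit. Case-insensitive matching and the 'Contains' sense for literal entries are assumptions made here.

```python
import re


def dos_wildcard_to_regex(expr: str) -> str:
    r"""Translate a DOS wildcard expression into the equivalent regular
    expression from Table 8-4: '*' -> '.*', '?' -> '[^\.]', '.' -> '\.',
    and the whole-expression form '*.' -> '[^\.]+\.?' (a name without a
    period that may end with one). Any other character is matched literally."""
    if expr == "*.":
        return r"[^\.]+\.?"
    parts = []
    for ch in expr:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(r"[^\.]")
        elif ch == ".":
            parts.append(r"\.")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def name_matches(entry: str, match_type: str, file_name: str) -> bool:
    """Test one match-list entry against one file name. Wildcard entries
    must match the whole name and literal entries are compared in the
    'Contains' sense; both ignore case (assumptions of this example).
    Regular expressions are searched anywhere in the name."""
    if match_type == "literal":
        return entry.lower() in file_name.lower()
    if match_type == "wildcard":
        return re.fullmatch(dos_wildcard_to_regex(entry), file_name,
                            re.IGNORECASE) is not None
    if match_type == "regex":
        return re.search(entry, file_name) is not None
    raise ValueError(f"unknown match type: {match_type}")


def blocked_by_file_name_rule(container: str, embedded: list,
                              match_list: list, match_type: str):
    """File Name Rule logic as the page describes it: the container name and
    every embedded file name are examined, and a hit on any of them blocks
    the entire container. Returns the first matching name, or None."""
    for name in [container, *embedded]:
        if any(name_matches(entry, match_type, name) for entry in match_list):
            return name
    return None


# Constructed sample mirroring the page's example: sample.zip containing
# a.exe, b.doc and c.bat.
SAMPLE_CONTAINER = "sample.zip"
SAMPLE_EMBEDDED = ["a.exe", "b.doc", "c.bat"]
```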


To block attachments by file name, do the following:

■ Enable the File Name Rule.

■ Select the match list that contains the file name attachments that you want detected. You can create or modify match lists when you modify the File Name Rule.

You can only select one match list.

■ Specify the action to take if a violation is detected, who to notify of the violation, and the notification message text.

To enable the File Name Rule

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click File Filtering Rules.

3 In the content area, in the File Filtering Rules table, on the File Name Rule row, click the field under the Enabled column, and then click Enabled.

This rule is disabled by default.

To select an existing match list that does not need to be modified

1 In the File Filtering Rules preview pane, click Select.

2 In the Select a match list window, in the Name table, select the match list, and then click Select.

To create a match list or modify an existing match list

1 In the File Filtering Rules preview pane, click Select.

2 In the Select a match list window, do one of the following:

■ To modify an existing match list, select the match list, and on the toolbar, click Edit match list.

■ To create a new match list, on the toolbar, click Add match list.

See “Working with match lists” on page 154.

3 Under Filter, type the file attachment names that you want to add to the match list.

4 Click OK.

5 In the Select a match list window, click Select to select the match list that you just created or modified.


To specify the action to take if a violation is detected

1 In the File Filtering Rules preview pane, in the Action to take list, select one of the following:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

■ Log only

2 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message.

See “About alert and notification variables” on page 225.

3 Check one or more of the following to send email notifications about the detection:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

4 Next to each of the items that you selected, click the down arrow and do the following:

■ In the Subject line box, type your customized text.

■ In the Message body box, type your customized text.

See “About alert and notification variables” on page 225.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring multimedia file detection

Your organization might want to prohibit users from receiving email messages that contain multimedia file attachments, such as music and video files. When you enable the Multimedia File Rule, Symantec Mail Security detects the supported file extensions and types and takes the actions that you specify. Blocking multimedia file attachments not only helps your organization enforce content policies, it also conserves scanning and file storage resources.


Symantec Mail Security can determine if a file is a true multimedia file by analyzing the file contents, rather than just looking at the file name extension. If the file is a multimedia file, Symantec Mail Security takes the actions that you specify when you enable the Multimedia File Rule.

Note: Symantec Mail Security can determine the true file type of a well-formed binary file. The true file type of a binary file variant cannot always be accurately determined.

If you want to enhance multimedia file detection, you can create a content filtering rule that uses the Sample Multimedia File Names match list. When you enable the rule, Symantec Mail Security detects messages with the attachment extensions that are listed in the Sample Multimedia File Names match list and takes the actions that you specify. It does not perform an analysis to determine true file type.

See “About configuring a content filtering rule” on page 160.

Table 8-6 lists the multimedia file types that Symantec Mail Security supports (this list cannot be modified).

Table 8-6 Supported multimedia file types

File type | File extension

Amiga MED/OctaMED Tracker Module Sound File | *.MED

AU Audio File | *.AU

Audacity Audio Block | *.AU

Audio Interchange File | *.AIFF, *.AIFC

Audio Video Interleave File | *.AVI

Impulse Tracker Music Module | *.IT

Microsoft Windows Media File | *.WMV

MPEG AlbumWrap Wrapped Music File Archive | *.MP3

MPEG Movie Clip | *.MPEG

MultiTracker Music Module | *.MTM

Musical Instrument Digital Interface | *.MIDI

Postscript File | *.PS

QuickTime Video Clip | *.QT, *.MOV

RealMedia File | *.RA

Scream Tracker Music Interface Kit Song/Module | *.STX

ScreamTracker v3 Sound File | *.S3M

Shorten Audio Compression File | *.SHN

Waveform Audio | *.WAV

To configure multimedia file detection

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click File Filtering Rules.

3 In the content area, in the File Filtering Rules table, click Multimedia File Rule.

4 In the content area, in the Content Filtering Rules table, on the Multimedia File Rule row, click the field under the Enabled column, and then click Enabled.

5 In the information dialog box, click OK.

6 In the preview pane, in the Action to take list, select one of the following to specify the action to take when a multimedia file is detected:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

This is the default option.

■ Log only

7 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message.

See “About alert and notification variables” on page 225.

8 Check one or more of the following to send email notifications about the detection:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

9 Next to each of the items that you selected, click the down arrow and do the following:

■ In the Subject line box, type your customized text.

■ In the Message body box, type your customized text.

See “About alert and notification variables” on page 225.

10 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring executable file detection

Risks are only found in file types that contain executable code. You can enhance threat detection by identifying executable files. When you enable the Executable File Rule, Symantec Mail Security detects executable files and takes the actions that you specify.

Symantec Mail Security can determine if a file is a true executable file by analyzing the file contents, rather than just looking at the file name extension. If the file is an executable file, Symantec Mail Security takes the actions that you specify when you enable the Executable File Rule.

Note: Symantec Mail Security can determine the true file type of a well-formed binary file. The true file type of a binary file variant cannot always be accurately determined.

If you want to enhance executable file detection, you can create a content filtering rule that uses the Sample Executable File Names match list. When you enable the rule, Symantec Mail Security detects messages with the attachment extensions that are listed in the Sample Executable File Names match list and takes the actions that you specify. It does not perform an analysis to determine true file type.

See “About configuring a content filtering rule” on page 160.

The Executable File Rule recognizes X86 32-bit Windows/DOS *.EXE executables.
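The multimedia and executable sections above both draw the same distinction: a File Filtering Rule inspects file contents, while a content filtering rule built on a file-name match list inspects only the extension. The following added example (not Symantec's code) models both checks side by side: a PE32 x86 header walk for the executable case, a few container signatures for the multimedia case, and an extension lookup against a constructed match list. The signatures, the sample extension sets and the minimal header blobs are this example's own assumptions, not the product's detection logic.

```python
import os
import struct

# Constructed stand-ins for the Sample Executable/Multimedia File Names lists.
SAMPLE_EXECUTABLE_NAMES = {".exe"}
SAMPLE_MULTIMEDIA_NAMES = {".mp3", ".wav", ".avi", ".mov", ".wmv", ".mpeg", ".midi"}

IMAGE_FILE_MACHINE_I386 = 0x014C  # COFF Machine value for x86 32-bit images
PE32_MAGIC = 0x010B               # optional-header magic for PE32 (32-bit)


def is_x86_pe32_executable(data: bytes) -> bool:
    """True only for a well-formed 32-bit x86 PE image.

    Walks DOS header -> e_lfanew -> PE signature -> COFF Machine -> optional
    header magic. Any truncation or inconsistency yields False, which mirrors
    the guide's caveat that a malformed binary variant may not be typed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need PE\0\0 (4) + COFF header (20) + optional-header magic (2) to fit.
    if e_lfanew + 26 > len(data):
        return False
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC


def multimedia_type(data: bytes):
    """Return a container name for a few well-known multimedia formats, else None."""
    if len(data) >= 12 and data[:4] == b"RIFF":
        if data[8:12] == b"WAVE":
            return "wav"
        if data[8:12] == b"AVI ":
            return "avi"
    if len(data) >= 12 and data[:4] == b"FORM" and data[8:12] in (b"AIFF", b"AIFC"):
        return "aiff"
    if data[:4] == b".snd":
        return "au"
    # ID3 tag or an MPEG audio frame sync (11 set bits) at the very start.
    if data[:3] == b"ID3" or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    return None


def content_verdict(data: bytes) -> str:
    """Classification by content, the way a File Filtering Rule works."""
    if is_x86_pe32_executable(data):
        return "executable"
    if multimedia_type(data):
        return "multimedia"
    return "unknown"


def extension_verdict(filename: str) -> str:
    """Classification by extension only, the way a match-list rule works."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in SAMPLE_EXECUTABLE_NAMES:
        return "executable"
    if ext in SAMPLE_MULTIMEDIA_NAMES:
        return "multimedia"
    return "unknown"


def evaluate(filename: str, data: bytes) -> dict:
    """Both verdicts for one attachment, so the two rule kinds can be compared."""
    return {"extension": extension_verdict(filename), "content": content_verdict(data)}


def minimal_pe32_image() -> bytes:
    """Constructed: just enough header to be recognised; not a runnable program."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff + struct.pack("<H", PE32_MAGIC)


def minimal_wav() -> bytes:
    """Constructed RIFF/WAVE header with no audio data."""
    return b"RIFF" + struct.pack("<I", 4) + b"WAVE"


if __name__ == "__main__":
    pe = minimal_pe32_image()
    for name, blob in [("update.exe", pe), ("report.txt", pe),
                       ("tool.exe", b"just text"), ("song.mp3", minimal_wav()),
                       ("notes.doc", pe[:40])]:
        print(f"{name:12} {evaluate(name, blob)}")
```

A renamed executable (report.txt) is caught only by the content check, a text file named tool.exe only by the match list, and the truncated header is reported as unknown rather than guessed.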

To configure executable file detection

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Content Enforcement, click File Filtering Rules.

3 In the content area, in the File Filtering Rules table, on the Executable File Rule row, click the field under the Enabled column, and then click Enabled.

This rule is disabled by default.


4 In the information dialog box, click OK.

5 In the preview pane, in the Action to take list, select one of the following to specify the action to take when an executable file is detected:

■ Delete entire message

■ Delete attachment/message body and replace with text

■ Quarantine attachment/message body and replace with text

This is the default option.

■ Log only

6 In the Replacement text box, type your customized message if you are replacing the message or attachment body with a text message.

See “About alert and notification variables” on page 225.

7 To send email notifications about the detection, check one or more of the following:

■ Notify administrators

■ Notify internal sender

■ Notify external sender

8 Next to each of the items that you selected, click the down arrow and do the following:

■ In the Subject line box, type your customized text.

■ In the Message body box, type your customized text.

See “About alert and notification variables” on page 225.

9 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Chapter 9

Scanning your Exchange servers for threats and violations

This chapter includes the following topics:

■ About the scanning process

■ Configuring auto-protect scanning

■ About manual scans

■ About scheduling a scan

■ Configuring notification settings for scan violations

About the scanning process

To detect risks, spam, and content filtering rule violations, you can perform the following types of scans:

Auto-protect scans

When enabled, auto-protect scanning runs constantly. In this mode, Symantec Mail Security scans and detects threats and violations in real-time. Auto-protect scans apply to everything on the Exchange server (that is, items in all public folders and mailboxes and messages that are processed by the Microsoft Exchange SMTP service). Auto-protect scanning applies to all policies.

See “Configuring auto-protect scanning” on page 179.

Manual scans

A manual scan is an on-demand scan of public folders and mailboxes. Manual scanning applies to all policies, except antispam. You can specify which file folders and mailboxes to scan during a manual scan. You can also specify the content filtering rules that you want enabled for the manual scan.

See “About manual scans” on page 180.

Scheduled scans

Scheduled scans run unattended, usually at off-peak periods. Scheduled scanning applies to all policies, except antispam. You can specify which file folders and mailboxes to scan during a scheduled scan. You can also specify the content filtering rules that you want enabled for the scheduled scan.

See “About scheduling a scan” on page 183.

When Symantec Mail Security detects a security risk or a violation during a scan, it takes the action that you specify for that policy. For example, when a threat is detected, Symantec Mail Security takes the action that you specify in the Antivirus Settings policy.

Configuring auto-protect scanning

Auto-protect scanning provides continuous risk, spam, and content filtering rule violation detection. When you enable auto-protect scanning, Symantec Mail Security scans email messages as they pass through the Exchange server. Infected message bodies and attachments, spam messages, and content filtering rule violations are detected on a real-time basis, based on the settings that you enable and configure.

When background scanning is enabled, Microsoft Exchange creates a background thread for each message database in the Exchange store. These threads run at a lower priority to minimize the impact on other Exchange server actions. As each thread reads through the messages in the database, it detects the messages that have not been scanned by the latest definitions and scans them with Symantec Mail Security. This is useful if you have updated your definitions and need to re-scan the entire store with these new definitions.

When you select the “On virus definition update, force rescan before allowing access to information store” setting for auto-protect scanning, Microsoft Exchange does not allow access to any messages in the store until Symantec Mail Security re-scans them.

Warning: The “Scan message bodies” option is enabled by default to provide the greatest level of protection. If you disable this option, Symantec Mail Security can not detect risks in inbound message bodies nor scan message bodies for content filtering rules as they pass through the Exchange server.

To configure auto-protect scanning

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, click Auto-Protect.

3 In the content area, check any of the following auto-protect options that you want to enable:

■ Enable Auto-protect

■ Enable background scanning

■ On virus definition update, force rescan before allowing access to information store

■ Scan message bodies

■ Virus scan messages during SMTP transport

4 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

About manual scans

You can perform manual scans when you want to scan messages for specific purposes. For example, you can create a content filtering rule to detect a particular category of subject-line violations that are associated with a new threat, and then run the scan immediately.

To perform a manual scan, do the following:

■ Configure the manual scan parameters.

You can configure basic scanning options and specify the mailboxes and public folders that you want to scan. You can also enable content filtering scanning and enable the content filtering rules that you want to apply to the scan.

See “Configuring the manual scan parameters” on page 180.

■ Run the manual scan.

See “Running a manual scan” on page 182.

■ View the manual scan results.

See “Viewing manual scan results” on page 183.

Configuring the manual scan parameters

Before you run a manual scan, you must configure the parameters for the scan. When you deploy your changes, the parameters remain the same until you change them.

Symantec Mail Security lets you specify the following parameters for a manual scan:

Basic scanning options

Basic scanning options include the following:

■ The number of minutes that the scan should run. When the next scan is performed, it starts where the prior scan left off.

■ Whether to scan only items that have been modified since the last scan. Scanning only items that have been modified decreases overall scanning time.

■ Whether to scan message bodies. Scanning message bodies increases the overall scanning time.

Scan location

You can specify the mailboxes and public folders that you want included in or excluded from the scan. This option is not available if you are in a group view.

Content filtering

Content filtering scanning is enabled by default, but you can disable the feature. If content filtering is enabled, you must also enable the rules that you want to apply to the scan.

To configure basic scanning options

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, click Manual Scan.

3 Under Tasks, click Edit manual scan.

4 In the Manual scan wizard, under Scan Options, check one or more of the following:

■ Stop scanning after __ minutes.

If you select this option, type the number of minutes you want the scan to run.

The default value is 120.

■ Only scan items modified since last scan.

■ Scan message bodies.

5 Click Next.

To configure the scan location

1 Under Scan Location, to specify mailboxes to scan, select one of the following:

■ All mailboxes: Scans all mailboxes. This option is enabled by default.

■ Exclude mailboxes: No mailboxes are scanned.

■ Specific mailboxes: Only the mailboxes that you select in the Mailboxes list are scanned.

2 To specify public folders to scan, select one of the following:

■ All public folders: Scans all public folders. This option is enabled by default.

■ Exclude public folders: No public folders are scanned.

■ Specific public folders: Only the public folders that you select in the Public Folders list are scanned.

3 Click Next.

To disable content filtering scanning

1 Uncheck Enable content filtering.

This option is enabled by default.

2 Click Finish.

3 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

To enable content filtering scanning

1 Check Enable content filtering.

This option is enabled by default.

2 Do any of the following:

■ To add a new content filtering rule, on the toolbar, click Add new rule.

■ To modify an existing content filtering rule, on the toolbar, click Edit rule.

■ To delete an existing content filtering rule, click Delete rule.

See “About configuring a content filtering rule” on page 160.

3 Click the field under the Enable column and select Enable to enable the rules that you want to apply to the scan.

4 Click Finish.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Running a manual scan

After you configure the manual scan parameters, you can perform the manual scan.

See “Viewing manual scan results” on page 183.

To run a manual scan

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, click Manual Scan.

3 Under Tasks, click Run now.

To stop the scan before it finishes, in sidebar under Tasks, click Stop.

4 In the Operation Status window, click Close when the operation is complete.

Viewing manual scan results

The Manual Scan page shows the results of the most recent manual scan.

To view scan results

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, select Manual Scan.

3 Press F5 to refresh the page.

This process might take several minutes for large server groups.

About scheduling a scan

In addition to auto-protect scanning and manual scanning, you can schedule scans to look for different types of policy violations.

See “Creating a scheduled scan” on page 183.

See “Editing a scheduled scan” on page 184.

See “Configuring scheduled scan options” on page 184.

See “Enabling a scheduled scan” on page 187.

See “Deleting a scheduled scan” on page 187.

Creating a scheduled scan

You can create as many scheduled scans as you need. When you create a scheduled scan, it is disabled by default. You must enable the scan so that it runs according to the schedule that you specify.

See “Enabling a scheduled scan” on page 187.

To create a scheduled scan

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, select Scheduled Scans.

3 Under Tasks, click Add new scan.

4 Configure the scheduled scan options.

See “Configuring scheduled scan options” on page 184.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Editing a scheduled scan

You can modify an existing scheduled scan as needed. You must enable the scan so that it runs according to the schedule that you specify.

See “Enabling a scheduled scan” on page 187.

To edit a scheduled scan

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, select Scheduled Scans.

3 In the content pane, do one of the following:

■ Select the scheduled scan that you want to modify, and in the sidebar under Tasks, click Edit scan.

■ Under the Name column, double-click the scheduled scan that you want to modify.

4 Modify the scheduled scan options as needed.

See “Configuring scheduled scan options” on page 184.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring scheduled scan options

Symantec Mail Security provides a wizard that guides you through the process of configuring a scheduled scan.

After you configure the scheduled scan options, you must enable the scan so that it runs according to the schedule that you specify.

See “Enabling a scheduled scan” on page 187.

You can configure the following scheduled scan options:

■ Name of the scan and the basic scan options

■ Mailboxes and public folders that you want to scan

■ Content filtering rules that you want to apply to the scan

■ Scan schedule

To configure basic scanning options

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, select Scheduled Scans.

3 Do one of the following:

■ To create a new scan, in the sidebar under Tasks, click Add new scan.

■ To modify an existing scan, in the content area, under the Name column, double-click the scan that you want to modify.

4 In the Scan name box, type the name for the scan.

This option is only available if you are creating a new scheduled scan.

5 Under Scan Options, check Stop after scanning ___ minutes to limit the amount of time for the scan, and then type the maximum scanning time in minutes.

If Symantec Mail Security reaches this limit, it stops scanning. The next scheduled scan starts where the previous scan stopped.

6 Check Only scan items modified since last scan to exclude items that have not changed since the last scan.

7 Check Scan message bodies to scan message bodies.

8 Click Next.

To select what to scan

1 Under Scan Location, to specify mailboxes to scan, select one of the following:

■ All mailboxes: Scans all mailboxes. This option is enabled by default.

■ Exclude mailboxes: No mailboxes are scanned.

■ Specific mailboxes: Only the mailboxes that you select in the Mailboxes list are scanned.

2 To specify public folders to scan, select one of the following:

■ All public folders: Scans all public folders. This option is enabled by default.

■ Exclude public folders: No public folders are scanned.

■ Specific public folders: Only the public folders that you select in the Public Folders list are scanned.

3 Click Next.


To scan for content filtering rules

1 Click Enable content filtering to enable content filtering rule scanning for the scheduled scan.

2 Do any of the following:

■ To add a new content filtering rule, on the toolbar, click Add new rule.

■ To modify an existing content filtering rule, on the toolbar, click Edit rule.

■ To delete an existing content filtering rule, click Delete rule.

See “About configuring a content filtering rule” on page 160.

3 Click the field under the Enable column and select Enable to enable the rules that you want to apply to the scan.

4 Click Next.

To specify the scanning schedule

1 In the Time of day to run box, select the time of day that you want Symantec Mail Security to perform the scan (in 24-hour format).

2 Under Days to run on, check the days of the week that you want the scan to run.

3 Under Dates of the month to run on, select any of the following:

■ 1st: The scan runs on the first day of each month.

■ 15th: The scan runs on the 15th day of each month.

■ End of the month: The scan runs on the last day of each month.

4 Check Run scan at service start to perform a scan when the service starts.

Do not enable the Run scan at service start option in a cluster environment.

5 Check Run scan when virus definitions change to perform a scan when new definitions are received.

Leave this feature disabled if you update definitions at hourly intervals. If this option is enabled, the scheduled scan runs each time definitions are updated. Because definitions are delivered hourly, the scan might not complete before new definitions are available. This can impact overall mail throughput.

See “Scheduling definition updates” on page 221.


6 Click Finish.

7 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Enabling a scheduled scan

After you create or modify a scheduled scan, you must enable the scan so that it runs according to the schedule that you specify. Scheduled scans are disabled by default.

To enable a scheduled scan

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, select Scheduled Scans.

3 In the content pane, select the scheduled scan that you want to enable.

4 Click the field under the Enabled column, and then click Enabled.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Deleting a scheduled scan

You can delete a scheduled scan when it is no longer needed.

To delete a scheduled scan

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, click Scheduled Scans.

3 Select the scan that you want to delete.

4 In the sidebar under Tasks, click Delete scan.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring notification settings for scan violations

When you configure notification and alert settings, you specify the administrators, users, or computers that should receive email notifications. Restrict the issuing of alerts to a small list of interested administrators to avoid unnecessary interruptions.

Email notifications can be issued when a Symantec Mail Security scan detects a policy violation or an outbreak. An alert can also be sent to notify an administrator when a server experiences a critical service failure.

Note: Email notifications are sent only to names and addresses that can be resolved against Active Directory objects.

You specify the subject line and message text for each type of notification message when you configure policies and rules.

To configure notification settings for scan violations

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Notification/Alerts Settings.

3 In the content area, under Email notifications, in the Address of sender to use in email notification box, type the email address of the sender that you want to use for email notifications.

4 In the Administrators or others to notify box, type the email addresses of administrators and users to notify.

Separate each entry by commas. If you are including an email address that is not within your domain, type the fully qualified email address (for example, [email protected]).

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Chapter 10

Managing outbreaks

This chapter includes the following topics:

■ About outbreak management

■ Enabling outbreak management

■ Configuring outbreak triggers

■ Configuring outbreak notifications

■ Clearing outbreak notifications

About outbreak management

An outbreak situation occurs when an excessive number of threats or events that exhibit virus-like behavior occur on a network. When an outbreak occurs, prompt identification of the situation and notification of administrative staff is critical.

Symantec Mail Security lets you manage outbreaks by doing the following:

■ Enable Outbreak Management.

See “Enabling outbreak management” on page 192.

■ Specify the criteria for an outbreak.

The criteria consist of the number of times that an event must occur during a specified time interval.

See “What defines an outbreak” on page 190.

See “About outbreak triggers” on page 191.

See “Configuring outbreak triggers” on page 193.


■ Define the email notifications to send to the administrator when an outbreak is detected.

See “Configuring outbreak notifications” on page 194.

■ End the outbreak event after the situation is managed.

See “Clearing outbreak notifications” on page 195.

What defines an outbreak

When defining an outbreak, you must specify the number of occurrences of an event that must occur within a specified time frame. Although there are no standard numbers to use when specifying frequencies, take into consideration the following:

■ Threat potential of the event category that is being monitored

■ Size of your mail system

■ Amount of mail that is typically processed

■ Stringency with which you want to define an outbreak

Symantec Mail Security monitors your server at regular intervals to detect outbreaks (the default setting is every 2 minutes). When Symantec Mail Security checks your server for outbreaks, it checks the events that occurred within the specified period of time (the default setting is 20 minutes). If Symantec Mail Security detects an outbreak, it issues an outbreak notification.

For example, assume that you enable outbreak management, configure Symantec Mail Security to monitor for outbreaks every 2 minutes, and enable the “Same virus” outbreak trigger using the default configuration.

Figure 10-1 provides an explanation of the events that would occur if Symantec Mail Security detects 50 messages that contain the Eicar virus at 1:05 P.M. and 50 messages that contain the Eicar virus at 1:19 P.M.


Figure 10-1 Example of an outbreak event

About outbreak triggers

The set of defining criteria for an outbreak is called an outbreak trigger. Each outbreak trigger only monitors one type of event and defines an outbreak as the frequency of the specified event within a given time period.

For example, one outbreak trigger could be defined as the occurrence of 50 or more unscannable files within one hour. Another outbreak trigger could be defined as 30 or more filtering rule violations within 15 minutes.


If you enable multiple outbreak triggers and a message is received that violates more than one, Symantec Mail Security goes into outbreak mode and stops looking for additional outbreaks. Only one outbreak rule is triggered.

Outbreak triggers apply to auto-protect scans only.

See “Configuring outbreak triggers” on page 193.

Enabling outbreak management

Outbreak management is enabled by default. You can specify the interval during which you want Symantec Mail Security to check for outbreaks. By default, the interval is set to every two minutes.

Note: At least one outbreak trigger must be enabled for outbreak management to work.

See “Configuring outbreak triggers” on page 193.

To enable outbreak management

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under General, click Outbreak.

3 In the content area under Outbreak, check Enable Outbreak Management.

This option is enabled by default.

4 In the Check for Outbreaks every ___ minutes box, type the interval in minutes that you want Symantec Mail Security to monitor your server for outbreaks.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring outbreak triggers

Symantec Mail Security provides the following outbreak triggers:

■ Same attachment name

■ Same subject

■ Same virus

■ Unrepairable viruses

■ Unscannable files

■ Filtering violations

■ Total viruses

You can enable or disable the triggers. You can also modify the number of occurrences for a violation and the span of time in which the events must occur to constitute an outbreak. You can specify whether to notify an administrator when an outbreak occurs.

See “Configuring outbreak notifications” on page 194.

When you enable outbreak management, you can also configure Symantec Mail Security to automatically add the names of outbreak triggered attachments to the Outbreak Triggered Attachment Names match list and outbreak triggered subject text to the Outbreak Triggered Subject Lines match list. Symantec Mail Security uses these match lists for pre-configured content filtering rules that automatically block suspicious file attachments or subjects. You can also use these match lists to create your own content filtering rules.

See “Working with content filtering rules” on page 157.

To configure outbreak triggers

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under General, click Outbreak.

3 In the content area, in the table, select the trigger that you want to modify.

The trigger that you select is highlighted in blue.

4 In the Enable column, click the drop-down menu, and select Enabled or Disabled.

5 In the Occurrences column, type the number of instances that must occur to constitute an outbreak.

The default value is 100.


6 In the Time column, type the span of time in which the instances must occur to constitute an outbreak.

The default value is 20.

7 In the Units column, click the drop-down menu, and select one of the following:

■ Minutes

This is the default setting.

■ Hours

■ Days

8 In the Notify Administrator column, check the box if you want to notify an administrator of the outbreak.

See “Configuring outbreak notifications” on page 194.

9 In the Update Match List column, check the box if you want to automatically add the attachment name or subject to the Outbreak Triggered Names match list or Outbreak Triggered Subjects match list. The trigger must be activated.

This option is only available for the Same attachment name and Same subject triggers.

See “Working with match lists” on page 154.

10 In the Rule column, click View Rule to view or modify the associated content filtering rule.

This option is only available for the Same attachment name and Same subject triggers.

See “Working with content filtering rules” on page 157.

11 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Configuring outbreak notifications

When you configure outbreak management settings, you can customize the notification subject line and message text that is sent to the administrator. You can use variables to customize your text.

See “What defines an outbreak” on page 190.

See “About alert and notification variables” on page 225.

To configure outbreak notifications

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under General, click Outbreak.


3 In the content area, in the preview pane, under Initial Notification, in the Subject Line box, type your customized subject line text.

4 In the Message Body box, type your customized message body text.

5 Under Subsequent Notifications, in the Subject Line box, type your customized subject line text.

6 In the Message Body box, type your customized message body text.

7 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Clearing outbreak notifications

During an outbreak, subsequent notifications are sent based on the Time and Units interval that you specify until the outbreak is no longer in effect. You can end subsequent outbreak notifications by clearing the current outbreak.

See “Configuring outbreak triggers” on page 193.

See “Configuring outbreak notifications” on page 194.

To clear outbreak notifications

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under General, click Outbreak.

3 Under Tasks, click Clear current outbreak.


Chapter 11

Logging events and generating reports

This chapter includes the following topics:

■ About logging events

■ About report templates

■ What you can do with reports

About logging events

Symantec Mail Security logs events to the following locations:

Windows Application Event Log

Server events and policy violations are reported in the Windows Application Event Log. Symantec Mail Security provides an Event Log that lets you view Windows Application Event Log entries in chronological order with the most current event at the top. The event log displays information, warning, and error events.

See “Viewing the Symantec Mail Security Event log” on page 198.

Symantec Mail Security Reports database

Symantec Mail Security logs extensive report data on threats, security risks, content violations, spam, and server information to a reports database. You can use this data to generate summary or detailed reports based on different subsets of the data. When you define a report, you specify criteria such as the time span of the collected data, whether to show specific violations or all violations, and the output format of the report.

See “About report templates” on page 201.

You can specify how long Symantec Mail Security maintains data in the Reports database. You can also purge the database at any time.

See “Specifying the duration for storing data in the Reports database” on page 200.

See “Purging the Reports database” on page 201.

Symantec Enterprise Security Architecture (SESA)

If you have installed SESA, you can enable SESA alerts. Although SESA is not part of Symantec Mail Security, it logs information, such as threat detection and content enforcement violations, across an entire organization. Selecting Enable SESA Logging enables the reporting of security events to the SESA Manager, where the events are sent to the SESA DataStore.

When Enable SESA Logging is selected, you specify the IP address of the SESA server, which sends events to a designated SESA Manager computer.

See “About SESA” on page 227.

Viewing the Symantec Mail Security Event log

Symantec Mail Security reports server events and policy violations (such as threat detections and content filtering rule policy violations) to the Windows Application Event Log. You can access the Windows Application Event Log on the computer on which Symantec Mail Security is installed. For more information about how to access and use the Windows Application Event Log, see the documentation for your Exchange server.

The Symantec Mail Security Event Log lets you view and sort event data that is generated by Symantec Mail Security and written to the Windows Application Event Log. You can filter event data by categories. You can also select a start date from which to begin displaying event data. When you select an event in the Event Log table, details about the event appear in the preview pane.

The Symantec Mail Security Event Log displays the 5000 most recent Symantec Mail Security events from the Windows Application Event Log, per server. For example, if your group contains five servers, the event log can display up to 25,000 events.


The Event Log displays the following information:

Server: Name of the server on which the event occurred

Timestamp: Date and time the event occurred

Severity: Severity categories are Warning, Information, and Error

Category: Categories are as follows:

■ Auto-Protect

■ Content Filtering Engine

■ Content Filtering Rules

■ Encrypted

■ Error

■ Licensing

■ LiveUpdate/Rapid Release

■ Manual and Scheduled Scanning

■ Outbreak Management

■ Quarantine

■ Scanning

■ Service

■ Spam Filter Engine

■ Symantec Premium AntiSpam

■ Threat/Security Risk

■ Unscannable

■ VSAPI

Message: Description of the event

The Event Log does not refresh automatically. You must press F5 to refresh the display with the most recent list of events.

You can view the Symantec Mail Security Event Log from the console. You can sort and filter events by different criteria.

In group view, if the Event Log is blank, you can manually refresh the page. You can also refresh the page in a group or server view to view the most recent events. In a large group, refreshing the page might take several minutes.

To view the Symantec Mail Security Event Log

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Event Log.

3 Click the column headers to sort the list data by different criteria.


To populate and refresh the Symantec Mail Security Event Log

◆ Press F5.

To filter the Symantec Mail Security Event Log

1 Under the Event Log table, in the Number of items per page list, select a number of items that you want to view per page.

The default value is 10.

2 In the List field, select a category on which to filter the event data.

3 In the entries since list, select a start date from which to begin displaying event data.

4 Click Display to show the filtered data.

Specifying the duration for storing data in the Reports database

Symantec Mail Security stores data on threat detection, definitions, spam, policy violations, scanning, and server events in a Reports database. You can use this data to generate reports that include subsets of this data.

You can configure Symantec Mail Security to retain this data for the period of time that you specify. Once the data is removed, it cannot be used in reports. For example, assume that you configure Symantec Mail Security to retain data for six months. If you generate a report for the past year, only the data for the most recent six months appears in the report.

Symantec Mail Security provides a separate option to include spam data. Selecting this option increases the time that is required to generate reports, which could affect system performance. Consider using this option short-term (for example, a few weeks) to evaluate spam-related issues.

See “Resetting statistics” on page 216.


To specify the duration for storing data in the Reports database

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Settings.

3 In the content area, select one of the following:

Store all data: Keeps all data indefinitely.

Store no data: No data is retained. Selecting this option means that there is no data from which to generate reports.

Store data for __ months: The data is cleared after the specified time period. If you select this option, type the number of months of data to store. The default is 12 months.

Only summary spam data is stored unless you enable the Include Spam Data option.

4 Check Include Spam Data to include all spam-related events.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Purging the Reports database

In addition to configuring the period of time that you want Symantec Mail Security to store data in the Reports database, you can purge the Reports database at any time. When you purge the Reports database, all data is removed. There is no data from which to generate a report up to the time it is purged.

To purge the Reports database

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Settings.

3 Under Tasks, click Reset database statistics.

About report templates

Report templates let you define a subset of the raw report data that is collected by Symantec Mail Security for a single server. The goal of creating a template is to describe a set of data that summarizes threats, security risks, content violations, spam, and server information, which can be saved and used to generate on-demand or scheduled reports. Report templates can include different categories or combinations of security-related statistics.


You can create different report templates to describe different subsets of the raw report data. After you create a report template, you can use it to generate reports.

Note: Reports cannot be generated with a new or updated report template until you deploy your changes.

Symantec Mail Security provides two pre-configured reports that you can modify. You can also create your own report templates. When you create or modify a report template, Symantec Mail Security provides a wizard to guide you through the configuration process.

The types of report templates that you can create are as follows:

■ Summary

See “Creating or modifying a Summary report template” on page 203.

■ Detailed

See “Creating or modifying a Detailed report template” on page 208.

About report output formats

When you generate a Summary report, the only report format option that is available is HTML. You can configure Symantec Mail Security to send copies of the report to the people that you specify. The recipients’ email client must support and permit HTML-based attachments.

If you use Outlook Express, you need to modify the following settings:

■ On the Security tab, deselect the option “Do not allow attachments to be saved or opened that could potentially be a virus.”

■ On the Read tab, deselect the option “Read all messages in plain text.”

When you generate a Detailed report, Symantec Mail Security can save the report in HTML format or comma-separated value (.csv) format. The benefits of generating reports in .csv format are as follows:

■ You can view or print the complete report data in an application, such as Microsoft Excel.

If you have Microsoft Excel on your computer, a .csv file opens automatically as an Excel spreadsheet.

■ You can import the data into a third-party reporting application to generate custom charts and reports.

See “Accessing a report” on page 212.


Creating or modifying a Summary report template

You can customize the Summary report template to contain the information that you want to include in a report.

After you create the Summary template, it appears in the Report Templates table. You can modify the template at any time.

If you configure the template to create reports on demand, you can generate the report from the Reports > Report Templates page. If you configure the template to generate a scheduled report, Symantec Mail Security automatically generates the report based on the schedule that you specify.

See “Generating a report on demand” on page 211.

Note: Symantec Mail Security does not support emailing reports that are larger than 5 MB. When Symantec Mail Security generates a report that is larger than 5 MB, it logs the event to the Windows Application Event Log. You can view the report on the Reports page.

Symantec Mail Security provides a wizard that helps you configure your report template.

To identify the report to be created or modified

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Templates.

3 Do one of the following:

Create a new Executive Summary report template: In the sidebar under Tasks, click Add new template.

Modify an existing report template: In the content pane, in the Report Templates table, double-click the template that you want to modify.

To configure the report template options

1 Under Report Template Options, in the Template name box, type a name for the report template.

This option is only available if you are creating a new report template.

2 In the Description box, type a description for the template.


3 Under Report type, click Executive summary.

When you select Executive summary, the Report format is automatically configured for HTML.

4 Check Email report to the following recipients and type one or more addresses to which the report should be delivered.

Separate entries with semicolons.

5 Click Next.

To configure the report time range

1 Under Report Time Range, in the Time range list, select the time range for the report.

The default setting is Past Day.

2 In the Start time and End time boxes, select the dates and times for the start and end of the report time range.

This option is only available if you selected the Customized time range.

To configure on demand report generation

1 Under Report Generation Option, click On demand.

2 Click Next.

To configure scheduled report generation

1 Under Report Generation Option, click Scheduled.

2 In the Generate report at list, select the time of day to generate the report.

3 Click Daily, Weekly, or Monthly.

If you select Weekly or Monthly, select the day of the week or month to generate the report.

4 Click Next.

To configure the report chart options

1 Under Report Chart Options, select any of the following:

■ Total violations chart

■ Threats and security risks chart, and then select the chart granularity.

The default setting is Week.

■ Content violation chart, and then select the chart granularity.

The default setting is Week.

■ Spam pie chart

2 Click Next.


To configure report content

1 Under Executive Summary Template Options, select the options that you want to appear in the Summary report.

Data selections are as follows:

■ Show scan summary

The data that is included in the report is as of the last time the statistics were reset.

See “Resetting statistics” on page 216.

■ Threats and security risks

Files scanned by SMTP: Total number of files that were processed by SMTP during the current reporting period

Messages scanned by SMTP: Total number of messages that were processed by SMTP during the current reporting period

Files scanned by VSAPI: Total number of files that were processed by VSAPI during the current reporting period

Total threats: Total number of threats that were detected during the current reporting period

Top threats table: Table of top threats that were detected during the current reporting period

Number to include: Number of threats to include in the Top Threats Table

Unrepairable threats: Total number of unrepairable threats that were detected during the current reporting period

Unscannable files: Total number of unscannable files that were detected during the current reporting period

Mass-mailer threats: Number of messages in which mass-mailer threats were detected during the current reporting period

Total security risks: Number of security risks that were detected during the current reporting period

■ Infection disposition

Threats repaired: Number of threats that were repaired during the current reporting period

Threats deleted: Number of threats that were deleted during the current reporting period

Threats quarantined: Number of threats that were quarantined during the current reporting period

2 Click Next.

3 Under Executive Summary Template Options, select the data that you want to appear in the Executive Summary report.

Data selections are as follows:

■ Current options

Total attachments blocked: Total number of attachments that were blocked during the current reporting period

Total content violations: Total number of messages containing inappropriate content that were detected during the current reporting period

Total multimedia/exe attachments blocked: Total multimedia/executable attachments that were blocked during the current reporting period

Total encrypted attachments blocked: Total encrypted attachments that were blocked during the current reporting period

Table of top content violations: Table of top content violations that were detected during the current reporting period

No. of items to include: Number of items to include in the Table of Top Content Violations

Table of top attachments blocked: Table of top attachments that were blocked during the current reporting period

No. of items to include: Number of items to include in the Table of Top Attachments Blocked

■ Spam options

The data that is included in the report is as of the last time the statistics were reset.

See “Resetting statistics” on page 216.

Table of top spammers: Table of top spam sources that were identified during the current reporting period

No. of items to include: Number of items to include in the Table of Top Spammers

Spam by category: Total number of spam categories that were identified during the current reporting period

SCL to consider as spam: Type an SCL level. The default value is 8.

Spam by domain: Total number of spam domains that were identified during the current reporting period

No. of items to include: Number of domains to include in the Spam by Domain list

■ Real-time blacklist options

The data that is included in the report is as of the last time the statistics were reset.

See “Resetting statistics” on page 216.

RBL rejected: Total number of messages that were rejected by Real-time blacklists

RBL total checks: Total number of messages that were checked against Real-time blacklists

4 Click Next.

5 Under Executive Summary Template Options, check Show server information.

6 Select the data that you want to appear in the Executive Summary report.

7 Click Finish.

8 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.


Creating or modifying a Detailed report template

After you create the Detailed template, it appears in the Report Templates table. You can modify the template at any time.

If you configure the template to create reports on demand, you can generate the report from the Reports > Report Templates page. If you configure the template to generate a scheduled report, Symantec Mail Security automatically generates the report based on the schedule that you specify.

See “Generating a report on demand” on page 211.

Note: When you create a Detailed report, you might want to limit your date range to less than 30 days. Generating a Detailed report over 30 days might consume large amounts of system memory, depending on the number of violations that are in the report database.

Note: Symantec Mail Security does not support emailing reports that are larger than 5 MB. When Symantec Mail Security generates a report that is larger than 5 MB, it logs the event to the Windows Application Event Log. You can view the report on the Reports page.

Symantec Mail Security provides a wizard that helps you configure your report template.

To identify the report to be created or modified

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Templates.

3 Do one of the following:

Create a new Detailed report template

In the sidebar under Tasks, click Add new template.

Modify an existing report template.

In the content pane, in the Report Templates table, double-click the template that you want to modify.


To configure the report template options

1 Under Report Template Options, in the Template name box, type a name for the report template.

This option is only available if you are creating a new template.

2 In the Description box, type a description for the template.

3 Under Report type, click Detailed.

4 Under Report format, select the report format.

See “About report output formats” on page 202.

5 Check Email report to the following recipients and type one or more addresses to which the report should be delivered.

Separate entries with semicolons.

6 Click Next.

To configure the report time range

1 Under Report Time Range, in the Time range list, select the time range for the report.

The default setting is Past Day.

2 In the Start time and End time boxes, select the dates and times for the start and end of the report time range.

This option is only available if you selected the Customized time range.

To configure on demand report generation

1 Under Report Generation Option, click On demand.

2 Click Next.

To configure scheduled report generation

1 Under Report Generation Option, click Scheduled.

2 In the Generate report at list, select the time of day to generate the report.

3 Click Daily, Weekly, or Monthly.

If you select Weekly or Monthly, select the day of the week or month to generate the report.

4 Click Next.


To configure the report chart options

1 Under Report Chart Options, select any of the following:

■ Total violations chart

■ Threats and security risks chart, and then select the chart granularity.

The default setting is Week.

■ Content violation chart, and then select the chart granularity.

The default setting is Week.

■ Spam pie chart

2 Click Next.

To configure report content

1 Under Detailed Template Options, in the Type of violation list, select the type of violation that you want to appear in the report.

2 In the Sender filter box, type an identifying characteristic of the sender whose messages will appear in the report.

This can be the domain name or address of the sender, or a name or word, or a wildcard expression.

3 In the Violation filter list, do one of the following:

■ Select a pre-defined violation filter.

The list consists of the default rules (for example, Basic Virus Rule) that are provided when you install the product. Filter selections vary based on the type of violation that you choose.

■ Click User Defined Rule, and in the Rule name box, type the name of a content filtering rule that you created.

This option is only available if you select the violation types “All” or “Content Enforcement.”

4 Select the columns that you want to appear in the detailed report.

5 Click Finish.

6 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.


Deleting a report template

You can delete a report template when it is no longer needed.

To delete a report template

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Templates.

3 In the content area, select the template that you want to delete.

4 In the sidebar under Tasks, click Delete template.

5 In the confirmation dialog box, click OK.

6 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

What you can do with reports

The following lists the tasks that you can perform with reports:

■ Generating a report on demand

■ Accessing a report

■ Printing a report

■ Saving report data

■ Deleting a report

■ Resetting statistics

Generating a report on demand

After you create a report template, you can use it to generate reports of policy violation information. Symantec Mail Security automatically appends the current date and time to the name of your report template when it names the report. This lets you run the same report on different dates and compare the data.

See “Accessing a report” on page 212.

To generate a report on demand

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Templates.

3 In the Report Templates table, select the report that you want to generate.


4 In the sidebar under Tasks, click Generate Report.

5 In the Operation Status window, click Close when the operation is complete.

Accessing a report

You can view a report from the console or from the Symantec Mail Security Reports folder. If you view a report from the console, you must be in a server view.

The Reports page in the console displays the following information:

Name: Name of the report

Type: Detailed or Summary

Date Created: Date and time the report was generated

Format: Output format (HTML or CSV)

Template Name: Template from which the report was generated

Status: Current status of the report generation

The report statuses are as follows:

■ Ready: The report is generated and can be viewed.

■ Generating: The report is currently being generated.

■ Failed: The report generation has failed. The event is logged to the Windows Application Event Log.

A report can only be viewed when its status is Ready.

When Symantec Mail Security generates a report (scheduled or on demand), the report is also automatically saved in its own folder in the Symantec Mail Security Reports folder. You can browse to the folder location and view the report file.

Note: When you delete a report in the console, the file is automatically deleted from the Symantec Mail Security Reports folder.

See “Deleting a report” on page 215.


To access a report from the console

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Reports.

3 In the content pane in the Reports table, do one of the following:

■ Select the report that you want to view, and in the sidebar under Tasks, click View Report.

■ Double-click the report.

4 Press F5 to refresh the page.

See “Printing a report” on page 214.

See “Saving report data” on page 214.

To access a report from the Symantec Mail Security Reports folder

1 Right-click on the Windows Start menu and select Explore.

2 Browse to the Symantec Mail Security Reports folder.

The default location is as follows:

\Program Files\Symantec\SMSMSE\5.0\Server\Reports

3 Double-click the report folder that contains the report that you want to view.

4 Do one of the following:

For a report in .html format: Double-click the file to view it. The report appears the same as if it were accessed from the console.

For a report in .csv format: Open the .csv file in a program such as Microsoft Excel to view it. Files created in .csv format contain raw data and must be viewed in a program that can interpret the data.

See “About report output formats” on page 202.


Printing a report

If you have a printer configured, you can print a report. Symantec Mail Security provides features that let you configure the page setup and preview the report. Print reports in landscape mode to prevent the data from being cut off at the right margin.

To print a report

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Reports.

3 In the content pane in the Reports table, do one of the following:

■ Select the report that you want to view, and in the sidebar under Tasks, click View Report.

■ Double-click the report.

4 On the toolbar, do any of the following:

Configure printer options: Click Page Setup.

Preview the report: Click Print Preview. You can print the report from the Print Preview window.

Print the report: Click Print.

5 Click OK.

Saving report data

You can save reports to the destination of your choice. This lets you manage and maintain your reports. It also lets you email reports or lets users access the reports that they want to view.

To save report data

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Reports.

3 In the content pane in the Reports table, do one of the following:

■ Select the report that you want to view, and in the sidebar under Tasks, click View Report.

■ Double-click the report.


4 On the toolbar, click Save.

5 In the Save Web Page window, do the following:

■ In the File name box, type the name of the file.

■ In the Save as type box, select the file type.

The default value is Web Page, complete (*.htm, *.html).

■ In the Encoding box, select the encoding that you want to use.

The default value is Unicode.

6 Click Save.

7 Click OK.

Deleting a report

You can delete a report when it is no longer needed or after you have saved the report to a file location. This lets you manage the volume of reports on the Reports page.

See “Saving report data” on page 214.

Note: When you delete a report in the console, the file is automatically deleted from the Symantec Mail Security Reports folder.

See “Accessing a report” on page 212.

To delete a report

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Reports.

3 In the content pane in the Reports table, select the report that you want to delete.

4 In the sidebar under Tasks, click Delete Report.

Page 216: SMS Implementation Guide

Resetting statistics

You can reset statistics for reporting purposes. Resetting statistics also resets the Activity Summary information on the Home page.

To reset statistics

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Settings.

3 Under Tasks, select one of the following:

■ Reset Auto-Protect statistics

■ Reset spam statistics

■ Reset database statistics

Selecting this option purges all data from the Reports database.

See “Purging the Reports database” on page 201.

■ Reset all statistics

Page 217: SMS Implementation Guide

Chapter 12 Updating your protection

This chapter includes the following topics:

■ About keeping your server protected

■ How to update definitions

■ Distributing definitions to multiple servers

About keeping your server protected

Symantec Mail Security relies on up-to-date information to detect and eliminate risks. One of the most common reasons that problems occur is that definition files are not up-to-date. Symantec regularly supplies updated definition files that contain the necessary information about all newly discovered risks. Regular updates of that information maximize security and guard your organization’s Exchange mail system against infections and the downtime that is associated with an outbreak.

Symantec Mail Security lets you update your protection from threats and security risks using the following tools:

LiveUpdate

When LiveUpdate runs, it downloads and installs available definitions from the Symantec LiveUpdate server. LiveUpdate certified definitions undergo stringent testing and are updated daily.

LiveUpdate is enabled by default with a recommended daily schedule. However, you can modify the schedule.

Rapid Release

Rapid Release definitions provide the fastest response to emerging threats and are updated approximately every hour. Rapid Release definitions are delivered by FTP and provide reliable first-line protection.

Page 218: SMS Implementation Guide

Both methods let you update definitions on demand and automatically, based on the schedule that you specify. You can run Rapid Release definition updates instead of or in addition to LiveUpdate updates. For example, you can schedule daily LiveUpdates, and then manually run Rapid Release when a new threat emerges.

If your organization has both front-end and back-end Exchange servers, consider using Rapid Release definitions on the front-end servers for the fastest response to new threats, and certified LiveUpdate definitions on the back-end mailbox servers.

Note: If you have Symantec AntiVirus Corporate Edition installed, you must let Symantec AntiVirus update definitions.

See “About using Symantec Mail Security with other antivirus products” on page 57.

You must have a valid content license to update definition files. A content license is a grant by Symantec Corporation for you to update Symantec corporate software with the latest associated content, such as new definitions. When you do not have a content license or your license expires, your product does not receive the most current definitions, and your servers are vulnerable to risks.

See “About licensing” on page 63.

Configuring a proxy server to permit LiveUpdate definitions

Some organizations use proxy servers to control connections to the Internet. To use LiveUpdate, you might need to specify the address and port of the proxy server as well as a user name and password. If needed, you can modify the proxy server configuration settings through LiveUpdate.

LiveUpdate can use an HTTP, FTP, or ISP proxy server.

To configure FTP settings for LiveUpdate

1 On the Windows menu, click Start > Control Panel.

2 In the Control Panel window, double-click Symantec LiveUpdate.

3 In the LiveUpdate Configuration dialog box, on the FTP tab, click I want to customize my FTP settings for LiveUpdate.

When this setting is checked, the Use a proxy server for FTP connections option appears and is checked by default.

4 In the Address box, type the IP address of the FTP proxy server.

Page 219: SMS Implementation Guide

5 In the port box, type the port number.

Typically, the port number for FTP is 21.

6 Click OK.

To configure HTTP settings for LiveUpdate

1 On the Windows menu, click Start > Control Panel.

2 In the Control Panel window, double-click Symantec LiveUpdate.

3 In the LiveUpdate Configuration dialog box, on the HTTP tab, click I want to customize my HTTP settings for LiveUpdate.

When this setting is checked, the Use a proxy server for HTTP connections option appears and is checked by default.

4 In the Address box, type the IP address of the HTTP proxy server.

5 In the port box, type the port number.

Typically, the port number for HTTP is 80.

6 If a user name and password are required to access the HTTP proxy server, under HTTP Authentication, click I need authorization to connect through my firewall or proxy server, and then type the user name and password.

7 Click OK.

To use an ISP dial-up connection for LiveUpdate

1 On the Windows menu, click Start > Control Panel.

2 In the Control Panel window, double-click Symantec LiveUpdate.

3 In the LiveUpdate Configuration dialog box, on the ISP tab, click Customized settings for LiveUpdate.

4 Under Use this Dial-up Networking connection, do one of the following:

■ In the drop-down list, select the appropriate connection.

■ If the connection that you want to use is not found in the drop-down list, click Add, and then follow the Location Information Wizard instructions to add a connection.

5 Type your ISP user name and password.

6 Click OK.

Page 220: SMS Implementation Guide

About setting up your own LiveUpdate server

The LiveUpdate Administration Utility lets you set up an intranet HTTP, FTP, or LAN server, or a directory on a standard file server to handle LiveUpdate operations for your network.

The LiveUpdate Administration Utility is available on the Symantec Mail Security product CD in the following location:

\ADMTOOLS\LUA

For more information, see the LiveUpdate Administrator’s Guide on the Symantec Mail Security product CD in the following folder location:

\DOCS\LUA

If you set up your own LiveUpdate server, you must edit the LiveUpdate configuration for Symantec Mail Security to point to the local LiveUpdate server.

For more information, contact Symantec Service and Support.

See “Where to get more information about Symantec Mail Security” on page 27.

How to update definitions

You can update definitions using any of the following methods:

■ Perform updates on demand

See “Updating definitions on demand” on page 220.

■ Schedule automatic updates

See “Scheduling definition updates” on page 221.

Updating definitions on demand

You can use LiveUpdate or Rapid Release to download the most current definitions on demand.

You must be in a server view to perform an on-demand definitions update.

To update definitions on demand

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click LiveUpdate/Rapid Release Status.

Page 221: SMS Implementation Guide

3 Under Tasks, select one of the following:

■ Run LiveUpdate Certified Definitions

■ Run Rapid Release Definitions (via FTP)

4 In the Operation Status window, click Close when the operation is complete.

Scheduling definition updates

You can schedule Symantec Mail Security to perform definition updates automatically. If you have multiple servers that you want to perform their own updates with the same settings, you can configure the settings in the Global Group view or a user-defined group view. When you deploy your changes, the settings are deployed to all of the servers in the group. If you configure LiveUpdate to run on a schedule and deploy the changes to a group, it runs at the specified time in the local time zone of each server.

If auto-protect scanning is enabled and you are updating definitions at hourly intervals (using Rapid Release or LiveUpdate), disable at least one of the following auto-protect features on servers that have a message store:

■ Enable background scanning

■ On virus definition update, force rescan before allowing access to information store

When both of these options are enabled, the message store is rescanned each time definitions are updated. If you update definitions at hourly intervals, this can impact overall mail throughput.

See “Configuring auto-protect scanning” on page 179.

Also disable the “Run scan when virus definitions change” feature for all scheduled scans if you update definitions at hourly intervals. If this option is enabled in a scheduled scan, the scheduled scan runs each time definitions are updated. Because definitions are delivered more frequently, the scan might not complete before new definitions are available. This can impact overall mail throughput.

See “About scheduling a scan” on page 183.

To schedule definition updates

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click LiveUpdate/Rapid Release Schedule.

3 In the content pane, under LiveUpdate/Rapid Release Schedule, check Enable automatic virus definitions updates.

This option is enabled by default.

Page 222: SMS Implementation Guide

4 Select one of the following:

■ Use Rapid Release definitions

■ Use Certified LiveUpdate definitions

This option is enabled by default.

5 Under Schedule, do one of the following:

■ Select Run every [ ] hours, and then select the interval in hours that you want to run LiveUpdate or Rapid Release.

The default value is 1 hour.

■ Select Run at a specific time, and then type the time of day (in 24-hour format) and check the day or days of the week that you want LiveUpdate to run.

This option is not available for Rapid Release.

6 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

Distributing definitions to multiple servers

You can update LiveUpdate definitions on multiple servers by doing the following:

■ Perform a LiveUpdate. You run LiveUpdate so that you can distribute the most up-to-date definitions that are available.

■ Push the updated definitions to the servers in the group. When you distribute definitions to multiple servers, you must have a valid license for each server or the definitions are not applied.

See “About licensing” on page 63.

Note: Symantec Mail Security does not support distributing Rapid Release definitions to multiple servers.

To distribute definitions to multiple servers, you must be in a group view.

To distribute definitions to multiple servers

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click Group LiveUpdate Status.

3 Under Tasks, click Run LiveUpdate.

4 In the LiveUpdate options panel, click Start.

Page 223: SMS Implementation Guide

5 When LiveUpdate is complete, click Close.

6 In the sidebar under Tasks, click Send virus definitions to servers.

Page 225: SMS Implementation Guide

Appendix A Using variables to customize alerts and notifications

This chapter includes the following topic:

■ About alert and notification variables

About alert and notification variables

Symantec Mail Security lets you customize notification and alert messages using variables.

Note: The percent (%) sign is used to surround variables in the replacement text and email notification fields. However, when a single percent sign (%) is placed in the text, it is filtered out and does not appear in the email notifications.

Table A-1 lists the variables that you can use and their descriptions.

Table A-1 Replacement variables for alerts and notifications

The variables are grouped by use (the variables listed under Multiple notifications can be used in more than one kind of notification); each entry gives the variable followed by its description.

Multiple notifications

%n% Starts a new line in the notification message

%server% Autofills with the name of the server on which a violation was discovered

Page 226: SMS Implementation Guide

Rule violation notifications

%action% Autofills with the description of the action taken in response to a rule violation

%attachment% Autofills with the name of the attachment in which a rule violation has been found

%datetime% Autofills with the date and time of a violation

%information% Autofills with any general information available about the violation

%location% Autofills with the name of the location at which a violation was discovered, for example, inbox, outbox, public folder

%policy% Autofills with the name of the policy of which the violated rule is a part

%recipient% Autofills with the name of the intended recipient of a message in which a violation was discovered

%rule% Autofills with the name of the rule that was violated

%scan% Autofills with the name of the scan that discovered a violation

%sender% Autofills with the name of the sender of a message in which a violation was discovered

%subject% Autofills with the contents of the subject line

%violation% Autofills with the name of the violation detected

Outbreak notifications

%count% Autofills with the number of messages that violate the outbreak trigger

%threshold% Autofills with the threshold level of an identified outbreak trigger

%trigger% Autofills with the name of the outbreak trigger that detected an outbreak
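
The substitution rules described above, modelled as an added example that is not Symantec's code: expand a template against a constructed rule-violation event, and check a template for variables that Table A-1 does not list for that kind of notification. The guide does not say how the product treats an unrecognised %name% or a listed variable the event does not carry, so both are assumptions stated in the code.

```python
"""Expand %variable% placeholders in a Symantec Mail Security-style notification.

Added example, not product code. It models the rules in Appendix A: variables are
surrounded by percent signs, %n% starts a new line, and a lone percent sign is
filtered out of the message. Two cases the appendix does not cover are assumptions:
an unrecognised %name% is kept verbatim, and a listed variable the event does not
carry expands to an empty string.
"""
import re
from typing import Mapping, Set

# Variable names as grouped in Table A-1.
MULTIPLE_NOTIFICATION_VARS = {"n", "server"}
RULE_VIOLATION_VARS = {
    "action", "attachment", "datetime", "information", "location", "policy",
    "recipient", "rule", "scan", "sender", "subject", "violation",
}
OUTBREAK_VARS = {"count", "threshold", "trigger"}
KNOWN_VARS = MULTIPLE_NOTIFICATION_VARS | RULE_VIOLATION_VARS | OUTBREAK_VARS

# Variables each kind of notification may use; the "Multiple notifications"
# group is usable in both.
ALLOWED_VARS = {
    "rule violation": MULTIPLE_NOTIFICATION_VARS | RULE_VIOLATION_VARS,
    "outbreak": MULTIPLE_NOTIFICATION_VARS | OUTBREAK_VARS,
}

# Either a %name% token or a lone percent sign; the alternatives are tried in order,
# so a percent sign that does not open a %name% token falls through to the second one.
_TOKEN = re.compile(r"%([A-Za-z]+)%|%")


def expand_notification(template: str, event: Mapping[str, str]) -> str:
    """Return the message text for one event, applying the Appendix A rules."""
    def replace(match):
        name = match.group(1)
        if name is None:                 # a lone percent sign: filtered out
            return ""
        if name == "n":                  # %n% starts a new line
            return "\n"
        if name in KNOWN_VARS:
            return event.get(name, "")   # assumption: missing field -> empty
        return match.group(0)            # assumption: unknown name left as-is
    return _TOKEN.sub(replace, template)


def variables_used(template: str) -> Set[str]:
    """Names of all %name% tokens in a template, whether or not Table A-1 lists them."""
    return {m.group(1) for m in _TOKEN.finditer(template) if m.group(1)}


def unsupported_variables(template: str, kind: str) -> Set[str]:
    """Variables in a template that Table A-1 does not list for this kind of
    notification (for example %rule% in an outbreak notification). Checking a
    template before deploying it avoids alerts that go out with empty fields."""
    return variables_used(template) - ALLOWED_VARS[kind]


# Constructed sample: a rule-violation event and a template an administrator might use.
SAMPLE_EVENT = {
    "server": "EXCH01",
    "datetime": "2006-05-01 09:15:00",
    "sender": "alice@example.com",
    "recipient": "bob@example.com",
    "subject": "Q2 numbers",
    "policy": "Attachment policy",
    "rule": "Executable File Rule",
    "attachment": "setup.exe",
    "action": "Quarantined",
}
SAMPLE_TEMPLATE = (
    "Rule %rule% (policy %policy%) violated on %server% at %datetime%%n%"
    "From %sender% to %recipient%, subject: %subject%%n%"
    "Attachment %attachment% blocked (1 of 2 attachments, 50%); action: %action%"
)

if __name__ == "__main__":
    print(expand_notification(SAMPLE_TEMPLATE, SAMPLE_EVENT))
    print(unsupported_variables("%count% messages hit %rule%", "outbreak"))  # {'rule'}
```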


Page 227: SMS Implementation Guide

Appendix B Integrating Symantec Mail Security with SESA

This chapter includes the following topics:

■ About SESA

■ Interpreting Symantec Mail Security events in SESA

■ Configuring logging to SESA

■ About uninstalling SESA

About SESA

In addition to using the Symantec Mail Security Event Log and the Windows Application Event Log, you can also log events to the Symantec Enterprise Security Architecture (SESA). SESA integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for SESA-enabled security products, such as Symantec Mail Security, that protect your IT infrastructure from malicious code, intrusions, and blended threats. SESA increases your organization’s security posture by simplifying the task of monitoring and managing the multitude of security-related events and products that exist in today’s corporate environments.

The event categories and classes include threats, security risks, content filtering, network security, spam, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by SESA.

Page 228: SMS Implementation Guide

Table B-1 lists the versions of SESA that Symantec Mail Security supports.

Table B-1 Supported versions of SESA

Version 2.1

This version of SESA is a software-only solution.

You can monitor and manage security-related events through the SESA Console. The SESA Console is the common console that provides manageable integration of security technologies (Symantec or otherwise), Symantec Security Services, and Symantec Security Response. You can query, filter, and sort data to reduce the security-related events that you see through the SESA Console. This lets you focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status, based on filtered views that you create.

SESA is purchased and installed separately. SESA must be installed and working properly before you can configure Symantec Mail Security to log events to SESA.

For more information, see the SESA 2.1 documentation.

Version 2.5

This version of SESA is a software component of the Symantec Security Information Manager 4.0 appliance.

SESA is seamlessly integrated with Symantec Incident Manager, the software component for the Symantec Security Information Manager appliance. Together, these tools provide you with an open, standards-based foundation for managing security events from Symantec clients, gateways, servers, and Web servers.

SESA Agents collect events from security products and send the events to the SESA Manager. The SESA Manager sends the events to the Correlation Manager, which uses a sophisticated set of rules to filter, aggregate, and correlate the events into security incidents. The Correlation Manager sends the incidents to Symantec Incident Manager for evaluation, tracking, and response.

Symantec Incident Manager evaluates the impact of incidents on the associated systems and assigns incident severities. A built-in Knowledge Base provides information about the vulnerabilities that are associated with the incident. The Knowledge Base also suggests tasks that you can assign to a help desk ticket for resolution.

Symantec Security Information Manager is purchased and installed separately. The appliance must be installed and working properly before you can configure Symantec Mail Security to log events to SESA.

For more information, see the Symantec Security Information Manager documentation.

Page 229: SMS Implementation Guide

Note: Refer to the SESA/Symantec Security Information Manager documentation for the latest recommended version of the Java Runtime Environment.

Interpreting Symantec Mail Security events in SESA

SESA provides extensive event management capabilities, such as common logging of normalized event data for SESA-enabled security products like Symantec Mail Security. The event categories and classes include threats (such as viruses), security risks (such as adware and spyware), content filtering rule violations, network security, spam, and systems management.

For more information about interpreting events in SESA and on the event management capabilities of SESA, see the SESA or Symantec Security Information Manager documentation.

Table B-2 lists the events that are logged to SESA.

Table B-2 Security events that are logged to SESA

Each entry gives the event ID (SES_EVENT_<Unique ID>), the severity, the event class, and the rule description (the reason the event was sent).

GENERIC_CONTENT

Severity: Warning. Event class: DATA_INCIDENT. Rule description: Content filtering rule name.

SPAM_CONTENT

Severity: Warning. Event class: DATA_INCIDENT. Rule description: Heuristic antispam: Spam score: [ ] percent; Premium antispam: [spam] or [suspected spam].

UNSCANNABLE_VIOLATION

Severity: Warning. Event class: DATA_INCIDENT. Rule description: Scan error.

VIRUS

Severity: Warning (Deleted/Repaired); Minor (Quarantined); Major (Infected, log only). Event class: DATA_VIRUS_INCIDENT. Rule description: Threats; Mass-mailer clean up.

DATA_GREYWARE_CONTENT

Severity: Warning. Event class: DATA_INCIDENT. Rule description: Security risk (category, such as adware).

Page 230: SMS Implementation Guide

Configuring logging to SESA

The logging of events to SESA is in addition to logging events in the Symantec Mail Security Event Log and the Windows Application Event Log. Logging to SESA is activated independently of the Symantec Mail Security Event Log. You can send a subset of the events that are logged by Symantec Mail Security to SESA.

To configure logging to SESA, you must complete the following steps:

Configure SESA to recognize Symantec Mail Security

For SESA to receive events from Symantec Mail Security, you must run the SESA Integration Wizard that is specific to Symantec Mail Security for Microsoft Exchange. The SESA Integration Wizard installs the appropriate integration components for identifying the individual security product (in this case, Symantec Mail Security for Microsoft Exchange) to SESA.

See “Configuring SESA 2.1 to recognize Symantec Mail Security” on page 231.

See “Configuring SESA 2.5 to recognize Symantec Mail Security” on page 232.

Install a local SESA Agent on the computer that is running Symantec Mail Security

The local SESA Agent handles the communication between Symantec Mail Security and SESA.

See “Installing the local SESA Agent” on page 235.

Configure the Windows hosts file

If you are using the Symantec Security Information Manager, you must add the server name and IP address of the information manager to the Windows hosts file.

See “Updating the Windows hosts file to log events to SESA 2.5” on page 235.

Configure Symantec Mail Security to send logging events to SESA

You use the console to configure Symantec Mail Security to communicate with the local SESA Agent and to log events to SESA.

See “Configuring Symantec Mail Security to log events to SESA” on page 236.

Page 231: SMS Implementation Guide

Configuring SESA 2.1 to recognize Symantec Mail Security

To configure SESA to receive events from Symantec Mail Security, run the SESA Integration Wizard on each computer that is running the SESA Manager. The SESA Integration Wizard installs the appropriate integration components for identifying Symantec Mail Security to SESA. You must run the SESA Integration Wizard for each SESA Manager computer to which you are forwarding events from Symantec Mail Security.

To configure SESA 2.1 to recognize Symantec Mail Security, you must first launch the SESA Integration Wizard. The wizard guides you through the installation procedures.

To start the SESA 2.1 Integration Wizard

1 On the computer on which the SESA Manager is installed, create a folder for the datapackage.sip file, for example:

C:\Datapackage

2 Insert the Symantec Mail Security product CD into the CD-ROM drive.

3 Copy the following file to the newly created folder:

ADMTOOLS\SIPI\smsmse50.sip

4 On the computer on which the SESA Manager is installed, insert the SESA CD1 - SESA Manager CD into the CD-ROM drive.

5 At the command prompt, change directories on the CD to the following location:

\SIPI

6 To start the SESA Integration Wizard, at the command prompt, type:

java -jar setup.jar

To configure SESA 2.1 to recognize Symantec Mail Security

1 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information window.

2 In the SESA Directory Domain Administrator Information window, type the specific information about the SESA Domain Administrator and the SESA Directory.

SESA Directory Domain Administrator Name

Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.

SESA Directory Domain Administrator Password

Type the Directory Domain Administrator password.

Log on to domain (in dotted notation)

Type the SESA administrative domain. An example of dotted notation is:

NorthAmerica.SES

Host Name or IP Address of SESA Directory

Do one of the following:

■ If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer).

■ If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer.

For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.

Secure Directory Port

Type the number of the SESA Directory SSL port (by default, 636).

Page 232: SMS Implementation Guide

3 In the SESA Integration Package to Install window, type or browse to the location in which the SESA Integration Package is located, and then click OK.

4 Click Next, and then follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.

5 Repeat steps 1 through 4 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.

Configuring SESA 2.5 to recognize Symantec Mail Security

The Symantec Security Information Manager Web configuration interface provides a link that you can use to download and install the SESA Integration Wizard. The wizard installs SESA Integration Packages (SIPs) for Symantec Mail Security. The SIP contains the configuration settings and event schemas that SESA requires to recognize and log events from Symantec Mail Security.

You must run the SESA Integration Wizard for each Symantec Security Information Manager to which you are forwarding events from Symantec Mail Security.

Page 233: SMS Implementation Guide

To configure SESA 2.5 to recognize Symantec Mail Security, you must first download the SESA Integration Wizard from the Symantec Security Information Manager. The wizard guides you through the installation procedures.

To download the SESA 2.5 SIP Integration Wizard

1 Insert the Symantec Mail Security product CD into the CD-ROM drive.

2 Copy the following file to your local computer:

ADMTOOLS\SIPI\smsmse50.sip

3 Open a Web browser, and in the address bar, type the IP address of the appliance.

4 If prompted, type the Log on name, password, and domain, and then click Log On.

5 In the Symantec Security Information Manager console, in the left pane, click Register SIPs.

6 Click Download SIP Integration Wizard.

7 In the File Download dialog box, click Save.

8 Type or browse to the location in which you want to save the SESA Integration Wizard installation file.

SIPI.zip is the file that is downloaded.

9 In the Download complete dialog box, click Close.

10 Locate the SIPI.zip file, double-click it, and unpack the file to the desired folder.

To configure SESA 2.5 to recognize Symantec Mail Security

1 In the folder where you unpacked the SIPI.zip file, double-click setup.jar.

The SESA Integration Wizard appears.

2 In the SESA Integration Wizard, click Next until you see the SESA Directory Domain Administrator Information panel.

Page 234: SMS Implementation Guide

3 In the SESA Directory Domain Administrator Information panel, type the specific information about the SESA Domain Administrator and the SESA Directory.

SESA Directory Domain Administrator Name

Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain.

SESA Directory Domain Administrator Password

Type the Directory Domain Administrator password.

Log on to domain (in dotted notation)

Type the SESA administrative domain. An example of dotted notation is:

NorthAmerica.SES

Host Name or IP Address of SESA Directory

Do one of the following:

■ If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer).

■ If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer.

To change the IP address, you must use the SESA console, not the Symantec Mail Security console.

For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.

Secure Directory Port

Type the number of the SESA Directory SSL port (by default, 636).

4 In the SESA Integration Package to Install panel, type or browse to the location in which you saved the SESA Integration Package (smsmse50.sip), and then click Next.

5 Click Next and follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.

6 Repeat steps 1 through 5 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.

Page 235: SMS Implementation Guide

Installing the local SESA Agent

The local SESA Agent handles the communication between Symantec Mail Security and SESA and is installed on the same computer that is running Symantec Mail Security. The local SESA Agent is provided as part of the software distribution package for Symantec Mail Security. Ordinarily, the local SESA Agent is installed automatically when the user elects to enable logging and alerting to SESA. This can be done at installation or at any time afterward.

When you have more than one SESA-enabled product installed on a single computer, these products can share a local SESA Agent. However, each product must register with the Agent. Thus, even if an Agent has already been installed on the computer for another SESA-enabled security product, you must run the installer to register Symantec Mail Security for Microsoft Exchange.

To install the SESA Agent using the SESA Agent Installer that Symantec Mail Security provides, run the Installer on all computers on which Symantec Mail Security is installed.

You install the SESA Agent when you install Symantec Mail Security.

See “About installing Symantec Mail Security on remote servers” on page 40.

Updating the Windows hosts file to log events to SESA 2.5

You must add the IP address and server name of the Symantec Security Information Manager to your Windows hosts file.

To update the Windows hosts file to log events to SESA 2.5

1 On the computer on which you have installed Symantec Mail Security, open the following file:

<Windows>\System32\Drivers\Etc\Hosts

2 Add the following entry:

<sesa-server-ip> <sesa-server-name>

3 Save and close the file.

Page 236: SMS Implementation Guide

Configuring Symantec Mail Security to log events to SESA

After you have installed the local SESA Agent to handle communications between Symantec Mail Security and SESA, you must ensure that logging to SESA is activated. These settings are located in the Symantec Mail Security Settings database.

After you configure Symantec Mail Security to log events to SESA, check the server status to confirm that logging to SESA is enabled. If it is not, you can start the SESA Agent using Windows Services.

To configure Symantec Mail Security to log events to SESA

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar, click Notifications/Alerts Settings.

3 Under SESA Alerts, check Enable Logging and Alerting to SESA Server.

4 Type the IP address in the IP address of the SESA server box.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings to a server or group” on page 72.

To start the SESA AgentStart service using Windows Services

1 On the Windows menu, click Start > Control Panel > Administrative Tools > Services.

2 Under Name, right-click SESA AgentStart, and then click Start.

About uninstalling SESA

When Symantec Mail Security is no longer forwarding messages to SESA, you can uninstall the SESA components.

About uninstalling the SIP

You uninstall the SESA Integration Package from the SESA Manager computer. If you are using SESA version 2.5, you must first purge all items in the event log for all products, not just Symantec Mail Security.

For more information about how to uninstall the SIP, see the SESA documentation.

Page 237: SMS Implementation Guide

About uninstalling the SESA Agent

The local SESA Agent is automatically uninstalled when you uninstall Symantec Mail Security. When more than one product is using the Agent, the uninstall script removes only the Symantec Mail Security for Microsoft Exchange registration and leaves the Agent in place. When no other security products are using the Agent, the uninstall script uninstalls the Agent as well.

See “Uninstalling Symantec Mail Security” on page 60.


Index

Symbols
.csv (comma-separated value) report format 202
.NET Framework 33, 34, 35, 40
.zip files. See container files

A
Active Directory 16, 17, 166, 169
Active Summary 216
Adobe Acrobat Reader 19
adware. See security risks
Allowed Senders list 113
antispam filtering
  about 107
  configuring heuristic antispam 141
  configuring real-time blacklists 112
  configuring Symantec Premium AntiSpam 131
  configuring the SAT value 111
  configuring whitelists 113
  how it works 109
  licensing requirements 64
  SCL values, about 110
antivirus
  Basic Virus Rule 99
  detecting mass-mailer viruses 98
  enabling detection 98
  how Symantec Mail Security detects viruses 97
  logging detections 197
  modifying virus policies 99
  quarantining viruses 85
  setting Bloodhound detection level 98
  Unrepairable Virus Rule 99
  updating protection against 217
antivirus definitions. See definitions
antivirus products, other 57
attachments
  Allow-Only Attachment Rule 147
  blocking by attachment name 170
  detecting executables 175
  detecting multimedia files 172
  enforcing email attachment policies 170
  Executable File Rule 170
  filtering 145
  making attachment size a rule condition 148
  Outbreak Triggered Attachment Names match list 155
  Quarantined Triggered Attachment Names Rule 147
  Sample Attachment Name match list 155
  Sample Executable File Names match list 155
  Sample Multimedia File Names match list 155
auto-protect scans 158, 179

B
background scanning 179
Basic Virus Rule 99
Bloodhound heuristics technology 97

C
clusters
  configuring the cluster resource 48
  considerations before installing on 46
  installing on 45
  installing on an active/active cluster 49
  Veritas cluster server 50
console
  about 53
  accessing 52
  Home page 54
  installing console only 43
  primary navigation bar 54
  system requirements 34
container files
  blocking unscannable 104
  configuring limits 102
  decomposing 97
  denial-of-service attacks 102
  encrypted 96, 104
  unscannable 96
content area 53


content filtering rules
  about 145
  blocking attachments by name 170
  configuring 160
  configuring exceptions 163
  configuring rule conditions 161
  creating 159
  deleting 169
  detecting executable files 175
  detecting multimedia file types 172
  editing 159
  elements of 149
  enabling for auto-protect scanning 158
  enforcing attachment policies 170
  evaluating content 147
  literal string 149
  managing 157
  managing match lists 154
  metacharacters 151
  multiple violations 146
  notifying when rules are violated 167
  pre-configured rules 147
  prioritizing 168
  refreshing Active Directory groups 169
  regular expressions 150
  rule names and descriptions 160
  specifying actions 164
  specifying local domains 157
  specifying users to whom rules apply 166
  wildcards 149
content license 63

D
definitions 220
  about 97
  distributing to multiple servers 222
  licensing requirements 63, 218
  LiveUpdate Administration Utility, about 220
  updating 217
denial-of-service attacks 96, 102
deploy all settings 72
deploy changes 72
Detailed. See templates
dialers. See security risks
DirectX 33, 35, 40
discard changes 72
domains, specifying local 157
DOS wildcard expressions 154

E
Encrypted File Rule 104
Event Log
  about 197
  contents 199
  filtering contents 200
  viewing 198
Executable File Rule 170
executable files, detecting 155, 175
Executive Summary. See templates
expressions
  regular 150
  wildcard 154

F
features
  new and enhanced 16
  protecting and managing your server 20
filtering. See content filtering rules
formats, report output 202
FTP proxy server, LiveUpdate connection 218

G
Global Group 72

H
hack tools. See security risks
help 27
heuristic antispam. See antispam filtering
heuristics 97
Home page 54, 55, 216
HTML
  encoding 146
  report output format 202
HTTP proxy server, LiveUpdate connection 218
hyper-threaded processor 58

I
IIS (Internet Information Services) 51
impersonation 34, 51
inbound/outbound settings 157
installation
  before you install 29
  customizing remote server installation settings 40
  installation options 34
  installing on a cluster 45
  installing on a local server 35
  installing on a remote server 40
  installing the console only 43
  installing the SESA Agent 235
  post-installation tasks 50
  security and access permissions 32
  system requirements 33
  uninstalling 60
  upgrading 59
Intel Xeon processors 58
ISA server, registering Symantec Premium AntiSpam through 117
ISP proxy server, LiveUpdate connection 218
IWAM account 34, 51

J
joke programs. See security risks

L
languages 131
license
  activating 64
  content license 63
  expiration 64
  installing license files 68
  locating the serial number 65
  obtaining a license file 65
  renewing 69
  requirements 63
  software updates 63
  status 69
  Symantec Premium AntiSpam license 64, 67
  upgrading 64
list pane 54
literal string 149
LiveUpdate
  about 217
  distributing definitions to multiple servers 222
  licensing requirements 63
  updating definitions
    on demand 220
    scheduled 221
  using proxy servers 220
LiveUpdate Administration Utility 18, 220
local domains, specifying 157
local quarantine
  about 85
  establishing thresholds 87
  forwarding events to the Quarantine Server 86
  purging 93
  releasing messages
    by mail 90
    to file 92
  viewing contents 88
logs
  See also reports
  Event Log
    about 197
    contents 199
    filtering contents 200
  logging destinations 197
  Reports database
    about 198
    purging 201
    storing data 200
  SESA 198
  Windows Application Event Log 197

M
manual scans
  about 178
  configuring 180
  running 182
  viewing results 183
mass-mailer worms 96
match lists
  about 154
  pre-configured 155
MDAC 33, 35, 40
menu bar 53
messages
  See also risks
  See also scans
  archiving 24
metacharacters 151
Microsoft Certificate Services 2.0 51
Microsoft Excel 202
Microsoft IMF (Intelligent Message Filter) 111
migration 59
multimedia file type detection 172
multiserver console settings 59


N
notifications settings 188

O
Open Proxy list 116, 131
outbreak management
  about
  adding outbreak items to pre-configured match lists 193
  clearing 195
  configuring notifications 194
  configuring triggers 193
  defining an outbreak 190
  enabling 192
  triggers, about 191
outbreaks. See outbreak management

P
policies 21
post-installation tasks 50
premium antispam service. See Symantec Premium AntiSpam
preview pane 54
primary navigation bar 53, 54
Probe Network 115
processing limits 102
protection, server 217
proxy server
  LiveUpdate 220
  Symantec Premium AntiSpam 118

Q
Quarantine Server
  See also local quarantine
  about 86
  forwarding events to 86

R
Rapid Release
  about 217
  licensing requirements 63
  updating definitions
    on demand 220
    scheduled 221
RBL. See real-time blacklists
real-time blacklists 112, 113
regular expressions 150
regulatory requirements 24
remote access programs. See security risks
replacement variables 225
reports
  See also templates
  accessing 212
  creating or modifying 203, 208
  deleting 212, 215
  email notification limitations 203, 208
  generating on demand 211
  managing 211
  printing 214
  Reports page display information 212
  resetting statistics 216
  saving data 214
  viewing with third-party tools 202
Reports database
  about 198
  purging 201
  storing data 200
reputation service 131
resizing bars 54
risks
  See also security risks
  See also threats
  Bloodhound heuristics technology 97
  categories of 95
  configuring security risk detection 100
  configuring threat detection 98
  decomposing container files 97
  how risks are detected 97
  setting container file limits 102
RTF encoding 146

S
Safe list 116, 131
SAT (Store Action Threshold) 111
scan processes 58
scanning limits 102
scanning threads 58
scans
  auto-protect 178, 179
  background scanning 179
  blocking unscannable files 104
  manual 180
  notifying of violations 188
  scheduled 183


scheduled scans
  about 178
  configuring scan options 184
  creating 183
  deleting 187
  editing 184
  enabling 187
SCL (spam confidence level) values 110
screen resolution, recommended 30
security and access permissions 32
security risks
  See also risks
  about 96
  categories of 101
  configuring detection 100
serial numbers, licensing 65
server domain controller 34, 51
server groups
  See also servers
  adding servers 77
  applying definitions 222
  creating 76
  deleting 81
  deploying all settings 72
  deploying changes 72
  Global 72
  managing, about 74
  pushing out settings to servers 80
  restoring default settings 80
  server settings file location 72
  user-defined 72
  viewing settings 74
server protection 217
servers
  See also server groups
  adding to groups 77
  deploying changes 72
  importing and exporting settings 82
  managing, about 74
  modifying communication properties 83
  moving to another group 78
  removing from group management 81
  restoring default settings 80
  synchronizing settings 80
  viewing settings 74
  viewing the status 75
SESA
  about 198, 227
  configuring logging to 230
  configuring to recognize Symantec Mail Security 231, 232
  installing Agent 235
  Integration Wizard 231, 232
  uninstalling 236
  versions 228
settings, importing and exporting 82
sidebar 54
spam foldering 117
spam. See antispam filtering
spyware. See security risks
SSL (Secure Socket Layer) communications 51, 83
statistics, resetting 216
string, literal 149
Suspect list 116, 131
Symantec AntiVirus Corporate Edition
  email tools feature 30
  updating definitions 57, 218
Symantec Brightmail AntiSpam 30
Symantec Elite Enterprise Licensing program 70
Symantec Mail Security for Microsoft Exchange
  about 15
  accessing the console 52
  configuring Symantec AntiVirus on the same computer 57
  features 16, 20
  getting more information 27
  locating software components 30
Symantec Mail Security Reports folder 212
Symantec Premium AntiSpam
  See also antispam filtering
  about 114
  configuring 131
  configuring your proxy server 118
  how it works 115
  identifying languages 131
  methods for detecting spam 115
  Outlook plug-in 124
  processing spam 132
  registering through an ISA server 117
  reputation service 131
  scoring suspected spam 131
  spam folder agent 119
  spam foldering 117
Symantec Probe Network 115
Symantec Spam Folder Agent for Exchange
  See also Symantec Premium AntiSpam
  See also Symantec Spam Plug-in for Outlook


Symantec Spam Folder Agent for Exchange (continued)
  about 119
  creating a service account 120
  installing 122
Symantec Spam Plug-in for Outlook
  See also Symantec Premium AntiSpam
  See also Symantec Spam Folder Agent for Exchange
  about 124
  identifying languages 131
  installing 129
  modifying variables 125
  toolbar elements 125
system requirements 33

T
templates
  about 201
  creating or modifying 203, 208
  deleting 211
  Detailed 202
  output formats 202
  Summary 202
threats
  See also risks
  Bloodhound technology 98
  configuring detection 98
  detecting mass-mailer infected messages 98
  types detected 95
toolbar 53
trackware. See security risks
Trojan horses 95

U
Unfiltered Recipients list 113
uninstalling
  SESA 236
  Symantec Mail Security for Microsoft Exchange 60
Unrepairable Virus Rule 99
Unscannable File Rule 104
updates. See definitions
upgrade product version 59

V
variables, replacement 225
Veritas cluster server 50
virus
  See also risks
  Basic Virus Rule 99
  configuring detection 98
  detecting mass-mailer viruses 98
  enabling detection 98
  how Symantec Mail Security detects 97
  logging detections 197
  modifying virus policies 99
  quarantining 85
  setting Bloodhound detection level 98
  Unrepairable Virus Rule 99
  updating protection against 217
virus definitions. See definitions

W
whitelists 113
wildcard expressions, DOS 154
Windows Application Event Log
  about 197
  viewing contents of in Symantec Mail Security 198
worms 95