Symantec Mail Security for Microsoft® Exchange Server...

Symantec™ Mail Security forMicrosoft® Exchange Server2007/Server 2010

Implementation Guide

v6.5.5

Symantec Information Foundation

Symantec™ Mail Security for Microsoft® ExchangeImplementation Guide

The software described in this book is furnished under a license agreement and may be usedonly in accordance with the terms of the agreement.

Documentation version 6.5.5

Legal NoticeCopyright © 2011 Symantec Corporation.

All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard LicenseTerms and Conditions.

Symantec, the Symantec Logo are trademarks or registered trademarks of SymantecCorporation or its affiliates in the U.S. and other countries. Other names may be trademarksof their respective owners.

The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software"and "commercial computer software documentation" as defined in FAR Sections 12.212 andDFARS Section 227.7202.

Symantec Corporation350 Ellis Street Mountain ViewCA 94043 USA

http://www.symantec.com

Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product feature andfunction, installation, and configuration. The Technical Support group also authorscontent for our online Knowledge Base. The Technical Support group workscollaboratively with the other functional areas within Symantec to answer yourquestions in a timely fashion. For example, the Technical Support group workswith Product Engineering and Symantec Security Response to provide alertingservices and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the rightamount of service for any size organization

■ A telephone and web-based support that provides rapid response andup-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide.Support is provided in a variety of languages for those customers that areenrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Website at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features thatare available may vary based on the level of maintenance that was purchased andthe specific product that you are using.

Contacting Technical SupportCustomers with a current maintenance agreement may access Technical Supportinformation at the following URL:


Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer on which the problem occurred, in case it is necessary to recreatethe problem.



When you contact Technical Support, please have the following informationavailable:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registrationIf your Symantec product requires registration or a license key, access our technicalsupport Web page at the following URL:


Select your region or language under Global Support, and then select the Licensingand Registration page.

Customer serviceCustomer service information is available at the following URL:


Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts

■ Information about the Symantec Value License Program



■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

Maintenance agreement resourcesIf you want to contact Symantec regarding an existing maintenance agreement,please contact the maintenance agreement administration team for your regionas follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional Enterprise servicesSymantec offers a comprehensive set of services that allow you to maximize yourinvestment in Symantec products and to develop your knowledge, expertise, andglobal insight, which enable you to manage your business risks proactively.Enterprise services that are available include the following:

These solutions provide early warning of cyberattacks, comprehensive threat analysis, andcountermeasures to prevent attacks before they occur.

Symantec Early Warning Solutions

These services remove the burden of managing andmonitoring security devices and events, ensuringrapid response to real threats.

Managed Security Services

Symantec Consulting Services provide on-sitetechnical expertise from Symantec and its trustedpartners. Symantec Consulting Services offer a varietyof prepackaged and customizable options that includeassessment, design, implementation, monitoring andmanagement capabilities, each focused on establishingand maintaining the integrity and availability of yourIT resources.

Consulting Services

Educational Services provide a full array of technicaltraining, security education, security certification,and awareness communication programs.

Educational Services

[email protected]

[email protected]

[email protected]

To access more information about Enterprise services, please visit our Web siteat the following URL:

www.symantec.com

Select your country or language from the site index.

www.symantec.com

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 1 Introducing Symantec Mail Security for MicrosoftExchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

About Symantec Mail Security for Microsoft Exchange Server2007/Server 2010 .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

About Symantec Mail Security for Microsoft Exchange Server2007/Server 2010 .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

What's new in Mail Security ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Components of Mail Security ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19How Mail Security works .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22What you can do with Mail Security ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Manage your Exchange environment using policies ... . . . . . . . . . . . . . . . . . . . 23Scan your Exchange server for risks and violations .... . . . . . . . . . . . . . . . . . . 23Protect against threats ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Keep your protection up-to-date ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Identify spam email ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Filter undesirable message content and attachments ... . . . . . . . . . . . . . . . . . 26Apply X-headers to messages for archiving .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Manage outbreaks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Quarantine infected message bodies and attachments ... . . . . . . . . . . . . . . . . 29Monitor Mail Security events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Generate reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Send notifications when a threat or violation is detected .... . . . . . . . . . . . 30Manage single and multiple Exchange servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Where to get more information about Mail Security ... . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 2 Installing Symantec Mail Security for MicrosoftExchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Before you install .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Software component locations .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35About security and access permissions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

System requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Server system requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Console system requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Contents

Port requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Installation options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Installing Mail Security on a local server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Installing the Mail Security console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47About installing Mail Security on remote servers ... . . . . . . . . . . . . . . . . . . . . . . 48Silently installing Mail Security using an automated installation

tool ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52About installing Mail Security in a Microsoft Cluster ... . . . . . . . . . . . . . . . . . 53About installing Mail Security on a Veritas Cluster Server ... . . . . . . . . . . 58

Post-installation tasks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Implementing SSL communications .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Accessing the Mail Security console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65About using Mail Security with other antivirus products ... . . . . . . . . . . . . 68Setting scanning threads and number of scan processes ... . . . . . . . . . . . . . 69

Uninstalling Mail Security ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Removing the Mail Security resource instance from the Veritas

Cluster Server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Chapter 3 Activating licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

About licensing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73How to activate a license .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

If you do not have a serial number .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Obtaining a license file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Installing license files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

If you want to renew a license .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Chapter 4 Managing your Exchange servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

About managing your Exchange servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Deploying settings and changes to a server or group .... . . . . . . . . . . . . . . . . . . . . . . . 81How to manage servers and server groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Logging onto servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Configuring Symantec Mail Security for Exchange 2010 on DAG

setup .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Modifying or viewing server or server group settings ... . . . . . . . . . . . . . . . . . 86Viewing the status of a server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Creating a user-defined server group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Adding servers to a group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Moving a server to another user-defined server group .... . . . . . . . . . . . . . . 89Synchronizing group settings to a server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Restoring default settings to a server or group .... . . . . . . . . . . . . . . . . . . . . . . . . 91Removing a server from group management ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Removing a server group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Contents8

Exporting and importing settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Modifying the port and communication properties of a

server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Chapter 5 Quarantining messages and attachments . . . . . . . . . . . . . . . . . . . . . 95

About the quarantine .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Forwarding quarantined items to the Quarantine Server ... . . . . . . . . . . . . . . . . . . 96Establishing local quarantine thresholds ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Viewing the contents of the local quarantine .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99How to release messages from the local quarantine .... . . . . . . . . . . . . . . . . . . . . . . 100

Releasing messages from the local quarantine by email ... . . . . . . . . . . . . 100Releasing messages from the local quarantine to a file ... . . . . . . . . . . . . . 102

Deleting items from the local quarantine .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Chapter 6 Protecting your server from risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

About protecting your server from risks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105How Mail Security detects risks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuring threat detection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Configuring security risk detection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Configuring file scanning limits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Configuring rules to address unscannable and encrypted files ... . . . . . . . . . 114

Chapter 7 Identifying spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

About spam detection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117How Mail Security detects and processes spam .... . . . . . . . . . . . . . . . . . . . . . . 118

Configuring whitelists ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119How to detect spam using Symantec Premium AntiSpam .... . . . . . . . . . . . . . . . 120

About registering Symantec Premium AntiSpam through an ISAserver ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Configuring your proxy server to download spam definitionupdates ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Configuring Symantec Premium AntiSpam to detect spam .... . . . . . . . 122

Chapter 8 Filtering content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

About filtering content ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133About default content filtering rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

About creating a content filtering rule ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Configuring the conditions of a content filtering rule ... . . . . . . . . . . . . . . . 135Specifying the users and groups to which the rule applies ... . . . . . . . . . 144Specifying who to notify if a content filtering rule is

violated .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

9Contents

Configuring rule actions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147What you can do with content filtering rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Enabling or disabling content filtering for auto-protectscanning .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Prioritizing content filtering rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Deleting a content filtering rule ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Specifying inbound SMTP domains .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Refreshing the Active Directory group cache .... . . . . . . . . . . . . . . . . . . . . . . . . . 158

How to enforce email attachment policies ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Blocking attachments by file name .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Configuring multimedia file detection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Configuring executable file detection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Managing match lists ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168About DOS wildcard style expressions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171About regular expressions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Chapter 9 Scanning your Exchange servers for threats andviolations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

About the types of scanning that you can perform .... . . . . . . . . . . . . . . . . . . . . . . . . 177How Mail Security scans messages on Exchange Server 2007/2010

roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178How Mail Security offloads Mailbox server scanning for Exchange

Server 2007/2010 .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183How Mail Security optimizes scanning performance for Exchange

Server 2007/2010 .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183Configuring auto-protect scanning .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184Configuring background scanning .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184Configuring advanced scanning options for auto-protect and

background scanning .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187About manual scans .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Configuring the manual scan parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189Performing a manual scan .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Stopping manual scans .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Viewing manual scan results ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

About scheduling a scan .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Creating a scheduled scan .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Editing a scheduled scan .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Configuring scheduled scan options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194Enabling a scheduled scan .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199Deleting a scheduled scan .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Configuring notification settings for scan violations .... . . . . . . . . . . . . . . . . . . . . . 200

Contents10

Chapter 10 Managing outbreaks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

About outbreak management ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201About the criteria that defines an outbreak .... . . . . . . . . . . . . . . . . . . . . . . . . . . . 202About outbreak triggers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205Best practices for managing outbreak conditions .... . . . . . . . . . . . . . . . . . . . . 205

Enabling outbreak management ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206Configuring outbreak triggers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206Configuring outbreak notifications .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208Clearing outbreak notifications .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Chapter 11 Logging events and generating reports . . . . . . . . . . . . . . . . . . . . . . . . 211

About logging events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211Viewing the Mail Security Event log .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212Specifying the duration for storing data in the Reports

database ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214Purging the Reports database ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215About logging performance counters to the MMC Performance

console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215About report templates ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

About report output formats ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217Creating or modifying a Summary report template ... . . . . . . . . . . . . . . . . . . 218Creating or modifying a Detailed report template ... . . . . . . . . . . . . . . . . . . . . 223Deleting a report template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

What you can do with reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227Configuring the initial set up of the report consolidation

feature ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227Generating a consolidated report ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Generating a report on demand .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229Accessing a report ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230Printing a report ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231Saving report data ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232Deleting a report ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Resetting statistics ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Chapter 12 Keeping your product up to date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Monitoring your version support status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235About keeping your server protected .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

About setting up your own LiveUpdate server ... . . . . . . . . . . . . . . . . . . . . . . . . . 238Configuring a proxy server to permit LiveUpdate

definitions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238How to update definitions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

11Contents

Updating definitions on demand .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240Scheduling definition updates ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

About enhancing performance when updating definitions ... . . . . . . . . . . . . . . 242Distributing definitions to multiple servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Appendix A Using variables to customize alerts andnotifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

About alert and notification variables ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Appendix B Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Why a file triggers the Unscannable File Rule ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249Reducing the incidence of malformed MIME false positives ... . . . . . . . . . . . . . 251Common error messages ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252Resolving installation issues ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Contents12

Introducing Symantec MailSecurity for MicrosoftExchange

This chapter includes the following topics:

■ About Symantec Mail Security for Microsoft Exchange Server 2007/Server2010

■ About Symantec Mail Security for Microsoft Exchange Server 2007/Server2010

■ What's new in Mail Security

■ Components of Mail Security

■ How Mail Security works

■ What you can do with Mail Security

■ Where to get more information about Mail Security

About SymantecMail Security forMicrosoft ExchangeServer 2007/Server 2010

Symantec™ Mail Security for Microsoft® Exchange Server 2007/Server 2010 (MailSecurity), a member of the Symantec Information Foundation™ product family,is a complete, customizable, and scalable solution that scans email that passesthrough or resides on the Microsoft Exchange server.

Mail Security protects your Exchange server from the following:

1Chapter

■ Threats (such as viruses, Trojan horses, worms, and denial-of-service attacks)

■ Security risks (such as adware and spyware)

■ Unwanted content

■ Unwanted file attachments

■ Unsolicited email messages (spam)

Mail Security also lets you manage the protection of one or more Exchange serversfrom a single console.

See “What you can do with Mail Security” on page 22.

The Exchange environment is only one avenue by which a threat or security riskcan penetrate a network. For complete protection, ensure that every computerand workstation is protected by an antivirus solution.

See “About using Mail Security with other antivirus products” on page 68.

About SymantecMail Security forMicrosoft ExchangeServer 2007/Server 2010

Symantec™ Mail Security for Microsoft® Exchange Server 2007/Server 2010 (MailSecurity), a member of the Symantec Information Foundation™ product family,is a complete, customizable, and scalable solution that scans email that passesthrough or resides on the Microsoft Exchange server.

Mail Security protects your Exchange server from the following:

■ Threats (such as viruses, Trojan horses, worms, and denial-of-service attacks)

■ Security risks (such as adware and spyware)

■ Unwanted content

■ Unwanted file attachments

■ Unsolicited email messages (spam)

Mail Security also lets you manage the protection of one or more Exchange serversfrom a single console.

See “What you can do with Mail Security” on page 22.

The Exchange environment is only one avenue by which a threat or security riskcan penetrate a network. For complete protection, ensure that every computerand workstation is protected by an antivirus solution.


Introducing Symantec Mail Security for Microsoft ExchangeAbout Symantec Mail Security for Microsoft Exchange Server 2007/Server 2010

14

What's new in Mail SecurityTable 1-1 lists the new and the enhanced features in Mail Security.

Table 1-1 New and enhanced features

DescriptionFeature

■ Improved Defences Against Targeted Attacks

A new antispam module applies machinelearning to better target distributed lowvolume attacks such as 419 spam (scams)and phishing attacks.

■ Real Time Updates

New streaming architecture that lets youdownload antispam rule micro updates asfrequently as every second, to better defendagainst new threats and improve overalleffectiveness.

Enhanced Premium AntiSpam for betterspam protection

Mail Security version 6.5.5 lets you determinethe content that triggered content filteringpolicy. It identifies violating terms and thematch lists that these violating terms belong to.It highlights them in the event log and in theAdmin notification, which reports contentfiltering violation. Also, for files enclosed in acontainer, the event log and Admin notificationhighlights the name of the file within thecontainer.

Content filtering - match highlighting

15Introducing Symantec Mail Security for Microsoft ExchangeWhat's new in Mail Security

Table 1-1 New and enhanced features (continued)

DescriptionFeature

Symantec Protection Center (SPC) is anappliance that simplifies security managementby centralizing security reporting andmanagement across Symantec and otherthird-party products. SPC aggregates securitydata from multiple products and makes this dataavailable on a dashboard and in cross-productreports. From version 6.5.5 onward, SymantecMail Security for Microsoft Exchange is readyfor integration with Symantec Protection Center2.0.

Mail Security version 6.5.5 includes theSymantecMailSecurityManagementService.This service remains dormant until SPC 2.0 isdeployed in the Exchange environment. OnceSPC 2.0 is deployed, this service is used to makeMail Security version 6.5.5 available to integratewith SPC.

Symantec Protection Center 2.0 ready

Mail Security version 6.5.5 provides improvedlogs with status of the background scan. Itgenerates an event when background scan iseither halted or is complete. In this event, it alsoprovides the count of number of items that werescanned so far during this scan. In thebackground scan completion event, it providesthe total time that is taken for completing thescan.

Background Scan status logs

Introducing Symantec Mail Security for Microsoft ExchangeWhat's new in Mail Security

16


DescriptionFeature

Mail Security leverages in-memory scanning toaccelerate email scans during transport andreduce disk I/O.

By default, the in-memory scanning feature isenabled. The default size of attachments ormessage body that can be scanned usingmemory-based scanning is 5 MB. You can usethe registry key SharedMemBufSizeInMB tochange the default size of attachments ormessage body for memory-based scanning. Ifyou set the value of the registry keySharedMemBufSizeInMB to zero, the in-memoryscanning feature is disabled. To specify a valuefor the registry key SharedMemBufSizeInMB,you must first create this registry key at thefollowing location in the Registry Editor window:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Server\Components\SMTP\

Support for in-memory scanning duringtransport

Mail Security sends notifications when virusdefinitions are older than the configured numberof days. You can specify the frequency ofsending notifications when old definitions arefound. You can also configure the number ofdays an outdated virus definition can remain onthe system after which a notification is sent.This configuration is done using registrysettings.

See “Distributing definitions to multiple servers”on page 242.

Support for alert notifications forout-of-date virus definitions

Mail Security supports Exchange Server 2010on the following roles:

■ Edge Transport

■ Hub Transport

■ Mailbox

Support for Exchange Server 2010

17Introducing Symantec Mail Security for Microsoft ExchangeWhat's new in Mail Security


DescriptionFeature

Global Group consists of all the servers that aremanaged through Mail Security console. Whenyou configure and apply Global Group settings,the changes are propagated to all the servers inall the groups. Changes that are made at theGlobal Group level overwrites group settings ofall individual and user-defined servers.

Addition of a Global Group for ExchangeServer 2010

Manual scans run on-demand and scan publicfolders and mailboxes. Scheduled scans rununattended usually at off-peak periods. Allpolicies apply to manual and to scheduled scans,except antispam. You can specify which filefolders and mailboxes to scan during a manualor scheduled scan. You can also specify thecontent filtering rules that you want to enablefor the manual or scheduled scan.

Support for manual and scheduled scanfor Exchange 2010

Mail Security provides comprehensive contentfiltering for messages and attachment content.It supports more than 300 attachment types.Mail Security lets you create the contentfiltering rules that apply to SMTP inbound andoutbound mails and the Exchange InformationStore. Content filtering rules let you filtermessages for attachment names, attachmentcontent, specific words, phrases, subject lines,and senders or recipients. Mail Security providespre-cooked match list and let you define yourown matchlist. You can also set content filteringrules for attachment size.

Support for filtering contents inExchange 2010

Web links are provided in the product installerthat assist and guide you to troubleshoot thefailures that are encountered during installation.These links provide more information about thefailure or a similar failure and the resolutionsteps and recommendations.

Troubleshooting installation issues withcommon error dialog

Introducing Symantec Mail Security for Microsoft ExchangeWhat's new in Mail Security

18


DescriptionFeature

■ Through AntiSpam processing

Mail Security version 6.5 has a provision toreduce the processing time that is requiredfor processing AntiSpam. The Fastpassfeature conserves resources by providing atemporary exemption from spam scanningfor senders with a demonstrated history ofsending no spam messages. Thus senderswith the best local reputation are exemptedfrom spam scanning. Mail Securityautomatically collects local senderreputation data to support Fastpassdeterminations and regularly re-evaluatesthe senders that are granted a pass.

■ By turning off performance counters forlogging

Mail Security version 6.5 lets you configureperformance counters for logging. By default,this counter is enabled. However, to improveMail Security's scanning performance, theseperformance counters for logging can beturned off by adding following registry keyand setting its value to 1.

Registry key for 32-bit platform:HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server\TurnOffPerfCounters

Registry key for 64-bit platform:HKEY_LOCAL_MACHINE\ SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Server\TurnOffPerfCounters

Restart Mail Security service after settingthis registry key.

Performance improvements

Note:Mail Security 6.5 does not support Windows 2000 and Exchange Server2000.

Components of Mail SecurityTable 1-2 lists the components of Mail Security.

19Introducing Symantec Mail Security for Microsoft ExchangeComponents of Mail Security

Table 1-2 Product components

Location on the productCD

DescriptionComponent

\SMSMSE\Install\This software protects yourExchange servers fromthreats (such as viruses anddenial-of-service attacks),security risks (such asadware and spyware). It alsodetects spam email messagesand unwanted emailattachments.

Symantec Mail Security forMicrosoft Exchange

\ADMTOOLS\LUA\This utility lets you configureone or more intranet FTP,HTTP, or LAN servers to actas internal LiveUpdateservers. LiveUpdate letsSymantec products downloadprogram and definition fileupdates directly fromSymantec or from aLiveUpdate server.

For more information, seethe LiveUpdateAdministratordocumentation on the MailSecurity product CD in thefollowing location:

\DOCS\LUA\

LiveUpdate™ AdministrationUtility

Introducing Symantec Mail Security for Microsoft ExchangeComponents of Mail Security

20

Table 1-2 Product components (continued)

Location on the productCD

DescriptionComponent

\ADMTOOLS\DISThis utility lets Mail Securityforward infected messagesand messages that containcertain types of violationsfrom the local quarantine tothe Central Quarantine,which acts as a centralrepository.

For more information, seethe Symantec CentralQuarantine Administrator'sGuide on the Mail Securityproduct CD in the followinglocation:

\DOCS\DIS\CentQuar.pdf

Symantec CentralQuarantine

\ADMTOOLS\Mgmt_PackThis component lets youintegrate Symantec MailSecurity for MicrosoftExchange events withMicrosoft OperationsManager 2005 (MOM).Pre-configured ComputerGroups, Rule Groups, andProviders are automaticallycreated when you import themanagement pack. Theserules monitor specificSymantec Mail Security forMicrosoft Exchange eventsin the Windows Event Logand the WindowsPerformance Monitor.

For more information, seethe Symantec Mail Securityfor Microsoft ExchangeManagement Pack.

Mail Security for MicrosoftExchange Management Pack

21Introducing Symantec Mail Security for Microsoft ExchangeComponents of Mail Security

How Mail Security worksMail Security can scan messages and their attachments to detect the following:

■ RisksRisks are comprised of threats and security risks

■ Threats

Threats include viruses, worms, and Trojan horsesSee “Configuring threat detection” on page 107.

■ Security risksSecurity risks include adware, spyware, and malwareSee “Configuring security risk detection” on page 110.

■ SpamSee “About spam detection” on page 117.

■ Email attachment violations

■ Content filtering rule violationsSee “About filtering content” on page 133.

Mail Security takes the actions that you specify in the respective policies when aviolation is detected.

See “Manage your Exchange environment using policies” on page 23.

Mail Security contains a decomposer that extracts container files so that they canbe scanned. The decomposer continues to extract container files until it reachesthe base file or until it reaches its extraction limit. If the decomposer reaches theset limit before the base file is reached, the scanning process stops. Mail Securitythen logs the violation to the specified logging destinations, and the file is handledaccording to Unscannable File Rule.

See “Configuring rules to address unscannable and encrypted files” on page 114.

What you can do with Mail SecurityMail Security lets you do the following:

■ Manage your Exchange environment using policies

■ Scan your Exchange server for risks and violations

■ Protect against threats

■ Keep your protection up-to-date

■ Identify spam email

Introducing Symantec Mail Security for Microsoft ExchangeHow Mail Security works

22

■ Filter undesirable message content and attachments

■ Apply X-headers to messages for archiving

■ Manage outbreaks

■ Quarantine infected message bodies and attachments

■ Monitor Mail Security events

■ Generate reports

■ Send notifications when a threat or violation is detected

■ Manage single and multiple Exchange servers

Manage your Exchange environment using policiesMail Security scans email messages and their attachments for violations to policies.A policy is a set of rules that are designed to detect potential risks to your MicrosoftExchange mail system.

Mail Security contains the following policies:

Contains the rules controlling scanning limits, exceptions,and outbreak management

General

Contains the rules for detecting threats in messages andattachments with viruses, virus-like characteristics, orsecurity risks, such as adware or spyware

Antivirus

Contains the rules for the following:

■ Detecting spam

■ Allowing specified senders to bypass antispam scanning

■ Specifying the recipients whose email messages are notscanned for spam

Antispam

Contains the rules for filtering inappropriate content inmessage bodies and attachments.

Also contains file filtering rules and match the lists that letyou detect and block messages by file name and file type.

Content Enforcement

Scan your Exchange server for risks and violationsYou can keep your server protected by performing any of the following types ofscans:

23Introducing Symantec Mail Security for Microsoft ExchangeWhat you can do with Mail Security

When enabled, auto-protect scanning runs constantly and detects threatsand violations in real-time. Auto-protect scanning applies to all policies,except antispam detection. Antispam scanning occurs continuously, inreal-time as email traffic flows through your Exchange server.

Auto-protect scans apply to everything on the Exchange server (that is,items in all public folders and mailboxes and messages that are routed byMicrosoft Exchange).

See “Configuring auto-protect scanning” on page 184.

Auto-protectscans

Manual scans run on-demand and scan public folders and mailboxes. Allpolicies apply to manual scans, except antispam. Antispam scanning occurscontinuously , in real-time as email traffic flows through your Exchangeserver.

You can specify which file folders and mailboxes to scan during a manualscan. You can also specify the content filtering rules that you want toenable for the manual scan.

See “About manual scans” on page 189.

Manual scans

Scheduled scans run unattended, usually at off-peak periods. All policiesapply to scheduled scans, except antispam. Antispam scanning occurscontinuously, in real-time as email traffic flows through your Exchangeserver.

You can specify which file folders and mailboxes to scan during a scheduledscan. You can also specify the content filtering rules that you want toenable for the scheduled scan.

See “About scheduling a scan” on page 193.

Scheduledscans

Background scanning is a scan of the message store. You can performbackground scanning during off-peak periods to enhance performance.

See “Configuring background scanning ” on page 184.

Backgroundscanning

When Mail Security detects a security risk or a violation during a scan, it takesthe action that you specify for that policy. For example, when a threat is detected,Mail Security takes the action that you specify in the Antivirus Settings policy.

See “About the types of scanning that you can perform” on page 177.

Protect against threatsSymantec engineers track reported outbreaks of threats (such as viruses, Trojanhorses, and worms) to identify new risks. After a threat is identified, informationabout the threat (a signature) is stored in a definition file. This file containsinformation to detect and eliminate the threat. When Mail Security scans for

Introducing Symantec Mail Security for Microsoft ExchangeWhat you can do with Mail Security

24

threats, it searches for these signatures. Definition files are downloaded usingLiveUpdate or Rapid Release.

See “About keeping your server protected” on page 236.

Mail Security also uses Symantec Bloodhound heuristics technology to scan forthreats for which no known definitions exist. Bloodhound heuristics technologyscans for unusual behaviors, such as self-replication, to target potentially infectedmessage bodies and attachments.

See “Configuring threat detection” on page 107.

Keep your protection up-to-dateMail Security relies on up-to-date information to detect and eliminate risks. Oneof the most common reasons computers are vulnerable to attacks is that definitionfiles are out-of-date. Symantec regularly supplies updated definition files.

Using LiveUpdate, Mail Security connects to a Symantec server over the Internetand automatically determines if definitions need to be updated. If they do, thedefinition files are downloaded to the proper location and installed. If you needa quicker response for emerging threats, you can enable Rapid Release to get themost current definitions that are available.

If your organization has both front-end and back-end Exchange servers, you mightwant to consider using Rapid Release definitions on the front-end for the fastestresponse to new threats and certified Live Update definitions on the back-endmailbox servers.



You must have a valid license to update definitions.

See “About licensing” on page 73.

Identify spam emailSpam is unsolicited bulk email, which most often advertises messages for a productor service. It wastes productivity, time, and network bandwidth.

Symantec Premium AntiSpam provides continuous updates to the premiumantispam filters to ensure that your Exchange server has the most current spamdetection filters that are available.

See “How to detect spam using Symantec Premium AntiSpam” on page 120.


See “Configuring whitelists” on page 119.

You must have a valid Symantec Premium AntiSpam license to enable SymantecPremium AntiSpam.


Filter undesirable message content and attachmentsMail Security lets you filter undesirable content using the following features:

Mail Security lets you create content filteringrules that apply to SMTP inbound and SMTPoutbound mail and the Exchangeinformation store. Content filtering rules letyou filter messages for attachment names,attachment content, specific words, phrases,subject lines, and senders. Mail Securitytakes the action that you specify in the rulewhen it detects a violation.

See “What you can do with content filteringrules” on page 155.

Content filtering rules

Mail Security lets you use file filtering rulesto filter email messages based on attachedfile names or file types, such as multimediaor executable files.

Mail Security uses file filtering rules toenforce email attachment policies. MailSecurity provides the following pre-definedfile filtering rules: File Name Rule,Multimedia File Rule, and Executable FileRule. These rules let you block attachmentsby file name and type. You can customizethe File Name Rule by associating it with amatch list to block attachments with specificnames included in the match list.

Mail Security handles file filtering violationsaccording to the action that you configurefor the rule. Mail Security can notifyadministrator and senders (internal andexternal) of file filtering violations. You cancustomize the notification message.

See “How to enforce email attachmentpolicies” on page 159.

File filtering rules


26

Mail Security uses match lists to filter emailmessages and attachments for specificwords, terms, and phrases. In order toimplement a match list, you must associateit with a content or file filtering rule. Whenthe rule is applied to scan messages, it alsoscans for the terms in the match list.

Mail Security provides pre-configured matchlists for use with the File Name Rule or withcontent filtering rules. You can create newmatch lists and delete or edit words in anexisting match list. Match lists supportliteral strings, DOS wildcard-styleexpressions, or regular expressions.

See “About regular expressions” on page 172.

See “About DOS wildcard style expressions”on page 171.

See “Managing match lists” on page 168.

You can also use match lists to help manageoutbreaks.

See “About outbreak management”on page 201.

Match lists

Apply X-headers to messages for archivingMail Security lets you apply X-headers to email messages that contain contentfiltering rule violations or are spam or suspected spam. The X-headers can beused by Symantec Enterprise Vault™ to search for and retrieve messages that arearchived in the vault. Enterprise Vault is a data warehouse that provides secure,centralized archiving and retrieval of information.

Note: X-headers can only be applied to SMTP transported email messages.X-headers cannot be applied to messages that are scanned in the message store.

Mail Security provides default X-headers that are commonly used by EnterpriseVault. You can modify the default X-headers, or you can create your own. You canapply up to 25 X-headers for a single violation.

When a message triggers one or more violations and the disposition for any ofthe violations is to delete the message, no X-headers are applied. For example, amessage is identified as spam, and the disposition is to reject the message. NoX-header is applied to the message.


Table 1-3 describes how Mail Security handles multiple content filtering violationsbased on where the violations occur within the message.

Table 1-3 How X-headers are applied for multiple violations

ExamplesWhich X-headers areapplied

Scenario

A single message violates acontent filtering rule formessage body and a separatecontent filtering rule forsubject. Mail Security appliesthe X-headers that youspecify for the message bodyrule and the X-headers thatyou specify for the subjectrule.

In this example, the messagecan have up to 50 X-headersapplied to it (up to 25X-headers for the messagebody violation and up to 25X-headers for the subjectviolation).

Mail Security appliesX-headers for each rule thatis violated for each messagepart.

Message parts include:

■ Message body

■ Subject

■ Sender

■ Attachment name

■ Attachment content

Multiple violations indifferent parts of a message

A message triggers violationsfor two different attachmentcontent rules. Mail Securityonly applies the X-headersfor first rule that wasviolated.

Note: X-headers are appliedto the message even whenthe disposition is to deletethe attachment but not themessage body.

When a message triggersmultiple violations for thesame message part, MailSecurity applies only theX-headers that you specifyfor the first rule that istriggered.

Multiple violations for thesame message part

See “Processing spam messages” on page 124.

See “About creating a content filtering rule” on page 135.

Manage outbreaksAn outbreak occurs when the number of threats to the Microsoft Exchange systemthat are detected over a period of time exceeds a specified limit. Mail Security lets


28

you manage outbreaks quickly and effectively by setting outbreak rules andsending notifications when an outbreak is detected.

You can also select an action to take when an outbreak is detected, such as thefollowing:

■ Delete the entire message

■ Delete the attachment or message body

■ Quarantine the attachment or message body

■ Log the event

■ Add Tag to the beginning of the subject line

You can set rules to define an outbreak based on event. For example, the samethreat occurs a specified number of times within a specified time period. You canalso configure Mail Security to send notifications and alerts in the case of anoutbreak.

See “About outbreak management” on page 201.

Quarantine infected message bodies and attachmentsMail Security for Microsoft Exchange includes a local quarantine that can storeinfected message bodies and attachments that are detected during scans. You canconfigure Mail Security to quarantine threats and security risks, and file filteringviolations in the local quarantine.

Quarantined items that contain threats can be forwarded to the Symantec CentralQuarantine, if it is installed. The Symantec Central Quarantine program is availableon the Mail Security product CD.

See “About the quarantine” on page 95.

Monitor Mail Security eventsMail Security logs events to the Windows Application Event Log. You can viewevents that are logged to the Windows Application Event Log from the console.

See “Viewing the Mail Security Event log” on page 212.

Mail Security logs extensive report data on threats, security risks, violations,spam, and server information to the reports database. You can use this data togenerate summary or detailed reports based on different subsets of the data.

See “About logging events” on page 211.

See “Creating or modifying a Summary report template” on page 218.

See “Creating or modifying a Detailed report template” on page 223.


Generate reportsMail Security collects and saves scan data on your Exchange servers. You cancreate reports from the data, which gives you a history of risk detection activityand filtering violations. You can create a report for an individual server, or youcan create a single Summary report that consolidates data for all of the serversin a server group.

See “Configuring the initial set up of the report consolidation feature” on page 227.

Report templates let you define a subset of the raw report data that is collectedby Mail Security for a single server. Report templates can include differentcategories or combinations of security-related statistics.

You can create different report templates to describe different subsets of the rawreport data. After you create a report template, you use it to generate reports.

Mail Security provides two pre-configured report templates that you can modify.You can also create your own report templates. When you create or modify areport template, Mail Security provides a wizard to guide you through theconfiguration process.

The types of report templates that you can create are as follows:

■ SummarySee “Creating or modifying a Summary report template” on page 218.

■ DetailedSee “Creating or modifying a Detailed report template” on page 223.

Send notifications when a threat or violation is detectedMail Security provides several options for notifying administrators, internalsenders, and email recipients of threats and violations.

Mail Security lets you define the conditions in which to send an alert. You canalso customize the alert message text for each alert condition that you define.



See “Configuring notification settings for scan violations” on page 200.

Manage single and multiple Exchange serversMail Security can protect one or more Exchange servers. If your organization hasmultiple Exchange servers, you can manage all of the servers from the sameconsole that you use to manage a single server. By switching between server viewand group view, you can manage the configuration settings for individual servers,


30

a logical grouping of servers (such as all front-end servers), or all servers in aspecific location.

See “About managing your Exchange servers” on page 79.

Where to get more information about Mail SecurityMail Security includes a comprehensive help system that contains conceptual,procedural, and context-sensitive information.

Press F1 to access information about the page on which you are working. If youwant more information about features that are associated with the page, select aMore Information link in the Help page, or use the Table of Contents, Index, orSearch tabs in the Help viewer to locate a topic.

You can visit the Symantec Web site for more information about your product;the following online resources are available:

■ Provides access to the technical support Knowledge Base, newsgroups, contactinformation, downloads, and mailing list subscriptionswww.symantec.com/techsupp/ent/enterprise.html

■ Provides information about registration, frequently asked questions, how torespond to error messages, and how to contact Symantec LicenseAdministrationwww.symantec.com /licensing/els/help/en/help.html

■ Provides product news and updateswww.symantec.com/enterprise/index.jsp

■ Provides access to the Threat Explorer, which contains information about allknown threatswww.symantec.com/enterprise/security_response/threatexplorer/azlisting.jsp

31Introducing Symantec Mail Security for Microsoft ExchangeWhere to get more information about Mail Security

http://www.symantec.com/techsupp/ent/enterprise.html

http://www.symantec.com/licensing/els/help/en/help.html

http://www.enterprisesecurity.symantec.com

http://www.symantec.com/enterprise/security_response/threatexplorer/azlisting.jsp

Introducing Symantec Mail Security for Microsoft ExchangeWhere to get more information about Mail Security

32

Installing Symantec MailSecurity for MicrosoftExchange


■ Before you install

■ System requirements

■ Installation options

■ Post-installation tasks

■ Uninstalling Mail Security

Before you installEnsure that you meet all system requirements before you install Mail Security.Select the installation plan that best matches your organization's needs, andensure that you have met the pre-installation requirements.

See “System requirements” on page 39.

See “Installation options” on page 42.

See “Uninstalling Mail Security” on page 70.

Install Mail Security on all of the following server roles in your organization:

■ Edge Transport servers, if available

■ Hub Transport servers

■ Mailbox servers

2Chapter

You must uninstall and reinstall the product if you change the server role onwhich Mail Security is installed.

Mail Security automatically installs custom transport agents when you install theproduct on Hub Transport or Edge Transport servers. The Mail Security transportagents consist of an antispam transport agent and an antivirus transport agent.By default, the Mail Security transport agents are installed with a lower prioritythan the Exchange transport agents. If you modify your transport agent priorities,ensure that the Mail Security transport agents remain a lower priority than theExchange transport agents.

Do the following before you install the product:

■ If you are running Symantec Brightmail™ AntiSpam on the same server onwhich you want to install Mail Security, you must uninstall SymantecBrightmail AntiSpam before you install Mail Security. It is recommended thatyou not run Mail Security on the same server as Symantec BrightmailAntiSpam.

■ If you are using the optional email tools feature of Symantec EndpointProtection (SEP) or Symantec AntiVirus™ Corporate Edition (SAV-CE), youmust uninstall the feature before you install Mail Security. These email toolsare not compatible with Mail Security or Microsoft Exchange.

■ If you are running any antivirus software that is on the server on which youwant to install Mail Security, you must disable it before you install MailSecurity.After installation but before you re-enable the antivirus protection, configureyour other antivirus programs to exclude certain folders from scanning.See “About using Mail Security with other antivirus products” on page 68.

■ Log on as a Windows domain administrator to install Mail Security componentscorrectly.See “Software component locations” on page 35.

■ Modify your screen resolution to a minimum of 1024 x 768. Mail Security doesnot support a resolution less than 1024 x 768.

■ Configure the default receive connector for the Exchange Hub Transport serverto permit connections from anonymous users.

Before you install Mail Security on Exchange 2010 mailbox role, you must specifya domain user account. The domain user account must fulfill the following criteria.

■ Mail Security uses the domain user account as a service account and thisaccount must have a mailbox.

■ The user must be a member of Organization Management group under theMicrosoft Exchange Security Groups Organizational Unit.

Installing Symantec Mail Security for Microsoft ExchangeBefore you install

34

■ By default, Organization Management group is a member of the localAdministrators group on all the exchange servers in the organization. If not,then add the user to the local Administrators group.

■ You may use different user account for installations of Mail Security on otherExchange 2010 mailbox servers within that domain for better performance.

■ When the user updates the password, the same password must be provided tothe Mail Security Service on all Exchange 2010 mailbox role servers.

Note: While installing Mail Security on local Exchange 2010 Mailbox server, inthe Logon Information screen, specify the domain user credentials in the Username and Password fields. Mail Security provides this user account ApplicationImpersonation and Logon as service rights.

Ensure that the following IIS Role Service components are installed when youinstall Mail Security on Windows Server 2008 for Exchange 2010 and 2007 servers.This installation is applicable for both remote installation and local installation.

■ Application Development - ASP.NET

■ Security - Windows Authentication, Basic Authentication, DigestAuthentication

■ Management Tools - IIS management console, IIS 6 Scripting Tools

Software component locationsTable 2-1 lists the default locations in which Mail Security installs softwarecomponents.

Table 2-1 Software component locations

LocationComponent

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server

Mail Security program files

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \Quarantine

Quarantined items in encrypted format

Note: Configure all antivirus file system scanners to excludethe quarantine directory from scanning. The systemscanners might try to scan and delete Mail Security filesthat are placed in the quarantine directory.

35Installing Symantec Mail Security for Microsoft ExchangeBefore you install

Table 2-1 Software component locations (continued)

LocationComponent

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \Reports

Reporting data

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \Reports\<reportname>

Data files for reports that are generated

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \Reports\Templates

Report templates

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \MatchLists

Match list files

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \SpamPrevention

Allowed senders files and Symantec Premium AntiSpamconfiguration files

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \Temp

Location where Mail Security scans items

Note: Configure all antivirus products that scan files toexclude the Temp directory from scanning. The systemscanners might try to scan and delete Mail Security filesthat are placed in the Temp directory during the scanningprocess.

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \bin

Dynamic-link libraries for Symantec Premium AntiSpam

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \Config

Manual and scheduled scan mailbox configuration data

C:\Program Files(x86)\Symantec\SMSMSE\6.5\Server \etc

Configuration files for allowed and blocked senders forSymantec Premium AntiSpam

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \logs

Component logs for Symantec Premium AntiSpam


36


LocationComponent

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \stats

Statistical information on the effectiveness of SymantecPremium AntiSpam rules

C:\Program Files (x86)\Symantec\CMaF\2.1

Console files

C:\Program Files (x86)\Symantec\LiveUpdate

Component to update virus definitions

Windows Server 2003 (x64)- C:\Program Files(x86)\CommonFiles\SymantecShared\SymcData\virusdefs32

Definitions

C:\ProgramData\SymantecShared\Licenses

This license file location onlyapplies to Windows Server2008.

C:\Program Files (x86)\Common Files\SymantecShared\Licenses

License files

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Verity\bin

Verity content extraction component

C:\Program Files(x86)\Symantec\CMaF\2.1\bin

Mail Security Web service components

C:\Program Files(x86)\Symantec\SMSMSE\6.5\Server \Policies

Content filtering rules

C:\Program Files(x86)\Symantec\SMSMSE\6.5\Server\ScanJobs

Scan job configuration

37Installing Symantec Mail Security for Microsoft ExchangeBefore you install


LocationComponent

C:\Program FilesSymantec Mail Security Management ServiceComponent(x86)\Symantec\SMSMSESPC\1.0

About security and access permissionsMail Security automatically creates the following user groups and assigns themaccess when you install the product:

Permits read and write access to all MailSecurity components and features.

Users in this group can change settings forMail Security through the console.

The user who installs Mail Security isautomatically added to the SMSMSE Adminsgroup.

SMSMSE Admins

Permits read-only access to Mail Securitycomponents and features.

Users in this group cannot change settingsfor Mail Security. Users can view reports,event logs, and settings throughconsole-only installations.

See “Installing the Mail Security console”on page 47.

SMSMSE Viewers

The user groups are domain-wide for Active Directory. You can use the ActiveDirectory Users and Computers Microsoft Management Console (MMC) snap-into change membership in the groups.

Users must be designated in one of the SMSMSE user groups to access the product.For example, administrators who are not in one of the SMSMSE user groups arenot granted access to Mail Security. Adding a user to the SMSMSE Admins groupdoes not automatically grant the user Windows Local Administrator, WindowsDomain Administrator, or Exchange administrator rights.

Security is also set for the Mail Security registry key and file folders during thesecurity set-up process. You must have administrator access to the local serversand domain administrator rights for the security set-up to proceed.


38

System requirementsEnsure that you meet the appropriate system requirements for the type ofinstallation that you are performing.

If you do not have Internet connection on your system, then installing MailSecurity may take a long time to complete. Mail Security tries to examine thecertificate revocation list (CRL) to verify the code signing certificate each timethat Mail Security compiles an assembly into managed code. When Mail Securityis not connected to the Internet, each CRL request may time out before theinstallation can continue and increases the installation time.

To reduce installation time

1 Start Internet Explorer.

2 On the Tools menu, click Internet Options.

3 Click the Advanced tab, and then locate the Security section.

4 Uncheck Check for publisher’s certificate revocation and then click OK.

5 After the installation is complete, check Check for publisher’s certificaterevocation.

Note: The Check for publisher's certificate revocation option is set on aper-account basis.


Server system requirementsYou must have domain administrator-level privileges to install Mail Security.

The server system requirements are as follows:

The operating system requirements for Microsoft Exchange 2010 are asfollows:

■ Windows Server 2008 with SP2 (64-bit) Standard or Enterprise Edition

■ Windows Server 2008 R2 (64-bit) Standard or Enterprise Edition

The operating system requirements for Microsoft Exchange 2007 are asfollows:

■ Windows Server 2008 with SP1or later (64-bit) Standard or EnterpriseEdition

■ Windows Server 2003 with SP2 (64-bit) Standard or Enterprise Edition

■ Windows Server 2003 R2 (64-bit) Standard or Enterprise Edition

Operatingsystem

39Installing Symantec Mail Security for Microsoft ExchangeSystem requirements

■ Exchange Server 2007 SP1/SP2

■ Exchange Server 2010

Exchangeplatform

■ x64 architecture-based processor that supports Intel Extended Memory64 Technology (Intel EM64T)

x64 architecture-based computer with AMD 64-bit processor thatsupports AMD64 platform

■ Only for Exchange 2007 Mailbox server role, Exchange Server MAPIclient and Collaboration Data Objects 1.2.1

■ 1 GB of memory for Mail Security besides the minimum requirementsfor the operating system and Exchange. Approximately 4GB or moreof memory is required.

■ 500-MB disk space is required for Mail Security. This space does notinclude disk space required for items such as quarantined messagesand attachments, reports, and log data.

■ .NET Framework version 2.0

■ MDAC 2.8 or higher

■ DirectX 9 or higher

■ Microsoft Internet Information Services (IIS) Manager

■ Only for Exchange Server 2010, Microsoft .NET Framework 3.5 andMicrosoft Windows Powershell 2.0

Minimumsystemrequirements

Ensure that the components.NET Framework, MDAC, and DirectX are installedbefore you install Mail Security.

Adobe Acrobat Reader is not a requirement to install and run Mail Security.However, it is required to view the reports that are generated in .pdf format. Youcan download Adobe Acrobat Reader from www.adobe.com.

See “Installing Mail Security on a local server” on page 43.

See “Silently installing Mail Security using an automated installation tool”on page 52.

See “About installing Mail Security on remote servers” on page 48.

See “About installing Mail Security in a Microsoft Cluster” on page 53.

Console system requirementsYou can install the Mail Security console on a computer on which Mail Securityis not installed. The console system requirements are as follows:

Installing Symantec Mail Security for Microsoft ExchangeSystem requirements

40

http://www.adobe.com

Table 2-2 Console system requirements

Minimum system requirements64-bit32-bitOperating system

■ 512 MB RAM

■ 162 MB available disk space

This does not include the space requiredfor items such as quarantined messagesand attachments, reports, and log data.

■ .NET Framework version 2.0

Ensure that .NET Framework is installedbefore you install Mail Security.

■ Microsoft Internet Information Services(IIS) Manager is required only to installMail Security Console on a 64-bit operatingsystem.

YesYesWindows Server2003

YesYesWindows Server2003 R2

NoYesWindows XP

YesYesWindows Vista

YesYesWindows Server2008

YesYesWindows Server2008 R2

YesYesWindows 7

Adobe Acrobat Reader is not a requirement to install and run the Mail SecurityConsole. However, it is required to view the reports that are generated in .pdfformat. You can download Adobe Acrobat Reader from www.adobe.com.

See “Installing the Mail Security console” on page 47.

Port requirementsSymantec Mail Security for Microsoft Exchange scans SMTP mail traffic thatpasses through Exchange servers on port 25. Mail Security does not interact withMAPI or any other mail protocols, such as POP3 on port 110 or IMAP on port 143.

Some of the components of Mail Security require certain ports for communication.

Table 2-3 lists the ports that Mail Security components use by default.

Table 2-3 Ports used by Mail Security components

PurposeProcessPortMail Securitycomponent

Frequent antivirusdefinition updates

ftp.exe21Rapid ReleaseDefinitions

Continuous PremiumAntiSpam updates

Conduit.exe443Conduit

41Installing Symantec Mail Security for Microsoft ExchangeSystem requirements

http://www.adobe.com

Table 2-3 Ports used by Mail Security components (continued)

PurposeProcessPortMail Securitycomponent

Consolecommunications

Process ID: 0 or 4(System)

8081DEXL Service

Reporting databaseCmafReportSrv.exe58081CmafReportSrv

Note: If Symantec Premium AntiSpam is enabled, ensure that you open port 443on the firewall for bi-directional traffic to aztec.brightmail.com. If SymantecPremium AntiSpam is not licensed and enabled, Mail Security will not initiateactivity on port 443. Similarly, if the optional Rapid Release feature is not enabled,Mail Security will not initiate activity on port 21.

The port used for communication with Mail Security Console can be configuredduring installation or at any time after the installation. Activity will only be seenon these ports when using the console to administer a remote server.

Note: There are no port conflicts or incompatibility between Mail Security andSymantec Endpoint Protection 11.x or the Symantec Endpoint Protection Manager.

Installation optionsUse any of the following installation procedures, depending on the type ofinstallation that you want to perform:

You can install or upgrade Mail Security on a local computer thatis running the Microsoft Exchange server.

See “Installing Mail Security on a local server” on page 43.

Local server

You can install Mail Security on remote servers through the productconsole.


Remote server

You can install the product console on a computer that is notrunning Mail Security. This lets you manage your servers from anycomputer that has access to your Exchange servers.

See “Installing the Mail Security console” on page 47.

Console

Installing Symantec Mail Security for Microsoft ExchangeInstallation options

42

You can install Mail Security using automated installation tools.

See “Silently installing Mail Security using an automatedinstallation tool” on page 52.

Silent/automatedinstallation

You can install Mail Security in a Microsoft Cluster environment.

See “About installing Mail Security in a Microsoft Cluster”on page 53.

Microsoft clusterserver

You can install Mail Security in a Veritas cluster environment.

See “About installing Mail Security on a Veritas Cluster Server”on page 58.

Veritas cluster server

Installing Mail Security on a local serverEnsure that you have met the system requirements before you begin theinstallation process.


Note: Symantec automatically installs MSXML 6.0 during installation if theinstaller does not detect this component.

You must be logged on as a member of the administrator group on the localcomputer and have domain administrator privileges on the computer on whichyou want to install Mail Security.

Computers must support 8dot3 formatted filenames for all NTFS file systems.

To install Mail Security on a local server, do the following:

You can use the installation wizard to guide you though theinstallation process of selecting the product installation folderlocation and the type of installation that you want to perform.

You can choose to retain your existing settings or use the newdefault settings if you are upgrading from a prior version of MailSecurity.

When Mail Security detects a prior version of the product, itautomatically uninstalls the prior version and then installs the newversion.

Begin the installationprocess

You can specify if you want to automatically restart the ExchangeTransport Service after installation, specify the Web service set-upvalues, designate an email notification address and SMTP serveraddress, and review your setup configurations.

Configure additionalsetup options andconfirm settings

43Installing Symantec Mail Security for Microsoft ExchangeInstallation options

You can install your licenses during installation.


If you install a valid license, Mail Security lets you perform aLiveUpdate to obtain the most current definitions.


Install your licenses

To begin the installation process

1 Insert the Mail Security product CD in the CD-ROM drive.

The installation program launches automatically. If it does not, run cdstart.exefrom the product CD.

2 Click Install Symantec Mail Security for Microsoft Exchange.

3 In the InstallShield welcome panel, click Next.

4 Click Next until you reach the License Agreement panel.

5 In the License Agreement panel, click I accept the terms in the licenseagreement, and then click Next.

You must accept the terms of the license agreement for the installation tocontinue.

6 In the Existing Settings panel, select one of the following:

Retains the existing settings that aresupported for migration to the newversion.

This is the default setting.

Retain existing settings

Installs the product with the defaultsettings, as if you were installing MailSecurity for the first time.

Install with default settings

This panel only appears if you are upgrading from a prior version of MailSecurity.

7 In the Destination Folder panel, do one of the following:

■ To install the product in the default location, click Next.

The default directory is as follows:

C:\Program Files (x86)\Symantec\

■ To install the product in a different location, click Change, select thelocation of the installation folder, click OK, and then click Next.


44

Mail Security does not support directory names that contain multi-bytecharacters. If you intend to use the Symantec Premium AntiSpam, youcannot install the product to a directory whose name contains high ASCIIcharacters.

8 In the Setup Type panel, click Complete, and then click Next.

9 In the Symantec Endpoint Protection or Symantec AntiVirus Corporate EditionUsers warning dialog box, click OK.

To configure additional setup options

1 In the Exchange Transport Service Reset Options panel, click Next to acceptthe default setting to automatically restart the Exchange Transport Serviceafter installation.

If you choose not to automatically restart the Exchange Transport Serviceafter installation, you must do so manually. Otherwise, Mail Security will notfunction properly.

2 In the Web Service Setup panel, do one of the following:

■ Click Next to accept the default values.

■ Modify the following settings, and then click Next:

By default, the computer name resolves to the primary externalnetwork identification card (NIC). You can also use an IP address.

The IP address validates the availability of the port.

IP/Name

By default, port 8081 is the port number for the Web service thatis used by Mail Security. A different default port number appearsif port 8081 is being used by another application.

Use a port number that is not used by another application if youchange the port number. You should not use port 80. Port 80 isthe port number that is used by the default Web service, whichis hosted by IIS.

Port #

3 In the Notification Email Address panel, do one of the following to specifythe email address from which email notifications are sent and to whichnotifications to the administrator are sent:

■ Click Next to accept the default value.The default value is: Administrator

■ Modify the originator email address, and then click Next.The Edge Transport server does not have access to Active Directory, soabbreviated email addresses cannot be resolved. If you are installing Mail


Security on the Edge Transport server role, type a fully qualified emailaddress (for example, [email protected]).

You can modify the address after installation is complete.


4 In the SMTP Server Host panel, specify the SMTP server address for sendingemail messages.

If you are installing Mail Security on a Mailbox server only, you must specifya SMTP Transport server address. The Hub Transport server and EdgeTransport server contain an SMTP transport that can receive email.

The default server address is as follows: localhost.

5 In the Setup Summary panel, review the information, and then click Next.

If you need to make any modifications, click Back to return to the appropriatepanel.

6 In the Ready to Install the Program panel, click Install.

To install a license and update definitions

1 In the Install Content License File panel, do one of the following:

Do the following:

■ Click Browse, locate the license file, and then clickOpen.

■ Click Install, and in the confirmation dialog box,click OK.

■ Click Next.

To install a license file

Click Skip, and then click Next.


To install a license file laterthrough the console

2 In the LiveUpdate panel, do one of the following:

Click Yes, and then click Next.

In the LiveUpdate Options window, click Start.

When LiveUpdate is complete, click Close.

To perform a LiveUpdate

Click No, and then click Next.


To perform a LiveUpdate at alater time

This panel only appears if you installed a valid license.


46

3 Click Finish.

The option “Show the readme file” is checked by default. The Readme filecontains information that is not available in the product documentation.

A Mail Security icon is placed on the computer desktop when installation iscomplete.

4 In the User Credential Refresh Required panel, click OK.

5 Log off and log on again.

See “Post-installation tasks ” on page 63.

Installing the Mail Security consoleThe Mail Security console is a Windows application. The console lets you managelocal and remote installations of Mail Security from a single computer. You caninstall and use the console on a computer on which Mail Security is not installed.This lets you manage Mail Security from a convenient location.

Ensure that you meet the system requirements before you install the console.

See “Console system requirements” on page 40.

A Mail Security icon is placed on the computer desktop when installation iscomplete.

To install the Mail Security console

1 Insert the Mail Security product CD in the CD-ROM drive.

The installation program launches automatically. If it does not, run cdstart.exefrom the Mail Security product CD.

2 Click Install Multiserver Console.

If the installation program detects that you have Windows XP or that thereis no version of the Exchange server installed, the installation programdefaults to console only installation options.

3 Click Next until you reach the License Agreement panel.

4 In the License Agreement panel, check I accept the Terms in the licenseagreement, and then click Next.

5 In the Destination Folder panel, do one of the following:

■ To install the product in the default location, click Next.

The default destination directory is as follows:C:\Program Files (x86)\Symantec\


■ To install the product in a different location, click Change, select thelocation of the installation folder, click OK, and then click Next.

Mail Security does not support directory names that contain multi-bytecharacters. If you intend to use the Symantec Premium AntiSpam service,you cannot install the product to a directory whose name contains highASCII characters.

6 Click Next until you reach the Notification Email Address panel.

7 In the Notification Email Address panel, do one of the following to specifythe email address from which email notifications are sent and to whichnotifications to the administrator are sent:

■ Click Next to accept the default value.The default value is: Administrator

■ Modify the originator email address, and then click Next.The Edge Transport server does not have access to Active Directory, soabbreviated email addresses cannot be resolved. If you are installing MailSecurity on the Edge Transport server role, type a fully qualified emailaddress (for example, [email protected]).

You can modify the address after installation is complete.


8 In the Setup Summary panel, review the information, and then click Next.

If you need to make any modifications, click Back to return to the appropriatepanel.

9 Click Finish.

The option “Show the readme file” is checked by default. The Readme filecontains information that is not available in the product documentation.

10 In the User Credential Refresh Required panel, click OK.

11 Log off and log on again.


About installing Mail Security on remote serversAfter you install Mail Security on a local server or install the console, you caninstall the Mail Security server component on remote servers.

Review the pre-installation information and system requirements before youinstall the product on remote servers.

See “Before you install” on page 33.


48


To install Mail Security on remote servers, do the following:

■ Customize installation settings, if needed.

Remote servers are installed with default installation settings. If you want tocustomize the installation settings and apply them to a remote server, you canadd the custom features to the vpremote.dat file.See “Customizing remote server installation settings” on page 49.

■ Install Mail Security on remote servers.See “Installing Mail Security on a remote server” on page 51.

Note: Installing Mail Security remotely on cluster servers is not recommendedfor Exchange 2007 cluster, but is supported on Exchange 2010 DAG setup.

Customizing remote server installation settingsThere may be cases in which you want to customize the installation of Mail Securityon a remote Exchange server. For example, you might want to change the followingsettings:

■ Installation location

■ Default email address for notifications

■ Stop/start of IIS

Table 2-4 lists the remote customization options that you can modify.

Table 2-4 Remote customization options

Optional valueDefault valueDescriptionProperty

(Email address ofdomainadministrator)

N/AServes as the address of thedomain administrator for the“Address of sender” and“Administrator and others tonotify” Notification/Alertsettings.

EMAIL ADDRESS=

RestoreRetainControls whether to retain aprevious version's settingsor apply the default settingsof the new version.

EXISTINGSETTING GROUP=


Table 2-4 Remote customization options (continued)

Optional valueDefault valueDescriptionProperty

NoYesControls whether to stop andrestart Microsoft ExchangeTransport Service duringinstallation. This setting isonly available if theExchange Transport Serviceis installed.

IIS_RESET

(Any valid path)\Program Files(x86)\Symantec\CMaF\2.1\

Serves as the default productinstallation directory.

INSTALLDIR=

(Any valid port)8081Serves as the port that isused by the product for Webservices.

PORTNUMBER=

(Any valid host)localhostServes as the host throughwhich notifications are sentusing SMTP.

SMSMSE_SMTP_SERVER_HOST

Set to 1 to performa consoleinstallation.

0Specifies that installationshould be for the consoleonly.

CONSOLE_ONLY

Set to 1 to performa silentinstallation.

0Controls whether the consoleappears during installation.

REMOTEINSTALL

Set to voums toperform a silentinstallation.

N/AControls the mechanism forre-install.

REINSTALLMODE

Set to 1 to performa silentinstallation.

ALLControls what features toinstall during re-install.

REINSTALL

Warning: The following entry should not be changed: {setup.exe /s /v"

NOT_FROM_ARP=1 REMOTEINSTALL=ALL REINSTALLMODE=voums REINSTALL=ALL”}.You can append the entry. For example, setup.exe /s /v" NOT_FROM_ARP=1

REMOTEINSTALL=1 REINSTALLMODE=voums REINSTALL=ALL PORTNUMBER=1010”


50

To customize remote server installation settings

1 Locate the folder that contains the Mail Security console files. The defaultlocation is as follows:

\Program Files (x86)\Symantec\CMaF\2.1\bin\Products\SMSMSE\6.5\RemoteInstall Files\vpremote.dat

2 Using WordPad or a similar tool, open the following file:

vpremote.dat

3 Insert one or more properties by doing the following:

■ Type a space after the previous or existing entry inside the quotationmarks.

■ Type the new property.

The property portion of each entry is case sensitive.

■ Type the value immediately after the = sign with no space.

The values are not case sensitive.

For example, to specify a silent installation, the entry would appear as follows:

{setup.exe /s /v" NOT_FROM_ARP=1 REMOTEINSTALL=1

REINSTALLMODE=voums REINSTALL=1”}

Installing Mail Security on a remote serverDuring remote installation, the Windows Login screen prompts you to provideadministrator or domain user credentials. The domain user must fulfill allpre-requisites before installing on a remote server. See “Before you install”on page 33.

When installation is complete, a Mail Security icon is placed on the computerdesktop.

You should not use the remote installation procedures if you are installing theproduct on cluster server nodes.

See “About installing Mail Security in a Microsoft Cluster” on page 53.

To install Mail Security on a remote server

1 In the console on the toolbar, click Assets.

2 In the Asset Management window, in the sidebar under Tasks, clickInstall/Upgrade server(s).


3 In the Select Server(s) window, in the Servers and server groups list, highlightone or more servers and click the >> command icon.

4 Under Server options, check Keep installation files on server(s) to maintainthe installation files on the server.

5 Check Send group settings to apply group settings.

If unchecked, existing server settings are retained. Future changes that aremade to the server group are applied to the server.

6 Click OK, and then click Close.

Note: Remote install must be performed from the computer which is part of thesame domain.


Silently installing Mail Security using an automated installation toolMail Security supports installing the product using automated installation tools,such as Microsoft Systems Management Server.

Ensure that you have met the system requirements before you perform a silentinstallation.


You can modify certain installation properties to configure Mail Securityinstallations, or you can provide command line properties during manual orautomated installation using an automated installation tool.

Modify the installation properties for Mail Security in the following file:

\Program Files (x86)\Symantec\CMaF\2.1\bin\Products\SMSMSE\6.5\RemoteInstall Files\vpremote.dat

Table 2-4 lists the customization options that you can modify.


52

To silently install Mail Security using an automated installation tool

1 Copy the installation media in its entirety to the location from whichinstallation will be launched.

For example: xcopy [Drive]:\*.* /s [DestinationDrive]

2 Launch setup.exe using the following command to initiate a silent installation:

[DestinationDrive]:\setup.exe /v"/lvx* “c:\smsmse_install.log”NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voumsREINSTALL=ALL" /s

Where "c:\smsmse_install.log" is the path of installation log file that getsgenerated during installation.

To silently install Mail Security using an automated installation tool on mailboxrole of Exchange 2010

1 Copy the installation media in its entirety to the location from whichinstallation will be launched.

For example: xcopy [Drive]:\*.* /s [DestinationDrive]

2 Launch setup.exe using the following command to initiate a silent installation:

[DestinationDrive]:\setup.exe /v"/lvx* "c:\smsmse_install.log"NOT_FROM_ARP=1 REMOTEINSTALL=1 REINSTALLMODE=voumsREINSTALL=ALL SMSMSE_RBAC_USERNAME=<username>SMSMSE_RBAC_PASSWORD=<password>" /s

where "c:\smsmse_install.log" is the path of installation log file that will begenerated during installation.

Note:Silent and remote installation on mailbox role will not start the Mail Securityservice "Symantec Mail Security for Microsoft Exchange" because the servicelogon password is not set. To start the service, you must set the service accountpassword for this service and start the service manually.

About installing Mail Security in a Microsoft ClusterYou can install Mail Security on the following types of Microsoft clusterconfigurations (these configuration types have different installation setups):

■ Single Copy Clusters (SCC)See “About installing Mail Security on a Single Copy Cluster node” on page 55.

■ Clustered Continuous Replication (CCR)See “Installing Mail Security on a Clustered Continuous Replication cluster”on page 58.


Note: Mail Security only supports clustering when the product is installed on aMailbox server role.

Install Mail Security individually on each node of the cluster when you install itin a cluster environment. The remote installation feature should not be used.

Do the following to install Mail Security in a cluster environment:

■ Ensure that your environment meets the pre-installation requirements.See “Considerations before you install on a Microsoft Exchange cluster”on page 54.

■ Install Mail Security using the procedures for your cluster configuration.See “About installing Mail Security on a Single Copy Cluster node” on page 55.See “Installing Mail Security on a Clustered Continuous Replication cluster”on page 58.

■ Configure the cluster resource if you are using a single copy clusterconfiguration only.See “Configuring the cluster resource ” on page 56.

Considerations before you install on a Microsoft ExchangeclusterTable 2-5 describes the items that you should consider before you install MailSecurity in a cluster environment.


54

Table 2-5 Cluster installation considerations

ConsiderationsConfiguration

Mail Security must be installed on all active and passivenodes of a cluster.

Only one Clustered Mailbox Server (CMS) can run on anycluster node at any time. If two CMSs try to run on the samenode, the results are undefined.

Ensure that the following requirements are met before youinstall Mail Security on an Exchange cluster with one ormore passive nodes:

■ There must be an available passive node to fail to.Multiple failovers are supported only if multiple passivenodes are available.

■ Mail Security must be installed with the sameconfiguration and in the same locations on all nodes ofthe cluster.

Mail Security checks for the presence of a clusterenvironment during installation. You are prompted toregister a cluster resource DLL(SMSMSEClusterResource.dll) if the installation is runningin a cluster environment. This DLL must be registered ononly one of the cluster nodes.

Mail Security runs on all of the nodes (even passive nodes)immediately after installation. After the first instance ofthe cluster resource is configured, the service runs on onlythe active node(s).

Single copy cluster

You do not need to configure a cluster resource for this typeof cluster.

Clustered continuousreplication

About installing Mail Security on a Single Copy Cluster nodeYou can install Mail Security on Exchange servers that are running MicrosoftSingle Copy Cluster.

Mail Security settings are stored in the registry and local hard drive of eachindividual server. The settings are duplicated on the hard drive of the sharedstorage that is used as a dependency for the Mail Security resource each timesettings are changed. The passive node checks for settings on the shared harddisk storage any time the active node goes down and control transfers to thepassive node. The settings are then downloaded to the passive node (which is nowactive) and applied.


Mail Security is Microsoft cluster aware and does not require any specific settingsprior to installing the product on a cluster with one or more passive nodes. MailSecurity requires its own cluster resource.

You must use IP addresses or names of the Clustered Mailbox Server nodes insteadof the actual server IP addresses or names for managing Mail Security throughthe console.

When the CMS group and Mail Security cluster resource move from one node toanother, the following items are not transferred:

■ Virus definitions and spam rules

■ Report database and generated reports

■ Spam statistics

■ Mailbox and public folder lists

The Mail Security quarantine is stored on the shared storage. Exclude thequarantine from all antivirus scanning. Settings are copied to the shared storagewhen you deploy your changes. Ensure there is sufficient room on the volume forthe Mail Security shared settings and quarantine.

Configure LiveUpdate to perform regularly scheduled updates on each node inthe cluster to ensure that your definitions stay current. Definitions are updatedand stored locally, not on the shared storage.

Configuring the cluster resource

Create a new resource after Mail Security is installed on each node of the cluster.This resource provides high availability by monitoring and controlling MailSecurity. Create the resource in each Clustered Mailbox Server group. You mustadd the cluster service account to the SMSMSE Admins Group before the clusterservice is restarted on the cluster nodes. The cluster service must be restarted onall the nodes of the cluster before the SMSMSE Resource is brought online. If itis not, the SMSMSE Resource may not start. For more information about how toadd a cluster service to a group, see your Microsoft server documentation.


The Mail Security service on all nodes is stopped and service startup is changedto manual as the Mail Security resource is created. This occurs because the serviceis running under the control of the Mail Security cluster resource.

The Mail Security cluster resource is responsible for all of the following tasks:

■ Handling cluster events

■ Saving Mail Security settings for each Clustered Mailbox Server to sharedstorage


56

■ Retrieving settings from shared storage and making them active on a givencluster node

■ Managing the Mail Security service

To configure the cluster resource

1 On the Windows taskbar, click Start > Programs > Administrative Tools >Cluster Administrator.

2 Select the CMS group and launch the New Resource Wizard.

3 Name the resource.

You must assign a unique name to each resource.

4 Select Mail Security for Microsoft Exchange as the resource type, and thenclick Next.

5 Choose the nodes for which the resource is being created, and then click Next.

The nodes must be the same as those on which CMS can operate.

6 Choose the dependencies for this resource.

The required dependencies are as follows:

■ Physical Disk Resource (disk on which the settings are saved)

■ CMS Network Name resource

7 Repeat steps 2 through 6 for each CMS server group.

To configure the cluster resource on Windows 2008 Server

1 On the Windows taskbar, click Start > Programs > Administrative Tools >Failover Cluster Management.

2 Right click the CMS group and select Add a resource > More resources >Add Symantec Mail Security for Microsoft Exchange.

3 Select Mail Security for Microsoft Exchange as the resource type.

4 Choose the dependencies for this resource.

The required dependencies are as follows:

■ Physical Disk Resource (disk on which the settings are saved)

■ CMS Network Name resource

5 To set dependencies and nodes, right click the resource and select Properties.

6 Under the Dependencies tab, add Physical Disk Resource and CMS NetworkName Resource.


7 Under the Advanced Policies tab, select the nodes for which the resource isbeing created

The nodes must be the same as those on which CMS can operate.

8 Select Apply and OK.

9 Repeat steps 2 through 8 for each CMS server group.

InstallingMail Security on a Clustered Continuous ReplicationclusterYou can install Mail Security on a Clustered Continuous Replication cluster.

To install Mail Security on a Clustered Continuous Replication cluster

1 Log on to a node using an Administrator account that is a member of theDomain and Local Admin groups.

2 Insert the Mail Security product CD into the CD-ROM drive.

The installation directory should be on a local node (non-shared drive).

3 In the Web Service wizard, type the IP address of the externally accessiblenetwork card of the current node (if not already present).

The Virtual Server IP address, the cluster IP address, or name of the node areinvalid entries.

4 Repeat steps 2 and 3 to install Mail Security on the remaining node.

5 Restart the cluster service after you install Mail Security on each node of thecluster.

6 Add each node to asset management so that you can manage the node fromthe console.

Mail Security does not automatically detect the nodes in a cluster. Nodesmust be added to asset management using their IP address.

See “Adding servers to a group” on page 88.

See “Configuring the cluster resource ” on page 56.


About installing Mail Security on a Veritas Cluster ServerMail Security is integrated with the active/passive Veritas Cluster Serverenvironment. When you install Mail Security, the product detects that it is beinginstalled in a Veritas Cluster Server environment. The product automaticallyregisters a cluster resource with the Veritas Cluster Server.


58

The corresponding Mail Security cluster agent does the following:

■ Monitors the Mail Security service

■ Stops and restarts the service, as necessary

■ Ensures that the product settings and quarantine data are copied to theSMSMSE folder on the shared storage

Mail Security supports the following Veritas Cluster Server configurations:

■ Active/passive N-to-1

■ Active/passive N+1

■ Active/passive N-to-N

Some considerations about using the Veritas Cluster Server with Mail Securityare as follows:

■ Mail Security does not support active/active Veritas Cluster Serverconfigurations

■ Upgrades from Mail Security 5.0 to Mail Security 6.0 and 6.5 are not supportedon a Veritas Cluster Server configuration

■ Mail Security does not support Veritas Cluster Server on Exchange 2010.

Mail Security supports Veritas Cluster Server versions 5.0 with the latest servicepatch, and 5.1.

Before you install on a Veritas Cluster ServerConsider the following before you install Mail Security on a Veritas Cluster Server:

■ Ensure there is sufficient room on the volume for the Mail Security sharedsettings and quarantine.Settings are copied to the shared storage when you deploy your changes.

■ Exclude the quarantine from all scanning.The Mail Security quarantine is stored on the shared storage.

■ Install Mail Security on all of the nodes in the cluster.You are prompted to register the resource on only one node.

■ Use an IP address to specify the computer since the name of the server isusually used when installing to a cluster.If you are using IP addresses, use the IP address of the computer and not theIP address of the cluster or virtual server.

■ Install Mail Security on each of the passive nodes first. Then failover an activenode to a passive node and install Mail Security on it. Repeat this process untilyou install Mail Security on all of the active nodes and passive nodes.


This process lets you install the product cleanly on all of the nodes.Uninstallation of the product should be handled the same way.See “Uninstalling Mail Security” on page 70.

■ You can install Mail Security in any of the following types of Veritas ClusterServer environments:

■ Local clusters

■ Campus/metropolitan clusters

■ Replicated data clusters

■ Wide area clusters

■ Global clusters

■ Configure LiveUpdate to perform regularly scheduled updates on each nodein the cluster to ensure that your definitions stay current.Definitions are updated and stored locally, not on the shared storage.

■ You should not use the remote installation procedures when you are installingthe product on cluster server nodes.

Configuring Mail Security in the Exchange Service Group

Do the following to properly configure Mail Security in the Exchange ServiceGroup:

■ Create a MountV resource.Create a mount resource if you are using NetApps.

■ Create a Mail Security resource.

■ Specify dependencies.

■ Bring the resources online.

Note: You do not need to cluster the Symantec Mail Security Utility service. TheMail Security cluster agent does not monitor the Symantec Mail Security Utilityservice.

Figure 2-1 diagrams the typical Mail Security resource type, resource instance,and resource dependency with other resources within the Exchange service group.


60

Figure 2-1 Resource dependencies

SMSMSEVCSClusterResource

Lanman

IP

MountV

NIC

VMDg

SMSMSEVCSClusterResource-Instance

SMSMSEMountV-Instance

Lanman-ExchangeServiceGrp

IP-ExchangeServiceGrp

NIC-ExchangeService

Grp

VMDg-ExchangeServiceGrp

For more information, see the Veritas Cluster Server documentation.

To create a MountV resource

1 Add a new MountV resource.

MountV resource is an option in the Resource Type list.

2 Type a name for the resource.

3 Assign the following resource attributes:

The drive letter or the folder name of thevolume that you created

MountPath

The volume name that you createdVolumeName

The name of the volume managerdiskgroup resource on which the MountVresource depends

VMDGResName

4 Ensure that the resource is not set to "Critical."

This ensures that the Exchange service group will not failover to anothernode if either of the resources fail during setup.


To create a Mail Security resource

1 Add a new SMSMSEVCSClusterResource.

SMSMSEVCSClusterResource is an option in the Resource Type list.

2 Type a name for the resource.

3 Assign the following resource attributes:

The resource name of the Lanmanresource that exists in the Exchangeservice group

LanmanResName

The resource name of the MountV thatyou created

MountResName

4 Ensure that the resource is not set to "Critical."

This ensures that the Exchange service group will not failover to anothernode if either of the resources fail during setup.

To specify dependencies

◆ Create the following dependencies:

■ SMSMSEVCSClusterResource is a parent to the MountV resource that youcreated.

■ SMSMSEVCSClusterResource is a parent to the Lanman resource.

■ The MountV resource that you created is a parent to the VMDg resource.

To bring the resources online

1 Enable the MountV resource that you created.

2 Set the resource back to "Critical," if desired.

3 Online the MountV resource on the active Exchange node.

4 Enable the SMSMSEVCSClusterResource.

5 Set the resource back to "Critical," if desired.

6 Bring the SMSMSEVCSClusterResource on the active Exchange node online.

7 Save and close the configuration.

Creating the shared storage volume

Create the shared storage volume after you install Mail Security on all of the nodesin a cluster using the Veritas Enterprise Administrator. See your Veritas Cluster


62

Server documentation for more information about the Veritas EnterpriseAdministrator.

To create a shared storage volume

1 In the Veritas Enterprise Administrator, create a new volume for Mail Securitydata as part of the existing clustered Exchange Disk Group.

This shared storage volume needs enough space to contain product settingsand quarantine data.

2 Assign the volume a drive letter or a New Technology File System (NTFS)folder name and a volume name.

A drive letter or NTFS folder name and the volume name are necessary tocreate a MountV resource.

Post-installation tasksAfter you install Mail Security, you can perform the following post-installationtasks:

■ Implement SSL communications.See “Implementing SSL communications” on page 63.

■ Install license files if they were not installed during setup.See “About licensing” on page 73.

■ Update definitions if a LiveUpdate was not performed during setup.See “About keeping your server protected” on page 236.

■ Access the Mail Security console.See “Accessing the Mail Security console” on page 65.

■ Configure other antivirus products that are on the same computer as MailSecurity.See “About using Mail Security with other antivirus products” on page 68.

■ Configure the number of scanning threads and scan processes, if necessary.See “Setting scanning threads and number of scan processes” on page 69.

■ Reduce the launch time of Mail Security consoleSee “Resolving installation issues” on page 254.

Implementing SSL communicationsYou can configure Mail Security to use Secure Sockets Layer (SSL) communicationsby using a valid server certificate. You can create your own server certificate usingMicrosoft Certificate Services 2.0 or request one from a certificate authority.

63Installing Symantec Mail Security for Microsoft ExchangePost-installation tasks

After you implement SSL, you must enable SSL from the console and specify theSSL port for each server.

See “Modifying the port and communication properties of a server” on page 93.

To install a server certificate

1 On the computer on which Mail Security is installed, on the Windows menu,click Start > Administrative Tools > Internet Information Services (IIS)Manager.

2 In the server list, expand the folder for the server that is hosting Mail Security.

3 In the Web sites folder, right-click Symantec Mail Security for MicrosoftExchange, and then click Properties.

4 Under Secure communications, select the DirectorySecurity tab, and clickServer Certificate.

5 Follow the instructions in the Web server Certificate wizard to install theserver certificate.

To implement SSL communications

1 Ensure that a valid server certificate is installed. See “To install a servercertificate” on page 64.

2 Under SecureCommunications, select the DirectorySecurity tab, and clickEdit.

3 In the Secure Communications dialog box, check Require secure channel(SSL), and then click OK.

4 On the Web Site tab, under Web site identification, in the IP Address textbox, type the IP address of the Mail Security server.

5 In the SSL Port text box, type the port to use for SSL communications.

6 Click OK to close the Mail Security Properties window.

To implement SSL communications on Windows 2008 Server

1 On the local computer, ensure that a valid server certificate is installed inTrusted Root Certification Authorities. See “To install a server certificate”on page 64.

2 Click Start > Administrative Tools > Internet Information Services (IIS)Manager.

3 In the Web sites folder, right-click Symantec Mail Security for MicrosoftExchange, click Edit Bindings and select Add.

4 From the drop-down list, select https and All Unassigned for Type and IPaddresses respectively.

Installing Symantec Mail Security for Microsoft ExchangePost-installation tasks

64

5 In the SSL Port text box, type the port number, for instance, 8082, to use forSSL communications.

Note: To avoid port conflict, do not use the ports used by exchange server,like TCP port 80 and SSL port 443.

6 From the SSL certificate, select the certificate installed and restart theSymantec Mail Security for Microsoft Exchange Web site.

7 In the right pane, double-click Authentication and ensure that WindowsAuthentication and ASP.NET Impersonation are enabled.

8 From the Web sites folder, select Symantec Mail Security for MicrosoftExchange. In the right pane, double-click SSL Settings, check Require SSLand Require 128-bit SSL.

9 Click Apply to apply the changes.

To implement SSL communications on client computer

1 Export the server certificate from the server and install it to the clientcomputer where Mail Security console is installed in Trusted RootCertification Authorities.

2 Open the Certificatesnap-in and ensure that the certificate resides in TrustedRoot Certification Authorities.

3 On the Mail Security console, click the Assets tab and click Add server(s) toadd a server.

4 Right click on the server added, click Properties. Provide the SSL port numberconfigured on the server.

5 Check the UseSSL checkbox, and click OK. You can now connect to the serverfrom the console using the SSL connection.

Accessing the Mail Security consoleYou can access the Mail Security console from the Windows Start menu or fromyour desktop. You must have the appropriate administrator or viewer rights toopen the console. If you do not, the following error message appears:

"You either have insufficient permissions to access this application or your usercredentials are not refreshed. Try logging off and logging in again to reload theuser credentials. You either have insufficient permissions to access this applicationor your user credentials are not refreshed. Try logging off and logging in againto reload the user credentials."


You can only access servers that are running Mail Security 6.5 from the MailSecurity 6.5 console.

See “About security and access permissions” on page 38.

To access the Mail Security console

◆ Do one of the following:

■ On the desktop, click the SMSMSE 6.5 icon.

■ On the Windows menu, click Start > Programs > SymantecMailSecurityfor Microsoft Exchange > Server Management Console.

See “About the Mail Security console” on page 66.

About the Mail Security consoleFigure 2-2 shows the Mail Security console.

Figure 2-2 Mail Security Server Home page view

Menu bar

Content area

Tool bar

Primarynavigationbar

Figure 2-3 shows additional console elements.


66

Figure 2-3 Additional console elements

Sidebar

Resizing bars

List pane

Previewpane

About the primary navigation barManagement operations are grouped into the following categories on the primarynavigation bar:

Lets you view server status, recent activities, and violations statisticsHome

Lets you create and configure sets of rules that are implemented by specificscans

Policies

Lets you configure notification addresses and quarantine settings and monitorquarantine data and events

Monitors

Lets you create, configure, schedule, and run scansScans

Lets you view and print data collected by Mail SecurityReports

Lets you update definitions, configure system settings, and install licensesAdmin


Refreshing the consoleYou might periodically need to refresh the console to view changes or updatedstatuses.

To refresh the console

1 On any page in the console, click F5.

2 Click OK to log onto the current asset group.

This message only appears if you are not logged onto the current asset group.

See “Logging onto servers” on page 82.

About using Mail Security with other antivirus productsIf you are using Mail Security version 6.0.8 or earlier and you have SymantecEndpoint Protection version 11.x or Symantec AntiVirus™ Corporate Editioninstalled on the same computer as Mail Security, configure Symantec EndpointProtection version 11.x or Symantec AntiVirus Corporate Edition to performdefinition updates.

Warning:Disable Rapid Release in Mail Security if you intend to update definitionsthrough Symantec Endpoint Protection version 11.x or Symantec AntiVirusCorporate Edition.


Configure your other antivirus programs to exclude certain folders from scanning.If another antivirus program scans the Exchange directory structure or the MailSecurity processing folder, it can cause false-positive threat detection, unexpectedbehavior on the Exchange server, or damage to the Exchange databases.

For information about how to prevent Symantec Endpoint Protection version 11.xor Symantec AntiVirus Corporate Edition from scanning the Exchange directory,go to the following Symantec Knowledge Base article:

http://www.symantec.com/docs/TECH85451

See “Components of Mail Security” on page 19.


If you are using Mail Security version 6.5 and you have Symantec AntiVirus™Corporate Edition or Symantec Endpoint Protection (SEP) version 11.x installedon the same computer as Mail Security, configure Symantec AntiVirus CorporateEdition or SEP version 11.x to perform definition updates. For Exchange Server2007/2010, you must also configure Mail Security to perform definition updates.


68

http://www.service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2000110108382454?Open&src=w

You can also use LiveUpdate Administrator to perform definition updates for boththe products.

See “About setting up your own LiveUpdate server” on page 238.

Setting scanning threads and number of scan processesMail Security lets you set the number of VSAPI scanning threads and the numberof scan processes to control scanning speed and performance. The default isconfigured using the following formula: (number of processors) x 2 + 1. Acceptthe default unless you have a compelling reason to do otherwise.

Mail Security considers a hyper-threaded processor as more than one processor.For example, if you have a dual hyper-threaded processor on your computer, MailSecurity calculates the number of scanning processes as follows:

Number or processors (4 ) x 2 + 1 = 9

When the load is heavy, all nine scanning processes are scanning messages.Increasing the number of scan processes can consume a lot of memory If theserver has few resources. This could severely impact the performance of yourExchange server.

Configure the number of scan processes based on the actual number of physicalprocessors if you have a hyper-threaded processor on your computer. For example,if you have a dual hyper-thread processor, configure the number of scan processesas follows:

Number of physical processors (1) x 2 +1 = 3

Note: If you are using Intel Xeon processors, you must set this value using theformula based on the number of physical processors, instead of the numberreported by the operating system.

To set scanning threads and number of scan processes

1 In the console on the primary navigation bar, click Admin.

2 In the sidebar under Views, click System Settings.

3 In the Number of VSAPI scanning threads box, type the number of threadsto use for VSAPI scanning.

The default value is 3.


4 In the Number of scan processes box, type the number of scan processes.

The default is configured during installation using the formula 2 times thenumber of processors plus 1.

5 On the toolbar, click Deploy changes to apply your changes.

See “Deploying settings and changes to a server or group” on page 81.

Uninstalling Mail SecurityWhen you uninstall Mail Security in a clustered environment, you are promptedto unregister the Mail Security resource DLL that was configured during install.This needs to be done only one time and can be done on any of the cluster nodes.

See “Removing the Mail Security resource instance from the Veritas ClusterServer” on page 71.

Stop Microsoft Internet Information Service (IIS) before you uninstall the product.This ensures that all of the files that are installed with the product are removed.

To stop Microsoft IIS

1 On the Windows menu, click Start > Administrative Tools > Services.

2 In Services window, right-click IIS Admin Service and select Stop.

3 Close the Stop Other Services window.

To uninstall Mail Security

1 On the server on which Mail Security is installed, on the Windows menu, clickStart > Control Panel.

2 In the Windows Control Panel, click Add or Remove Programs.

3 Click Symantec Mail Security for Microsoft Exchange, and then clickRemove.

4 In the confirmation dialog box, click Yes.

5 In the Information dialog box, click OK to confirm that you have stopped IIS.

6 When the uninstallation is complete, click OK.

After you uninstall Mail Security, the users you added and the groups to whichyou assigned them will remain in the Active Directory. You can remove themmanually in the Active Directory.

Installing Symantec Mail Security for Microsoft ExchangeUninstalling Mail Security

70

Removing the Mail Security resource instance from the Veritas ClusterServer

Before you uninstall Mail Security from the nodes in the cluster, you must removethe Mail Security instance and the MountV resource from the Veritas ClusterServer. You must remove the Mail Security shared storage volume to remove thedata on the shared storage.

You perform the following tasks from the Veritas Cluster Explorer and the VeritasEnterprise Administrator. See your Veritas Cluster Server documentation formore information about using these tools.

To remove the Mail Security instance from the Veritas Cluster Server

1 In the Veritas Cluster Explorer, take the SMSMSEVCSClusterResource instanceoffline on all of the cluster nodes.

This ensures that Mail Security stops running in the background.

2 Unlink all of the dependencies from the instance of theSMSMSEVCSClusterResource.

3 Delete the instance of the SMSMSEVCSClusterResource from the ExchangeService Group.

To remove the MountV resource from the Veritas Cluster Server

1 In the Veritas Cluster Explorer, unlink the Mail Security MountV (or Mountresource, if you are using NetApps) from its dependencies.

2 Delete the resource from the Exchange Service Group.

To remove data from the shared storage volume

1 In the Veritas Enterprise Administrator, mount the Mail Security sharedstorage volume.

2 Delete the Mail Security volume.

This removes the shared volume and frees up the space in shared storage.

3 Uninstall Mail Security from each node in the cluster.

See “Uninstalling Mail Security” on page 70.

71Installing Symantec Mail Security for Microsoft ExchangeUninstalling Mail Security

Installing Symantec Mail Security for Microsoft ExchangeUninstalling Mail Security

72

Activating licenses


■ About licensing

■ How to activate a license

■ If you want to renew a license

About licensingKey features for Symantec Mail Security, which include definition updates andSymantec Premium AntiSpam, are activated by a license. When a license expiresor no license is installed, limited functionality is available. To regain productfunctionality when your license expires, you must renew and reactivate yourlicense subscription.

Table 3-1 describes the licenses that are required.

Table 3-1 Symantec Mail Security Licenses

DescriptionLicense

A content license is required to update Symantec softwarewith the latest associated content (such as new definitions)through LiveUpdate and Rapid Release. A valid contentlicense enables your servers to stay protected.

When the content license is missing or invalid, you cannotdownload definition updates to keep protection current.


Content license

3Chapter

Table 3-1 Symantec Mail Security Licenses (continued)

DescriptionLicense

This license is required to enable Symantec PremiumAntiSpam. Symantec Premium AntiSpam is a subscriptionservice that provides enhanced spam detection. Continuousupdates to the premium antispam filters ensure that yourExchange server has the most current spam detection filtersthat are available.

When the Symantec Premium AntiSpam license is missingor invalid, Symantec Premium AntiSpam does not function.

See “How to detect spam using Symantec PremiumAntiSpam” on page 120.

Symantec PremiumAntiSpam license

Definition updates and updates to Symantec Premium AntiSpam are limited tothe period of time that is specified by the license. The start and end dates of thelicense period depend on the terms of your license agreement.

See “If you want to renew a license” on page 77.

You must install one license file on each server that is running Symantec MailSecurity or on each member of an Exchange cluster. You cannot replicate licensefiles.

Note: For Exchange Server (32-bit), if you are upgrading from versions 4.x andabove and for Exchange Servers 2007 and 2010, if you are upgrading from versions6.x and above, existing licenses are automatically recognized and need not bereinstalled.


You can view the status of your license on the Home page of the Mail Securityconsole.

How to activate a licenseSymantec issues a serial number when you purchase Mail Security. If you areupgrading from a previous version of the product and you have an activemaintenance contract, Symantec issues an upgrade voucher with a alpha-numericcode. Register the serial number or upgrade code to receive a license key for theassociated license file.

License keys are delivered in a Symantec license file (.slf). The serial number isprovided on a license certificate, which is mailed separately and arrives in the

Activating licensesHow to activate a license

74

same time frame as your software. For security reasons, the license certificate isnot included in the Mail Security software distribution.


License activation involves the following process:

To request a license file, you must have the license serial numberor upgrade voucher code. After you complete the registrationprocess, Symantec sends you the appropriate license file by email.

See “Obtaining a license file” on page 75.

Obtain a license filefrom Symantec

Install the license file on each server on which you run MailSecurity or on each node of a cluster.

See “Installing license files” on page 76.

Install the license file

If you do not have a serial numberYour license certificate or upgrade voucher, which contains the number for thelicense that you have purchased, should arrive within three to five business daysof when you receive your software. Contact Symantec Customer Service at800-721-3934 or your reseller to check the status of your order if you do notreceive the license certificate or upgrade voucher. Contact Symantec LicenseAdministration if you have lost your license certificate or upgrade voucher.

See “Where to get more information about Mail Security” on page 31.

Obtaining a license fileYou must have the serial number or upgrade voucher code to request a licensefile and to register for support.

See “If you do not have a serial number” on page 75.

The license file that Symantec sends to you is contained within a .zip file. The .slffile that is contained within the .zip file is the actual license file. Ensure that yourinbound email environment permits .zip email message attachments.

If you purchased multiple types of licenses but registered them separately,Symantec sends you a separate license file for each license. You must install eachlicense file separately. If you registered multiple licenses at the same time,Symantec sends you a single license file that contains all of your licenses.

Warning: License files are digitally signed. If you try to edit a license file, it willcorrupt the file and render it invalid.

75Activating licensesHow to activate a license

To obtain a license file

1 In a Web browser, type the following address:

https://licensing.symantec.com

Your Web browser must use 128-bit encryption to view the site.

2 If a Security Alert dialog box appears, click OK.

3 Follow the procedures on the Symantec Licensing Web site to register yourlicense and request your license file.

Symantec sends you an email message that contains the license file in anattachment. If the email message does not arrive within two hours, an errormight have occurred. Try again to obtain the license file through the SymantecWeb site. If the problem continues, contact Symantec Technical Support.


Installing license filesInstall the license file on each server on which Mail Security is installed. Installthe license file on each cluster node if you are running in a cluster configuration.

You can install your license file during product installation or in the console. MailSecurity issues periodic messages in the Event Log to notify you that your licenseis invalid or expired until a valid license is properly installed. You can view thestatus of your license on the Home page of the console.


The procedures for installing license files vary for a local server installation anda remote server or server group.

To install license files to a local server


2 In the sidebar under Views, click Licensing.

3 In the content area, do one of the following:

■ In Step 3, under Enter path to the license file, type the fully qualified pathto the license file.

You can specify a mapped drive or Universal Naming Convention (UNC)path to the file if the license file does not reside on the same computer.

■ Click Browse, select the license file, and then click Open.

Activating licensesHow to activate a license

76

You can locate the file using My Network Places if the license file does notreside on the same computer.

4 Click Install.

To install license files to a remote server or server group

1 In the console on the toolbar, click Change.

2 In the Select Asset window, select a server or server group from the menu.

3 Click Select.

4 On the primary navigation bar, click Admin.

5 In the sidebar under Views, click Licensing.

6 In the content area, do one of the following:

■ In Step 3, under Enter path to the license file, type the fully qualified pathto the license file.

You can specify a mapped drive or UNC path to the file if the license filedoes not reside on the same computer.

■ Click Browse, select the license file, and then click Open.

You can locate the file using My Network Places if the license file does notreside on the same computer.

7 Click Install.

If a server within a server group is already licensed, the license file isreapplied. The license file with the latest expiration date is applied.

If you want to renew a licenseContent updates and spam definition updates are not applied when a server hasan expired license or when the license is missing or invalid. A missing or invalidlicense can leave your server vulnerable to attacks. Renew your MaintenanceAgreement to receive content updates when your license expires.

The process for license renewal, which is specific to how you purchased yoursoftware, is as follows:

77Activating licensesIf you want to renew a license

Contact your administrator, reseller, or Symantecaccount manager to determine whether yourMaintenance Agreement has been renewed and if newlicenses are available.

After your Maintenance Agreement is renewed, youreceive new serial numbers that you can register toobtain your new license files.

If you purchased Mail Securitythrough the Symantec Value orElite Enterprise Licensingprograms

To find more information about license renewal on theInternet, go to the following URL:

www.symantecstore.com/renew

If you purchased Mail SecuritySmall Business Edition

Activating licensesIf you want to renew a license

78

http://www.symantecstore.com/renew

Managing your Exchangeservers


■ About managing your Exchange servers

■ Deploying settings and changes to a server or group

■ How to manage servers and server groups

About managing your Exchange serversMail Security can simplify the management of one or more Microsoft Exchangeservers across your organization. You can create server groups that have a commonpurpose and, therefore, require the same protection. By grouping servers, youcan apply a common set of protection settings once, rather than repeatedly toeach server. The reduction in configuration time and maintenance costs can beconsiderable in a large network with multiple servers that perform similar roles.

You can configure settings for each server individually. You can use the followinggroups to configure and manage multiple servers:

4Chapter

The Global Group consists of all of the servers that you manage throughthe Mail Security console.

The changes are propagated to all servers in all groups when you configureand apply Global Group settings. Changes that are made at the Global Grouplevel overwrite all individual server and user-defined server group settings.

Mail Security provides the following Global Groups:

■ Global Group - Exchange 2003

All Exchange 2003 servers belong to the Global Group - Exchange 2003.No other exchange server group other than Exchange 2003 Server issupported in this group.





Global Groups include servers that are added to user-defined groups as wellas servers that are added to multi-server management control but are notassigned to a specific server group.

You cannot create or delete Global Groups.

Global Group

A user-defined server group is a grouping of servers that have commonroles and, therefore, require similar configurations. You can create auser-defined server group and configure settings for the group to simplifyserver management. For example, a server group might be all of the mailservers that are used by a department (for example, marketing) or thephysical location of a group of mail servers (for example, third floor serversin Building A).

A managed server can only belong to one user-defined group.

See “Moving a server to another user-defined server group” on page 89.

User-definedservergroup(s)

See “Viewing the status of a server” on page 87.

Settings for an individual server are stored by that server. Mail Security savesthe settings for groups in the following default file location:

\Program Files (x86)\Symantec\CMaF\2.1\Settings\Groups

The associated files are automatically deleted when you delete a group.

Managing your Exchange serversAbout managing your Exchange servers

80

Deploying settings and changes to a server or groupMail Security lets you make changes to multiple pages before you apply thosesettings. When the Deploy changes icon on the toolbar is active, it indicates thatyou have made changes that you need to apply.

You can manage change deployment using the following toolbar icons:

Deploys your changes.

If you are in the server view, deploys your changes to the server.

If you are in the group view, deploys your changes to each serverin the group and to the group settings.

Deploy changes

Cancels pending changes.

When you cancel pending changes, settings are returned to theirconfiguration as of the last time changes were successfullydeployed .

Discardchanges

If changes are pending, applies pending changes to the groupsettings, and then pushes out the group settings to all of theservers in the group.

If no changes are pending, pushes out the group settings to all ofthe servers in the group.

Note:Any configuration settings that were made to an individualserver within the group are overwritten.

This option is only available in group view.

Deploy allsettings

After you deploy your changes, the Operation Status window indicates whetherchanges were successfully applied.

To deploy pending changes to a server or group

1 In the console on the toolbar, click Deploy changes.

2 In the Pending changes window, click Deploy changes.

3 In the Operation Status window, click Close when the operation is complete.

To apply pending changes (if any) and deploy group settings to each server in thegroup

1 In the console on the toolbar, click Deploy all settings.

The Deploy all settings icon is only enabled in group view.

2 In the confirmation dialog box, click OK.


81Managing your Exchange serversDeploying settings and changes to a server or group

To cancel pending changes

1 In the console on the toolbar, click Discard changes.


How to manage servers and server groupsYou can manage servers and server groups doing any of the following:

■ Logging onto servers

■ Modifying or viewing server or server group settings

■ Viewing the status of a server

■ Creating a user-defined server group

■ Adding servers to a group

■ Moving a server to another user-defined server group

■ Synchronizing group settings to a server

■ Restoring default settings to a server or group

■ Removing a server from group management

■ Removing a server group

■ Exporting and importing settings

■ Modifying the port and communication properties of a server

Logging onto serversMail Security must log onto a server to check its status or apply settings to theserver. By default, Mail Security automatically logs onto all of your managedservers when you open the console.

You might experience a delay when you open the console while Mail Security logsonto the managed servers. The length of the delay depends on the number ofmanaged servers that you have. If you frequently open the console to view settingsor to make changes without applying them, you can disable the automatic log onfeature. When you disable the automatic log on feature, the console opens morequickly.

If you disable the automatic log on feature, Mail Security logs onto your serversin the following ways:

Managing your Exchange serversHow to manage servers and server groups

82

Mail Security logs onto a single server when you do any ofthe following:

■ Open the console when a single server is the currentasset.

■ Select a single server as the current asset.

See “Modifying or viewing server or server group settings”on page 86.

Single server

Mail Security logs onto all of the servers in the current assetlist when you do any of the following:

■ Manually refresh the console.

See “Refreshing the console” on page 68.

■ Apply settings to a server group.

Mail Security logs onto all of the servers in a group whenyou apply settings to that group. If you apply settingsto a user-defined server group, Mail Security logs ontoall of the servers in the user-defined group. If you applysettings to a Global Group, Mail Security logs onto all ofthe servers in the Global Group. Mail Security also logsonto all of the servers in the user-defined groups withinthat Global Group.

For example, assume you have Global Group - Exchange- 2003 and Global Group - Exchange - 2007. WithinGlobal Group - Exchange - 2007, you have user-definedgroups named ServersEast and ServersWest.

If you apply settings to Global Group - Exchange - 2007,Mail Security logs onto all of the servers in theServersEast group and the ServersWest group. MailSecurity does not log onto any of the servers in theGlobal Group - Exchange - 2003.

Another example assumes that you apply settings to theServersEast group. Mail Security logs onto all of theservers in the ServersEast group. But Mail Security doesnot log onto any of the servers in the ServersWest group.

See “Deploying settings and changes to a server orgroup” on page 81.

See “About managing your Exchange servers”on page 79.

Server group (user-definedserver groups and GlobalGroups)

83Managing your Exchange serversHow to manage servers and server groups

To log onto servers when you open the console


2 In the Asset Management window in the Assets box, check Automaticallyconnect to the servers in the current group on startup.

Mail Security logs onto all of the servers that you have listed in the Assetsbox every time you open the console.

This option is enabled by default.

3 Click Close.

To log onto servers when you apply settings or refresh the console


2 In the Asset Management window in the Assets box, uncheck Automaticallyconnect to the servers in the current group on startup.

Mail Security only logs onto a server when you apply settings to that serveror when you view or modify the settings of that server.

3 Click Close.

Configuring Symantec Mail Security for Exchange 2010 on DAG setupYou must follow the configurations recommended for Exchange Server 2010 onDatabase Availability Group (DAG) setup.

■ From the SMSMSE console, under Assets, create a new group for exchange2010 DAG servers.

■ Add all DAG member servers to the new group.

■ Create and apply the same security policies to every server in the group toensure that all the mailboxes have the same SMSMSE settings in case a databasefailover occurs.

Note: Create separate groups for each DAG if there are multiple DAG groups.Also set up a quarantine server on each DAG group from the SMSMSE consoleso that quarantine data is available in case any DAG member server iscompletely unavailable.

See “Forwarding quarantined items to the Quarantine Server” on page 96.


84

Changing password of the domain user accountFor every installation of Mail Security on Exchange 2010 in the mailbox role, theuser credentials must be updated whenever the password of the domain useraccount is changed.

Note: The password must be changed before it expires or select the Passwordnever expires option for the user account.

To change password in Service Control Manager

1 From the Windows taskbar, click Start >Programs > Administrative Tools> Services.

2 Right-click SymantecMailSecurity forMicrosoftExchange and select Stopto stop the SMSMSE service.

3 Click Start >Programs >Administrative Tools > Services.

4 Right-click Symantec Mail Security for Microsoft Exchange and selectProperties.

5 From the Log On tab, enter new password and select Apply to change thepassword.

6 Start the SMSMSE service.

Changing the domain user account used by Mail SecurityserviceYou must manually change the domain user account used by Mail Security serviceevery time you install Mail Security on Exchange 2010 mailbox server.

To change the domain user account

1 From the Windows taskbar, click Start >Programs > Administrative Tools> Services.

2 Right-click SymantecMailSecurity forMicrosoftExchange and select Stopto stop the SMSMSE service.

3 Click Start >Programs > Microsoft Exchange Server 2010 > ExchangeManagement Shell.

4 Remove the RBAC right by typing the following command from the ExchangeManagement Shell.

remove-ManagementRoleAssignment SMSMSE_RBAC_domainname\username

5 Click Start >Programs > Administrative Tools > Active Directory Usersand Computers.


6 On the left pane, select MicrosoftExchangeSecurityGroups >OrganizationManagement.

7 Right-click Properties.

8 From the Member tab, select the user you want to remove and click Remove.

9 Click Start >Programs > Administrative Tools > Local Security Policy.

10 On the left pane, select Local Policies >User Rights Assignment.

11 On the right pane, select Log on as a Service and right-click Properties.

12 Select the user you want to remove and click Remove.

13 Assign the RBAC right to the new user by typing the following command fromthe same Exchange Management Shell:

new-ManagementRoleAssignment -name SMSMSE_RBAC_domainname\username

-role ApplicationImpersonation -user <username>

14 Click Start >Programs > Administrative Tools > Active Directory Usersand Computers.

15 On the left pane, select MicrosoftExchangeSecurityGroups >OrganizationManagement.

16 Right-click Properties, from the Member tab, select the user you want to addand click Add.

You must ensure that the user is a member of the Local Administrators Group.

17 On the left pane, select Local Policies >User Rights Assignment.

18 On the right pane, select Log on as a Service, select the user you want to addand click Add.

19 Go to Start >Programs > Administrative Tools > Services.

20 Right-click Symantec Mail Security for Microsoft Exchange and selectProperties.

21 From the Log On tab, enter the new user's credentials and click Apply toapply the settings.

22 Start the SMSMSE service.

Modifying or viewing server or server group settingsMail Security lets you manage one or more servers from a single console. TheServer/group box on the toolbar indicates the server or group that is currentlyselected. The settings that you make and deploy are applied to that server orgroup.


86


You can view and modify the settings of a different server or group by selectingthe server or group in the Select Asset window.

To modify or view server or server group settings

1 In the console on the toolbar, click Change.

2 In the Select Asset window, select the server or group whose settings youwant to modify or view.

3 Click Select.

Viewing the status of a serverMail Security provides server status information on the Home page. You can viewmore detailed information about the status of a server on the Monitors > ServerStatus page.

The server status details appear in the Server Status preview pane. If you are ina group view, the Server Status list contains all of the servers in the group. Thefirst time that you access the Server Status in a group view, you must refresh thepage to view the list of servers. If are in a single server view, the Server Status listcontains just the server that you selected.

To view the status of a server

1 In the console on the primary navigation bar, click Monitors.

2 In the sidebar under Views, click Server Status.

3 In the Server Status list pane, select the server whose status you want to view.

If you are in a server view, the server is already selected.

4 Press F5 to refresh the list.

Refreshing the list might take several minutes for a large group.

Creating a user-defined server groupIf your network contains a large number of Exchange servers, create user-definedgroups. Add servers to your user-defined groups that have a common purposeand, therefore, require the same protection This lets you administer all of yourservers that run Mail Security on a group basis.


To create a server group


2 In the Asset Management window, in the sidebar under Tasks, click Newgroup.

3 In the New Group window, under Group Name, type a name for theuser-defined server group.

4 Under Global Group, click the drop-down menu, choose a Global Group -Exchange 2007 and 2010, and then click OK.

5 Click Close.

Adding servers to a groupYou can add servers to the Global Group or to a user-defined server group withina Global Group. Group servers together that have a common purpose and,therefore, require the same protection. By adding a server to a group, you canapply a common set of protection settings once, rather than repeatedly to eachserver. In a large network with multiple servers that perform similar roles, thereduction in configuration time and maintenance costs can be considerable.

Mail Security automatically detects the Exchange servers that are within yourdomain. Identify servers outside of your domain and nodes in a cluster by theirname or IP address.

You can install Mail Security on servers that you are adding to a server group. Allservers must be running Mail Security 6.5 to be managed from the console.

Note:Exchange 2007 Servers must be grouped with other Exchange 2007 Servers,likewise for Exchange 2010 Servers. Groups having Exchange 2007/2010 Serversand Exchange 2003 Servers are not supported.


To add servers to a group


2 In the Asset Management window, in the sidebar under Tasks, click Addserver(s).


88

3 In the Add Server(s) window, under Management group, do one of thefollowing:

Click Select group, select the existing group in whichyou want to add the server, and then click OK.

To select an existing group

In the Group box, type the name of the new server groupthat you want to create.

To create a new group

4 Under Servers to add, do one of the following:

■ In the Available servers list, select one or more servers, and then click the>> command icon.

■ In the Server name or IP box, type the server name or IP address of theserver that you want to add, and then click the >> command icon.Use the full address and domain when Mail Security is installed on anEdge Transport server because Mail Security does not have access to ActiveDirectory from this role.

5 Under Server options, in the TCP port number box, type the TCP port numberfor the server or group of servers that you want to add.

The default port number is 8081. The port number must be the same for allservers that you want to add. The port number and SSL setting must beidentical for the console to communicate with the server.

See “Modifying the port and communication properties of a server”on page 93.

6 Check Sendgroupsettings to apply group settings to the newly added server.

If unchecked, existing server settings are retained, and future changes thatare made to the server group are applied to the server.

7 Check Install SMSMSE to install Mail Security to the newly added server.

8 Check Keep installation files on server(s) to maintain the installation fileson the server.


Moving a server to another user-defined server groupYou can move a server from one user-defined group to another user-defined group.You can choose to retain the server's settings or apply the settings of the newgroup.


If you have already created the user-defined group to which you want to movethe server and you do not want to apply the group's settings, you can move theserver by dragging it to the group.

Use the Move Server window to create a new user-defined group, move multipleservers, or apply group settings to the newly added server.

To drag a server to another user-defined server group

1 In the console on the menu bar, click Assets.

2 In the Asset Management window, in the Assets list, expand the group thatcontains the server that you want to move and the group you want to movethe server to, if necessary.

3 Select the server that you want to move and drag it into the new server group.


5 Click Close.

To move a server to another user-defined server group using the Move Serverwindow


2 In the Asset Management window, in the Assets list, expand the group thatcontains the server that you want to move and the group you want to movethe server to, if necessary.

3 Do one of the following:

■ Select the server that you want to move, and then under Tasks, click Moveserver.

■ Right-click on the server that you want to move, and then click Moveserver.

4 In the Move Server window, do one of the following:

■ Select the user-defined server group to which you want to add the server.

■ In the Select a group or add a new group box, type the name of a newuser-defined server group.

5 Click Send group settings to server to apply the settings of the targeteduser-defined server group to the server.



90

Synchronizing group settings to a serverSettings on a particular server might not be synchronized with its server groupsettings. This can occur, for example, if a server is configured in the server view.

To synchronize group settings to a server


2 In the Asset Management window, under Assets, select the server to whichyou want to apply group settings.

3 In the sidebar under Tasks, click Send group settings to server.

This applies the settings of the server group to the selected server.


5 In the Asset Management window, click Close.

Restoring default settings to a server or groupYou can restore all of the settings for a server or group to their initial, defaultsettings. Restoring default settings also deletes any custom content filtering rules,match lists, report templates, and scheduled scans that you have created. It doesnot delete existing reports.

Close and reopen the Mail Security console to see the updated settings.

To restore default settings to a server or group


2 In the Asset Management window, under Assets, select the server in whichyou want to restore the Mail Security default settings.

3 In the sidebar under Tasks, click Reset to factory defaults.

4 In the Reset to factory defaults confirmation dialog box, click OK.


6 In the Asset Management window, click Close.

Removing a server from group managementRemoving a server from group management does not uninstall Mail Security fromthe server. Mail Security continues to provide protection. However, you can nolonger manage a server through the Mail Security console when you remove itfrom the Global Group.


To remove a server from group management


2 In the Asset Management window, under Assets, in the Global Group -Exchange 2007 list, select one or more servers that you want to remove.

3 In the Asset Management window, under Assets, in the Global Group -Exchange 2010 list, select one or more servers that you want to remove.

4 In the sidebar under Tasks, click Remove server.


6 Click Close.

Removing a server groupRemove a server group when it is no longer needed. The server group settings areretained on the servers that are in the group until new settings are applied.

If you remove a user-defined server group, the servers that belong to the groupcan be managed through the Global Group.

Note: Global Groups cannot be removed.

To remove a server group


2 In the Asset Management window, under Assets, select the group that youwant to remove.

3 In the sidebar under Tasks, click Remove group.


5 Click Close.

Exporting and importing settingsMail Security provides a feature that lets you export the settings for a server orgroup to an .xml file. This lets you save the settings as a backup file or import thesettings to another computer.

You can view the setting configurations in the console when you import settings.However, the settings are not applied until you deploy them. You can only deploysettings for Symantec Premium AntiSpam if the computer on which you areimporting the settings has a valid Symantec Premium AntiSpam license.


92

You can only export setting configurations, not data such as items in the EventLog. Deploy pending changes before you export settings.

To export settings

1 In the console on the menu bar, click File > Export.


3 In the Select the file to save exported settings window, choose the locationwhere you want to save the file.

4 In the File name box, type the file name.

5 Click Save.


To import settings

1 In the console on the menu bar, click File > Import.


3 In the Select an SMSMSE settings file window, locate the file that you wantto import.

4 Click Open.

5 In the console on the toolbar, click Deploy changes to apply your changes.


Modifying the port and communication properties of a serverYou can change the Transmission Control Protocol (TCP) port if the default port(8081) is being used. You can change the TCP after the server is added tomanagement control. If you change the port number, use a number that is not inuse by another program or service.

You can also specify whether to use Secure Socket Layer (SSL) for communicationbetween the console and a server.

See “Implementing SSL communications” on page 63.

To modify the port and communication properties of a server


2 In the Asset Management window, under Assets, select a server.

3 In the sidebar under Tasks, click Server properties.

4 In the Properties window, in the Port number box, type the new port number.

The default port number is 8081.


5 Check UseSSL to use SSL for communication between the console and server.



94

Quarantining messages andattachments


■ About the quarantine

■ Forwarding quarantined items to the Quarantine Server

■ Establishing local quarantine thresholds

■ Viewing the contents of the local quarantine

■ How to release messages from the local quarantine

■ Deleting items from the local quarantine

About the quarantineMail Security provides the following options for quarantining messages:

You can choose to send infected messages and attachments to the localquarantine when you configure Mail Security policies. You can also configurepolicies to quarantine messages that trigger violations.

See “Establishing local quarantine thresholds” on page 97.

See “Viewing the contents of the local quarantine” on page 99.

See “Deleting items from the local quarantine” on page 102.

Localquarantine

5Chapter

You can forward infected files that are in the local quarantine to the SymantecQuarantine Server, if one has been set up on your network. Mail Securityforwards infected files to the Quarantine Server at 60 minute intervals.

Files that are sent to the Quarantine Server are then forwarded to Symantecfor analysis in real-time using HTTPS communications. Symantecautomatically distributes updated definitions to the Quarantine Server whenthey are available.

The Quarantine Server is a component of Symantec AntiVirus CentralQuarantine. Mail Security supports version 3.4 or later of the SymantecAntiVirus Central Quarantine Server. Version 3.4 is provided on the MailSecurity CD in the following location and must be installed separately:

\ADMTOOLS\DIS

See the Symantec Central Quarantine Administrator's Guide for moreinformation about the Symantec AntiVirus Central Quarantine, which islocated on the product CD in the following location:

\DOCS\DIS\CentQuar.pdf

Note: Files that contain non-viral threats, are unscannable, or violate contentor file filtering rules are not forwarded to the Quarantine Server.

QuarantineServer

Forwarding quarantined items to the QuarantineServer

You can configure Mail Security to forward local quarantine events to theQuarantine Server, if you have the Quarantine Server installed.

You can only forward events that contain threats to the Quarantine Server.

To forward quarantined items to the Quarantine Server


2 In the sidebar under Views, click Quarantine Settings.

3 In the content area, under Quarantine Server, check Sendquarantineditemsto Quarantine Server.

4 Check DeletelocalquarantineditemsafterforwardingtoQuarantineServerto remove items from the local quarantine.

5 In the Server Address box, type the IP address of the Quarantine Server.

6 In the Server Port box, type the port number for the Quarantine Server.

Quarantining messages and attachmentsForwarding quarantined items to the Quarantine Server

96

7 In the Network Protocol list, click the drop-down menu and select theappropriate network protocol.



Establishing local quarantine thresholdsYou can specify the thresholds for the local quarantine and how you want MailSecurity to respond when a threshold is met.

When you establish the quarantine thresholds for the local quarantine, you canspecify the following limits:

The maximum number of messages or attachments stored in thequarantine

Maximum numberof items

The maximum file size (in megabytes or gigabytes) of the quarantineMaximum size ofquarantine

The maximum number of days to retain a message or attachment inthe quarantine

Retain items inquarantine

You can also specify the actions that you want Mail Security to take when athreshold is met.

To establish local quarantine thresholds


2 In the sidebar under Views, click Quarantine Settings.

3 In the content area, under Quarantine Thresholds, check Maximumnumberofitems to limit the number of quarantined items, and then type the maximumnumber of messages or attachments to retain in the quarantine.

This item is checked by default. The default value is 1000.

4 To limit the maximum size of the quarantine, do the following:

■ Check Maximum size of quarantine.

This item is checked by default

■ Type the maximum size of the quarantine.


■ Click the drop-down menu and select MB or GB.

97Quarantining messages and attachmentsEstablishing local quarantine thresholds

The default value is MB.

5 Check Retain items in quarantine to limit how long an item is quarantined,and then type the number of days.


To specify an action to take when a quarantine threshold is met

1 In the console on the primary navigation bar, click Monitors

2 In the sidebar under Views, click Quarantine Settings

3 Under When a threshold is met, check Notify Administrator to sendnotification messages to an administrator list.


4 Check Notify others to send notification messages to additional people.

5 In the Notify others box, type the email addresses of the people to whom youwant notifications sent.

Separate email addresses with commas.

6 Check Delete oldest items to remove items that reach a threshold.

This option is not enabled by default.

If Delete oldest items is not checked and a quarantine size threshold isreached, the event is logged. Mail Security sends a notification to the recipientsthat are specified on the Quarantine Settings page.

7 Under Administrator Notification, in the Subject Line box, type your subjectline text.

The default text is: Administrator Alert: The Symantec Mail SecurityQuarantine has exceeded a set limit.

8 In the Message Body box, type the administrator notification message body.

The default text is: You should manage the Quarantine to remove files orchange the Quarantine settings. Details: %details%.

You can use variables in the message body.

See “About alert and notification variables” on page 245.



Quarantining messages and attachmentsEstablishing local quarantine thresholds

98

Viewing the contents of the local quarantineYou can view the contents of the local quarantine for a server. You must be in theserver view.

See “Modifying or viewing server or server group settings” on page 86.

Table 5-1 lists the information that is found in the Quarantine list pane.

Table 5-1 Quarantined file summary information

DescriptionItem

Date and time when Mail Security intercepted and encryptedthe file

Time encrypted

Intended recipient(s) of the messageRecipient

Address of the sender of the messageSender

Part of the message that was sent to the quarantineMessage part

Location where the file was interceptedLocation

Policy or rule that was violatedRule violated

Alpha-numeric identifier that Mail Security assigns to thequarantined file

Quarantine Id

Whether the file was sent to the Quarantine ServerSent to QServer

When you select an item in the Quarantine, details about the message (andattachments, if any) appear in the preview pane.

Table 5-2 lists the detailed information that is shown in the preview pane.

Table 5-2 Quarantined file detailed information

DescriptionItem

Date and time when Mail Security intercepted and encryptedthe file

Time encrypted

Name of the attachment that triggered the violation

If the message body triggered the violation, this entry is:Message Body.

Attachment Name

Policy or rule that was violatedRule violated

Location where the file was interceptedLocation

99Quarantining messages and attachmentsViewing the contents of the local quarantine

Table 5-2 Quarantined file detailed information (continued)

DescriptionItem

Address of the sender of the messageSender

Intended recipient(s) of the messageRecipient(s)

Whether the file was sent to the Quarantine ServerSent to QServer

Name of the virus, if a virus was detectedVirus Name

To view the contents of the local quarantine


2 In the sidebar under Views, click Quarantine.

This option is not available in group view.

3 In the list pane, click an item to view the item's details.

The data appears in the preview pane.

4 Press F5 to refresh the display.

How to release messages from the local quarantineYou can release messages from the local quarantine by using the following options:

■ Releasing messages from the local quarantine by email

■ Releasing messages from the local quarantine to a file

Note: By default, Mail Security version 6.5.5 does not re-scan the items that arequarantined due to antivirus and file filtering violations, once they are released.However, if the items were quarantined due to content filtering violations, thenMail Security version 6.5.5 scans these items only for virus policies and file filteringconditions. This behavior is configurable through registry.

Messages that are released from the quarantine are not filtered for spam andcontent filtering rules.

Releasing messages from the local quarantine by emailYou can send quarantined files to specified destinations by email. When yourelease a file from the quarantine by email, you remove it from the quarantine.

Quarantining messages and attachmentsHow to release messages from the local quarantine

100

The released email is then sent with revised sender information to the recipientsspecified in the "to" box. Rather than being sent from the original sender's emailaddress, it is sent from the email account that you specify on the NotificationSettings page. The email is not delivered to the recipients specified in the "cc" or"bc" boxes.


To release messages from the quarantine by email





■ In the sidebar under Tasks, click Select all to select all of the items in thequarantine.

■ In the list pane under Quarantine, select the items that you want to release.

To select multiple items, press CTRL and select the items that you wantto release.

To unselect all of the selected items, in the sidebar under Tasks, click Deselectall.

4 In the sidebar under Tasks, click Release by mail.

5 In the Releasing item(s) by mail window, select from the mail options thatMail Security provides.

Mail Security provides the following mail options:

Sends the message to the originalintended recipient(s).

Send to original intended recipient(s)

Sends the message to administrators.

List administrators' email addresses inthe Administrators box. Separate multipleemail addresses with commas.

Send to administrators

Sends the message to alternate recipients.

List recipients' email addresses one perline in the Alternate recipients box.

Send to the following

6 Click OK.


101Quarantining messages and attachmentsHow to release messages from the local quarantine

Releasing messages from the local quarantine to a fileYou can move quarantined messages to a folder for review or analysis. The folderis in the following location:

\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Quarantine\Release

The file location cannot be modified.

To release messages from the quarantine to a file


2 Under Views, click Quarantine.




■ In the list pane under Quarantine, select the items that you want to release.

To select multiple items, press CTRL and select the items that you wantto release. To unselect all of the selected items, in the sidebar under Tasks,click Deselectall.

4 In the sidebar under Tasks, click Release to file (Save).

5 In the Releasing to file and delete dialog box, select one of the following:

Removes the item from the quarantine after it has been saved to the Releasefolder

Yes

Keeps the item in the quarantine after it has been saved to the Release folderNo

Cancels the file release operationCancel



Deleting items from the local quarantineYou can delete one or more items from the quarantine at a time.

To delete items from the quarantine



Quarantining messages and attachmentsDeleting items from the local quarantine

102



■ In the list pane under Quarantine, select the items that you want to remove.

To select multiple items, press CTRL and select the items that you wantto delete. To unselect all of the selected items, in the sidebar under Tasks,click Deselect all.

4 In the sidebar under Tasks, click Delete.

103Quarantining messages and attachmentsDeleting items from the local quarantine

Quarantining messages and attachmentsDeleting items from the local quarantine

104

Protecting your server fromrisks


■ About protecting your server from risks

■ Configuring threat detection

■ Configuring security risk detection

■ Configuring file scanning limits

■ Configuring rules to address unscannable and encrypted files

About protecting your server from risksMail Security can detect risks in all major file types (for example, Windows®, DOS,Microsoft® Office Word, and Microsoft® Office Excel files).

Table 6-1 describes the risks against which Mail Security protects your Exchangeserver.

Table 6-1 Risks that can threaten your Exchange server

DescriptionRisk

Mail Security detects viruses, worms, and Trojan horses inall major file types.


Threats

6Chapter

Table 6-1 Risks that can threaten your Exchange server (continued)

DescriptionRisk

Mail Security detects that an email message is a mass-mailerworm. It automatically deletes the infected email messageand any attachments.


Mass-mailer worms

Mail Security protects your network from file attachmentsthat can overload the system and cause denial-of-serviceattacks. This includes container files that are overly large,that contain large numbers of embedded, compressed files,or that are designed to maliciously use resources anddegrade performance. You can impose limits to control howMail Security handles container files to reduce yourexposure to denial-of-service threats.

See “Configuring file scanning limits” on page 113.

Denial-of-service attacks

Mail Security detects security risks, such as adware, dialers,hack tools, joke programs, remote access programs, spyware,and trackware.

See “Configuring security risk detection” on page 110.

Security risks

Mail Security also helps you detect and block other potential risks from enteringyour network, such as unscannable and encrypted container files.


When a risk is detected, the incident is logged to the locations that you specify.You can also configure Mail Security to issue alerts when risks are detected orwhen an outbreak occurs.



How Mail Security detects risksMail Security uses the following tools to detects risks:

Symantec engineers track reported outbreaks of threats (such as viruses,Trojan horses, worms) to identify new threats. After a threat is identified,information about the threat (a signature) is stored in a definition file. Thisfile contains information to detect and eliminate the threat. Mail Securitysearches for these signatures when it scans for threats.

Definitions

Protecting your server from risksAbout protecting your server from risks

106

Mail Security uses Symantec Bloodhound™ heuristics technology to scanfor threats for which no known definitions exist. Bloodhound heuristicstechnology scans for unusual behaviors, such as self-replication, to targetpotentially infected message bodies and attachments. Bloodhound technologyis capable of detecting upwards of 80 percent of new and unknown executablefile threats.

Bloodhound-Macro technology detects and repairs over 90 percent of newand unknown macro viruses. Bloodhound requires minimal overhead sinceit examines only message bodies and attachments that meet stringentprerequisites. In most cases, Bloodhound can determine in microsecondswhether a message or attachment is likely to be infected. If it determinesthat a file is not likely to be infected, it moves to the next file.

Heuristics

Mail Security contains a decomposer that extracts container files so thatthey can be scanned for risks. The decomposer attempts to extract containerfiles until it reaches the base file or until it reaches its extraction limit. Ifthe decomposer reaches the set limit before the base file is reached, thescanning process stops. Mail Security then logs the violation to the specifiedlogging destinations, and the file is handled according to the UnscannableFile Rule.

Containerfiledecomposer

Configuring threat detectionTo configure threat detection, do the following:

Mail Security detects viruses, worms, and Trojan horses in all majorfile types. Antivirus scanning must be enabled for Mail Security todetect threats.

Threat detection scanning applies to all types of scans.

See “About the types of scanning that you can perform” on page 177.

Enable threatdetection scanning

Mail Security uses Bloodhound technology to supplement thedetection of threats by signature.

You can customize your level of protection against new threats,from zero protection to a high level of protection. A high level ofprotection increases protection of your network; however, serverperformance might be affected. At lower levels of protection, anunknown threat might escape detection, but the trade-off withserver performance decreases. In most cases, the default (Medium)setting is appropriate.

See “How Mail Security detects risks” on page 106.

Set the Bloodhounddetection level

107Protecting your server from risksConfiguring threat detection

Mail Security detects that an email message is a mass-mailer wormor virus when this feature is enabled. If Mail Security detects thatan email message is a mass-mailer worm or virus, it deletes theinfected email message and any attachments. Mail Security doesnot send notifications after deleting a mass-mailer worm or virusmessage and any attachments. When the mass-mailer detectionfeature is not enabled, an infected mass-mailer email message istreated the same as an infected message.

Enable mass-mailerworm-infectedmessage detection

Mail Security provides default antivirus rules, which are alwaysenabled. You can modify these rules.

Modify default threatdetection rules, asneeded

To configure threat detection

1 In the console on the primary navigation bar, click Policies.

2 In the sidebar under Antivirus, click Antivirus Settings.

3 In the content pane under Antivirus Settings, check Enable virus scanning.

Virus scanning is enabled by default.

4 In the Bloodhound detection list, select one of the following using thedrop-down menu:

Disables Bloodhound detection.Off

Optimizes server performance, but might not detect potential threats.Low

Provides a balance between threat detection and server performance.

The default setting is Medium.

Medium

Increases the detection of threats, but might impact server performance.High

5 Check Delete mass-mailer worm-infected messages (no notifications) toautomatically delete mass-mailer messages.

This feature is enabled by default.

Protecting your server from risksConfiguring threat detection

108

6 In the Rules table, select any of the following rules to view or modify themin the preview pane:

Applies to messages or attachments that contain threats thatcan be repaired.

This option is always enabled.

Basic Virus Rule

Applies to messages or attachments that contain threats thatcannot be repaired.

This option is always enabled.

Unrepairable VirusRule

Applies to messages that contain security risks, such asadware or spyware.

See “Configuring security risk detection” on page 110.


Security Risk Rule

The settings for the rule that you select appear in the preview pane.

7 In the preview pane, in the Action to take list, select the action to take whena threat is detected using the drop-down menu.

8 In the Replacement text box, type your customized message if you arereplacing the message or attachment body with a text message.

The default text is: Symantec Mail Security replaced %attachment% withthis text message. The original file contained %violation% and was %action%.

You can use variables in your customized text.


9 Check one or more of the following to send email notifications about thedetection:

■ Notify administratorsClick the down arrow and type your customized text in the Subject linebox and the Message body box. The default Subject line and Message bodytext is as follows:

■ Default Subject line text: Administrator Alert: Symantec Mail Securitydetected %violation%

■ Default Message body text: Location of the infected item: %location%Sender of the infected item: %sender% Subject of the message:%subject% The attachment(s) "%attachment%" was %action% for thefollowing reasons: %information% This was done due to the followingSymantec Mail Security settings: Scan: %scan% Rule: %rule%

109Protecting your server from risksConfiguring threat detection

■ Notify internal senderClick the down arrow and type your customized text in the Subject linebox and the Message body box. The default Subject line and Message bodytext is as follows:

■ Default Subject line text: Symantec Mail Security detected %violation%in a message sent from your address

■ Default Message body text: %subject% Recipient of the message:%recipient%

■ Notify external senderClick the down arrow and type your customized text in the Subject linebox and the Message body box. The default Subject line and Message bodytext is as follows:


■ Default Message body text: Subject of the message: %subject%Recipient of the message: %recipient%




Configuring security risk detectionMail Security can detect security risks. Security risks are programs that do anyof the following:

■ Provide unauthorized access to computer

■ Compromise data integrity, privacy, confidentiality, or security

■ Present some type of disruption or nuisance

These programs can put your employees and your organization at risk for thefollowing:

■ Identity theft or fraud by logging keystrokes

■ Capture of email and instant messaging traffic

■ Theft of personal information such as passwords and login identifications

Security risks can be introduced into your computer unknowingly when usersvisit a Web site, download shareware or freeware software programs, click linksor attachments in email messages, or through instant messaging clients. Theycan also be installed after or as a by-product of accepting an end user license

Protecting your server from risksConfiguring security risk detection

110

agreement from another software program related to or linked in some way tothe security risk.

Enable the Security Risk Rule for Mail Security to detect security risks.

Table 6-2 lists the categories of security risks that Mail Security detects.

Table 6-2 Security risk categories

DescriptionCategory

Stand-alone or appended programs that gather personalinformation through the Internet and relay it back to aremote computer without the user's knowledge.

Adware might monitor browsing habits for advertisingpurposes. It can also deliver advertising content.

Adware

Programs used to gain unauthorized access to a user'scomputer.

For example, a keystroke logger tracks and recordsindividual keystrokes and sends this information to a remotecomputer. The remote user can perform port scans orvulnerability scans. Hack tools might also be used to createviruses.

Hack tools

Programs that use a computer, without the user's permissionor knowledge, to dial out through the Internet to a 900number or FTP site, typically to accrue charges.

Dialers

Programs that alter or interrupt the operation of a computerin a way that is intended to be humorous or bothersome.

For example, a joke program might move the Recycling Binaway from the mouse when the user tries to click on it.

Joke programs

Programs that let a remote user to gain access to a computerover the Internet to gain information from, attack, or alterthe host computer.

Remote access programs

Stand-alone programs that can secretly monitor computeractivity and detect passwords and other confidentialinformation and then relay the information back to a remotecomputer.

Spyware

Stand-alone or appended applications that trace a user'spath on the Internet and relay the information to a remotecomputer.

Trackware

111Protecting your server from risksConfiguring security risk detection

To configure security risk detection


2 In the sidebar under Antivirus, click Antivirus Settings.

3 In the content area, in the Rules table, on the Security Risk Rule row, clickthe box under the Status column, and then select Enabled from the drop-downmenu.

This rule is enabled by default.

4 In the preview pane, in the Action to take list, use the drop-down menu toselect the action to take when a security risk is detected.






■ Notify administratorsClick the down arrow and type your customized text in the Subject linebox and the Message body box. The default Subject line and Message bodytext is as follows:

■ Default Subject line text: Administrator Alert: Symantec Mail Securitydetected %violation%

■ Default Message body text: Location of the infected item: %location%Sender of the infected item: %sender% Subject of the message:%subject% The attachment(s) "%attachment%" was %action% for thefollowing reasons: %information% This was done due to the followingSymantec Mail Security settings: Scan: %scan% Rule: %rule%



■ Default Message body text: %subject% Recipient of the message:%recipient%

Protecting your server from risksConfiguring security risk detection

112







Configuring file scanning limitsMail Security imposes limits on file extraction. These limits protect againstdenial-of-service attacks that are associated with overly large or complex containerfiles that take a long time to decompose. These limits also enhance scanningperformance.

Mail Security contains a decomposer that extracts container files so that they canbe scanned for risks. The decomposer continues to extract container files until itreaches the base file. When a container file reaches a set limit, the scanningprocess stops, the violation is logged to the specified logging destinations, andthe file is handled according to Unscannable File Rule.


To configure file scanning limits


2 In the sidebar under General, click Scanning Limits.

3 In the content area, in the Maximum scan time (in seconds) box, type themaximum time that Mail Security can spend extracting a single containerfile.

You can enter a value from 10 to 500000. The default value is 300.

4 In the Maximum archive scan depth (number of levels) box, type the maximumnumber of nested levels of files that are decomposed within a container file.


113Protecting your server from risksConfiguring file scanning limits

5 In the Maximum size of one extracted file (in MB) box, type the maximumfile size, in megabytes, for individual files in a container file.


6 In the Maximum total size of all extracted files (in MB) box, type the maximumsize, in megabytes, of all extracted files.


7 In the Maximum number of files extracted box, type the maximum allowablenumber of files to be extracted.




Configuring rules to address unscannable andencrypted files

A file that cannot be scanned can put your network at risk if it contains a threat.Mail Security provides the following default rules to address unscannable andencrypted files:

Mail Security must be able to decompose and scan a container file todetect risks. An unscannable container file is a file that contains a threatthat could pose a risk to your network. An unscannable file is one thatexceeds a scanning limit, is a partial container file, or that generates ascanning error.

You can specify how you want Mail Security to process container filesthat cannot be scanned. The default setting for the Unscannable File Ruleis to quarantine the file and replace it with a text description.

UnscannableFile Rule

Infected files can be intentionally encrypted. Encrypted files cannot bedecrypted and scanned without the appropriate decryption tool. You canconfigure how you want Mail Security to process encrypted containerfiles to protect your network from threats.

The default setting for the Encrypted File Rule is to log the violation only.

Encrypted FileRule

These rules are always enabled.

To configure rules to address unscannable and encrypted files


2 In the sidebar under General, click Exceptions.

Protecting your server from risksConfiguring rules to address unscannable and encrypted files

114

3 In the list pane, select one of the following rules that you want to view ormodify:

■ Unscannable File Rule

■ Encrypted File Rule

4 In the preview pane, in the Action to take list, use the drop-down menu toselect the action to take when a violation is detected.


The default text is: Symantec Mail Security replaced %attachment% withthis text message. The original file was unscannable and was %action%.




■ Notify administratorsClick the down arrow and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:

■ Default Subject line text: Administrator Alert: Symantec Mail Securitydetected a message with an unscannable attachment or body

■ Default Message body text: Location of the message: %location%Sender of the message: %sender% Subject of the message %subject%The attachment(s) "%attachment%" was %action%. This was donedue to the following Symantec Mail Security settings: Scan: %scan%Rule: %rule%

■ Notify internal senderClick the down arrow and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:

■ Default Subject line text: Symantec Mail Security detected unscannablecontent in a message sent from your address

■ Default Message body text: Subject of the message: %subject%Recipient of the message % recipient%

■ Notify external sender

115Protecting your server from risksConfiguring rules to address unscannable and encrypted files

Click the down arrow and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:

■ Default Subject line text: Symantec Mail Security detected unscannablecontent in a message sent from your address

■ Default Message body text: Subject of the message: %subject%Recipient of the message %recipient%




Protecting your server from risksConfiguring rules to address unscannable and encrypted files

116

Identifying spam


■ About spam detection

■ Configuring whitelists

■ How to detect spam using Symantec Premium AntiSpam

About spam detectionMail Security protects your servers from unwanted email messages, such as spam.Spam is usually defined as junk or unsolicited email from a third party. The spammessage sender has no discernible relationship with all or some of the messagerecipients. Often times, the message headers are forged or altered to conceal theorigination point of the sender. Spam is not only an annoyance to users andadministrators, it is also a serious security concern. Spam can be used to deliverviruses, Trojan horses, and in phishing attempts. In addition, high volumes ofspam can create denial-of-service conditions in which email servers are sooverloaded that legitimate email and network traffic are unable to get through.Mail Security can detect if an incoming email message is spam with a high levelof accuracy.

You can adjust antispam detection by specifying domains that are automaticallypermitted to bypass antispam scanning.

See “Configuring whitelists” on page 119.

Spam detection is only available on Mail Security when it is installed on EdgeTransport or Hub Transport server roles.



7Chapter

How Mail Security detects and processes spamWhen antispam detection is enabled, Mail Security analyzes SMTP email messagesfor key characteristics of spam. It weighs its findings against characteristics oflegitimate email messages.

When you enable antispam detection, Mail Security stamps messages with a SCLvalue when the following conditions are true:

■ Mail Security determines that the message is spam, suspected spam, orsuspected and the message meets an SCL threshold.

■ The "Assign SCL value to message" option is enabled.

The SCL Junk E-mail Folder Threshold in Microsoft Exchange 2007/2010 workswith the SCL value that is stamped on an email message to determine thedestination of the message. When the SCL value is not set, Exchange sends allmessages with a SCL value to the user's Junk E-mail folder. When the messagehas a SCL value that is higher than the SCL Junk E-mail Folder Threshold, Exchangesends the message to the user's Junk E-mail folder. If the SCL value is lower thanor equal to the SCL Junk E-mail Folder Threshold, the message is routed to theuser's Inbox.

When you enable antispam detection, Mail Security stamps messages with a spamconfidence level (SCL) value.

The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with theSCL value that is stamped on an email message to determine the destination ofthe message. When the SAT value is not set, Exchange sends all messages with aSCL value to the user's Junk E-mail folder. If the SAT value is set and a messagehas a SCL value that is higher than the SAT threshold, Exchange sends the messageto the user's Junk E-mail folder. If the SCL value is lower than or equal to the SATvalue, the message goes into the user's Inbox.

See “About spam confidence level values” on page 119.

Note:Mail Security scans all SMTP messages regardless of the mail flow direction.You can configure your Hub Transport internal SMTP servers to include the IPaddresses or range of IP address of your internal servers. Email messages thatare sent from these servers bypass whitelisting and spam processing, whichenhances scanning performance. See your Microsoft documentation for moreinformation about how to configure the Hub Transport server to designate internalservers.

Identifying spamAbout spam detection

118

About spam confidence level valuesExchange assigns a spam confidence level (SCL) value to email messages. Spamconfidence level values range from -1 to 9. Microsoft Exchange reserves the valueof -1. If the message is assigned a value of -1, the message bypasses antispamscanning.

Messages that are determined to be spam are assigned a SCL value of 1 (extremelylow likelihood that the message is spam) to 9 (extremely high likelihood that themessage is spam).

Mail Security detects the SCL value when it scans a message at the Edge Transportrole or Hub Transport role. If you enable the "Assign SCL value to message" option,Mail Security reassigns the SCL value that was assigned by Exchange with thevalue that you specify. Mail Security does not replace or modify any X-headervalues assigned by Exchange.

When the Mailbox server receives the message, it compares the SCL value of themessage to the SCL Junk E-mail Folder Threshold that is stored in Active Directory.Messages that exceed the SCL Junk E-mail Folder Threshold are sent to the users'Junk E-mail folder. The SCL Junk E-mail Folder Threshold is set to 8 by default.

You can view or modify the SCL Junk E-mail Folder Threshold value using WindowsPowerShell.

For more information, see the Microsoft documentation.

See “Processing spam messages” on page 124.

Configuring whitelistsYou can enable and populate the following whitelists to minimize false positives:

Lets you list the sender domains that are permitted to bypassantispam scanning

Allowed Senders

Lets you list the email addresses to which inbound emails arepermitted to bypass antispam scanning

Unfiltered Recipients

If the Allowed Senders and Unfiltered Recipients lists are both enabled, MailSecurity processes the Allowed Senders list first.

Email messages that are permitted to bypass antispam scanning are still scannedfor risks and file filtering violations.

119Identifying spamConfiguring whitelists

To configure whitelists


2 In the sidebar under Antispam, click Whitelist.

3 In the content area, under Allowed Senders, check Bypass spam detectionfor messages sent from the following.

4 In the Email and domain addresses box, type the domains and email addresses(one per line) that are permitted to bypass spam detection.

Domain names must begin with either @ (at symbol) or an asterisk before theat symbol (for example, @mail.com or *@mail.com).

You can use DOS wildcard characters.

See “About DOS wildcard style expressions” on page 171.

5 Under Unfiltered Recipients List, check Bypassspamdetectionformessagessent to the following.

6 In the Fully qualified email addresses box, type the fully qualified emailaddresses (one per line) to which email messages are permitted to bypassspam detection.

You can list up to 50 email addresses.



How to detect spam using Symantec PremiumAntiSpam

Symantec Premium AntiSpam provides continuous updates to the premiumantispam filters to ensure that your Exchange server has the most current spamdetection filters that are available. Updates to the premium antispam service arehandled automatically through the Symantec Premium AntiSpam service and notthrough LiveUpdate.

You must have an active Internet connection and permit outbound secure HTTPtraffic through your firewall (port 443). Manually register the service if yourconnection uses an HTTP proxy. After Symantec Premium AntiSpam is registeredand enabled, spam rules are continually downloaded from Symantec. Mail Securitychecks for updates every minute and receives new rule sets every 10 - 15 minutes.

See “About registering Symantec Premium AntiSpam through an ISA server”on page 121.

Identifying spamHow to detect spam using Symantec Premium AntiSpam

120

See “Configuring your proxy server to download spam definition updates”on page 121.

About registering Symantec Premium AntiSpam through an ISA serverSymantec Premium AntiSpam requires the ability to communicate by HTTPS(Port 443). If your connection uses an HTTP proxy, manually register the serviceso that spam rules can be automatically downloaded from Symantec. To registerSymantec Premium AntiSpam through an ISA server that is filtering traffic foryour Exchange server, do one of the following:

■ If the ISA server is installed on the same computer as the Exchange server,create a Host Based protocol rule to allow “Any Request” for the HTTPSprotocol and HTTPS server protocols.

■ If the ISA server is installed on a different computer from the Exchange server,create a Host Based protocol rule that specifically allows traffic for the IPAddress of the Exchange server for the HTTPS protocol and HTTPS serverprotocols.

Configuring your proxy server to download spam definition updatesMail Security checks for updates to antispam filters every minute and receivesnew rule sets every 10 - 15 minutes. Configure your proxy server to permit updates.

To configure your proxy server to download spam definition updates

1 Open the command prompt window by clicking Start > Programs >Accessories > Command Prompt.

2 At the command prompt, change directories to the Mail Security installationdirectory.

The default directory is: \Program Files (x86)\Symantec\SMSMSE\6.5\Server

3 Type the following:

register -c SpamPrevention\bmiconfig.xml -l SpamPrevention\SPAlicense.slf -p <proxyserver:proxyport>

where <proxyserver:proxyport> is the IP address of your proxy server andthe port.

Symantec Premium AntiSpam licenses are placed in the SpamPreventionfolder.

4 On the Windows Start menu, click Start > Run.

5 In the Run dialog box, type the following:

regedit

121Identifying spamHow to detect spam using Symantec Premium AntiSpam

6 Click OK.

7 In the Registry Editor window, in the left pane, browse and locate the followingfolder:

HKEY-LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Licensing\


In the right pane, right-click on any blank space, andselect New > DWORD Value. In the name box, type:

SPARunRegister

If the file SPARunRegisterdoes not exist

In the right pane, right-click on the file, and selectModify. In the Edit DWORD Value dialog box, in theValue data box, change the value to 0, and then clickOK.

If the file SPARunRegisterexists

9 Save the file and close the Registry Editor window.

Configuring Symantec Premium AntiSpam to detect spamBefore you configure Symantec Premium AntiSpam, ensure that you have donethe following:

■ If you have an ISA server, register Symantec Premium AntiSpam through theISA server.See “About registering Symantec Premium AntiSpam through an ISA server”on page 121.

■ Configure your proxy server to permit downloads for Symantec PremiumAntiSpam.See “Configuring your proxy server to download spam definition updates”on page 121.

■ Install the Symantec Premium AntiSpam license.See “About licensing” on page 73.

Configure the following settings to detect and handle spam:


122

Symantec monitors email sources to determine how much of the emailmessages that are sent from those sources is legitimate. Email from thosesources can then be blocked or allowed based on the source's reputationvalue as determined by Symantec.

Symantec uses the following lists to filter your messages:

■ Open Proxy list

Contains IP addresses that are either open proxies that are used byspammers or 'zombie'computers that are co-opted by spammers

■ Safe list

Contains IP addresses from which virtually no outgoing email is spam

■ Suspect list

Contains IP addresses from which virtually all of the outgoing email isspam

■ Fastpass

Bypasses AntiSpam filtering of email messages that are received fromverified senders

These lists work like antispam rules but do not create delays like those thatcan occur with third-party lists. these lists do not require any additionalsetup procedures.

Reputationservice

Symantec calculates a spam score from 1 to 100 for each message. If amessage scores from 90 to 100, it is defined as spam. You can define asuspected spam threshold between 25 and 89. You can also specify theactions for handling spam and suspected spam separately.

Suspectedspamthreshold



To configure Symantec Premium AntiSpam to detect spam


2 In the sidebar under Antispam, click Premium AntiSpam Settings.

3 In the content area, under Symantec Premium AntiSpam Settings, checkEnable Symantec Premium AntiSpam.

4 Under Reputation Services, check any of the following that you want to use:

■ Open proxy list

■ Safe list

Suspect List is enabled by default and cannot be disabled.

■ Fastpass


5 Under Spam Scoring, select whether you want messages flagged as suspectedspam.

6 Under Spam Threshold, in the Lower spam threshold box, type the suspectedspam threshold level if you choose to identify suspected spam.

You can enter a value between 25 and 89. The default value is 72.



Processing spam messagesYou can configure Mail Security to reject or accept spam messages. You can alsoconfigure whether you want Mail Security to log spam events to the specifiedlogging destinations.


If you configure Mail Security to reject spam messages, then a spam message isnot accepted by the SMTP server for delivery. The connection is closed and noerror message is sent to the SMTP service that sent the message.

If you configure Mail Security to accept spam messages, you can specify thefollowing message delivery options:

■ Prevent the message from being sent to the intended recipient.

■ Deliver the spam message to an alternate recipient.

■ Add your customized subject line text to the message.

■ Add one or more X-headers to the message.See “Apply X-headers to messages for archiving” on page 27.

■ Assign a SCL value to the message.See “About spam confidence level values” on page 119.

To reject spam messages


2 In the sidebar under Antispam, click Premium AntiSpam Actions.

3 In the content area, under Spam Messages, under If message is Spam, checkReject the message.

4 Check Log to log spam messages to the specified logging destinations.





124

To accept spam messages



3 In the content area, under Spam Messages, under If message is Spam, checkAccept the message.

4 Check Prevent delivery to original recipient(s) to prevent the intendedrecipients from receiving spam messages.

5 Check Deliver to alternate recipient to send spam messages to a differentrecipient, and type the address to which spam messages are delivered.

You can only enter one address.

6 Check Add to subject line to prepend the subject line of spam messages, andin the subject line box, type your customized text.

The default text is Spam.

7 Check AddX-header(s) to add one or more X-headers to messages that triggerthe violation, and then do any of the following:

Do the following:

■ Click Add X-header.

■ In the X-header name column, use thedrop-down menu to select theX-header that you want to use.

You can modify the existing X-headerby clicking on the text and typing thenew content.

■ In the X-header value column, type theX-header value.

You can type up to 127 characters. Thefollowing characters are not supportedin X-header values:

~ |

Add an existing X-header


Do the following:


■ In the X-header box, type the name ofthe X-header.

You can type up to 127 characters. Thename must begin with "x-" or X-". Thefollowing characters are not supportedin X-header names:

, . ; < > : ? / = ( )[ ] @ | ;~

■ In the X-header box, type the X-headervalue.


~ |

Create a new X-header

Do the following:

■ Select the X-header that you want toremove by clicking to the left of theX-header name column.

■ Click Delete X-header(s).

Remove an existing X-header

8 Check AssignSCLvalue tomessage to assign a SCL value to spam messages,and in the drop-down list, select the threshold value.

You can choose a value from 1 to 9. The default value is 9.



Spam messages are identified in the Windows Event Log as information orevents.




Processing suspected spam messages that exceed a SCLthresholdIf you are using a mail screening tool, you can configure Mail Security to rejector accept suspected spam messages that exceed a SCL threshold. Assign the SCLthreshold for which the Suspected Spam and SCL settings apply.


126

You can log all spam events to the specified logging destinations.


You can specify how you want Mail Security to process messages that are identifiedas suspected spam and that exceed the SCL threshold that you specify.


If you configure Mail Security to accept suspected spam messages that exceed thethreshold, you can configure the following message delivery options:





■ Re-assign the SCL value of the message.See “About spam confidence level values” on page 119.

To reject suspected spam messages that exceed a SCL threshold



3 In the content area, under Suspected Spam and SCL, in the "If message isSuspected Spam and SCL is" list, select the SCL value threshold.

You can choose a value from >0 to >8. The default value is >5.

4 Check Reject the message.

5 Check Log to log suspected spam messages to the specified loggingdestinations.




To accept suspected spam messages that exceed a SCL threshold




3 In the content area, under Suspected Spam and SCL, in the "If message isSuspected Spam and SCL is" list, select the SCL value threshold.

You can choose a value from >0 to >8. The default value is >5.

4 Check Accept the message.

5 Check Prevent delivery to original recipient(s) to prevent the intendedrecipients from receiving suspected spam messages.

6 Check Deliver to alternate recipient to send suspected spam messages to adifferent recipient, and type the address to which suspected spam messagesare delivered.

You can only specify one recipient.

7 Check Add to subject line to prepend the subject line of suspected spammessages, and in the subject line box, type your customized text.



Do the following:






~ |



128

Do the following:




, . ; < > : ? / = ( )[ ] @ | ;~



~ |


Do the following:




9 Check AssignSCLvalue tomessage to assign a SCL value to suspected spammessages, and in the drop-down list, select the threshold value.




Suspected spam messages that meet or exceed an SCL value are identified inthe Windows Event Log as information or events.




Processing suspected spam messagesYou can configure Mail Security to reject or accept suspected spam messages. Youcan log all spam events to the specified logging destinations.




If you configure Mail Security to accept suspected spam messages, you can specifythe following message delivery options:





■ Re-assign the SCL value of the message.See “About spam confidence level values” on page 119.

To reject suspected spam messages



3 In the content area, under Suspected Spam, under If message is SuspectedSpam, check Reject the message.





To accept suspected spam messages



3 In the content area, under Suspected Spam, under If message is SuspectedSpam, check Accept the message.

4 Check Prevent delivery to original recipient(s) to prevent the intendedrecipients from receiving suspected spam messages.

5 Check Deliver to alternate recipient to send suspected spam messages to adifferent recipient, and type the address to which suspected spam messagesare delivered.

You can only specify one recipient.


130

6 Check Add to subject line to prepend the subject line of suspected spammessages, and in the subject line box, type your customized text.



Do the following:






~ |


Do the following:




, . ; < > : ? / = ( )[ ] @ | ;~



~ |


Do the following:





8 Check Assign SCL value to message to reassign the SCL value, and in thedrop-down list, select the threshold value.




Suspected spam messages are identified in the Windows Event Log asinformation or events.





132

Filtering content


■ About filtering content

■ About creating a content filtering rule

■ What you can do with content filtering rules

■ How to enforce email attachment policies

■ Managing match lists

About filtering contentMail Security can filter messages and their attachments using the followingfeatures:

Content filtering rules filter messages and their attachments for thespecific content that you specify (for example, offensive language orsensitive information).

Mail Security can scan for content within the following message parts:message body, subject, sender, attachment name, and attachmentcontent.

You can use the default content filtering rules that Mail Securityprovides or you can create your own rules. You can individually enableand disable each rule.


See “About default content filtering rules” on page 134.

Content filteringrules

8Chapter

Mail Security uses file filtering rules to enforce email attachmentpolicies.

Mail Security provides the following pre-defined file filtering rules:

■ File Name Rule

Blocks attachments based on the file name that you specify

■ Multimedia File Rule

Blocks specific multimedia file attachments

■ Executable File Rule

Blocks specific executable file attachments

See “How to enforce email attachment policies” on page 159.

File filtering rules

Mail Security uses match lists to filter email messages and attachmentsfor specific words and phrases. You use match lists with contentfiltering rules or the File Name file filtering rule. When the rule isenabled, Mail Security scans for the criteria that you specify in therule, including the words and phrases that are in the associated matchlist.

Match lists support literal strings, DOS wildcard-style expressions,or regular expressions.


You can also use match lists to help manage outbreaks. You canconfigure Mail Security to automatically add the names ofoutbreak-triggered attachments and outbreak-triggered subject textto match lists. Mail Security uses these match lists with content orfile filtering rules to automatically block suspicious file attachmentsor subjects.


Match lists

You can specify the action that you want Mail Security to take when it detects acontent filtering rule or file filtering rule violation. You can also configure MailSecurity to notify the administrator and senders (internal and external) of aviolation with a message that you can customize.

About default content filtering rulesTable 8-1 describes the pre-configured content filtering rules that Mail Securityprovides.

Filtering contentAbout filtering content

134

Table 8-1 Default content filtering rules

DescriptionRule

Detects and filters files with attachment typesthat are not on a list of permitted attachmenttypes

This rule is only available if you upgrade from aprevious version of Mail Security. This rule is notavailable if you perform a clean installation ofMail Security 6.0.6.

Allow-Only Attachment Rule

Detects and filters messages with blank subjectline and blank sender line

Blank Subject and Sender

Detects and filters files whose attachment namematches a list of outbreak-triggered attachmentnames


Quarantine Triggered AttachmentNames

Detects and filters messages whose subjectmatches a list of outbreak-triggered subjects


Quarantine Triggered Subjects

Detects and filters executable files based on theSample Attachment Name match list

Sample Executable File

Enable the default content filtering rules that you want to use. You can modifythe rules as needed.

About creating a content filtering ruleCreating a content filtering rule involves the following process:

■ Configuring the conditions of a content filtering rule

■ Specifying the users and groups to which the rule applies

■ Specifying who to notify if a content filtering rule is violated

■ Configuring rule actions

Configuring the conditions of a content filtering ruleA content filtering rule consists of one or more conditions that you define. Forexample, a condition might be that an email subject line contains one or more

135Filtering contentAbout creating a content filtering rule

words from a subject line match list. A rule can optionally contain one or moreexceptions.

Mail Security uses OR ("Match any term") and AND ("Match all terms") conditionsto create a framework in which to evaluate email messages or email messages andtheir attachments. By default, content filtering rules are set to "Match any term"for the entries in the Content list. This means that the rule triggers a violation ifany of the entries are present and all of the other criteria that you configured aremet. If you check "Match all terms," then the rule only triggers a violation if allthe items in the Content list are present and all other rule criteria that youconfigure are met. "Match any terms" is the only condition available for the entriesin the Unless list.

Figure 8-1 shows the rule elements that you can configure on the content filteringrule tab.

Filtering contentAbout creating a content filtering rule

136

Figure 8-1 Content filtering rule tab

Contentlist

Unlesslist

Table 8-2 describes the rule elements that you can configure on the contentfiltering rule tab.


Table 8-2 Elements of a content filtering rule

DescriptionRule condition

Lets you provide a unique name for the content filteringrule that you can easily identify in the list of rules and inreports in the event log.

Name

Lets you provide a unique description for the contentfiltering rule. The description should provide enough detailto remind you what the rule is configured to detect.

Description

Lets you specify the part of the email message that you wantMail Security to scan for violations.

Use the "Message part to scan" drop-down list to choosefrom the following message parts:

■ Message Body

■ Subject

■ Sender

■ Attachment Name

■ Attachment Content

Note:When the message part to scan is Attachment Name,Mail Security does not evaluate the file names that are insidea container file, for example, the compressed files in a .zipfile.


See “What you can do with content filtering rules”on page 155.


Message part to scan

Lets you specify the messages to which you want the ruleto apply. You can choose to apply the rule to anycombination of inbound, outbound, or internal messages.You must select at least one of these options.

The default setting is Internal messages.

Note: To allow content filtering of internal messages, youmust select Inbound messages option along with Internalmessages.

The "Apply rule to" element only applies to auto-protectscanning. Manual and scheduled scans automatically scaninternal messages.

See “Specifying inbound SMTP domains ” on page 158.

Apply rule to


138

Table 8-2 Elements of a content filtering rule (continued)


Lets you determine how words and phrases in the Contentlist and Unless list are interpreted.

Note: The content filtering rule "Match type" element doesnot determine how the match lists that you use in theContent list and Unless list are interpreted. A match list canhave a different match type than the content filtering rule.


The Match Type options are as follows:

■ Literal string: Matches the exact text in the Content andUnless lists

■ Regular expression: Matches patterns of text usingsymbols and syntactic elements


■ Wild cards: Specifies file names using wild card-styleexpressions


Match type

Lets you select from the following match options:

■ Whole term: Applies the rule only if the exact term inthe Content list and Unless list or match list is found.

■ Case: Applies the rule only if the exact term is in thesame case as in the Content list and Unless list or in thematch list. For example, if you type ACME in the Contentlist, a message that contains the word Acme will nottrigger a violation.

Options

Content Pane




Lets you specify the Contains condition for a contentfiltering rule.

The Contains conditions are as follows:

■ Contains: The message part to scan contains the termsin the Content list.

■ Does not contain: The message part to scan does notcontain the terms in the Content list.

■ Equals: The message part to scan equals the terms in theContent list.

■ Does not equal: The message part to scan does not equalthe terms in the Content list.

The Equals and Does not equal options only apply to theSubject, Sender, and Attachment Name message parts.

Contains

Lets you specify a match list to use in your content filteringrule. You can also create a new match list or edit an existingmatch list.

Using a match list in content filtering rule is optional.


Add match list

Lets you evaluate the specified message part for any termcontained in the Content list.

For example, assume the Content list contains the terms:free, confidential, and money. If Mail Security detects anyone of these terms in the specified message part, it triggersa violation.

Match any term

Lets you evaluate the specified message part for all of theterms contained in the Content list.

The "Match all terms" option is only available to use withthe terms in the Content list.

For example, assume that the Content list contains theterms: free, confidential, and money. Mail Security mustdetect all of these terms in the specified message part totrigger a violation.

Match all terms


140



Lets you specify the words or phrases for which you wantto evaluate the specified message parts.

The format of the terms that you type in the Content listshould mirror that of the match type that you select. Forexample, if you select literal string from the match type list,format your Content list entries as literal strings.

Content list

Lets you specify "Attachment size is" as a condition of thecontent filtering rule. The "Attachment size is" option canbe applied to all message parts to scan, except message body.You can also use "Attachment size is" by itself if you wantMail Security to detect attachments of a certain size.

When you select the sender or subject message parts andthe "Match any terms" or "Match all terms" conditions, therule action is applied to the message or the attachment basedon the violation that is detected.

For example, assume that you have specified Sender, chosenthe "Match any terms" condition, and specified the"Attachment size is" as = 2MB. Since Mail Security scansmessages in parts, if there is a Sender match, dispositionsare applied to the message body and the attachment. If theattachment size is the only match, the disposition onlyapplies to the attachment.

Assume for the same example that you change the conditionto "Match all terms." Mail Security applies a disposition tothe attachment only if it detects all of the terms in theContent list AND the specified attachment size.

Attachment size is

Unless Pane




Lets you specify the Contains condition for a contentfiltering rule.

The Contains conditions are as follows:

■ Contains: The message part to scan contains the termsin the Unless list.

■ Does not contain: The message part to scan does notcontain the terms in the Unless list.

■ Equals: The message part to scan equals the terms in theUnless list.

■ Does not equal: The message part to scan does not equalthe terms in the Unless list.

The Equals and Does not equal options apply only to theSubject, Sender, and Attachment Name message parts.

Contains

Lets you specify a match list to use in your content filteringrule Unless condition. You can also create a new match listor edit an existing match list.

Using a match list is optional.


Add match list

Lets you create exceptions to content filtering rules. Youcan add words and phrases to the Unless list which MailSecurity evaluates as exceptions to the content filteringrule.

All entries in the Unless list are automatically designatedwith the "Match any terms" (OR condition) option.

The format of the terms that you type in the Unless listshould mirror that of the match type that you select. Forexample, if you select Literal string from the Match Typemenu, you should format your Unless list entries as literalstrings.

Unless list


142



Lets you specify "Attachment size is" as a condition of thecontent filtering rule. The "Attachment size is" option canbe applied to all message parts to scan, except message body.You can also use "Attachment size is" by itself if you wantMail Security to detect attachments of a certain size.

When you select the sender or subject message parts, therule action is applied to the message or the attachment basedon the violation that is detected. (All Unless conditions areapplied as OR conditions between the message part and theattachment.) And the "Match any term" condition alwaysapplies to all Unless conditions.

For example, assume that you have specified Sender andspecified the "Attachment size is" as = 2MB. Since MailSecurity scans messages in parts, if there is a Sender match,dispositions are applied to the message body and theattachment because "Match any term" makes this rule anOR condition. However, if the attachment size is the onlymatch, the disposition only applies to the attachment.

Or attachment size

To configure the conditions of a content filtering rule


2 In the sidebar under Content Enforcement, click Content Filtering Rules.


In the sidebar under Tasks, click New rule.Create a rule

In the content area, double-click the rule that you want toedit.

Modify an existing rule

4 On the Rule tab, define the conditions for the content filtering rule.

See Table 8-2 for a description of the content filtering rule conditions.

5 Do any of the following:

■ Configure the remaining components of the content filtering rule.See “Specifying the users and groups to which the rule applies” on page 144.See “Specifying who to notify if a content filtering rule is violated”on page 146.See “Configuring rule actions” on page 147.


■ Click OK and then click Deploy Changes.See “Deploying settings and changes to a server or group” on page 81.

Specifying the users and groups to which the rule appliesMail Security lets you specify the users and groups to which the rule applies. Youcan also specify which users and groups are exceptions to the rule.

Note: This feature is not available for the Edge Server role.

You can select groups from Active Directory. You can also add users based onSMTP addresses.

Table 8-3 shows the SMTP address formats that Mail Security supports.

Table 8-3 Supported SMTP address formats

ExampleAddress

@symantecdomain.com@<domain name>

*@symantecdomain.com*@<domain name>

[email protected]<name>@<domain name>

[email protected]<name>@<subdomain.domain name>

Note: Using regular expressions for SMTP addresses is not supported

When you use the address formats from the table above, sub-domains areautomatically supported. For example, when you use the address format<name>@<domain name>, Mail Security will support [email protected], as wellas [email protected].

If you do not specify users, the rule applies to all senders and recipients.

If you are using Exchange 2003, and you want to specify a user or group whosedomain is not in the Exchange server domain, specify the domain name in theInternal Domains list.

See “Specifying inbound SMTP domains ” on page 158.


144

Note: You can select any Active Directory group except the Users group. Addingthe Users group to Active Directory Groups list results in unintended behavior.On Exchange 2010 mailbox server role, for content filtering rules based on ActiveDirectory group, you must add SMSMSE service account user (RBAC user) to theSMSMSE Admins Active Directory group.

To specify the users and groups to which the rule applies







4 Click the Users tab.

5 Under Sender/Recipient Selection, do one of the following:

Click Sender, and then select one of the following optionsfrom the drop-down list:

■ Apply if the sender of the message is in the list

■ Apply if the sender of the message is NOT in the list

To apply the rulebased on the sender

Click Recipient, and then select one of the following optionsfrom the drop-down list:

■ Apply if ANY of the recipients of the message are in thelist

■ Apply if ANY of the recipients of the message are NOT inthe list

■ Apply if ALL of the recipients of the message are in thelist

■ Apply if ALL of the recipients of the message are NOT inthe list

To apply the rulebased on the recipient

6 Under List of Users or Groups, in the SMTP addresses box, do one of thefollowing:

■ Type the addresses of the users that you want to include or exclude.

Type one address per line.


■ To add a preconfigured match list that contains user addresses, click AddMatch List and select a match list.

You can only insert one match list. You can combine a match list withtyped addresses.See “Managing match lists” on page 168.

7 Under the Active Directory groups list, to select groups from ActiveDirectory, click Add.

8 In the ActiveDirectorydomainsandgroups window, under Available groups,select the group that you want to add and click the >> command icon.

The group that you select appears in the Selected groups list. To deselect agroup in the Selectedgroups list, click on the group entry, and then click the<< command icon.


■ Configure the remaining components of the content filtering rule.See “Configuring the conditions of a content filtering rule” on page 135.See “Specifying who to notify if a content filtering rule is violated”on page 146.See “Configuring rule actions” on page 147.


Specifying who to notify if a content filtering rule is violatedMail Security lets you specify who you want to notify when a rule is violated.

To specify who to notify if a content filtering rule is violated







4 Click the Notifications tab.

5 Check any of the following:

■ Notify administrators


146

Click the down arrow, and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:

■ Default Subject line text: Administrator Alert: Symantec Mail Securitydetected a message containing prohibited content

■ Default Message body text: Location of themessage:%location%%n%Sender of themessage:%sender%%n%Subject of the message:%subject%n%%n%The message was %action%%n%%n%This wasdone due to the following Symantec Mail Security settings: %n%Scan:%scan%%n% Rule: %rule%%nViolating term(s): %violatingterm%

■ Notify internal senderClick the down arrow, and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody texts are as follows:

■ Default Subject line text: Symantec Mail Security detected prohibitedcontent in a message sent from your address

■ Default Message body text: Subject of the message:%subject%%n%Recipient of the message: %recipient%

■ Notify external senderClick the down arrow, and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody texts are as follows:

■ Default Subject line text: Symantec Mail Security detected prohibitedcontent in a message sent from your address

■ Default Message body text: Subject of the message:%subject%%n%Recipient of the message: %recipient%


6 Click OK.



Configuring rule actionsYou can specify the action that you want Mail Security to take when a violationoccurs.

Mail Security provides the following options for processing messages that triggercontent filtering rule violations:


■ Delete entire message

■ Delete attachment/message body and replace with text

You can customize the replacement text.

■ Quarantine attachment/message body and replace with text

You can customize the replacement text.

■ Add tag to beginning of subject line

You can customize the text that you want to prepend the subject line. Thisrule action is not available if you apply the rule to the internal messages (store).

■ Log onlySee “About logging events” on page 211.

You can also configure Mail Security to add one or more X-headers to messagesthat violate the content filtering rule. Mail Security provides five default X-headersfrom which you can choose. Mail Security also lets you create your own X-headers.You can specify up to 25 X-headers for each violation.

See “Apply X-headers to messages for archiving” on page 27.

To configure rule actions to delete the message







4 On the Actions tab, in the When a violation occurs box, use the drop-downmenu to select Delete entire message.

The default setting is: Quarantine attachment/message body and replace withtext.


■ Configure the remaining components of the content filtering rule.See “Configuring the conditions of a content filtering rule” on page 135.See “Specifying the users and groups to which the rule applies” on page 144.See “Specifying who to notify if a content filtering rule is violated”on page 146.


148


To configure rule actions to delete the attachment and message body and replacewith text







4 On the Actions tab, in the When a violation occurs box, use the drop-downmenu to select Delete attachment/message body and replace with text.


5 In the Replacement text box, type your customized text.

The default text is: Symantec Mail Security replaced %attachment% withthis text message. The original attachment content type was not allowed andwas %action%.



Do the following:






~ |



Do the following:




, . ; < > : ? / = ( )[ ] @ | ;~



~ |


Do the following:







To configure rule actions to quarantine the attachment and message and replacewith text








150

4 On the Actions tab, in the When a violation occurs box, select Quarantineattachment/message body and replace with text.

This setting is enabled by default.

5 In the Replacement text box, type your customized text.

The default text is: Symantec Mail Security replaced %attachment% withthis text message. The original attachment content type was not allowed andwas %action%.


Do the following:






~ |


Do the following:




, . ; < > : ? / = ( )[ ] @ | ;~



~ |



Do the following:







To configure rule actions to prepend the subject line







4 On the Actions tab, in the When a violation occurs box, use the drop-downmenu to select Add tag to beginning of subject line.


This rule action is not available if you apply the rule to the internal messages(store).

5 In the Subject line tag box, type the customized text that you want to prependto the subject line.

The default text is: Content Violation:



152

Do the following:






~ |


Do the following:




, . ; < > : ? / = ( )[ ] @ | ;~



~ |


Do the following:





■ Configure the remaining components of the content filtering rule.See “Configuring the conditions of a content filtering rule” on page 135.See “Specifying the users and groups to which the rule applies” on page 144.


See “Specifying who to notify if a content filtering rule is violated”on page 146.


To configure rule actions to only log the event







4 On the Actions tab, in the When a violation occurs box, use the drop-downmenu to select Log only.




Do the following:






~ |



154

Do the following:




, . ; < > : ? / = ( )[ ] @ | ;~



~ |


Do the following:







What you can do with content filtering rulesThe following describes the tasks that can perform with content filtering rules:

■ Enabling or disabling content filtering for auto-protect scanning

■ Prioritizing content filtering rules

■ Deleting a content filtering rule

■ Specifying inbound SMTP domains

155Filtering contentWhat you can do with content filtering rules

■ Refreshing the Active Directory group cache

Enabling or disabling content filtering for auto-protect scanningYou can enable or disable content filtering for auto-protect scanning on theContent Filtering Rules page. You can enable or disable content filtering for manualand scheduled scans when you configure those scans.



To enable or disable content filtering for auto-protect scanning



3 In the content area under Content Filtering Rules, do one of the following:

■ Check Enablecontentfiltering to enable content filtering for auto-protectscanning.

■ Uncheck Enable content filtering to disable content filtering forauto-protect scanning.



Prioritizing content filtering rulesMail Security evaluates messages using all of the content filtering rules that youenable. By default, Mail Security applies rules in the order in which you enablethem. For example, if you enable the Sample Executable File rule and then enablethe Quarantined Triggered Subjects rule, Mail Security priorities the SampleExecutable File rule first. However, you can specify the order in which you wantMail Security to apply the rules.

If a message violates more than one rule, Mail Security applies the most severedisposition of the rules that were violated to ensure that your environmentmaintains the highest level of protection.

The severity levels, from most severe to least severe, are as follows:




■ Add tag to beginning of subject line

Filtering contentWhat you can do with content filtering rules

156

■ Log only

For example, assume that you have two content filtering rules enabled: Rule Aand Rule B. Rule A is the higher priority, and the rule action is “Log only.” Rule Bis the lower priority, and the rule action is to “Delete entire message.” A messagethat violates both rules is deleted.

If the message violates more than one rule and all of the rules have the samedisposition, Mail Security uses the prioritization categorization to determinewhich rule action to apply.

For example, assume that you have two content filtering rules enabled: Rule Cand Rule D. Rule C is the higher priority, the rule action is “Add tag to the beginningof subject line,” and your customized text is "Spam." Rule D is the lower priority,the rule action is “Add tag to the beginning of subject line,” and your customizedtext is "Prohibited content." A message that violates both rules will have thesubject line prepended with "Spam."

The rule order does not change in the Content filtering rules table. You can onlyview and modify rule prioritization in the Rule prioritization window.

To prioritize content filtering rules



3 In the sidebar under Tasks, click Prioritize rules.

More than one rule must be enabled to prioritize rules.

4 In the Rule prioritization window, click a rule to select it.

5 Click Move up or Move down until the rule is at the priority that you want.

Rules are prioritized from top to bottom, with the top being the highestpriority.

6 Click OK.



Deleting a content filtering ruleDelete a content filtering rule when it is no longer needed.

To delete a content filtering rule



157Filtering contentWhat you can do with content filtering rules

3 In the content area, in the Content filtering rules table, select the rule thatyou want to delete.

4 In the sidebar under Tasks, click Delete rule.




Specifying inbound SMTP domainsBy default, content filtering rules for inbound SMTP messages apply to messagesthat have at least one recipient who has a mailbox in the Exchange organization.Rules for outbound SMTP messages apply to messages that have at least onerecipient that does not have a mailbox in the Exchange organization.

You can modify these settings by specifying the domains that your organizationconsiders local. By adding a domain to the domain list, emails with recipients forthat domain are considered local, even if they do not have local mailboxes.

Note: A single message can be considered both inbound and outbound. In thiscase, both inbound and outbound rules are applied to the message.

To specify inbound SMTP domains


2 In the sidebar under Views, click System Settings.

3 In the content area, under System Settings, check Enable list of internaldomains.

4 In the List of internal domains box, type the domain or domains that definewhich email message domains are inbound.

Type only one domain per line.



Refreshing the Active Directory group cacheMail Security does not refresh the Active Directory group cache when you createor edit a content filtering rule. Mail Security automatically updates the cacheupon startup and at 1 A.M. in the time zone to which your computer clock is set.You should manually update the cache if you modify the users in an Active

Filtering contentWhat you can do with content filtering rules

158

Directory group that is used in a content filtering rule. You should also manuallyupdate the cache if you create a content filtering rule that applies to the ActiveDirectory group Executives.

Note: This feature is not available for the Edge Server role.

For example, you create a content filtering rule that applies to the Active Directorygroup Executives and deploy your changes. Then you add a user to the Executivesgroup. After you deploy your changes, you should update the Active Directorygroup cache so that the rule applies to the user that you just added to the group.

You must have access to Active Directory or be logged onto a client in the ActiveDirectory domain to update the Active Directory group cache.

To refresh the Active Directory group cache



3 In the sidebar under Tasks, click UpdateActiveDirectorygroupscachenow.


How to enforce email attachment policiesMail Security contains the following default rules that enforce email attachmentpolicies:

Lets you filter attachments by file name

See “Blocking attachments by file name” on page 159.

File Name Rule

Lets you block certain multimedia files, such as video and musicfiles

See “Configuring multimedia file detection” on page 163.

Multimedia File Rule

Lets you block executable files

See “Configuring executable file detection” on page 166.

Executable File Rule

Blocking attachments by file nameYou can filter attachments by file name to protect your network during anoutbreak. For example, in the case of a new email-borne threat, if you know thefile name of the infected attachment, you can use this information to block anyinfected email messages.

159Filtering contentHow to enforce email attachment policies

You can configure Mail Security to match words and phrases that are in a matchlist against the names of files. Names of both non-container files (individual fileswithout embedded files) and container files (files with embedded files) areexamined.

The prohibited file is blocked if Mail Security detects a match. The entire containerfile is blocked if the prohibited file is within a container file.

For example, if an incoming .zip file named sample.zip contains three executablefiles (a.exe, b.doc, and c.bat), sample.zip is blocked if any of the following occurs:

■ The match list contains one of the literal strings: sample.zip, a.exe, b.doc, orc.bat

■ The match list contains one of the DOS wildcard expressions: *.zip, *.exe, *.doc,or *.bat

■ The match list contains one of the regular expressions: sample\.\w{3}, a\.\w{3},b\.\w{3}, or c\.\w{3}See “Managing match lists” on page 168.

To block attachments by file name, do the following:

■ Enable the File Name Rule.

■ Select the match list that contains the file name attachments that you wantdetected. You can create or modify match lists when you modify the File NameRule.

You can only select one match list.

■ Specify the action to take if a violation is detected, who to notify of theviolation, and the notification message text.

To enable the File Name Rule

1 In the console, on the primary navigation bar, click Policies.

2 In the sidebar, under Content Enforcement, click File Filtering Rules.

3 In the content area, in the File Filtering Rules table, on the File Name Rulerow, click the box under the Status column, and then click Enabled from thedrop-down menu.

This rule is disabled by default.

Filtering contentHow to enforce email attachment policies

160

To bypass scanning of container files


2 In the sidebar, under Content Enforcement, click File Filtering Rules.

3 In the content area, in the File Name Rule, select the Bypass scanning ofcontainer file(s) check box to bypass contents of files without scanning.However, other filtering rules and AV scanning are applicable to the contentsof the container.

This option is not selected by default.

To select an existing match list that does not need to be modified


2 In the sidebar under Content Enforcement, click File Filtering Rules.

3 In the File Filtering Rules table, select the rule that you want to modify.

4 In the File Filtering Rules preview pane, beside Match list for prohibited filenames, click Select.

5 In the Select a match list window, in the Name table, select the match list,and then click Select.

To create a match list or modify an existing match list





5 In the File Filtering Rules preview pane, beside Match list for prohibited filenames, click Select.

6 In the Select a match list window, do one of the following:

■ To modify an existing match list, select the match list, and on the toolbar,click Edit match list.

■ To create a new match list, on the toolbar, click New match list.See “Managing match lists” on page 168.

7 Under Filter, type the file attachment names, one per line, that you want toadd to the match list.

8 Click OK.

9 In the Select a match list window, click Select to select the match list thatyou just created or modified.


To specify the action to take if a file filtering rule violation is detected




4 In the File Filtering Rules preview pane, in the Action to take list, use thedrop-down menu to select one of the following:




■ Log only






■ Notify administratorsClick the down arrow, and then type your customized text in the Subjectline box and the Message body box.The default Subject line and Message body text is as follows:

■ Default Subject line text: Administrator Alert: Symantec Mail Securitydetected a message containing prohibited attachment

■ Default Message body text: Location of the message: %location%Senderof the message: %sender%Subject of the message: %subject% Theattachment(s) "%attachment%" and/or the message was %action%.This was done due to the following Symantec Mail Security settings:Scan: %scan% Rule: %rule%

■ Notify internal senderClick the down arrow, and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:


162

■ Default Subject line text: Symantec Mail Security detected a prohibitedattachment in a message sent from your address


■ Notify external senderClick the down arrow, and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:






Configuring multimedia file detectionYour organization might want to prohibit users from receiving email messagesthat contain multimedia file attachments, such as music and video files. Whenyou enable the Multimedia File Rule, Mail Security detects the supported fileextensions and types and takes the actions that you specify. Mail Security candetermine if a file is a true multimedia file by analyzing the file contents, ratherthan just looking at the file name extension. Blocking multimedia file attachmentsnot only helps your organization enforce content policies, it also conservesscanning and file storage resources.

Note: Mail Security can determine the true file type of a well-formed binary file.The true file type of a binary file variant cannot always be accurately determined.

Table 8-4 lists the multimedia file types that Mail Security supports (this listcannot be modified).

Table 8-4 Supported multimedia file types

File extensionFile type

*.MEDAmiga MED/OctaMED Tracker Module Sound File

*.AUAU Audio File, Audacity Audio Block


Table 8-4 Supported multimedia file types (continued)

File extensionFile type

*.AIFF, *.AIFC, *.AIFAudio Interchange File

*.AVIAudio Video Interleave File

*.ITImpulse Tracker Music Module

*.MP3, *.MP4MPEG AlbumWrap Wrapped Music File Archive

*.MPEGMPEG Movie Clip, MPEG-4 Audio Layer File

*.MTMMultiTracker Music Module

*.MIDIMusical Instrument Digital Interface

*.MEZMusicEase Audio File

*.QT, *.MOVQuickTime Video Clip

*.RARealMedia File

*.OGGOGG Vorbis Codec Compressed WAV File

*.STXScream Tracker Music Interface Kit Song/Module

*.S3MScreamTracker v3 Sound File

*.SWFShock Wave Flash

*.SHNShorten Audio Compression File

*.WAVWaveform Audio

*.WMVWindows Media File

To configure multimedia file detection



3 In the content area, in the File Filtering Rules table, click Multimedia FileRule.

4 In the content area, in the File Filtering Rules table, on the Multimedia FileRule row, click the box under the Status column, and then use the drop-downmenu to select Enabled.

This rule is disabled by default.


164

5 In the preview pane, in the Action to take list, use the drop-down menu toselect one of the following to specify the action to take when a multimediafile is detected:




This is the default option.

■ Log only






■ Notify administratorsClick the down arrow and then type your customized text in the Subjectline box and the Message body box.The default Subject line and Message body text is as follows:


■ Default Message body text: Symantec Mail Security replaced%attachment% with this text message. The original file contained%violation% and was %action%

■ Notify internal senderClick the down arrow and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:



■ Notify external sender


Click the down arrow and then type your customized text in the Subjectline box and the Message body box. The default Subject line and Messagebody text is as follows:






Configuring executable file detectionRisks can be found in file types that contain executable code. You can enhancethreat detection by identifying executable files. When you enable the ExecutableFile Rule, Mail Security detects executable files and takes the actions that youspecify. Mail Security determines if a file is a true executable file by analyzing thefile contents, rather than looking at the file name extension.

Note: Mail Security can determine the true file type of a well-formed binary file.The true file type of a binary file variant cannot always be accurately determined.

The Executable File Rule recognizes the following executables:

■ MSDOS/Windows *.exe files

■ MSDOS/Windows object library files

■ MSDOS/Windows programs

■ MSDOS device drivers

■ /x86-win-16-com

To configure executable file detection



3 In the content area, in the File Filtering Rules table, on the Executable FileRule row, click the box under the Status column, and use the drop-down menuto select Enabled.

This rule is enabled by default.


166

4 In the preview pane, in the Action to take list, use the drop-down menu toselect one of the following to specify the action to take when an executablefile is detected:




This is the default option.

■ Log only





6 To send email notifications about the detection, check one or more of thefollowing:

■ Notify administratorsClick the down arrow and type your customized text in the Subject linebox and the Message body box.The default Subject line and Message body text is as follows:


■ Default Message body text: Location of the message: %location%Sender of the message: %sender% Subject of the message: %subject%The attachment(s) "%attachment" and/or the message was %action%.This was done due to the following Symantec Mail Security settings:Scan %scan% Rule: %rule%



■ Default Message body text: Subject of the message: %subject%Recipient of the message %recipient%




■ Default Message body text: Subject of the message %subject% Recipientof the message %recipient%




Managing match listsMail Security uses match lists to filter email messages and attachments for specificwords, terms, and phrases. In order to implement a match list, you must associateit with a content filtering rule or file filtering rule. When the rule is applied toscan messages, it also scans for the terms in the match list.

Mail Security provides pre-configured match lists that you can use with contentfiltering rules and the File Name Rule file filtering rule. You can also create yourown match list or modify an existing match list. Match lists support literal strings,DOS wildcard-style expressions, or regular expressions.

Mail Security provides pre-configured match lists that you can use with the FileName Rule. You can also create your own match list or modify an existing matchlist.

Match lists support literal strings, DOS wildcard-style expressions, or regularexpressions.



Note:The pre-configured match lists are designed to be used with content filteringrules. However, you can modify and use the pre-configured match lists with theFile Name Rule.

Table 8-5 lists the pre-configured match lists that Mail Security provides.

Filtering contentManaging match lists

168

Table 8-5 Pre-configured match lists

DescriptionMatch list name

When you enable outbreak management, Mail Security addsthe names of outbreak-triggered attachments to theOutbreak Triggered Attachment Names match list.

You can use this match list with the Quarantine TriggeredAttachment Names content filtering rule. This rule lets youautomatically quarantine files with attachment names thatare found in the Outbreak Triggered Attachment Namesmatch list.

You can edit the rule description and the text in the Filterlist. Leave the match type as wild cards.

Note: The pre-configured match lists are designed to beused with content filtering rules. However, you can modifyand use the pre-configured match lists with the File NameRule.

See “Configuring outbreak triggers” on page 206.

Outbreak TriggeredAttachment Names

When you enable outbreak management, Mail Security addsthe names of outbreak-triggered subject lines to theOutbreak Triggered Subject Lines match list.

You can use this match list with the Quarantine TriggeredSubjects content filtering rule. This rule lets youautomatically quarantine files with subject line text that isfound in the Outbreak Triggered Subject Lines match list.

You can edit the rule description and the text in the Filterlist. Leave the match type as literal.

Note: The pre-configured match lists are designed to beused with content filtering rules.However, you can modifyand use the pre-configured match lists with the File NameRule.


Outbreak Triggered SubjectLines

This contains a list of attachment file names or extensionsthat might contain malicious code.

You can edit the rule description and add or remove fileextensions in the Filter list. Leave the match type as wildcards.

Sample Attachment Name

169Filtering contentManaging match lists

Table 8-5 Pre-configured match lists (continued)

DescriptionMatch list name

This list contains file names or extensions that canpotentially execute malicious code.

Leave the match type as wild cards.

Sample Executable FileNames

This list contains key words and phrases typically found inthe bodies of spam email messages.

You can edit the rule description, add or remove key wordsand phrases in the Filter list, and modify the match type.The default match type is literal.

Sample Message Body Words

This list contains file names or extensions of multimediafiles.

Leave the match type as wild cards.

Sample Multimedia FileNames

This list contains key words and phrases typically found inspam email message subject lines.

You can edit the rule description, add or remove key wordsand phrases in the Filter list, and modify the match type.The default match type is literal.

Sample Subject Line

To create or edit a match list


2 In the sidebar under Content Enforcement, click Match Lists.


In the sidebar under Tasks, click New match list.Create a match list

In the content area under Match Lists, select the list thatyou want to edit, and then in the sidebar under Tasks,click Edit match list.

Edit an existing match list

4 In the New Match List window, in the Title box, type a name for the matchlist.

You can only configure the title when you are creating a new match list.

5 In the Description box, type a description for the match list.

6 In the Match Type box, select one of the following:

■ Literal string


170

■ Regular expressionSee “About regular expressions” on page 172.

■ Wild cardsSee “About DOS wildcard style expressions” on page 171.The match type you select is specifically for this match list. It is notaffected by the match type that you choose when you add or edit a rule.

7 In the Filter box, type a literal string, regular expression, or DOS wildcard-styleexpression.

Enter one expression per line. You can link several regular expressions toform a larger one to match certain content in email.

8 Click OK.



To delete a match list


2 In the sidebar under Content Enforcement, click Match Lists.

3 In the content area, under Match Lists, select the match list that you want todelete.

4 In the sidebar under Tasks, click Delete match list.




About DOS wildcard style expressionsDOS wildcard style expressions (“*”, “.”, and “?”) provide a convenient way tospecify file names, similar to the way in which DOS wildcard characters are used.For example, match lists of type DOS wildcard are typically used with theAttachment Name Attribute to specify file names such as *.exe. In addition, a DOSwildcard expression lets you easily specify files without extensions.

Table 8-6 describes the DOS wildcard style expressions.


Table 8-6 DOS wildcard expressions

DescriptionEquivalent regularexpression

DOS wildcard expression

Zero or more of any character.**

Any one character except theperiod (.)

[^\.]?

Literal period character\..

Does not contain a period, butcan end with one

[^\.]+\.?*.

About regular expressionsA regular expression is a set of symbols and syntactic elements that Mail Securityuses to match patterns of text. Mail Security matches regular expressions on aline-by-line basis. It does not evaluate the line feed (newline) character at the endof each input expression phrase.

You can build regular expressions using a combination of normal alphanumericcharacters and metacharacters. For example, some email messages contain atrailing number at the end of the subject line text. Trailing numbers often indicatethat a message is spam. Consider the following sample subject line:

Here's a hot stock pick!43234

To write a rule to match email subject lines that have trailing numbers, comparethe subject against the following regular expression:

^.+![0-9]+$

This regular expression contains the normal alphanumeric characters 0-9 andthe following metacharacters: circumflex (^), period (.), plus (+), and open andclose brackets ([ , ]). By using the subject attribute, the = operator, and the regularexpression as the value, you can build a content filtering rule to catch any emailmessages whose subject lines end with a trailing number.

How to create regular expressionsTable 8-7 lists examples of regular expressions that show how pattern matchingis accomplished with the use of metacharacters and alphanumeric characters.

You can combine alphanumeric characters and metacharacters to create matchpatterns for rules that will block messages and attachments specifically designedto bypass file filtering rules.


172

Table 8-7 Regular expressions

DescriptionRegular expression

Matches any line of text that contains the three letters abcin that order.

Your results may differ depending on the comparison thatyou use to create the rule. For example, if you build a ruleto match the word Free and use the Contains condition, thenthe filtering engine detects all words that contain the wordFree instead of an exact match (for example, Freedom).However, if you use the Equal condition, then the filteringengine detects only exact matches of the word Free with noother surrounding text. If you use the Contains conditionwith Whole words only, then the filtering engine detectsFree as a stand-alone word, even if there are other wordspresent in the text that is being searched.

abc

Matches any string that begins with the letter a, followedby any character, followed by the letter c.

a.c

Matches any line that contains exactly one character. (Thenewline character is not counted.)

^.$

Matches any string beginning with the letter a, followed byeither zero or more instances of the letter b, or zero or moreinstances of the letter c, followed by the letter d.

a(b*|c*)d

Matches any file name that has two, three-letter extensions(for example, Filename.gif.exe).

This regular expression is helpful in blocking emailattachments with double extensions. For example:

If Attachment Name + .+\....\....

.+\....\....

Matches an embedded comment in the middle of meaningfulHTML text. Embedding comments within HTML text is atrick that spam senders use to bypass somepattern-matching software.

[0-9a-zA-Z]+[0-0a-zA-Z]+

Matches a white space character zero or more times.\s*

About metacharactersTable 8-8 lists the metacharacters that you can use in regular expressions to buildfiltering rules.

Some characters are not considered special unless you use them in combinationwith other characters.

Note: You can use metacharacters in regular expressions to search for bothsingle-byte and multi-byte character patterns.

Table 8-8 Metacharacter descriptions

DescriptionMetacharacter

Period: Matches any single character of the input sequence..

Circumflex: Represents the beginning of the input line. Forexample, ^A is a regular expression that matches the letterA at the beginning of a line. The ^ character is only a specialcharacter at the beginning of a regular expression, or afterthe [ or | characters.

^

Dollar sign: Represents the end of the input line. Forexample, A$ is a regular expression that matches the letterA at the end of a line. The $ character is only specialcharacter at the end of a regular expression or before the )or | characters.

$

Asterisk: Matches zero or more instances of the string tothe immediate left of the asterisk. For example, A* matchesA, AA, AAA, and so on. It also matches the null string (zerooccurrences of A).

*

Question mark: Matches zero or one instance of the stringto the immediate left of the question mark.

?

Plus sign: Matches one or more instances of the string tothe immediate left of the plus sign.

+

Escape: Turns on or off the special meaning ofmetacharacters. For example, \. only matches a dotcharacter. \$ matches a literal dollar sign character. Notethat \\ matches a literal \ character.

\

Pipe: Matches either expression on either side of the pipe.For example, exe|com|zip matches exe, com, or zip.

|


174

Table 8-8 Metacharacter descriptions (continued)

DescriptionMetacharacter

Brackets: Inside the brackets, matches a single character orcollating element, as in a list. Characters within bracketsare not case-sensitive.

The string inside the brackets is evaluated literally, as if anescape character (\) were placed before each character inthe string.

If the initial character in the bracket is a circumflex (^), thenthe expression matches any character or collating elementexcept those inside the bracket expression.

If the first character after any potential circumflex (^) is adash (-) or a closing bracket (]), then that character matchesonly a literal dash or closing bracket.

[string]

Parentheses: Groups parts of regular expressions, whichgives the string inside the parentheses precedence over therest.

(string) $string$

The order in which metacharacters are evaluated, from highest to lowestprecedence, is as follows:

\Escape

[ ]List

( )Precedence override

*

+

?

Single character

^

$

Start with

|Alternation



176

Scanning your Exchangeservers for threats andviolations


■ About the types of scanning that you can perform

■ How Mail Security scans messages on Exchange Server 2007/2010 roles

■ Configuring auto-protect scanning

■ Configuring background scanning

■ Configuring advanced scanning options for auto-protect and backgroundscanning

■ About manual scans

■ About scheduling a scan

■ Configuring notification settings for scan violations

About the types of scanning that you can performYou can perform the following types of scans to detect risks, spam, and violations:

9Chapter

When enabled, auto-protect scanning runs constantly and detects threatsand violations in real-time to everything that is on or passes through yourExchange server. Auto-protect scanning applies to all policies, except forantispam detection. Antispam scanning occurs continuously, in real-timeas email traffic flows through your Exchange server.


Auto-protectscans

Manual scans run on-demand and scan public folders and mailboxes. Allpolicies apply to manual scans, except antispam. Antispam scanningoccurs continuously , in real-time as email traffic flows through yourExchange server.

You can specify which file folders and mailboxes to scan during a manualscan. You can also specify the content filtering rules that you want toenable for the manual scan.


Manual scans

Scheduled scans run unattended, usually at off-peak periods. All policiesapply to scheduled scans, except antispam. Antispam scanning occurscontinuously, in real-time as email traffic flows through your Exchangeserver.

You can specify which file folders and mailboxes to scan during a scheduledscan. You can also specify the content filtering rules that you want toenable for the scheduled scan.


Scheduledscans

Background scanning is a scan of the message store. You can performscans of the message store during off-peak periods to enhanceperformance.


Backgroundscanning

When Mail Security detects a security risk or a violation during a scan, it takesthe action that you specify for that policy. For example, when a threat is detected,Mail Security takes the action that you specify in the Antivirus Settings policy.

How Mail Security scans messages on ExchangeServer 2007/2010 roles

When auto-protect scanning is enabled, Mail Security applies a stamp to messagesit scans at the Edge Transport or Hub Transport servers. The stamp indicates theversion of definitions that were used for the scan. Each time Mail Security scansthe message, it also scans for file filtering rule violations.


Scanning your Exchange servers for threats and violationsHow Mail Security scans messages on Exchange Server 2007/2010 roles

178

Mail Security searches for this stamp each time the message is routed throughthe mail flow to another server. Mail Security determines if the message has beenscanned and if the message was scanned with the most current definitions. Whenthe server in which the mail is routed contains more current definitions thanthose indicated in the stamp, the message is rescanned with the newer definitions.

Note: Messages that have been stamped are not rescanned for file filtering andcontent filtering rules.

The message is disposed of based on the settings that you configure when MailSecurity detects a violation. No stamp is applied to the message, even if themessage is repaired. If the message is routed to another server role, Mail Securitydetects that there is no stamp and rescans the message.

Figure 9-1 shows how an incoming email message is scanned as it enters yourExchange Server 2007/2010 environment.

179Scanning your Exchange servers for threats and violationsHow Mail Security scans messages on Exchange Server 2007/2010 roles

Figure 9-1 How incoming email messages are scanned

Server

Internet

Server

EdgeTransport

server

HubTransport

server

Server

Mailboxserver

The message is scanned

No virus or violation is detected

The message is stamped

A virus or violation is detected

The message is disposed of(no stamp is applied)

Delete entiremessage

QuarantineRepair

Delete attachment/message body

Log only

Hubdefinitions

are thesame as orolder thanthose usedat the Edge

Hubdefinitionsare morecurrent

The message is rescanned

A virus or violation isdetected


No virus or violation isdetected


Mailboxdefinitions

are thesame as orolder thanthose usedin stamp

Mailboxdefinitionsare morecurrent

The message is rescanned on access


The message is disposed of


The message isdelivered to the

recipient’s mailbox




QuarantineRepair


Log only




Definitions in stamp arecompared to Hub definitions

Definitions in stamp arecompared to Mailbox

definitions

Figure 9-2 shows how an outgoing email message is scanned as it leaves yourExchange Server 2007/2010 environment.


180

Figure 9-2 How outgoing email messages are scanned

Internet

Server

EdgeTransport

server

Server

HubTransport

server

Server

Mailboxserver







QuarantineRepair


Log only

Definitions in stamp arecompared to Edge definitions

Edgedefinitions

are thesame or

older thanthe Hub

definitions

Edgedefinitionsare morecurrent

The message is rescanned





QuarantineRepair


Log only

The outgoing message is routed tothe Hub Transport server

By default, the message is notscanned nor stamped.

Figure 9-3 shows how an internally routed email message is scanned.


Figure 9-3 How internal email messages are scanned

Server

HubTransport

server

Server

Mailboxserver







QuarantineRepair


Log only

The internal message isrouted to the HubTransport server

By default, the messageis not scanned nor

stamped.

Mailboxdefinitions

are thesame as orolder thanthose usedin stamp

Mailboxdefinitionsare morecurrent



Definitions in stamp arecompared to Mailbox

definitions

The message is rescanned on access




recipient’s mailboxDelete entire

messageThe message isdelivered to the


Server

Mailboxserver

No virus orviolation isdetected


182

How Mail Security offloads Mailbox server scanning for ExchangeServer 2007/2010

Mail Security lets you offload Mailbox server scanning to enhance serverperformance. Most of the scanning is performed on the Hub Transport and EdgeTransport servers.

Mail Security only scans email messages at the Mailbox when the following occurs:

■ An incoming email message does not have a stamp that indicates that it hasalready been scanned.

■ The Mailbox server has more current definitions than those used to scan themessage at the Hub Transport or Edge Transport servers.

■ You schedule background scanning.See “Configuring background scanning ” on page 184.

■ You disable the "Exclude outbound scanning on mailbox server" setting.This option is enabled by default.See “Configuring advanced scanning options for auto-protect and backgroundscanning” on page 187.

■ You send an Outlook Web Access message.

How Mail Security optimizes scanning performance for Exchange Server2007/2010

Mail Security is integrated with Exchange Server 2007/2010 to enhance scanningperformance. Scanning performance is enhanced by reducing the amount ofscanning that takes place as mail is routed through your Exchange environmentacross the various roles and by offloading Mailbox server scanning.

See “How Mail Security offloads Mailbox server scanning for Exchange Server2007/2010” on page 183.

Note: Install and configure Mail Security on all of the server roles in your Exchangeenvironment using the same parameters. This ensures optimum scanningperformance and violation and threat detection.

See “Before you install” on page 33.

See “How Mail Security scans messages on Exchange Server 2007/2010 roles”on page 178.


Configuring auto-protect scanningAuto-protect scanning provides continuous risk and violation detection. Whenyou enable auto-protect scanning, Mail Security scans email messages as theypass through the Exchange server. Infected message bodies and attachments andrule violations are detected on a real-time basis, based on the settings that youenable and configure.

You must enable auto-protect scanning to perform background scanning.


See “Configuring advanced scanning options for auto-protect and backgroundscanning” on page 187.

To configure auto-protect scanning

1 In the console on the primary navigation bar, click Scans.

2 In the sidebar under Views, click Auto-Protect.

3 In the content area, under Auto-Protect Settings, check EnableAuto-protect.



Configuring background scanningWhen Mail Security is installed on a Microsoft Exchange Mailbox server andbackground scanning is enabled, Microsoft Exchange creates a background threadfor each message database in the Exchange store. These threads run at a lowerpriority to minimize the impact on other Exchange server actions. As each threadreads through the messages in the database, it detects the messages that havenot been scanned by the latest definitions and scans them. This is useful if youhave updated your definitions and need to re-scan the entire store with newdefinitions.

You can also scan email messages that have attachments and specify whichmessages to scan based on the message date.

Note: Mail Security enables the Exchange VSAPI background scanning feature.Based on the load and Microsoft Exchange's algorithms, Microsoft might interruptthe background scanning process.


Scanning your Exchange servers for threats and violationsConfiguring auto-protect scanning

184

See “About enhancing performance when updating definitions” on page 242.

To configure background scanning



3 In the content area, under Background Scanning Options, check Enablebackground scanning.

You can only select this option if the Enable Auto-protect option has beenenabled.



■ In the schedule matrix, click the boxes for the days and hours during whichyou want background scanning to occur.

■ Under the schedule matrix, click the drop-down list and select the daythat you want background scanning to occur, the time that you wantscanning to start, the time that you want scanning to finish, and thenclick Select.

■ Click Select All to select all day and time ranges.

The boxes in the schedule matrix are blackened to indicate the time framesthat background scanning will occur.

Click Clear All to clear all of the options that you selected.

You must indicate a time range for background scanning to run.

5 Check Scan messages with attachments only to scan email messages andtheir attachments that are in the mailbox store.

Mail Security only scans messages that have attachments when you selectthis option.

6 Under Choose messages to scan, select one of the following options:

Scans all messages in the store.Scan all messages in the store

Scans all messages from the past numberof days.

Type the number of days.

The default setting is 2 days.

Scan all messages from the past numberof days

185Scanning your Exchange servers for threats and violationsConfiguring background scanning

Scans all messages from the past numberof hours.

Type the number of hours.

The time is measured from the time atwhich the scan starts. For example, at12:05 P.M. a user schedules a backgroundscan to start at 8:00 P.M. The user enablesthe "Scan all messages from the pastnumber of hours” and selects a value of10. The time frame for the messages to bescanned would be 10 hours prior to 8:00P.M.

Scan all messages from the past numberof hours

If you select this option, do the following:

■ Click the drop-down arrow and specifythe start date.

■ Select one of the following options:

■ To the date of the scan

Performs the scan as of the startdate that you specify to the currentdate

■ To the following date

Performs the scan as of the startdate that you specify to the datethat you specify in the drop-downlist

Scan all messages from the start date



Logging status of background scanning

Mail Security version 6.5.5 provides improved logs with status of the backgroundscan. An event is generated when background scan is either halted or is completed.This event also provides the count of the number of items that were scanned sofar during the background scan. Another event is generated when backgroundscan is completed. This event provides the total time that is taken for completingthe scan.

You can stop Mail Security from running a background scan at any time.

To stop a background scanning



Scanning your Exchange servers for threats and violationsConfiguring background scanning

186

3 In the content area, under Background Scanning Options, uncheck Enablebackground scanning.

4 On the toolbar, click Deploy changes.

Configuring advanced scanning options forauto-protect and background scanning

You can configure additional scanning options that apply to auto-protect andbackground scanning.

To configure advanced scanning options for auto-protect and background scanning



187Scanning your Exchange servers for threats and violationsConfiguring advanced scanning options for auto-protect and background scanning

3 Under Advanced Scanning Options, check any of the following:

Detects risks in message bodies.

The option is disabled by default.

Scan message bodies (applies to AV only)

Prevents the scanning of outboundmessages so that they can be scanned atthe Hub Transport.


Exclude outbound scanning on mailboxserver

Performs a scan each time definitions areupdated and a user attempts to access amessage.

Microsoft Exchange does not allow accessto any messages in the store until MailSecurity re-scans the message with thelatest definitions when a user attempts toaccess a file.

Because definitions are deliveredfrequently, the scan might not completebefore new definitions are available. Thiscan impact overall mail throughput.

This option is disabled by default.

Note: If this option is selected,background scanning of the store restartsafter every virus definition update. Ensurethat you do not select this option if youwant to complete background scanningof the entire store.

See “About keeping your server protected”on page 236.

On virus definition update, force rescanbefore allowing access to informationstore

Enables virus scanning of messages asthey pass through the Hub Transportserver or the Edge Transport server.


Note: Enabling Background scanningand Rescan on virus definition updatealong with Rapid Release definitions cansignificantly reduce performance.

Virus scan messages during SMTPtransport (recommended for perimeter orgateway servers)

Scanning your Exchange servers for threats and violationsConfiguring advanced scanning options for auto-protect and background scanning

188



About manual scansYou can perform manual scans when you want to scan messages for specificpurposes. For example, you can create a content filtering rule to detect a particularcategory of subject-line violations that are associated with a new threat, and thenrun the scan immediately.

To perform a manual scan, do the following:

■ Configure the manual scan parameters.

You can configure basic scanning options and specify the mailboxes and publicfolders that you want to scan. You can also enable content filtering scanningand enable the content filtering rules that you want to apply to the scan.See “Configuring the manual scan parameters” on page 189.

■ Run the manual scan.See “Performing a manual scan” on page 192.

■ View the manual scan results.See “Viewing manual scan results” on page 193.

You can stop running a manual scan at any time.

Configuring the manual scan parametersBefore you run a manual scan, configure the parameters for the scan. After youdeploy your changes, the parameters remain the same until you change them.

Mail Security lets you specify the following parameters for a manual scan:

You can choose from the following basic scanning options:

■ Stop scanning after ___ minutes. Next scan will restart where it stopped

Select this option if you want to specify a duration for the scan. Typethe number of minutes you want the scan to run in the box next to theoption.

■ Only scan items modified since last rescan

Select this option to scan only items that have been modified sincethe last scan. Scanning only items that have been modified decreasesoverall scanning time.

■ Scan message bodies (Applies to AV only)

Select this option to scan only the message bodies. Scanning messagebodies increases the overall scanning time.

Scan Options

189Scanning your Exchange servers for threats and violationsAbout manual scans

You can specify the mailboxes and public folders that you want includedor excluded from the scan.

This option is only available if you are in a server view.

Scan location

You can enable or disable content filtering scanning. If content filteringis enabled, enable the rules that you want to apply to the scan.

Content filtering is enabled by default.

Contentfiltering rules

To configure basic scanning options


2 In the sidebar under Views, click Manual Scan.

3 Under Tasks, click Edit manual scan.

4 In the Manual scan wizard, under Scan Options, check one or more of thefollowing:

■ Stop scanning after __ minutes

If you select this option, type the number of minutes you want the scanto run.


■ Only scan items modified since last scan

■ Scan message bodies (applies to AV only)


This is the default setting.Scan all messages in the store


Type the number of days in the box to theright.

Scan all messages from the past numberof days


Type the number of hours in the box tothe right.

Scan all messages from the past numberof hours

Scanning your Exchange servers for threats and violationsAbout manual scans

190


■ Use the drop-down menu to specifythe start date.






Scan all messages from the start date

6 Click Next.

To configure the scan location

1 Under Scan Location, to specify mailboxes to scan, select one of the following:

Scans all mailboxes.


All mailboxes

Scans no mailboxes.Exclude mailboxes

Scans only the mailboxes that you specify in the list box.

This option is only available in the single server view.

Specific mailboxes

2 To specify public folders to scan, select one of the following:

Scans all public folders.


All public folders

Scans no public folders.Exclude public folders

Scans only the public folders that you specify in the list box.


Specific public folders

3 Click Next.

191Scanning your Exchange servers for threats and violationsAbout manual scans

To disable content filtering scanning

1 Uncheck Enable content filtering.


2 Click Finish.



To enable content filtering scanning

1 Check Enable content filtering.



■ To add a new content filtering rule, on the toolbar, click Add new.

■ To modify an existing content filtering rule, on the toolbar, click Editrule.

■ To delete an existing content filtering rule, click Delete rule.See “About creating a content filtering rule” on page 135.

3 Click the box under the Enable column and select Enable to enable the rulesthat you want to apply to the scan.

4 Click Finish.



Performing a manual scanAfter you configure the manual scan parameters, you can perform the manualscan.

See “Viewing manual scan results” on page 193.

To perform a manual scan



3 Under Tasks, click Run now.

To stop the scan before it finishes, in sidebar under Tasks, click Stop.


Scanning your Exchange servers for threats and violationsAbout manual scans

192

Stopping manual scansYou can stop Mail Security from finishing a manual scan at any time.

To stop a manual scan



3 Under Tasks, click Stop.

Viewing manual scan resultsThe Manual Scan page shows the results of the most recent manual scan.

To view manual scan results


2 In the sidebar under Views, select Manual Scan.

3 Press F5 to refresh the page.

This process might take several minutes for large server groups.

About scheduling a scanIn addition to auto-protect scanning and manual scanning, you can schedule scansto look for different types of policy violations.

See “Creating a scheduled scan” on page 193.

See “Editing a scheduled scan” on page 194.

See “Configuring scheduled scan options” on page 194.

See “Enabling a scheduled scan” on page 199.

See “Deleting a scheduled scan” on page 199.

Note: From the Mail Security console, you cannot stop scheduled scans once theyare started.

Creating a scheduled scanYou can create as many scheduled scans as you need. When you create a scheduledscan, it is disabled by default. Enable the scan so that it runs according to theschedule that you specify.


193Scanning your Exchange servers for threats and violationsAbout scheduling a scan

To create a scheduled scan


2 In the sidebar under Views, select Scheduled Scans.

3 Under Tasks, click New scan.

4 Configure the schedule scan options.




Editing a scheduled scanYou can modify an existing scheduled scan as needed. Enable the scan so that itruns according to the schedule that you specify.


To edit a scheduled scan



3 In the content pane, do one of the following:

■ Select the scheduled scan that you want to modify, and in the sidebarunder Tasks, click Edit scan.

■ Under the Name column, double-click the scheduled scan that you wantto modify.

4 Modify the schedule scan options as needed.




Configuring scheduled scan optionsMail Security provides a wizard that guides you through the process of configuringa scheduled scan.

After you configure the scheduled scan options, enable the scan so that it runsaccording to the schedule that you specify.


Scanning your Exchange servers for threats and violationsAbout scheduling a scan

194

You can configure the following scheduled scan options:

■ Name of the scan and the basic scan options

■ Mailboxes and public folders that you want to scan

■ Content filtering rules that you want to apply to the scan

■ Scan schedule

To configure basic scanning options




In the sidebar under Tasks, click New scan.Create a new scan

In the content area, under the Name column, double-clickthe scan that you want to modify.

Modify an existing scan

4 In the Scan name box, type the name for the scan.

Mail Security lets you enter a maximum of 128 SBCS (single-byte characterset) characters (64 double-byte character set characters) in the Scan namebox.

This option is only available if you are creating a new scheduled scan.

5 Under Scan Options, check Stop after scanning ___ minutes to limit theamount of time for the scan, and then type the maximum scanning time inminutes.

The default value is 120 minutes.

If Mail Security reaches this limit, it stops scanning. The next scheduled scanstarts where the previous scan stopped.

6 Check Only scan items modified since last scan to exclude items that havenot changed since the last scan.

7 Check Scan message bodies to scan message bodies.


Scans all messages in the store.


Scan all messages in the store.



Type the number of days in the box to theright.

Scan all messages from the past numberof days.


Type the number of hours.

Scan all messages from the past numberof hours.


■ Click the drop-down arrow and specifythe start date.






Scan all messages from the start date.

9 Click Next.


196

To select what to scan

1 In second panel of the schedule scan wizard, under Scan Location, to specifymailboxes to scan, select one of the following:

Scans all mailboxes.


All mailboxes

Scans no mailboxes.Exclude mailboxes

Scans only the mailboxes that you specify in the list box.


Specific mailboxes

2 To specify public folders to scan, select one of the following:

Scans all public folders.


All public folders

Scans no public folders.Exclude public folders

Scans only the public folders that you specify in the list box.


Specific public folders

3 Click Next.

To scan for content filtering rules

1 In the third panel of the scheduled scan wizard, click Enablecontentfilteringto enable content filtering rule scanning for the scheduled scan.


■ To add a new content filtering rule, on the toolbar, click New rule.

■ To modify an existing content filtering rule, on the toolbar, click Editrule.

■ To delete an existing content filtering rule, click Delete rule.See “About creating a content filtering rule” on page 135.

3 Click the box under the Enable column and select Enable to enable the rulesthat you want to apply to the scan.

4 Click Next.


To specify the scanning schedule

1 In the final panel of the scheduled scan wizard, in the Time of day to run box,select the time of day that you want Mail Security to perform the scan (in24-hour format).

2 Under Days to run on, check the days of the week that you want the scan torun.

3 Under Dates of the month to run on, select any of the following:

The scan runs on the first day of each month.1st

The scan runs on the 15th day of each month.15th

The scan runs on the 28th day of each month.End of the month

4 Check Run scan at service start to perform a scan when the service starts.

Do not enable the Run scan at service start option in a cluster environment.

5 Check Runscanwhenvirusdefinitions change to perform a scan when newdefinitions are received.

Enabling Run Scan When Virus Definitions Change in conjunction with RapidRelease Definitions can significantly impact performance. Leave this featuredisabled if you update definitions at frequent intervals. If this option isenabled, the scheduled scan runs each time definitions are updated. Becausedefinitions are delivered frequently, the scan might not complete before newdefinitions are available. This can impact overall scanning performance.

See “Scheduling definition updates” on page 241.

6 Click Finish.



You can stop Mail Security from running a scheduled scan at any time usingregistry settings.

To stop a scheduled scan

1 Close the Mail Security console.

2 On the Windows menu, click Start > Run.

In the Run box, type the following command

3 regedit

4 Click OK.


198

5 In the registry editor window, in the left pane, browse and locate the followingfolder:HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.x\Server\ScanJobs\<nameof scheduled scan>

6 In the right pane, double-click ProgressStateDword.

7 In the Value data box, type the binary value 0, and then click Ok.

8 Close the registry editor window.

9 On the Windows menu, click Start > Programs > Administrative Tools >Services.

10 Restart the Symantec Mail Security for Exchange service.

Enabling a scheduled scanYou must enable a scan so that it runs according to the schedule that you specify.Scheduled scans are disabled by default.

To enable a scheduled scan



3 In the content pane, select the scheduled scan that you want to enable.

4 Click the box under the Status column, and then click Enabled from theoptions in the drop-down menu.



Deleting a scheduled scanDelete a scheduled scan when it is no longer needed.

To delete a scheduled scan


2 In the sidebar under Views, click Scheduled Scans.

3 Select the scan that you want to delete.

4 In the sidebar under Tasks, click Delete scan.




Configuring notification settings for scan violationsYou can specify the administrators, users, or computers that should receive emailnotifications about scan violations. Restrict the issuing of alerts to a small list ofinterested administrators to avoid unnecessary interruptions.

Email notifications can be issued when a Mail Security scan detects a policyviolation or an outbreak. An alert can also be sent to notify an administrator whena server experiences a critical service failure.

You can also customize the subject line and message text for each type ofnotification message when you configure policies and rules.

Note:Email notifications are sent only to names and addresses that can be resolvedagainst Active Directory. If you are installing Mail Security on the Edge serverrole, type a fully qualified email address (for example, [email protected]).

To configure notification settings for scan violations


2 In the sidebar under Views, click Notification Settings.

3 In the content area, in the Address of sender to use in email notification box,type the email address of the sender that you want to use for emailnotifications.

4 In the Administrators or others to notify box, type the email addresses ofadministrators and users to notify.

Separate each entry by commas. If you are including an email address thatis not within your domain, type the fully qualified email address (for example,[email protected]).



Scanning your Exchange servers for threats and violationsConfiguring notification settings for scan violations

200

Managing outbreaks


■ About outbreak management

■ Enabling outbreak management

■ Configuring outbreak triggers

■ Configuring outbreak notifications

■ Clearing outbreak notifications

About outbreak managementAn outbreak situation occurs when an excessive number of threats or events thatexhibit virus-like behavior occur on a network. When an outbreak occurs, promptidentification of the situation and notification of administrative staff is critical.

Outbreak management lets you configure Mail Security to send alerts whenevera certain threshold of duplicate messages, which are sent within a period of time,is reached. In some instances, a large number of duplicate messages can indicatean active virus outbreak or a problem within your Exchange server. You canmonitor different type of conditions and receive timely alerts as they occur. Anoutbreak condition does not necessarily indicate that there is a problem. Sometimesthe duplicate messages threshold is met by normal email flow and that dependson your settings and the amount of email flow passing through the Exchangeserver.

When you configure outbreak settings, it is recommended that you consider thefollowing:

■ Threat potential of the event category that is being monitored

■ Amount of email that is typically processed

10Chapter

■ Size of your mail system

■ Stringency with which you want to define an outbreak

As your outbreak triggers are tested, you can fine-tune the values that you use.

Mail Security lets you manage outbreaks with the following options:

■ Enable Outbreak Management.See “Enabling outbreak management” on page 206.

■ Specify the criteria for an outbreak.

The criteria consist of the number of times that an event must occur during aspecified time interval.See “About the criteria that defines an outbreak” on page 202.See “About outbreak triggers” on page 205.See “Configuring outbreak triggers” on page 206.

■ Define the email notifications to send to the administrator when an outbreakis detected.See “Configuring outbreak notifications” on page 208.

■ End the outbreak event after the situation is managed.See “Clearing outbreak notifications” on page 209.

About the criteria that defines an outbreakYou can specify the number of occurrences of an event that must occur within aspecified time frame to define an outbreak. Although there are no standardnumbers to use when specifying frequencies, take into consideration the following:

■ Threat potential of the event category that is being monitored

■ Size of your mail system

■ Amount of email that is typically processed

■ Stringency with which you want to define an outbreak

Mail Security monitors your server at regular intervals to detect outbreaks (thedefault setting is every 2 minutes). When Mail Security checks your server foroutbreaks, it checks the events that occurred within the specified period of time(the default setting is 20 minutes). Mail Security issues an outbreak notificationwhen it detects an outbreak.

For example, assume that you enable outbreak management, configure MailSecurity to monitor for outbreaks every 2 minutes, and enable the “Same virus”outbreak trigger using the default configuration.

Managing outbreaksAbout outbreak management

202

Figure 10-1 provides an explanation of the events that would occur if Mail Securitydetects 50 messages that contain the Eicar virus at 1:05 P.M. and 50 messagesthat contain the Eicar virus at 1:19 P.M.

203Managing outbreaksAbout outbreak management

Figure 10-1 Example of an outbreak event

At 1:20, checks the prior20 minutes and detects anoutbreak. An outbreaknotification is sent.

At 1:22, checks the prior20 minutes and detects anoutbreak still exists. Asubsequent notification issent.

At 1:24, checks the prior20 minutes and detects anoutbreak still exists. Asubsequent notification issent.

At 1:26, checks the prior20 minutes. Does notdetect outbreakconditions. No notificationis sent.

1:00 P.M.

1:30 P.M.

1:151:45

1:00 P.M.

1:30 P.M.

1:151:45

1:00 P.M.

1:30 P.M.

1:151:45

1:00 P.M.

1:30 P.M.

1:151:45

Time at which 50 messages with ‘FreeOffer’ subject line are received

Managing outbreaksAbout outbreak management

204

About outbreak triggersThe set of defining criteria for an outbreak is called an outbreak trigger. Eachoutbreak trigger only monitors one type of event and defines an outbreak as thefrequency of the specified event within a given time period.

For example, one outbreak trigger could be defined as the occurrence of 50 ormore unscannable files within one hour. Another outbreak trigger could be definedas 30 or more filtering rule violations within 15 minutes.

If you enable multiple outbreak triggers and a message is received that violatesmore than one, Mail Security goes into outbreak mode and stops looking foradditional outbreaks. Only one outbreak rule is triggered.

Message bodies typically do not contain threats or security risks. To conserveprocessing resources, Mail Security installs with default settings that do not scanmessage bodies. (Message attachments are always scanned.)You can modify thesettings to scan message bodies.

If Mail Security does not scan the message body (which includes the subject line),the Same subject outbreak can not be triggered unless the message contains anattachment.


To activate the Same subject outbreak trigger for messages that do not containattachments, you can do any of the following:

■ Enable message body scanning.See “Configuring advanced scanning options for auto-protect and backgroundscanning” on page 187.

■ Enable at least one content filtering rule.Content filtering rules require message body scanning, regardless of whetherthe message contains an attachment. The content filtering rule can be any ofthe default rules or a rule that you create.

Outbreak triggers apply to auto-protect scans only.


Best practices for managing outbreak conditionsDo the following to improve security during an outbreak:

■ Run Rapid Release to update virus definitions.See “Updating definitions on demand” on page 240.

205Managing outbreaksAbout outbreak management

■ Enable the "On virus definition update, force rescan before allowing access toinformation store" option on the Auto-Protect page.See “Configuring advanced scanning options for auto-protect and backgroundscanning” on page 187.

■ Start or schedule a background scan and configure the "Scan all messagesfrom the past number of days" option to cover the period of the outbreak.See “Configuring background scanning ” on page 184.

You can return to your pre-outbreak configuration when the outbreak has beenmanaged.

Enabling outbreak managementOutbreak management is enabled by default. You can specify the interval duringwhich you want Mail Security to check for outbreaks. By default, the interval isset to every two minutes.

At least one outbreak trigger must be enabled for outbreak management to work.


To enable outbreak management


2 In the sidebar under General, click Outbreak.

3 In the content area under Outbreak, check Enable Outbreak Management.


4 In the Check for Outbreaks every ___ minutes box, type the interval in minutesthat you want Mail Security to monitor your server for outbreaks.

The default value is 2 minutes.



Configuring outbreak triggersMail Security provides the following outbreak triggers:

■ Same attachment name

■ Same subject

Managing outbreaksEnabling outbreak management

206

■ Same virus

■ Unrepairable viruses

■ Unscannable files

■ Filtering violations

■ Total viruses

You can enable or disable the triggers. You can also modify the number ofoccurrences for a violation and the span of time in which the events must occurto constitute an outbreak. You can specify whether to notify an administratorwhen an outbreak occurs.

See “Configuring outbreak notifications” on page 208.

When you enable outbreak management, you can also configure Mail Security toautomatically add the names of outbreak triggered attachments to the OutbreakTriggered Attachment Names match list and outbreak triggered subject text tothe Outbreak Triggered Subject Lines match list. Mail Security uses these matchlists for pre-configured content filtering rules that automatically block suspiciousfile attachments or subjects. You can also use these match lists to create your owncontent filtering rules.

To configure outbreak triggers



3 In the content area, in the table, select the trigger that you want to modify.

The trigger that you select is highlighted in blue.

4 In the Status column, use the drop-down menu to select Enabled or Disabled.

5 In the Occurrences column, type the number of instances that must occur toconstitute an outbreak.


6 In the Time column, type the span of time in which the instances must occurto constitute an outbreak.


7 In the Units column, click the drop down menu, and select one of the following:

■ Minutes


■ Hours

■ Days

207Managing outbreaksConfiguring outbreak triggers

8 In the Notify Administrator column, check the box if you want to notify anadministrator of the outbreak.


9 In the Update Match List column, check the box if you want to automaticallyadd the attachment name or subject to the Outbreak Triggered Names matchlist or Outbreak Triggered Subjects match list. The trigger must be activated.


10 In the Rule column, click ViewRule to view or modify the associated contentfiltering rule.

This option is only available for the Same attachment name and Same subjecttriggers.

See “What you can do with content filtering rules” on page 155.



Configuring outbreak notificationsWhen you configure outbreak management settings, you can customize thenotification subject line and message text that is sent to the administrator. Youcan use variables to customize your text.

See “About the criteria that defines an outbreak” on page 202.


To configure outbreak notifications



3 In the content area, in the preview pane, under Initial Notification, in theSubject Line box, type your customized subject line text.

The default text is: Administrator Alert: Symantec Mail Security is detectinga possible virus outbreak

4 In the Message Body box, type your customized message body text.

The default text is: Outbreak Trigger Information: %trigger%Threshold isset at: threshold%

Managing outbreaksConfiguring outbreak notifications

208

5 Under Subsequent Notifications, in the Subject Line box, type your customizedsubject line text.

The default text is: Administrator Alert: Symantec Mail Security is stilldetecting a possible virus outbreak

6 In the Message Body box, type your customized message body text.

The default text is: Outbreak Trigger Information: %trigger%Threshold isset at: %threshold%



Clearing outbreak notificationsDuring an outbreak, subsequent notifications are sent based on the Time andUnits interval that you specify until the outbreak is no longer in effect. You canend subsequent outbreak notifications by clearing the current outbreak.



To clear outbreak notifications



3 Under Tasks, click Clear current outbreak.

209Managing outbreaksClearing outbreak notifications

Managing outbreaksClearing outbreak notifications

210

Logging events andgenerating reports


■ About logging events

■ About report templates

■ What you can do with reports

About logging eventsMail Security logs performance counters and events to the following locations:

Server events and policy violations are reported in the WindowsApplication Event Log. The Mail Security console provides an EventLog page that lets you view Windows Application Event Log entriesin chronological order with the most current event at the top. TheEvent Log page displays information, warning, and error events.

See “Viewing the Mail Security Event log” on page 212.

WindowsApplication EventLog

11Chapter

Mail Security logs extensive report data on threats, security risks,violations, spam, and server information to a reports database. Youcan use this data to generate summary or detailed reports based ondifferent subsets of the data. When you define a report, you specifycriteria such as the time span of the collected data, whether to showspecific violations or all violations, and the output format of thereport.

See “About report templates” on page 217.

You can specify how long Mail Security maintains data in the Reportsdatabase. You can also purge the database at any time.

See “Specifying the duration for storing data in the Reports database”on page 214.

See “Purging the Reports database” on page 215.

Mail SecurityReports database

The MMC Performance console shows system performance. You canadd Mail Security performance counters to the MMC view.

See “About logging performance counters to the MMC Performanceconsole” on page 215.

MicrosoftManagementConsole (MMC)Performanceconsole

Viewing the Mail Security Event logMail Security reports server events and policy violations (such as threat detectionsand filtering violations) to the Windows Application Event Log. You can accessthe Windows Application Event Log on the computer on which Mail Security isinstalled. For more information about how to access and use the WindowsApplication Event Log, see the documentation for your Exchange server.

The Mail Security Event Log lets you view and sort event data that is generatedby Mail Security and written to the Windows Application Event Log. You can viewthe Mail Security Event Log from the console. You can filter event data bycategories. You can also select a start date from which to begin displaying eventdata. When you select an event in the Event Log table, details about the eventappear in the preview pane.

The Mail Security Event Log displays the 5000 most recent Mail Security eventsfrom the Windows Application Event Log, per server. For example, if your groupcontains five servers, the event log can display up to 25,000 events.

The Event Log displays the following information:

Name of the server on which the event occurredServer

Date and time the event occurredTimestamp

Logging events and generating reportsAbout logging events

212

Severity categories are as follows:

■ Warning

■ Information

■ Error

Severity

Categories are as follows:

■ Auto-protect

■ Content Filtering Engine

■ Content Filtering Rules

■ Encrypted

■ Error

■ Licensing

■ LiveUpdate/Rapid Release

■ Manual and Scheduled Scanning

■ Outbreak Management

■ Quarantine

■ Scanning

■ Service

■ Premium AntiSpam

■ Threat/Security Risk

■ Unscannable

■ VSAPI

Category

Description of the eventMessage

Manually refresh the page if it is blank or to refresh the page to view the mostrecent events. In a large group, refreshing the page might take several minutes.

To view the Mail Security Event Log


2 In the sidebar under Views, click Event Log.

3 Click the column headers to sort the list data by different criteria.

To populate and refresh the Mail Security Event Log

◆ Press F5.

213Logging events and generating reportsAbout logging events

To filter the Mail Security Event Log

1 Under the Event Log table, in the Number of items per page list, select anumber of items that you want to view per page using the drop-down menu.


2 In the List box, select a category on which to filter the event data using thedrop-down menu.

3 In the entries since list, select a start date from which to begin displayingevent data using the drop-down menu.

Specifying the duration for storing data in the Reports databaseMail Security stores data on threat detection, definitions, spam, policy violations,scanning, and server events in a Reports database. You can use this data togenerate reports that include subsets of this data.

See “Software component locations” on page 35.

You can configure Mail Security to retain this data for the period of time that youspecify. Once the data is removed, it cannot be used in reports. For example,assume that you configure Mail Security to retain data for six months. If yougenerate a report for the past year, only the data for most recent six monthsappears in the report.

Mail Security provides a separate option to include spam data, including real-timeblacklist events, to reports. Selecting this option increases the time that is requiredto generate reports, which could affect performance. Consider using this optionshort-term (for example, a few weeks) to evaluate spam-related issues.

See “Resetting statistics” on page 233.

To specify the duration for storing data in the Reports database

1 In the console on the primary navigation bar, click Reports.

2 In the sidebar under Views, click Report Settings.


214

3 In the content area, select one of the following:

Keeps all data indefinitely.Store all data

No violation data is retained.

If you select this option means there is no data from which togenerate reports. However, total scans and items scanned byauto-protect are still reported.

Store no data

The data is cleared after the specified time period.

If you select this option, type the number of months of data tostore. Only summary spam data is stored unless you check the"Include spam data" option.


Store data for __months

4 Check Include spam data to include all spam-related events.

This option is disabled by default.



Purging the Reports databaseIn addition to configuring the period of time that you want Mail Security to storedata in the Reports database, you can purge the Reports database at any time.When you purge the Reports database, all data is removed. There is no data fromwhich to generate a report up to the time it is purged.

To purge the Reports database



3 Under Tasks, click Reset database statistics.

4 In the Operation Status window, click Close.

About logging performance counters to the MMC Performance consoleAdd the Mail Security 6.5 performance object to the Microsoft System Monitorto view Mail Security performance data in the MMC Performance console. Youcan view all of the Mail Security counters or select specific counters.

The Mail Security for Microsoft Exchange Management Pack is located on theproduct CD in the following location:

215Logging events and generating reportsAbout logging events

ADMTOOLS\MOM

See the MMC documentation for more information about how to add the MailSecurity performance object.

Table 11-1 lists the Mail Security counters that are available.

Table 11-1 Performance counters

DescriptionPerformance counter

Number of bytes scannedBytes Scanned

Number of bytes scanned persecond

Bytes Scanned/Sec

Number of scans performedon messages andattachments

Total Scans

Number of scans performedon messages andattachments per second

Total Scans/Sec

Number of software threatsdetected

Threats and Risks Found

Number of software threatsdetected per second

Threats and Risks Found/Sec

Number of content violationsdetected

Content Filtering Found

Number of content violationsdetected per second

Content Filtering Found /Sec

Number of spam violationsdetected

Spam Violations Found

Number of spam violationsdetected per second

Spam Violations Found/Sec

Note: Mail Security 6.5 lets you configure performance counters for logging . Bydefault, this counter is enabled. However, to improve Mail Security's scanningperformance, these performance counters for logging can be turned off by addingfollowing registry key and setting its value to 1.


216

Note:HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server\TurnOffPerfCounters.Restart Mail Security service after setting this registry key.

About report templatesReport templates let you define a subset of the raw report data that is collectedby Mail Security for a single server. The goal of creating a template is to describea set of data that summarizes threats, security risks, filtering violations, spam,and server information, which can be saved and used to generate on-demand orscheduled reports. Report templates can include different categories orcombinations of security-related statistics.

You can create different report templates to describe different subsets of the rawreport data. After you create a report template, you can use it to generate reports.

Note: Reports cannot be generated with a new or updated report template untilyou deploy your changes.

Mail Security provides two pre-configured report templates that you can modify.You can also create your own report templates. When you create or modify areport template, Mail Security provides a wizard to guide you through theconfiguration process.

The types of report templates that you can create are as follows:

■ SummarySee “Creating or modifying a Summary report template” on page 218.

■ DetailedSee “Creating or modifying a Detailed report template” on page 223.

About report output formatsThe format options that are available for a Summary report are HTML and PDF.You can configure Mail Security to send copies of the report to the people thatyou specify. The recipients' email client must support and permit HTML-basedor PDF-based attachments.

If you use Outlook Express and you intend to use the HTML format, you need tomodify the following settings in Outlook Express:

■ On the Security tab, deselect the option “Do not allow attachments to be savedor opened that could potentially be a virus.”

217Logging events and generating reportsAbout report templates

■ On the Read tab, deselect the option “Read all messages in plain text.”

When you generate a Detailed report, Mail Security can save the report in HTMLformat, PDF format, or comma-separated value (.csv) format.

Generating a report in .csv format lets you do the following:

■ You can view or print the complete report data in an application, such asMicrosoft Excel.

If you have Microsoft Excel on your computer, a .csv file opens automaticallyas an Excel spreadsheet.

■ You can import the data into a third-party reporting application to generatecustom charts and reports.See “Accessing a report” on page 230.

Creating or modifying a Summary report templateYou can customize the Summary report template to contain the information thatyou want to include in a report. You can generate a Summary report for anindividual server or for an entire server group.

The Summary report template that you create appears in the Report Templatestable. You can modify the template at any time.

If you configure the template to create reports on demand, you can generate thereport from the Reports > Report Templates page. If you configure the templateto generate a scheduled report, Mail Security automatically generates the reportbased on the schedule that you specify.

See “Generating a report on demand” on page 229.

Note: Mail Security only supports emailing reports that are 5 MB or smaller. Youcan view reports that are larger than 5 MB on the Reports page. Mail Security logsthe generation of reports that are larger than 5 MB to the Windows ApplicationEvent Log.

Mail Security provides a wizard that helps you configure your report template.

To identify the report to be created or modified

1 Select the server or server group for which you want to generate a report.



Logging events and generating reportsAbout report templates

218

3 In the sidebar under Views, click Report Templates.


In the sidebar under Tasks, click Newtemplate.Create a new Executive Summaryreport template

In the content pane, in the Report Templatestable, double-click the template that you wantto modify.

Modify an existing report template.

To configure the report template options

1 Under Report Template Options, in the Template name box, type a name forthe report template.

This option is only available if you are creating a new report template.

2 In the Description box, type a description for the template.

3 Under Report type, click Executive summary.

This option is checked by default.

4 Under Report format, select the format in which you want Mail Security togenerate the report.

The default setting is PDF.

See “About report output formats” on page 217.

5 Check Email report to the following recipients and type one or moreaddresses to which the report should be delivered.

Separate entries with semicolons.

6 Click Next.

To configure on demand report generation

1 Under Report Generation Option, click On demand.

2 Click Next.

To specify the report time range

1 Click the drop-down arrow in the Time Range box and select one of thefollowing:

■ Past DayThis is the default setting.

■ Past Week

■ Past Month


■ Past Year

■ Customized

2 If you select the Customized time range, in the customize time range boxes,click the drop-down arrows and select the start and end dates for the datathat you want included in your report.

To configure scheduled report generation

1 Under Report Generation Option, click Scheduled.

2 In the Generate report at list, select the time of day to generate the report.

3 Click Daily, Weekly, or Monthly.

If you select Weekly, check the day(s) of the week to generate the report.

If you select Monthly, use the drop-down menu to select the day of the monthto generate the report.

If you select Monthly, also ensure that you select a day that exists in eachmonth. Otherwise, a report is not generated for that month. For example, ifyou select the 31st day of every month, reports are not generated for anymonth that has 30 days or less, such as February, April, June, September, andNovember.

4 Click Next.

To configure the report chart options

1 Under Report Chart Options, select any of the following:

■ Total violations chart

■ Threats and security risks chartAlso select the chart granularity using the drop-down menu.

The default setting is Week.

■ Content violation chartAlso select the chart granularity using the drop-down menu.

The default setting is Week.

■ Spam pie chart

2 Click Next.

To configure report content

1 Under Executive Summary Template Options, select the options that youwant to appear in the Summary report.

Data selections are as follows:


220

■ Show scan summary

Total number of files that wereprocessed during the reporting period

Total items scanned

Total number of files that were scannedwith auto-protect scanning during thereporting period

Items scanned by Auto-Protect

Total number of files that were scannedwith background scanning during thereporting period

Items scanned by background scan

Total number of files that were scannedwith manual scanning during thereporting period

Items scanned by Manual scan

Total number of files that were scannedwith a scheduled scan during thereporting period

Items scanned by scheduled scan(s)

Total number of files that were scannedwith a spam scan during the reportingperiod

Items scanned by antispam scan

■ Show violation summary

Total number of violations that weredetected during the reporting period

Total violations

Total number of virus violationsVirus violations

Total number of filtering violationsContent violations

Total number of antispam violationsAntispam violations

■ Show threats and security risks

Total number of threats that weredetected during the reporting period

Total threats

Table of top threats that were detectedduring the reporting period

Top threats table

Number of threats to include in the TopThreats Table

No. of items to include


Total number of unrepairable threatsthat were detected during the reportingperiod

Unrepairable threats

Number of security risks that weredetected during the reporting period

Total security risks

Number of messages in whichmass-mailer threats were detectedduring the reporting period

Mass-mailer threats

■ Infection disposition

Number of threats that were repairedduring the reporting period

Threats repaired

Number of threats that were deletedduring the reporting period

Threats deleted

Number of threats that werequarantined during the reporting period

Threats quarantined

2 Click Next.

3 Under Executive Summary Template Options, select the data that you wantto appear in the Executive Summary report.

Data selections are as follows:

■ Show content violations

Total number of content violations thatwere detected during the reportingperiod

Total content violations

Table of top content violations that weredetected during the reporting period

Table of top content violations

Number of items to include in the Tableof Top Content Violations


Total number of attachments that wereblocked during the reporting period

Total attachments blocked

Total number of multimedia/executableattachments that were blocked duringthe reporting period

Total multimedia/exe attachmentsblocked


222

Total number of encrypted attachmentthat were blocked during the currentreporting period

Total encrypted attachments blocked

Table of top attachments that wereblocked during the reporting period

Table of top attachments blocked

Number of items to include in the Tableof Top Attachments Blocked


Total number of unscannable items thatwere blocked during the reportingperiod

Unscannable items

■ Spam options

Total number of spam messages in eachspam category that were identifiedduring the reporting period

Spam by category

You must check the "Include spam data" box on the Reports Settings page toview data about spam and real-time black list events in the Summary report.

See “Specifying the duration for storing data in the Reports database”on page 214.

4 Click Next.

5 Under Executive Summary Template Options, check Showserverinformation.

6 Select the data that you do want to appear in the Executive Summary report.

7 Click Finish.



Creating or modifying a Detailed report templateThe Detailed report templates that you create appear in the Report Templatestable. You can modify the template at any time.

If you configure the template to create reports on demand, you can generate thereport from the Reports > Report Templates page. If you configure the templateto generate a scheduled report, Mail Security automatically generates the reportbased on the schedule that you specify.


See “Generating a report on demand” on page 229.

Note: Consider limiting the date range to less than 30 days. Generating a Detailedreport over 30 days might consume large amounts of computer memory, dependingon the number of violations that are in the report database.

Note: Mail Security only supports emailing reports that are 5 MB or smaller. Youcan view reports that are larger than 5 MB on the Reports page. Mail Security logsthe generation of reports that are larger than 5 MB to the Windows ApplicationEvent Log.

Mail Security provides a wizard that helps you configure your report template.

To identify the report to be created or modified

1 Select the server for which you want to generate a report.

Creating a Detailed report for a server group is not supported.





In the sidebar under Tasks, click New template.Create a new Detailed reporttemplate.

In the content pane, in the Report Templatestable, double-click the template that you want tomodify.

Modify an existing reporttemplate.

To configure the report template options

1 In the Report Template Options panel, in the Template name box, type a namefor the report template.

This option is only available if you are creating a new template.

2 In the Description box, type a description for the template.

3 Under Report type, click Detailed.


224

4 Under Report format, select the format in which you want Mail Security togenerate the report.

The default setting is PDF.


5 Check Email report to the following recipients and type one or moreaddresses to which the report should be delivered.

Separate entries with semicolons.

6 Click Next.

To specify the report time range

1 Click the drop-down arrow in the Time Range box and select one of thefollowing:

■ Past DayThis is the default setting.

■ Past Week

■ Past Month

■ Past Year

■ Customized

2 If you select the Customized time range, in the customize time range boxes,click the drop-down arrows and select the start and end dates for the datathat you want included in your report.

To configure on demand report generation

1 Under Report Generation Option, click On demand.

2 Click Next.

To configure scheduled report generation

1 Under Report Generation Option, click Scheduled.

2 In the Generate report at list, select the time of day to generate the report.


3 Click Daily, Weekly, or Monthly.

If you select Weekly, check the day(s) of the week to generate the report.

If you select Monthly, use the drop-down menu to select the day of the monthto generate the report.

If you select Monthly, also ensure that you select a day that exists in eachmonth. Otherwise, a report is not generated for that month. For example, ifyou select the 31st day of every month, reports are not generated for anymonth that has 30 days or less, such as February, April, June, September, andNovember.

4 Click Next.

To configure report content

1 Under Detailed Template Options, in the Type of violation list, use thedrop-down menu to select the type of violation that you want to appear inthe report.

2 In the Sender filter box, type an identifying characteristic of the sender whosemessages will appear in the report.

This can be the domain name or address of the sender, or a name or word, ora wildcard expression.

If the sender is a member of your Active Directory group, use the user nameinstead of the full email ID. For example, you would use John_Doe instead ofJohn_Doe.symantecsecurity.com.

3 In the Violation filter list, do one of the following:

Click the drop-down menu and select apre-defined violation filter.

The list consists of the default rules (forexample, Basic Virus Rule) that areprovided when you install the product.Filter selections vary based on the type ofviolation that you choose.

To select a pre-defined violation filter

Click the drop-down menu and select UserDefined Rule.

Click the drop-down menu in the Rulename box and select one of the contentfiltering rules that you created.

To select a user defined content filteringrule

(This option is only available if you selectthe violation types “All” or “ContentEnforcement.”)

4 Select the columns that you want to appear in the detailed report.


226

5 Click Finish.



Deleting a report templateDelete a report template when it is no longer needed.

To delete a report template



3 In the content area, select the template that you want to delete.

4 In the sidebar under Tasks, click Delete template.




What you can do with reportsThe following lists the tasks that you can do to reports:

■ Configuring the initial set up of the report consolidation feature

■ Generating a consolidated report

■ Generating a report on demand

■ Accessing a report

■ Printing a report

■ Saving report data

■ Deleting a report

Configuring the initial set up of the report consolidation featureMail Security supports generating a consolidated Summary report for all of theservers in a server group. Mail Security stores report information on each serverin the location that you specify. When you generate a consolidated report, MailSecurity pulls the report information for each of the servers to create theconsolidated report.

To use the report consolation feature, perform the following initial setup tasks:

227Logging events and generating reportsWhat you can do with reports

Mail Security lets you specify where youwant each server to store the reports forconsolidation. The location must be the samefor each server in the group.

You must ensure that the full directory pathexists on each server. For example, if youspecify a directory path of \ProgramFiles\Symantec\6.5\My Reports, ensure thateach server contains this full directory path.You must also ensure that the path locationhas permission to allow read/write access.

Specify the shared location to store reports

The Symantec Mail Security Utility servicemust be able to access the shared storagelocation. Configure the service to run in anaccount that is a member of the local systemAdministrators and Domain Users groupsand has access to the shared storagelocation.

Grant access for the Symantec Mail SecurityUtility service to access the shared storagelocation

To specify the shared location to store reports

1 Select the server or server group that you want to modify.




4 Under Report Consolidation, type the name of a valid UNC path. For example:

\\<serverip>\<location>

The path must be less than 256 characters. The following characters are notsupported in the path name:

~'!@#%^&*( )+=|?;:"[]{}



To grant access for the Symantec Mail Security Utility service to access the sharedstorage location

1 In the Services MMC snap-in, select the Symantec Mail Security Utility service.

2 Right-click and select Properties.

3 Click on the Log On tab.

4 Under Log on as, select This account.

Logging events and generating reportsWhat you can do with reports

228

5 Enter the username and password (and confirm the password) of a validaccount that is configured to be a member of the local system Administratorsand Domain Users groups and has access to the shared storage location.

6 Click OK.

7 Right-click and select Restart to restart the Symantec Mail Security Utilityservice.

Generating a consolidated reportWhen you are in a group view, you can generate a consolidated report of all of theservers in the group. You must do an initial set up for the report consolidationsettings before you generate a consolidated report. Consolidated reports can begenerated for on-demand reports and scheduled reports. For on demand reports,a single consolidated report is generated. But if a consolidated report is scheduled,then separate reports for each and every server in the group are generated.


To generate a consolidated report



3 In the Report Templates table, select the report that you want to generate.

4 In the sidebar under Tasks, click Generate consolidated report.

You must be in a group view to generate a consolidated report.


Generating a report on demandAfter you create a report template, you can use it to generate reports of policyviolation information. Mail Security automatically appends the current date andtime to the name of your report template when it names the report. This lets yourun the same report on different dates and compare the data.


See “Accessing a report” on page 230.

To generate a report on demand



3 In the Report Templates table, select the report that you want to generate.


4 In the sidebar under Tasks, click Generate report if you are in a server viewor Generate consolidated report if you are in a group view.


Accessing a reportYou can view a report from the console or from the Mail Security Reports folder.If you view a report from the console, you must be in a server view.

The Reports page in the console displays the following information:

Indicates the name of the reportName

Indicates the type of report (Detailed or Summary)Type

Indicates the date and time that the report was generatedDate Created

Indicates the output format (PDF, HTML, or CSV)Format

Indicates the template from which the report was generatedTemplate Name

Indicates the current status of the report generation

The report statuses are as follows:

■ Ready: The report is generated and can be viewed.

■ Generating: The report is currently being generated.

■ Failed: The report generation has failed. The event is logged to theWindows Application Event Log.

A report can only be viewed when its status is Ready.

Status

A generated report (scheduled or on demand) is also automatically saved in itsown folder in the Mail Security Reports folder. You can browse to the folderlocation and view the report file.

The file is automatically deleted from the Mail Security Reports folder when youdelete a report in the console.

See “Deleting a report” on page 233.

To access a report from the console


2 In the sidebar under Views, click Reports.

3 In the content pane in the Reports table, do one of the following:


230

■ Select the report that you want to view, and in the sidebar under Tasks,click Viewreport if you are in a server view or Viewconsolidated reportif you are in a group view.

■ Double-click the report.

See “Printing a report” on page 231.

See “Saving report data” on page 232.

To access a report from the Mail Security Reports folder

1 Right-click on the Windows Start menu and select Explore.

2 Browse to the Mail Security Reports folder.

The default location is as follows:

\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Reports

3 Double-click the report folder that contains the report that you want to view.


Double-click the file to view it. The report appears thesame as if it were accessed from the console.

For a report in .htmlformat

Double-click the file to view it.

You must have Adobe Acrobat Reader installed to viewreports generated in .pdf format.

For a report in .pdfformat

Open the .csv file in a program such as Microsoft Excel toview it.

Files created in .csv format contain raw data and must beviewed in a program that can interpret the data.

For a report in .csvformat


Printing a reportYou can print a report if your printer is properly configured. Mail Security providesfeatures that let you configure the page set up and preview the report. Print reportsin landscape mode to prevent the data from being cut off at the right margin.

To print a report





■ Select the report that you want to view, and in the sidebar under Tasks,click Viewreport if you are in a server view or Viewconsolidated reportif you are in a group view.


4 On the toolbar, do any of the following:

Click Page Setup.Configure printer options

Click Print Preview.

You can print the report from the Print Preview window.

Preview the report

Click Print.Print the report

5 Click OK.

Saving report dataYou can save reports to the destination of your choice. This lets you manage andmaintain your reports. It also lets you email reports or lets users access the reportsthat they want to view.

To save report data




■ Select the report that you want to view, and in the sidebar under Tasks,click Viewreport if you are in a server view or Viewconsolidatedreportif you are in a group view.


4 On the toolbar, click Save.

5 In the Save window, do the following:

■ In the File name box, type the name of the file.

■ In the Save as type box, select the file type.

■ In the Encoding box, select the encoding that you want to use.

The default value is Unicode.This option only appears if you are saving the file in .htm or .html format.

6 Click Save.


232

Deleting a reportDelete a report when it is no longer needed or after you have saved the report toa file location. This lets you manage the volume of reports on the Reports page.

See “Saving report data” on page 232.

When you delete a report in the console, the file is automatically deleted from theMail Security Reports folder.

See “Accessing a report” on page 230.

To delete a report



3 In the content pane in the Reports table, select the report that you want todelete.

4 In the sidebar under Tasks, click Delete report if you are in a server view orDelete consolidated report if you are in a group view.

Resetting statisticsYou can reset statistics for reporting purposes. Resetting statistics also resets theActivity Summary information on the Home page.

To reset statistics



3 Under Tasks, select one of the following:

■ Reset database statistics

Purges all data from the Reports database.See “Purging the Reports database” on page 215.

■ Reset Home page statisticsResets the Home page statistics for Recent Activity, Total Violations, andActivity Summary data.

■ Reset all statisticsResets Home page statistics and database statistics

4 In the Operation Status window, click Close.



234

Keeping your product up todate


■ Monitoring your version support status

■ About keeping your server protected

■ How to update definitions

■ About enhancing performance when updating definitions

■ Distributing definitions to multiple servers

Monitoring your version support statusMail Security provides version support status information so that you know thesupport life cycle for the version of Mail Security that you are using. It also keepsyou informed when a newer version of the product is available.

The version support status information is updated through LiveUpdate. You obtainupdated version support status information automatically when you run a manualor scheduled LiveUpdate on a computer that has the product and the consoleinstalled. (You might have to refresh the console to see the updated version supportstatus information after a manual or scheduled LiveUpdate runs.)


You can also manually update the version support information from the Homepage. Manually update your version support information from the Home page ifyou are on a computer that only has the Mail Security console installed or if youare updating definitions through Symantec Endpoint Protection or SymantecAntiVirus Corporate Edition.

12Chapter

The version support status information is stored by the console, and the consoleapplies the information to all the servers managed by the console. This meansthat you only need to update the version support status in any view. The versionsupport information is automatically updated for all of the servers managed inthe server group. The version support information appears on the console for allof the servers in the group, but does not appear on the console for the individualserver.

To monitor your version support status in a server view

◆ In the console on the primary navigation bar, click Home.

The version status information appears in the Status pane.

To monitor your version support status in a group view

1 In the console on the primary navigation bar, click Home.

2 In the Status pane, in the Server list, select the server for which you want toview version status information.

The version status information appears below the Server List.

To manually update the version status information


2 In the Status pane, click Update Version Status...

3 In the LiveUpdate dialog box, click Next.

This LiveUpdate session only searches for updates to your product. It doesnot search for or download updates to your definitions.


4 In the LiveUpdate dialog box, click Finish when LiveUpdate is complete.

To refresh the version status information on the Home page


2 Press F5.

About keeping your server protectedMail Security relies on up-to-date information to detect and eliminate risks. Oneof the most common reasons that problems occur is that definition files are notup-to-date. Symantec regularly supplies updated definition files that contain thenecessary information about all newly discovered risks. Regular updates of thatinformation maximize security and guard your organization's Exchange mailserver against infections and the downtime that is associated with an outbreak.

Keeping your product up to dateAbout keeping your server protected

236

Mail Security lets you update your protection from threats and security risksusing the following tools:

LiveUpdate downloads and installs available definitions from the SymantecLiveUpdate server. LiveUpdate certified definitions undergo stringent testingand are updated daily.

LiveUpdate is enabled by default with a recommended daily schedule.However, you can modify the schedule.


LiveUpdate

Rapid Release definitions provide the fastest response to emerging threatsand are updated approximately every hour. Rapid Release definitions aredelivered by FTP and provide reliable first-line protection.

Rapid Release definitions are created when a new threat is discovered. RapidRelease definitions undergo basic quality assurance testing by SymantecSecurity Response, but they do not undergo the intense testing that is requiredfor a LiveUpdate release. Rapid Release definitions are updated by Symantecas needed to respond to high-level outbreaks and might be made availablebefore the LiveUpdate definitions quality assurance process is complete.Rapid Release definitions provide a quick response to new threats and securityrisks and can be augmented later on by more robust detection capabilitiesin certified definitions.

Rapid Release definitions can be retrieved manually on-demand.

See “Updating definitions on demand” on page 240.

RapidRelease

Both methods let you update definitions on demand and automatically, based onthe schedule that you specify. You can run Rapid Release definition updates insteadof or in addition to LiveUpdate updates. For example, you can schedule dailyLiveUpdates and then manually run Rapid Release when a new threat emerges.

If your organization has both front-end and back-end Exchange servers, you mightwant to consider using Rapid Release definitions on the front-end for the fastestresponse to new threats and leverage certified Live Update definitions on theExchange back-end mailbox servers.

Note: Mail Security relies on the definition update process to keep the versionsupport information current. Configure Mail Security to perform definition updatesif you have multiple Symantec antivirus products on the same computer.

You must have a valid content license to update definition files. A content licenseis a grant by Symantec Corporation for you to update Symantec corporate softwarewith the latest associated content, such as new definitions. When you do not have

237Keeping your product up to dateAbout keeping your server protected

a content license or your license expires, your product does not receive the mostcurrent definitions, and your servers are vulnerable to risks.


About setting up your own LiveUpdate serverThe LiveUpdate Administration Utility lets you set up an intranet HTTP, FTP, orLAN server, or a directory on a standard file server to handle LiveUpdateoperations for your network.

The LiveUpdate Administration Utility is available on the Mail Security productCD in the following location:

\ADMTOOLS\LUA\

For more information, see the LiveUpdate Administrator documentation on theMail Security product CD in the following folder location:

\DOCS\LUA\

If you set up your own LiveUpdate server, you must edit the LiveUpdateconfiguration for Mail Security to point to the local LiveUpdate server.

For more information, contact Symantec service and support .


Note: : If you use LiveUpdate Administrator to push definitions to Mail SecurityServers , include the product SymantecMail Security forMicrosoft Exchange 6.5toyour product list in the LiveUpdate Administrator.

Configuring a proxy server to permit LiveUpdate definitionsSome organizations use proxy servers to control connections to the Internet. Touse LiveUpdate, you might need to specify the address and port of the proxy serveras well as a user name and password. If needed, you can modify the proxy serverconfiguration settings through LiveUpdate.

LiveUpdate can use an HTTP, FTP, or ISP proxy server.

To configure FTP settings for LiveUpdate

1 On the Windows menu, click Start > Control Panel.

2 In the Control Panel window, double-click Symantec LiveUpdate.

Keeping your product up to dateAbout keeping your server protected

238

3 In the LiveUpdate Configuration dialog box, on the FTP tab, click I want tocustomize my FTP settings for LiveUpdate.

When this setting is checked, the Use a proxy server for FTP connectionsoption appears and is checked by default.

4 In the Address box, type the IP address of the FTP proxy server.

5 In the port box, type the port number.

Typically, the port number for FTP is 21.

6 Click OK.

To configure HTTP settings for LiveUpdate



3 In the LiveUpdate Configuration dialog box, on the HTTP tab, click Iwant tocustomize my HTTP settings for LiveUpdate.

When this setting is checked, the Use a proxy server for HTTP connectionsoption appears and is checked by default.

4 In the Address box, type the IP address of the HTTP proxy server.

5 In the port box, type the port number.

Typically, the port number for HTTP is 80.

6 If a user name and password are required to access the HTTP proxy server,under HTTP Authentication, click I need authorization to connect throughmy firewall or proxy server. Then type the user name and password in theboxes that appear beneath the option.

7 Click OK.

To use an ISP dial-up connection for LiveUpdate



3 In the LiveUpdate Configuration dialog box, in the ISP tab, click Customizedsettings for LiveUpdate.

4 Under Use this Dial-up Networking connection, do one of the following:

■ In the drop-down list, select the appropriate connection.

■ If the connection that you want to use is not found in the drop-down list,click Add, and then follow the Location Information Wizard instructionsto add a connection.

239Keeping your product up to dateAbout keeping your server protected

5 Type your ISP user name and password.

6 Click OK.

How to update definitionsYou can update definitions using any of the following methods:

■ Perform updates on demand.See “Updating definitions on demand” on page 240.

■ Schedule automatic updates.See “Scheduling definition updates” on page 241.

Updating definitions on demandIf you are in a single server view, you can use LiveUpdate or Rapid Release todownload the most current definitions on demand.

If you are in a group view, you can use LiveUpdate to download the most currentdefinitions. After you update the definitions, distribute the updated definitionsto the servers in your group.

See “Distributing definitions to multiple servers” on page 242.

To update definitions on demand for a single server


2 In the sidebar under Views, click LiveUpdate/Rapid Release Status.

3 Under Tasks, select one of the following:

■ Run LiveUpdate Certified Definitions

■ Run Rapid Release Definitions (via FTP)


To update definitions on demand for a server group


2 In the sidebar under Views, click Group LiveUpdate Status.

3 Under Tasks, click Run LiveUpdate.

4 In the LiveUpdate options panel, click Start.

5 When LiveUpdate is complete, click Close.

Keeping your product up to dateHow to update definitions

240

Scheduling definition updatesYou can schedule Mail Security to perform definition updates automatically. Ifyou have multiple servers that you want to perform their own updates using thesame settings, you can configure the settings in the Global Group view or auser-defined group view. When you deploy your changes, the settings are deployedto all of the servers in the group. If you configure LiveUpdate to run on a scheduleand deploy the changes to a group, it runs at the specified time in the local timezone of each server.

See “About enhancing performance when updating definitions” on page 242.

To schedule definition updates


2 In the sidebar under Views, click LiveUpdate/Rapid Release Schedule.

3 In the content pane, under LiveUpdate/Rapid Release Schedule, check Enableautomatic virus definitions updates.


4 Select one of the following:

■ Use Rapid Release definitions

■ Use Certified LiveUpdate definitions


5 Under Schedule, select one of the following:

■ Run every [ ], and then, using the drop-down menu, select the interval inhours that you want to run LiveUpdate or Rapid Release.

The default value is 1 hour.

■ Run at a specific time, and then type the time of day (in 24-hour format)and check the day or days of the week that you want LiveUpdate to run.The default setting for LiveUpdate is to run at 10:56 A.M. every day of theweek.

This option is not available for Rapid Release.



241Keeping your product up to dateHow to update definitions

About enhancing performance when updatingdefinitions

If auto-protect scanning is enabled and you are updating definitions at hourlyintervals or less (using Rapid Release or LiveUpdate), disable at least one of thefollowing auto-protect features on servers that have a message store:

■ Scans > Auto-Protect: Enable Background Scanning

■ Scans > Auto-Protect: On virus definitions update, force rescan before allowingaccess to the information store

When both of these options are enabled, the message store is rescanned each timedefinitions are updated. If you update definitions at hourly intervals or less, thiscan impact overall mail throughput.


Distributing definitions to multiple serversUpdate LiveUpdate definitions on multiple servers by doing the following:

Perform a LiveUpdate so that you can distribute the mostup-to-date definitions that are available.


See “Updating definitions on demand” on page 240.

Perform a LiveUpdate

Distribute the updated definitions to multiple servers so thatall servers are protected. You must have a valid license foreach server or the definitions is not be applied.


Distribute the updateddefinitions to the serversin the group

Note:Mail Security only supports distributing LiveUpdate definitions to multipleservers.

You must be in a group view to distribute definitions to multiple servers.

To distribute definitions to multiple servers


2 In the sidebar under Views, click Group LiveUpdate Status.

3 In the sidebar under Tasks, click Send virus definitions to servers.

Send alert notifications when definitions are out of date

Keeping your product up to dateAbout enhancing performance when updating definitions

242

Mail Security provides the following methods for notifying when virus definitionsare older than the configured number of days.

■ An alert notification email is sent to the administrator.

■ An event is logged in the system’s event log with event ID 404.

Mail Security checks at least once a day whether the current virus definitions arelatest or out of date. If virus definitions are found outdated, then Mail Securitysends an email notification to the administrator. Mail Security continues to sendperiodic notifications until it gets a new definition set.

You can specify the frequency of sending notifications when an old definition isfound. By default, an email notification is sent after every six hours. You can setthe frequency of sending notifications at an hour-level granularity.

You can configure the number of days an outdated virus definition can remainon the system after which an alert notification is sent. This configuration is doneby specifying values for the registry keys DefsMonitorDaysThreshold andDefsMonitorResendIntervalInHr.

For 32-bit platform, the path for these registry keys is:HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server\Components\LiveupdateConfig

For 64-bit platform, the path for these registry keys is:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Server\ Components\LiveupdateConfig

Table 12-1lists the registry keys for this feature, their data types, and possiblevalues.

Table 12-1 Registry key settings

PurposeData typeRegistry key

Specifies the number of days afterwhich a definition is considered as oldand a notification is sent.

The default value of this registry keyis two days. If the value of the registrykey is set to zero, then you are notnotified about the old virusdefinitions. The minimum value ofthis registry key is two.

REG_DWORDDefsMonitorDaysThreshold

243Keeping your product up to dateDistributing definitions to multiple servers

Table 12-1 Registry key settings (continued)

PurposeData typeRegistry key

Specifies the interval (in hours) atwhich a notification is sent.

The default value of this registry keyis six hours. The minimum value ofthis registry key is one.

REG_DWORDDefsMonitorResendIntervalInHr

Note:With this feature, Mail Security has discontinued using the older mechanismof sending alerts on LiveUpdate failure.

Keeping your product up to dateDistributing definitions to multiple servers

244

Using variables tocustomize alerts andnotifications

This appendix includes the following topics:

■ About alert and notification variables

About alert and notification variablesMail Security lets you customize notification and alert messages using variables.

Note: The percent (%) sign is used to surround variables in the replacement textand email notification boxes. However, when a single percent sign (%) is placedin the text, it is filtered out and does not appear in the email notifications.

Table A-1 lists the replacement variables that you can use in any violationnotification.

Table A-1 Replacement variables for multiple types of violations

DescriptionVariable

Starts a new line in the notification message%n%

Autofills with the name of the server on which a violationwas discovered

%server%

Table A-2 lists the replacement variables that you can use in rule violationnotifications.

AAppendix

Table A-2 Replacement variables for rule violation notifications

DescriptionVariable

Autofills with the description of the action taken in responseto a rule violation

%action%

Autofills with the name of the attachment in which a ruleviolation has been found

%attachment%

Autofills with the date and time of a violation%datetime%

Autofills details of the violation

This variable is only available for the quarantine thresholdnotification

%details%

Autofills with any general information available about theviolation

%information%

Autofills with the name of the location at which a violationwas discovered, for example, inbox, outbox, public folder

%location%

Autofills with the name of the intended recipient of amessage in which a violation was discovered

%recipient%

Autofills with the name of the scan that discovered aviolation

%scan%

Autofills with the name of the sender of a message in whicha violation was discovered

%sender%

Autofills with the contents of the subject line%subject%

Autofills with the name of the violation detected%violation%

Autofills with the list of violating terms that triggeredcontent filtering policy

%ViolatingTerm%

Table A-3 lists the variables that you can use in outbreak notifications.

Table A-3 Replacement variables for outbreak notifications

DescriptionVariable

Autofills with the number of messages that violate theoutbreak trigger

%count%

Autofills with the threshold level of an identified outbreaktrigger

%threshold%

Using variables to customize alerts and notificationsAbout alert and notification variables

246

Table A-3 Replacement variables for outbreak notifications (continued)

DescriptionVariable

Autofills with the name of the outbreak trigger that detectedan outbreak

%trigger%

247Using variables to customize alerts and notificationsAbout alert and notification variables

Using variables to customize alerts and notificationsAbout alert and notification variables

248

Troubleshooting

This appendix includes the following topics:

■ Why a file triggers the Unscannable File Rule

■ Reducing the incidence of malformed MIME false positives

■ Common error messages

■ Resolving installation issues

Why a file triggers the Unscannable File RuleA file can trigger the Unscannable File Rule when Mail Security is unable to scanthe file.

Some examples of when a file might trigger the Unscannable File Rule are asfollows:

BAppendix

Mail Security cannot access the file to scanit.

This can occur when another thread orprocess is accessing the file. For example,two separate antivirus software programs(a file system-based program and anemail-based program) attempt to scan thesame file simultaneously.

Configure your other antivirus programs toexclude certain folders from scanning. Ifanother antivirus program scans theExchange directory structure or the MailSecurity processing folder, it can causefalse-positive threat detection, unexpectedbehavior on the Exchange server, or damageto the Exchange databases.

See “About using Mail Security with otherantivirus products” on page 68.

For information about how to preventSymantec antivirus products from scanningthe Exchange directory, go to the followingSymantec Knowledge Base article:

http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2000110108382454?Open&src=w

Mail Security cannot access the file.

Mail Security correctly identifies the file, butthe file is corrupt.

The file is corrupt.

Mail Security misidentifies the file based onthe message header. The actions that theprogram performs on the file are incorrectand invalid for the file type.

This can also occur in a file that containsinvalid characters or values in the header.

The file is incorrectly identified.

The antivirus scanner or decomposer timesout while attempting to scan the file.

This can occur when a file meets or exceedsthe scanning limits that you specify.

See “Configuring file scanning limits”on page 113.

The scanner or decomposer times out.

TroubleshootingWhy a file triggers the Unscannable File Rule

250




This could occur if the temporary workingdirectory is deleted or moved. Check to seeif the \Temp directory exists. If it has beendeleted, create it in the following location:

C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server \Temp

The temporary working directory is missing,or the path to the directory is incorrect.

A file that contains a large attachment (forexample, a 100 MB attachment that iscompressed into a 4 MB .zip file) mighttrigger the Unscannable File Rule.

See “Configuring file scanning limits”on page 113.

See “Configuring rules to addressunscannable and encrypted files” on page 114.

The file contains a large compressedattachment.

You must configure the Symantec antivirusproduct to exclude Mail Security foldersfrom being scanned.

See “About using Mail Security with otherantivirus products” on page 68.

A Symantec antivirus product is attemptingto scan files in Mail Security folders.

Note: If the Encrypted File Rule is enabled, encrypted files will trigger theEncrypted File Rule instead of the Unscannable File Rule.


Reducing the incidence of malformed MIME falsepositives

A message body or attachment might trigger the Unscannable File Rule and appearin the Event Log as Event ID 218. However, the MIME container in the emailappears to be correct.

You can either reduce the sensitivity for malformed MIME identification or disabledetection of malformed MIME containers to reduce the incidence of malformedMIME false positives.

251TroubleshootingReducing the incidence of malformed MIME false positives

To reduce malformed MIME identification sensitivity

◆ Create or modify the following DWORD registry value:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\SMSMSE\6.5\Server\DecMIMEIdentificationStrength

The value can be a decimal between 1 and 5. The higher the number, the lowerthe sensitivity, which reduces the incidence of false positives.

To disable malformed MIME container detection

◆ Create or modify the following DWORD registry value to decimal 0.

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\SMSMSE\6.5\Server\BlockMalformedContainers

Common error messagesTable B-1 lists some common error messages that might occur.

Table B-1 Common error messages

DescriptionError message

The following are the most common reasons that the Mail Security service getsstuck in a starting state:

■ There are timing conflicts with the operating system.

A solution is to make the Mail Security service dependent upon anotherservice, such as the Microsoft Exchange Information Store service(MSExchangeIS).

For more information, see the Microsoft Knowledge Base. On the Internet,go the following URL:

http://support.microsoft.com/default.aspx?scid=kb;en-us;193888

■ The Temp and Quarantine folders are not excluded from being scanned byother antivirus products.

The Temp and Quarantine folders are located in the following directories:

■ \Program Files (x86)\Symantec\SMSMSE\6.5\Server\Temp

The exclusion of the above Temp folder is critical to the operation of theproduct. The product uses the Temp folder as a processing folder.

■ \Program Files (x86)\Symantec\SMSMSE\6.5\Server\Quarantine

The Mail Security service is stuckin a starting state

If spam-related data does not appear in reports, ensure that the "Include spamdata" checkbox is enabled on the Report Settings page.

See “Specifying the duration for storing data in the Reports database” on page 214.

Spam data is not collected bydefault

TroubleshootingCommon error messages

252

http://www.support.microsoft.com/default.aspx?scid=kb;en-us;193888

Table B-1 Common error messages (continued)


One possible cause for this error is if the Domain Controller is running on thesame server as Microsoft Exchange. Microsoft acknowledges this as a defect andhas provided a manual workaround for this issue.

For more information, refer to the Microsoft Knowledge Base. On the Internet,go to the following URL:

http://support.microsoft.com/?id=824308

This article references ASP.NET 1.1, but the article also applies to ASP.NET 2.0.

Cannot connect to server

This error can occur when the mail client is open on the desktop at the sametime a violation is detected on the server. These warnings can be ignored. Refreshthe mailbox. Outlook, Exchange, and Mail Security will continue to functionnormally.

Unique identifier (UID) errorsmight occur in Outlook or OutlookExpress when using IMAP

A message sender who is using Outlook Web Access might get the followingerror message if Mail Security detects a violation:

The action could not be completed because of a conflict with the original item.The conflict may have occurred when an existing item was updated on anothercomputer or device. Open the item again and try making your changes. If theproblem continues, contact technical support for your organization.

This issue is a defect in Exchange 2007. There is currently no workaround. Formore information, see the Microsoft Web site.

This error only occurs on Outlook Web Access 2007.

OWA message: The action couldnot be completed because of aconflict with the original item

Table B-2 lists some common error messages that might occur on Exchange 2010mailbox role.

Table B-2 Common error messages on Exchange 2010 mailbox role

DescriptionError Message

Please check whether the SMSMSE_RBAC right isalready there or change username

Error in assigning ApplicationImpersonation right to user. Pleasecheck whether the SMSMSE_RBACright is already there or changeusername.

Check whether user has a mailbox. If not create amailbox for the user, or give some other user whohas mailbox.

User does not have mailbox or Errorin checking mailbox.

253TroubleshootingCommon error messages

http://support.microsoft.com/?id=824308

Table B-2 Common error messages on Exchange 2010 mailbox role (continued)

DescriptionError Message

User must be a member of the following groups:Administrators and Exchange OrganizationManagement

User is not member of Administratorsgroup. Please add user toAdministrators group.

Already there is a user with RBAC rights, Duringsilent install, different user is provided.

Existing RBAC user is different fromthe given username.

This error occurs if the status of manual scan onthe UI is FAILED or if there is an error in the eventlog with event ID 396. The possible cause is thatMail Security is unable to determine or connect tothe Client Access Server (CAS) of the mailboxdatabases on the server. To resolve this issue,ensure that CAS server is up and running and canbe accessed from the mailbox server.

The scan <ScanName> could not becompleted as Microsoft Exchange'sClient Access Server is not reachable.

Following are some error messages that might occur when a user's passwordexpires.

Update the service account credentials usingservice control manager.

Service is still running but EWS calls are notworking.

Update the service account credentials usingservice control manager.

Service is not able to start.

Resolving installation issuesYou may encounter installation and post-installation issues. Web links can assistyou to resolve these issues. They provide information about product installationand configuration details and are available for both 32-bit and 64-bit installers.

You are recommended to access Web links to resolve any issues you may encounterduring installation and post-installation.

To access Web links during wizard based installation

◆ During wizard based installation, you can access the Web links from thewizard.

From the MSI installer user interface, click the link for which you needinformation.

TroubleshootingResolving installation issues

254

To access Web links during silent installation

◆ During silent installation, you can access the Web links from the installer logfile.

The log file locations are:

■ For 32-bit installer, C:\Documents and Settings\Administrator\Local

Settings\Temp\ SMSMSE65_setup.log

■ For 64-bit installer, C:\Users\Administrator\AppData\Local\Temp\SMSMSE65_setup.log

To access Web links during remote installation

◆ During remote installation, you can access the Web links from the installerlog file on the remote machine.

The log file locations are:

■ For 32-bit installer, C:\Documents and Settings\Administrator\Local

Settings\Temp\ SMSMSE65_setup.log

■ For 64-bit installer, C:\Users\Administrator\AppData\Local\Temp\SMSMSE65_setup.log

Note: Each installation error and warning in the log file has a URL. You can copyand paste the URL from the log file on to the browser to view the instructions.

Table B-3 lists the errors you might encounter during remote installation andhow to resolve them.

Table B-3 Remote installation issues


If the user name that was provided whilelogging into Windows is not a member of theLocal Administrators group on the remoteserver, this message is displayed. Ensure thatthe user is a member of the LocalAdministrators group and retry the remoteinstallation process.

Access to the network resource was denied.

255TroubleshootingResolving installation issues

Table B-3 Remote installation issues (continued)


One possible cause is when the user namethat was provided while logging intoWindows is not a member of OrganizationManagement, one of the Exchange securitygroups. The other cause can be the ActiveDirectory is not in sync maybe because ofActive Directory replication latency. Ensurethat the user is a member of OrganizationManagement and that the Active Directoryobjects are replicated correctly. Start theremote installation process again.

Error in assigning ApplicationImpersonation right to user. Please checkwhether SMSMSE_RBAC right is alreadythere or change user name.

Sometimes it takes a long time during the launch of Mail Security console when.NET Framework 2.0 is installed on your system. If you are running .NETFramework 2.0, then it is recommended that you install SP1 of .NET Framework2.0. However, you do not experience delay in launching Mail Security console onsystems with higher versions of .NET Framework installed.

To reduce time during the launch of Mail Security console

1 Start Internet Explorer.

2 On the Tools menu, click Internet Options.

3 Click the Advanced tab, and then locate the Security section.

4 Uncheck Check for publisher’s certificate revocation and then click OK.

5 After the installation is complete, check Check for publisher’s certificaterevocation

Note: The Check for publisher's certificate revocation option is set on aper-account basis.

TroubleshootingResolving installation issues

256

AActive Directory 144, 158Active Summary 233adware. See security risksagent, transport 33alert notifications 17, 30, 242, 245Allowed Senders list 119antispam filtering

about 117configuring Symantec Premium AntiSpam 122configuring whitelists 119how it works 118licensing requirements 73processing spam 124processing suspect spam that exceeds a SCL

threshold 126processing suspected spam 129SCL values, about 119

antivirusBasic Virus Rule 107detecting mass-mailer viruses 107enabling detection 107how Mail Security detects viruses 106logging detections 211modifying virus policies 107quarantining viruses 95setting Bloodhound detection level 107Unrepairable Virus Rule 107updating protection against 236

antivirus definitions. See definitionsantivirus products, other 33, 68attachments

Allow-Only Attachment Rule 134blocking by attachment name 159detecting executables 166detecting multimedia files 163enforcing email attachment policies 159filtering 133Outbreak Triggered Attachment Names match

list 168

attachments (continued)Quarantined Triggered Attachment Names

Rule 134Sample Attachment Name match list 168Sample Executable File Names match list 168Sample Multimedia File Names match list 168

auto-protect scans 156, 184, 187automated installation 49

Bbackground scanning 177

configure 184stop 184

background scans 187Basic Virus Rule 107Bloodhound heuristics technology 106

CClustered Continuous Replication cluster 58clusters

clustered continuous replication 53configuring the cluster resource 56considerations before installing on 54installing on 53, 58installing on a Clustered Continuous Replication

cluster 58installing on a Single Copy Cluster node 55single copy clusters 53uninstalling from 71

consoleabout 66accessing 65Home page 67installing 47primary navigation bar 67system requirements 40version support 235

consolidated report 227, 229container files

configuring limits 113decomposing 106

Index

container files (continued)denial-of-service attacks 113encrypted 105, 114unscannable 105, 114

content area 66content filtering rules

about 26, 133configuring conditions 135configuring violation notification 146deleting 157elements of 135enabling for auto-protect scanning 156enforcing attachment policies 159literal string 135managing 155managing match lists 168metacharacters 173multiple violations 133pre-configured rules 134prioritizing 156refreshing Active Directory groups 158regular expressions 172specifying local domains 158specifying users to whom rules apply 144specifying violation actions 147supported SMTP address formats 144wildcards 135

content license 73.csv (comma-separated value) report format 217

Ddefinitions

about 106distributing to multiple servers 242licensing requirements 73, 236LiveUpdate Administration Utility, about 238out of date 17, 242updating 236, 240

denial-of-service attacks 105, 113deploy all settings 81deploy changes 81Detailed report. See templatesdialers. See security risksDirectX 39discard changes 81domains, specifying local 158DOS wildcard expressions 171

Eencrypted files 114Enterprise Vault 27error messages 252Event Log

about 211contents 212filtering contents 212viewing 212

executable files, detecting 166, 168Executive Summary report. See templatesexpressions

regular 172wildcard 171

Ffeatures

new and enhanced 15protecting and managing your server 22

file filtering 133file filtering rules

about 26, 159blocking attachments by name 159detecting executable files 166detecting multimedia file types 163

filtering. See content filtering rulesformats, report output 217FTP proxy server, LiveUpdate connection 238

GGlobal Group 79

Hhack tools. See security riskshelp 31heuristics 106Home page 67, 233HTML

encoding 133report output format 217

HTTP proxy server, LiveUpdate connection 238hyper-threaded processor 69

IIIS (Internet Information Services) 39–40impersonation 39in-memory scanning 17

Index258

inbound/outbound settings 158installation

before you install 33customizing remote server installation 49installing on a Clustered Continuous Replication

cluster 58installing on a local server 43installing on a Microsoft Exchange Cluster 53installing on a Microsoft Exchange cluster 54installing on a remote server 48, 51installing on a Single Copy Cluster node 55installing on a Veritas Cluster Server 58–59installing the console only 47post-installation tasks 63security and access permissions 38system requirements 39types of 42uninstalling 70uninstalling before reinstalling 43using an automated installation tool 52

Intel Xeon processors 69ISA server, registering 121ISP proxy server, LiveUpdate connection 238

Jjoke programs. See security risks

Llicense

activating 74content license 73expiration 73installing 76locating the serial number 75obtaining a license file 75obtaining a serial number 75renewing 77requirements 73software updates 73Symantec Premium AntiSpam 73upgrading 73

list pane 66literal string 135LiveUpdate

about 236distributing definitions to multiple servers 242enhancing performance 242licensing requirements 73

LiveUpdate (continued)updating definitions

on demand 240scheduled 241

using proxy servers 240LiveUpdate Administration Utility 19, 238local domains, specifying 158local quarantine 95

See also Quarantine Serverabout 95establishing thresholds 97forwarding items to the Quarantine Server 96purging 102releasing messages

by mail 100to a file 102

threshold notifications 97viewing 99

logs 217See also reportsEvent Log

about 211contents 212filtering contents 212

logging destinations 211MMC Performance console 211, 215Reports database

about 211purging 215storing data 214

Windows Application Event Log 211

MMail Security for Microsoft Exchange

about 13–14accessing the console 65features 15, 22getting more information 31

Mail Security for Microsoft Exchange ManagementPack 19, 215

Mail Security Reports folder 230Mail Security resource 60, 71manual scans

about 177, 189configuring 189running 192stopping while in progress 193viewing results 193

mass-mailer worms 105

259Index

match listsabout 168pre-configured 168

MCC (Microsoft Management Console) 211MDAC 39menu bar 66message archiving 27messages, common errors 252metacharacters 173Microsoft Certificate Services 2.0 63Microsoft Excel 217MIME, malformed 251MMC (Microsoft Management Console) 215MountV resource 60, 71MSXML 43multimedia file type detection 163

N.NET Framework 39–40notification settings 200notification, variables 245notifications 17, 30, 242

OOpen Proxy list 122Operation Status 81outbreak. See outbreak managementOutbreak management

best practices 205outbreak management

about 201clearing notifications 209configuring notifications 208configuring triggers 206defining an outbreak 202enabling 206triggers, about 205

PPerformance counters 215performance, enhancing 242permissions 38policies 23post-installation tasks 63pre-installation requirements 33premium antispam service. See Symantec Premium

AntiSpampreview pane 66

primary navigation bar 66–67processing limits 113protection, server 236proxy server

configuring for Symantec PremiumAntiSpam 121

LiveUpdate 240

QQuarantine Server 95

See also local quarantineabout 95forwarding items to 96location on product CD 19

RRapid Release

about 236enhancing performance 242licensing requirements 73updating definitions

on demand 240scheduled 241

regular expressions 172remote access programs. See security risksreplacement variables 245reports 217

See also templatesaccessing 230consolidated 227, 229creating or modifying 218, 223deleting 233email notification limitations 218, 223generating on demand 229managing 227printing 231Reports page display information 230resetting statistics 233saving data 232viewing with third-party tools 217

Reports databaseabout 211purging 215storing data 214

reputation service 122resource, cluster 56risks 105

See also security risks

Index260

risks (continued)See also threatsBloodhound heuristics technology 106categories of 105configuring security risk detection 110configuring threat detection 107decomposing container files 106how risks are detected 106setting container file limits 113

roles, Microsoft Exchange Server 2007/Server2010 33

RTF encoding 133

SSafe list 122SAT (Store Action Threshold) 118scan processes 69scanning limits 113scanning threads 69scans

advanced scanning options 187auto-protect 184background 184How messages are scanned 178manual 189notifying of violations 200offloading mailbox server scanning 183optimizing scanning performance 183scheduling 193types of scans 177

scheduled scansabout 177, 193configuring 194creating 193deleting 199editing 194enabling 199

SCL (spam confidence level) values 118–119screen resolution, recommended 33security and access permissions 38security risks

about 105categories of 110configuring detection 110

serial numbers, licensing 75server groups 79

See also serversadding servers 88applying definitions 242

server groups (continued)creating 87deleting 92deploying all settings 81deploying changes 81Global Group 79managing, about 82moving servers from/to 89pushing out settings to servers 91restoring default settings 91server settings file location 79user-defined 79viewing settings 86

server protection 236server roles, Exchange Server 2007/Server 2010 33servers 79

See also server groupsadding to groups 88deploying changes 81importing and exporting settings 92managing, about 82modifying communication properties 93moving to another group 89removing from group management 91restoring default settings 91synchronizing settings 91viewing settings 86viewing status 87

settings, importing and exporting 92shared storage volume 62, 71sidebar 66Single Copy Cluster 55SMSMSE Admins 38SMSMSE Viewers 38software components 35SPA. See Symantec Premium AntiSpamspam. See antispam filteringspyware. See security risksSSL (Secure Socket Layer) communications 63, 93statistics, resetting 233string, literal 135Suspect list 122Symantec AntiVirus Corporate Edition 33, 68, 236Symantec Brightmail AntiSpam 33Symantec Central Quarantine 19Symantec Endpoint Protection 33, 68Symantec Enterprise Vault 27Symantec Mail Security for Microsoft Exchange. See

Mail Security for Microsoft Exchange

261Index

Symantec Premium AntiSpam 117See also antispam filteringabout 120configuring 122configuring your proxy server 121processing spam 124processing suspect spam that exceeds a SCL

threshold 126processing suspected spam 129registering through an ISA server 121reputation service 122scoring suspected spam 122

system requirements 39

TTCP (Transmission Control Protocol) port,

changing 93templates

about 217creating or modifying 218, 223deleting 227Detailed 217output formats 217Summary 217

threats 105See also risksBloodhound technology 107configuring detection 107detecting mass-mailer infected messages 107types detected 105

toolbar 66trackware. See security riskstransport agent 33Trojan horses 105

UUNC (Universal Naming Convention) path 76Unfiltered Recipients list 119uninstallation 43Unrepairable Virus Rule 107unscannable files 114, 249updates. See definitionsuser credentials 43

Vvariables, replacement 245Veritas Cluster Server 58–59version support 235

virus 105See also risksBasic Virus Rule 107configuring detection 107detecting mass-mailer viruses 107enabling detection 107how Mail Security detects 106logging detections 211modifying virus policies 107quarantining 95setting Bloodhound detection level 107Unrepairable Virus Rule 107updating protection against 236

virus definitions. See definitions

Wwhitelists 119wildcard expressions, DOS 171Windows Application Event Log

about 211viewing contents of in Mail Security 212

worms 105

Xx-headers 27

Z.zip files. See container files

Index262

Symantec Mail Security for Microsoft® Exchange Server...

Documents

Transcript of Symantec Mail Security for Microsoft® Exchange Server...