Avira AntiVir Exchange incl. AntiSpam 1 Year 10 units
Contents
1. Scan in selected attachments io elect J Extract archives Set threshold 50 Search in text extract Edit archives C Search in raw data List of selected dichonarnes 10 B Offensive Language German 10 Offense Language English Select Edit g Lancel Apply This job checks the subject line The overall threshold value is set to 50 This means that when five words phrases from the Offensive Language English or Offensive Language German dictionary have been found the specified actions are performed 127 Avira AntiVir Exchange 7 Calculation Every word or phrase in the Offensive Language list has a value of 10 In this example the threshold of 50 is reached when at least five words from these lists are found in the message Explanation Every word or phrase in the Offensive Language list has a weighting of 10 Each word or phrase from this list found is counted and multiplied with the weighting and finally compared to the threshold value In this case Lets assume that 5 words from the dictionary were found in the message The sum of these words is multiplied with the weighting 10 5 x 10 50 This value is compared to the threshold value Since this is also 50 the action is executed If only 4 words are found in the message the total value is 40 4 x 10 which is less than the threshold value and no action is triggered You are using two different dictionaries for checking the2. 3 Click the area you wish to view e g Default Quarantine or BADMAIL All available mails will be displayed up to a maximum of 10 000 4 Filter the mails using the Filter Options icon T 5 Double click on a mail to open it 6 Resend mails using the Resend itemicon as required 3 3 3 1 Quarantines If you have enabled the Copy infected email to Quarantine action in a job all affected messages are copied to a Quarantine and the AntiVir Monitor displays all information available on each e mail Click on a Quarantine to view a list of mails If you right click on a mail the following options are available Resend Quarantine item Label Add sender to addressist Add sender domain to addresslist Copy to E Copying mails is also possible via drag amp drop With the mouse simply drag the selected mail to another Quarantine Within a Quarantine you can filter messages according to numerous selection criteria To do so right click View Filter options or click on the vr icon The following dialog appears 64 Avira AntiVir Exchange 7 Filter Options Filter by Date Miscellaneous f No Filter C Las days Attachment name a ooo Subject Today Last 30 days C Yesterday This month Custom From 23 05 2009 Filter by Job type Sender and Recipients No Filter Sender f Select job type Antivir Scanning Recipients
3. Combination of Values to Overall Spam Probability The individual values of all combined criteria are weighted according to their defined relevance to establish a final evaluation The job compares this overall value the spam probability of the message with the three threshold values and allocates the e mail accordingly to one of the four spam probability ranges None to High When all combined criteria are taken into account our sample e mail with the three words from the dictionary may therefore still be classified as spam In this example the e mail in which six words from the dictionary were found and which was consequently classified as spam according to this criterion can still fall into spam probability category None or Low when the other criteria are considered The overall value is calculated from the relevance of the criteria the minimum and maximum values and the individually set soam probability ranges You will find the individual combined criteria on four tabs under Advanced Configuration The following tables provide an overview of the combined criteria contained in the job Note For further information on combined criteria refer to the technical whitepaper or contact our Support Combined No Spam Criterion Emails containing these phrases Checks whether message bodies contain business words that are typical for the user Combined Classification Criteria Here the results of other spam filtering products
4. checkpoint intercheck and intercheckpoint check will find check and checkpoint but not intercheck nor intercheckpoint 121 Avira AntiVir Exchange 7 The asterisk must be placed at the beginning or end of a word or phrase Plus symbol The plus symbol has the same function as the asterisk but indicates that the search term is part of a word or phrase Examples check will find checkpoint intercheck and intercheckpoint but not check on its own check finds only checkpoint The plus symbol must also be placed at the start or end of a word or phrase Tip If you enter a word or phrase without wildcard only that exact word phrase will be found For example if you enter check only the whole word check will be found 6 To sort the dictionary in ascending order click and to sort it in descending AL order click y LA 7 To create a new dictionary right click Dictionaries and select New Dictionary The Jobs tab lists the jobs that use an object 122 Avira AntiVir Exchange 7 Properties of Offensive Language English E General Jobs Detaile This object i used by the following obla Block offensive content P Display active jabs onli Note To use dictionaries in a job select a Content Filtering job under Policy Configuration enable the required dictionary and specify an overall threshold value fro
5. AVIRA More Than Security Zi A Avira AntiVir Exchange 7 Contents DR SEA n e a a a a ea Ea a a 6 1 1 Installation on an Exchange Server ccccccccccccseeeeeeceeeeeeeeeeeeeeeseeaeeeeseeaseeeseeeeeeeesageeeesaaeeeeeaas 6 1 2 Starting AntiVir Exchange Management Console cccccccseeeececeeeeeeeeeeeeeeessaeeeeeeeaaeeeeeaaees 6 1 3 Configuration in AntiVir Exchange Management Console ccccccccceeeeeeeeeesaeeeeeeeeaeeeenens 6 1 3 1 Required Basic Configuration Steps cc cccccccccceeeeeeeeeeeeeeeeeeeesesseeeeeeeeseseeeeeeeeessaaeeeeeees 7 1 3 2 Required Policy Configuration Steps 2 0 0 0 cccccccccceeeeeeeeeeeaeeeeeeeeseseaeeeeeeessseeeeeeseessaaeeeeees 7 1 3 3 Recommended Basic Configuration Steps cccccccccccceseeeceeeeeseeeeeeeeeeeaeeseeeeessaaeeeeeesseaaaees 8 1 3 4 Virus Scanning in Exchange Databases cccccccceccccee cesses ceeeeeaeeeeeeeeeseaeeeeeeessaaeeeeeesaaaeees 8 1 4 Observing Data in AntiVir Monitor 00 0c ccceeceeeeeeeeeeeeeeeeeeesaeaeeeeeseaeeeeseeeeseeesaaeeeeeseeeeeeaas 8 PAo EO obi ertern S E E E E E E E A S 9 2 1 OY SUNN ReguNe menis cease tess ceca aac connec a a a ia tees 9 2 2 Installation of the Virus Scanner cece ccccccceeeeeceeeeeeeeeeeeeeeeeeeeeeeeeeesaaeseceeeseaeaeeeeeesseaeeeeeeessaaeaees 9 2 3 Installation of Avira AntiVir Exchange on an Exchange Server cccccssecee
6. General Update Details Update patterns using the following configuration settings Update Settings Parameters UpdatesE stract Update interval E0 minutes Update timeout 600 seconds FeS Under normal circumstances all you need to set on this tab is the update interval Parameters 150 Avira AntiVir Exchange 7 This field specifies the directory where the update patterns are stored only change this setting if you have selected another directory during the SPACE setup Update interval Interval in minutes at which the program checks for pattern updates The minimum value is 15 minutes Update timeout Timeout in seconds for accessing the server If unsuccessful the update is aborted after this time has elapsed Details For details on entering the job details refer to Entering Job Details 5 5 2 alata Spam Filtering Job Configuration Under Mail Transport Jobs open the Advanced spam filtering job Enable the job and keep the default settings Under the Actions tab select Combined Criteria gt Spam Classification and enable the criterion Avira SPACE results Again it is recommended not to change this setting 151 Avira AntiVir Exchange 7 Properties of Ady anced spam filtering x Ho Spam gt pam Classification Spam Header Spam Subject spa Spam Criteria Exchange SCL Value Relevance of this criteria SCL HAM SPAM threshold M Avira SPACE results Relevance of
7. Selected components Antivir Exchange Server Components Information Store Scan grabber Antivir Exchange Management Console Antivir Exchange Online Help Installshield Cancel 12 Avira AntiVir Exchange 7 11 12 13 14 Now disable the on access scanners for the AntiVirData directory unless you have already done so Check your configuration settings These settings will be added as standard entries to the configuration of the Avira AntiVir Exchange Server For details refer to Avira AntiVir Exchange Server settings Follow the instructions on screen and click Install Avira AntiVir Exchange is installed to the following directory lt Drive gt lt default program dir gt Avira Avira AntiVir Exchange Click Finish in the final dialog Avira AntiVir Exchange is fully installed 2 4 Uninstallation of Avira AntiVir Exchange 7 1 OOS NS T Go to Start Settings Control Panel Add or Remove Programs Select the Avira AntiVir Exchange 7 Click Change to call the Setup In the Welcome window click Next In the selection dialogue click Remove Click Next and confirm with Remove The Setup then uninstalls Avira AntiVir Exchange without removing your configuration and the Quarantine data A decision concerning this data can be taken separately after completing the uninstallation i maiihi Exchange Server 20007 2003 InstallShield Wizard InstallShield Wizard Completed The Installs
8. address entries included in the user whitelist are delivered without prior checking for spam Emails containing attachments E mails with file attachments Most unsolicited mail does not contain attachments You can optionally 131 Avira AntiVir Exchange 7 enter a threshold value here Example Minimum number 2 means that all messages with two or more file attachments are delivered without spam checking Emails with minimum size of Spam e mails are generally small and large e mails are therefore unlikely to be spam Here you can enter a size above which message are no longer checked for spam Emails in TNEF format TNEF E Mails This Exchange specific format is not being used by spammers yet Emails encrypted and or signed Encrypted and or signed e mails Soammers do not send encrypted or signed e mails Spam confidence level SCL spam filter intelligent message ae IMF from Exchange 2003 SCL accepts integers from 1 to 9 Exchange assigns 1 for e mails from senders from the same Exchange organization The Wall Spam Filtering job treats this value as definite no spam criterion Microsoft Exchange No spam SCL value Also refer to Write spam result in Exchange SCL field 5 4 2 Definite Spam Criteria E mails from the following Blacklist All sender addresses known to be originators of spam The senders Blacklist default configuration contains a list of known addresses to which you can add further
9. cance too By default the Subject extension is pre set to WALL checked If enabled this text is added to the subject of each e mail checked by the job This job does not process mails that are being resent from Quarantine AntiVir Monitor lt select quarantined e mail gt All Tasks Resend quarantine item even if the Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine For further information on sending quarantined mail refer to Sending From Quarantine 153 Avira AntiVir Exchange 7 For details on the Mission Critical option refer to This job is mission critical in the AntiVir Chapter Setting up Address Conditions Under the Addresses tab specify the senders or recipients to which this job is to apply You can select addresses from existing lists or from your own ones For details on how to make the best use of address lists and details refer to the description under Address Lists Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Setting Threshold Under the Threshold tab set the
10. functionality for further processing The spam probability values are internally converted to SCL values which Outlook can use Tip If you are using the summary report function users are notified of all relevant spam e mails In that case you do not have to use Exchange Store forwarding to Junk mail folders For further information on the Exchange SCL field visit htto www microsoft com technet orodtechnol exchange 2003 library imtdeploy mspx Write spam value in mail header field The spam probability value low medium and high is always written in the mail header The result is converted to a string of asterisks one asterisk meaning a value up to 10 two asterisks a value up to 20 three asterisks up to 30 etc to which an Outlook rule can be applied You can also specify the result separately for each Spam probability In the Actions tab select Add Add X header field The result is then output as a numeric value instead of being converted to a string of asterisks To configure the actions for the Spam Probability High range set here from 91 to 100 click the High button The following dialog appears 138 Avira AntiVir Exchange 7 Achons for high spam probability Standard r Copy to Quarantine Spam High using label no label Delete Email Add e mail sender recipients ta userlist Send Administrator spam detected to Administrator Send notification to All Senders OOOO Send Recipient spam d
11. to two minutes for the Exchange Store to register the change 4 3 1 General Settings Under the General tab you can enable on demand scanning for both the private and the public Information Store In addition to on demand scanning you can also enable proactive and background scanning For further information refer to Scanning in the Information Store Properties of Informations Store Scan on SUPPORT Ex Scan all Private Stores WM On Demand scanning M Fro active scanning Background scanning Scan all Public Stores M On Demand scanning Background scanning Job is mission critical Gei a For details on the Mission Critical option refer to This job is mission critical 86 Avira AntiVir Exchange 7 4 3 2 Scheduling Use the Schedule tab to define a schedule for restarting the scan When scanning is restarted all elements in the Information Store are checked one more time This applies to all three scan modes If you have enabled background scanning this scan may take a long time and use a lot of processor capacity It is therefore advisable to restart scanning during periods of low system usage and following pattern file updates To create a schedule entry click Add Then select a start time and the days on which restarting is to be performed Confirm with OK Schedule Settings Schedule Settings Select the time you want this task to start Start Time 12 00 Select
12. which often use only a single junk filtering method are included Their combination with other criteria in the Wall Soam Filtering job eliminates the disadvantages of these products Exchange SCL value Also refer to Definite No Spam Criteria and Write spam result in Exchange SCL field The Intelligent Message Filter IMF also determines a spam probability for each message the so called Soam Confidence Level SCL from 1 to 9 The higher the spam probability the larger the SCL This criterion can be used to include the SCL value in the Avira AntiVir Exchange spam evaluation For further information refer to http www microsoft com technet prodtechnol exchange 2003 library imfdeploy mspx 147 Avira AntiVir Exchange 7 y O Avira SPACE results Avira SPACE checks incoming mail against known spam patterns Combined Header Criteria Suspicious sender properties Checks whether the message has a From header and whether this header is completed and corresponds with the sender in the SMTP protocol Suspicious recipient properties Checks whether the message contains a To header whether this header is completed and whether it or the CC header contains at least one of the SMTP recipients Digits in sender address es Checks whether one of the sender addresses SMTP or mail header contains digits Number of recipients per e mail Checks the number of recipients of an e mail Known spam x mailer
13. 128 Avira AntiVir Exchange 7 Properties of Block offensive content E4 General Addresses Conditions Content Restrictiong Actions Ser4 gt Achons for unwanted content Standard Copy to Quarantine Default Quarantine using label no label Delete Email Add e mail senderfrecipients to userlist Send Administrator forbidden cantent found to Administrator Send Sender forbidden content found to All Senders Send Recipient forbidden content found to All Recipients In this example a copy of the message is placed in Quarantine and the message is deleted without being delivered to its recipient A notification that the corporate policy was breached is sent to the Administrator You can select this notification from the pull down menu of available notification templates which you can format using the HTML toolbar or by entering appropriate HTML code yourself Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings Click on the Save button The configuration is saved in the ConfigData xml file located inthe Avira AntiVir Exchange Config folder Pending changes are indicated by an asterisk next to the top node 5 4 Anti Spam with the AntiVir Wall Spam Filtering Job Spam Filtering scans e mails for characteristics typical for soam Unlike virus infected mail soam is not always clearly identifiable as such Unsolicited mail can hold a wide variety of conten
14. Before closing the AntiVir Exchange Management Console you are prompted to save any changes Note Pending changes are indicated by an asterisk next to the top node To save your configuration click the Save button The configuration is saved in the ConfigData xml file located in Avira AntiVir Exchange Config 1 3 Configuration in AntiVir Exchange Management Console Avira AntiVir Exchange 7 2 Avira Antivir Exchange OF x File Action View Basic Configuration 5 3 General Settings fg General Te ED Antivir Server E Address lists E Folders Templates OFF Utility Settings Database Connections PE Antivir Server Ee fa Folders o hE Quarantines Sein Utility Settings l E Fingerprints e Dictionaries Antivir Engine Ey amp Policy Configuration ff Information Store Jobs lf Mail Transport Jobs E Job Templates A Q Antivir Monitor D Servers H A SUPPORT2 After the installation use the AntiVir Exchange Management Console to make the required and recommended settings 1 3 1 Required Basic Configuration Steps Basic Configuration is used to define the valid server e mail addresses shared templates and utility settings 1 Under Basic Configuration General Settings AntiVir Servers Settings in the Address Settings tab check the entries for the Administrator s and the Internal domains Refer to 3 3 1 3 AntiVir Servers Settings 1 3 2 Required Policy Configuration Steps Use the Policy Co
15. Checks whether the X Mailer entry in the message is a known spam mail client Known spam results Takes into account the result of a preceding spam analysis for the classification of e mails as spam or non spam The result number of spam characters found is written to the X header of the e mail Avira AntiVir Exchange analyzes the X header and writes the number of spam characters into the criterion The evaluation is performed on the basis of the minimum maximum number of spam characters The result may come from an external system or be determined by an Avira AntiVir Exchange system on another server Combined Subject Criteria Missing subject Checks whether the message has a subject field with content Recipient address in subject Checks whether the part before the of a recipient address is found in the subject of the e mail Junk sequence in subject Checks whether the e mail subject contains long strings of spaces or meaningless character strings Emails containing these phrases Checks whether the e mail subject contains words typically found in spam mail Emails containing these concealed words Checks whether the e mail subject contains any concealed words from the dictionaries specified Combined Message Body Criteria 148 Avira AntiVir Exchange 7 Recipient address in body Checks whether the part before the of a recipient address is found in the message body of the e mail Junk sequence in subject Checks whet
16. Folders Quarantines The Summary column shows the quarantines for which a summary notification has been configured Yes No Whitelist Summary Reports Quarantine Summary Reports also provide information on the messages quarantined by AntiVir in the Whitelist Summary Reports 58 Avira AntiVir Exchange 7 Properties of New Quarantine Summary Report Summary Fields Whitelist Fields Blacklist Fields Schedule Details 4 gt Whitelist template whitelist Summary Report i i Create report as table Select columna m Sender Insert date Insert time Cfi Insert date and time ap Dols HTTP Oot MAIL Links m Report Mail Links m Report HTTP Remove from whitelist Remove from whitelist B Cancel Apply For the Quarantine Summary Report select the template with Whitelist Support so that the recipient of the Quarantine summary report can manage the entries in his whitelist and request a whitelist summary report Select the message fields to be listed in the Whitelist Summary Report Use the Whitelist template field to edit any existing whitelist template or create a new one Configure the Whitelist template with the variables as described under List of Notification Variables 3 3 1 9 Utility Settings Fingerprints Fingerprints are used by AntiVir to identify file types A comprehensive range of fingerprints subdivided into categories is included with Avira Anti
17. This job does not process mails that are being resent from Quarantine AntiVir Monitor lt select quarantined email gt All Tasks Resend quarantine item even if the Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine For further information on sending quarantined mail refer to Sending From Quarantine For details on the Mission Critical option refer to This job is mission critical in the AntiVir Chapter Tip In this job the Subject extension field is located under the Actions tab Setting up Address Conditions Under the Addresses tab specify the senders or recipients to which this job is to apply You can select addresses from existing lists or from your own ones For details on how to make the best use of address lists and details refer to the description under Address Lists 134 Avira AntiVir Exchange 7 Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Defining Actions Under the Actions tab specify the spam probabilities and the action to be taken on identified soam e mails
18. a subsequent job When the e mail is sent to its original recipients the information in the mail header tag is removed Add header field and value Define a new X header field and select the variable to be inserted e g to return a spam analysis result as code or value As opposed to the mail header tag this information is not removed when the e mail is sent to its original recipients Redirect mail Select the recipient of the redirected mail from the address book The Redirect mail option is not enabled by default it is simply included as additional suggestion Note About Redirect mail When you redirect a TNEF message to an external address the recipient will get a blank message that may contain an attached file called winmail dat Exchange uses the TNEF format when an Outlook user not Outlook Express sends a message within an Exchange organization This format is not used for Internet communications or by other mail programs Click Next and make additional settings depending on the options selected In the case of Redirect mail the following options are available 83 Avira AntiVir Exchange 7 Actions Assistent x Recipient selection Redirect mall to the following recipient a a Also send to original sender Also send to original recipient B Back Finish Cancel Click the address book icon el to select further recipients or define own addresses If the e mail is also to be delivered to the original recip
19. addresses Emails with this character set This function checks the charset field in the message header for the character sets in the specified list Messages with a matching character set are immediately classified as spam If enabled the mail s sender ID is also checked This allows to prevent spoofing i e the falsification of sender mail address domains The analysis is based on entries in a DNS which is used to determine from which iP addresses e mails from specific domains are allowed to be sent or not The Sender ID result is provided with the mail Wall checks the mail s Sender ID and classifies the result FAIL as spam To be able to use the SenderID function a number of other functions need to be enabled at the server such as the associated SenderID filter The filter is enabled under Server Protocols SMTP Properties in the Identification field In addition both server and client Outlook must be configured Exchange SenderID request returns FAIL For details on SenderID refer to http www microsoft com mscorp safety technologies senderid default mspx Tip If you want e mails deleted immediately only if they are definitely spam set the spam probability for High to 100 and define an appropriate action This ensures that only e mails definitely identified as spam i e using the blacklist or character set fall into this range If you set this range for instance to 91 to 100 e mails with a high spam pro
20. apply You can select addresses from existing lists or from your own ones For details on how to make the best use of address lists and details refer to the description under Address Lists Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Defining Actions Under the Actions tab specify the actions to be taken when the job finds an e mail with denied senders In this example a copy of the message is placed in Quarantine and the message is deleted without being delivered to its recipient A notification warning of the denied address is sent to the Administrator You can select this notification from the pull down menu of available notification templates which you can format using the HTML toolbar or by entering appropriate HTML code yourself 119 Avira AntiVir Exchange 7 Properties of Anti spam regarding sender address Ea General Addresses Conditions Actions Server Details Actons for denied addresses Standard Capy to Quarantine Default Quarantine using label no label Delete Ernail Add e mail senderfrecipients ta userlist Send Administrator forbidden senderf s found to Administrator Send Sender
21. change the file at a later stage proceed as follows Stop the SAVAPI service Go to the folder Avira AntiVir Exchange Engine Open the savapi ini file with Notepad Set the following parameters oe aa Use proxy server for updates If this value is enabled 1 the engine tries to download the updates through the specified proxy By default no proxy server is used Example ProxyEnabled 0 not enabled Proxy server address Use this parameter to enter the full name or IP address of the proxy server used for the update This value is used only when ProxyEnabled is enabled Example ProxyUrl proxy mydomain de Proxy port address The port specified here is used for updates through the proxy server This value is used only when ProxyEnabled is enabled Specify the port number of the proxy server in this parameter Example ProxyPort 3128 User name for proxy server proxy authentication Use this parameter to enter the user name under which the update service logs on to the proxy server This value is used only when ProxyEnabled is enabled Example ProxyUserName fmaier 7 Avira AntiVir Exchange 7 Password for proxy server proxy authentication Use this parameter to set the password to be used by the update service along with the user name to connect to the proxy server This value is used only when ProxyEnabled is enabled Example ProxyPassword passwort Search interval for new updates This value s
22. following headers and values it is possible to select all e mails that do not include headers or do not have the defined value However if such control elements must not appear in the header of e mails you can use the condition with following AntiVir tags and values instead as they are not displayed in the message body 3 3 2 3 Job Types There are 9 job types which you can find under Policy Configuration Mail Transport Jobs New TE aration 61 Avira AntiVir Exchange 7 AntiVir E Mail Size Filtering Checks messages for size and denies files that are larger than the allowed maximum size per message size AntiVir Attachment Filtering Checks messages for denied file attachments The various file formats are identified with fingerprints AntiVir Attachment Size Filtering Checks messages for denied file attachments and for file size and denies files larger than the specified size AntiVir Wall Content Filtering Checks messages and attachments for restricted text content AntiVir Wall Email Address Filtering Checks messages for address restrictions AntiVir Wall Recipient Limit Filtering Checks messages for a maximum allowable number of recipients per message the recipients in the To field of each message AntiVir Wall Xblock Image Filtering Checks messages for offensive images AntiVir Wall Spam Filtering Checks messages for spam using a range of criteria For each job type you can define individual con
23. label no label Delete Email Add e mail sender recipients to userlist Send Administrator max size of email exceeded to Administrator Send Sender max size of email exceeded to All Senders Send Recipient max size of email exceeded to All Recipients 2 Cancel Apply In this example a copy of the message is placed in Quarantine and the message is deleted without being delivered to its recipient A notification about the excessive message size is sent to the Administrator You can select this notification from the list menu of available notification templates which you can format using the HTML toolbar or by entering appropriate HTML code yourself To define further actions click the Add button For a description of the procedure refer to the description in the AntiVir chapter under 110 Avira AntiVir Exchange 7 Enabling Virus Scanning Example Defining Actions Selecting Servers Job Details To select servers and specify job details proceed as described under Selecting Servers and Entering Job Details Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings Click on the Save button The configuration is saved in the ConfigData xml file located inthe Avira AntiVir Exchange Config folder Pending changes are indicated by an asterisk next to the top node 4 4 7 Denying Attachment Types and Sizes Example Under Policy Configuration Job Templa
24. string Provider SQLO LEDE Initial Catalog DB Server network name Database user User Catalog Password po User Password Command Timeout 60 seconds B Cancel Apply The example below illustrates one of many possible configuration possibilities for the ADO string For more detailed information on this and other options and configurations of the MS SQL ADO string please refer to the applicable documentation from Microsoft Sample connection string Provider SQLOLEDB User ID ADOUSer Password ADOPwd Trusted_Connection No Initial Catalog DBCatalog Data Source LOCALHOST SQLEXPRESS a b Provider SQLOLEDB mandatory parameter needed to specify the provider Enter the value manually no Avira AntiVir Exchange variable available User ID ADOUser Password ADOPwd mandatory parameters enter the parameters User ID and Password manually in the string and set the Avira AntiVir Exchange variables Database user and Password The inserted variables ADOUser and ADOPwd will be replaced with the contents of the user and password fields below Using variables is the recommended procedure as this prevents values in the ADO string from being output in clear text But it is also possible to enter the values manually in which case you should leave the user and password fields empty Trusted_Connection No optional parameter for SQL authentication In order for the SQL server to identify the Avir
25. system and for accessing the Quarantine 1 Standard Windows file access Here AntiVir Exchange Management Console is run directly on the Exchange server on which all components of Avira AntiVir Exchange are installed This mode is suited for smaller systems and for managing the server locally SOAP and SSL The AntiVir Monitor refer to 3 3 3 AntiVir Monitor is accessed through SOAP and SSL using a permanently assigned communication port The AntiVir Exchange Management Console supports two operating modes 1 Local Administration Here the AntiVir Exchange Management Console is run directly on the Exchange server on which all components of Avira AntiVir Exchange are installed This mode is suited for smaller systems and for managing the server locally Remote Administration In this case the AntiVir Exchange Management Console is not installed on the Exchange server but on a client The AntiVir Exchange Management Console can run under the following client operating systems Windows 2000 Professional 15 Avira AntiVir Exchange 7 Windows 2003 Windows XP Professional Windows 2008 Windows Vista Remote administration is suited for central administration in multi server environments with the AntiVir Exchange Management Console accessing one or more Exchange servers to configure and administer Avira AntiVir Exchange 3 1 2 Avira AntiVir Exchange Server The term Avira AntiVir Exchange Server refers to the Avira
26. test Email body e cerpt Email headers Complete Email Icons used on these tabs Send message from Quarantine Delete message in Quarantine Create edit or delete message label Save message as Open Online Help Next message in Quarantine badmail Previous message in Quarantine badmail To add the message sender to an address list click the Add to button The address lists shown with this button are set individually For further information refer to Address Lists When you add the sender s address to the address list a message appears 66 Avira AntiVir Exchange 7 Anti ir Exchange Server 2000 7003 tofi addresses are added LL O addresses already exists in Antispam Whitelist 0 addresses are invvalicl The Processing Log tab shows the name of the job that has quarantined the message the job type the server the reason for quarantining the message as well as other processing details Quarantine Item E Processing Information Antivir job name canning wihAntengne ES Antivir job type Ce E Server name E Email file 501 62E6BF93A6964770A9FD6F4AEIC88E75 Description Job Scanning with Antivir Engine Mail exceeds the configured disk quota Processing log Job Scanning with Antivir Engine Mail exceeds the configured disk quota Reported reason Curent size 3072056 exceeds quota 307 200K 6 in section Archive Reported reason Extracting fil
27. this criteria very high Relevance of this criteria Set the relevance weighting for the entire criterion ranging from Low Very high The values for the relevance and the coefficient are multiplied and yield the result for this criterion 3 Once this job is active the configured SPACE Engine is automatically enabled 5 6 Blocking Images This job type is used to block images with offensive or pornographic content Supported formats include JPEG GIF TIF PNG BMP Blocking Offensive Images Example Under Policy Configuration Job Templates you will find the Block Offensive Images job Drag this job to the Mail Transport Jobs folder and open it there witha 152 Avira AntiVir Exchange 7 double click General Settings Under the General tab enter a name for the job An active enabled job has a checkmark in the job symbol Set the job to Enabled Yes Once you have saved your settings with Apply and closed the job the job is enabled Properties of Block Offensive Images E3 General Addresses Conditions Threshold Actions Server Details Hame Block Offense Images Job type Sntivir Wall block Image Filtering Enabled 0 es C No Subject extension f Add no subject extension C IALL checked Iv Quarantined emails qnore emails resent from quarantine Check emails resent from quarantine Options Job is mission critical Write processing log
28. threshold for triggering the actions defined To do so drag the slider with the mouse to the desired position Tip Alternatively you can use the cursor keys left right to increase decrease the value in steps of 2 With the Shift key kept depressed at the same time the value is increased decreased in steps of 5 154 Avira AntiVir Exchange 7 Properties of Block Offensive Images a General Addresses Conditions Threshold Actions Server Details The defined actions will be executed if the threshold specified here i reached or exceeded The default of 517 is a reasonable practical value Threshold R Scan inside compressed attachments B Cancel Apply Whether or not an image is classified as offensive depends on the threshold set here Possible values range from 0 to 100 Theoretically genuine pornographic or hardcore images can reach a value of 100 In practice however these values lie between 35 and 65 More than 80 of all images reach values between 45 and 50 We therefore recommend to set the threshold to 51 This value will identify images with a lot of naked skin such as pin ups A threshold below 50 does not make sense as these images are likely not to be pornographic In this example the action defined is triggered when the threshold of 51 is reached or exceeded The overall result for the e mail is the highest value of all images attached E mails with images that could not be classif
29. to a central SQL database To configure central whitelists a database connection between the SQL server and the Avira AntiVir Exchange server has to be configured first Then additional settings are required within Avira AntiVir Exchange in order for Avira AntiVir Exchange to be able to retrieve entries from the whitelist database The configuration of the database connection depends on the server environment 1 Depending on the operating environment proceed as described in the corresponding scenarios under Configuration of the Database Connection 2 Under Data Source enter the central SQL server Note Please note that in the database connection ADO string the DBCatalog variable for the whitelist database is replaced with the fixed database name Whitelist 3 Under Avira AntiVir Exchange Servers Properties in the field Select database connection for whitelist entries select the SQL server This field provides a selection of all data sources specified under Database connections 4 Open the Wall job Advanced spam filtering Actions Definite criteria No Spam and enable the option E mails from User Whitelist entries 49 Avira AntiVir Exchange 7 Setting up a Quarantine Database Besides using the Microsoft SQL server for whitelists it can also be used locally for Quarantine databases Normally the index of a quarantine is maintained in the local database Microsoft Jet Engine In case the capacity of a Jet
30. 1 Corporate Policy Example cccccccccccccccceeeeceeeceeeeeeeeeeesseeeeceeeeeseeeseeeeesseeeeeeeeesenseeseeeesas 60 3 3 2 2 CONGIUONS sses airnn ne ere ee ene ee een a eee eee eee eee ee 60 ec PJs JOD I YPES ciao ene eee ee oe 61 RAA ACION acta ncinza imccnaids checncirasieaanaiia meet E anaena aubaseauatnaesinera ddainanianmatior EE 62 3 3 2 0 JOD Processing Seguente sicceiadccscicsncsiecscnnaddnssanctictbesescueiheccncalacsancensned nieusousludedeactiatedneadtcatacssediic 63 3 3 3 AntiVir Monitor 0 20 0 ccc ccc ceecceeeeceeeeeaeeecaeeeseaeeeeeeeesaecesaeeesaueeseeeeseaeeseaeessueessueeeseeeeseeeeseeeesaaes 63 3 3 3 8 Fs 2101 ne ee eee nn eee ee eee eee ee eee 64 3 3 3 2 Avira AntiVir Exchange Reports cccccccccccceceeeeeeeeeeeeseeeeeseeseeseeeeeseeeeessegeeeseaeeesseeeessaaees 72 Bee diseases ssa cs peace societies E an cioee sie easadne toe aseeae ste E A EE EOS 73 4 2 Virus Gel UMN esscr E a EEEE EE E 73 4 2 1 Scanning Inbound and Outbound Messages cccccccccesseeeeeeeeeaeeeeeeeeeseeeeeeeeeeesseneeeeeeeeas 73 4 2 2 Scanning in the Information Store ccc ceeceecceeeeeseeeeceeeeeeeseeeeeeeeseeeeeeeeeeeeeaseeeeeeseaeeeeeees 74 4 2 3 Configuring and Enabling the AntiVir Scanner 00 cece ccccceceeeeeeeeeeeeeeeeeeeeeeeeaeeeeeeeessaeaees 75 4 2 4 Enabling Virus Scanning Example 0cccccccccccecseeseceeeeeeeeseeeeeeeseeeseeeeseseeeeeeeeeesaeeeeees 7
31. 144 Avira AntiVir Exchange 7 character set Note This function checks only the charset e mail header Make sure that you have selected only character set list s for this option and not any other dictionary Selecting Servers Job Details To select servers and specify job details proceed as described under Selecting Servers and Entering Job Details Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings Click on the Save button The configuration is saved in the ConfigData xml file located in the Avira AntiVir Exchange Config folder Pending changes are indicated by an asterisk next to the top node 5 4 5 Advanced Spam Filtering Use the Spam Filtering job to set definite and combined spam criteria The definite criteria classify e mails as soam or non spam and label them Spam Probability is 0 None or Spam Probability is 100 High The combined criteria are used only for e mails that were not already classified with the definite criteria For soam detection with combined criteria several analysis mechanisms criteria checks are performed simultaneously and later cross evaluated Each criterion has a defined relevance to the overall result which can be set from Low to Very high You can also disable the criterion by deselecting the checkbox An additional individual value can be assigned to most criteria for Minimum and Maximum These two values apply for e
32. 8 4 3 Virus Scan in the Information Store Sample JOD cc eccccccccceeeeeeceeeeeaeeeeeeeeeseeaeeeeeeeeaas 85 4 4 File Restrictions for Attachments cccccccccccseeeeseeeeeseeeeesaeeeeeseueeeseeeeseeeeeaeeeeeseneessaneeeseees 93 AES VG mrene E E ARE palbenbenia E tina tunensiisttasaad eeun yhdnagieeynecatinns la OEE 93 Avira AntiVir Exchange 7 4 4 2 By Message Laces crs cise en ancient c pmisgsss eee eceance eB osieeanioereeto na eaeaenessenaeeneeaniadeesateeheneeseseeanes 94 4 4 3 By Type and or Attachment Size 0000 00 00 ccccc cece ce eeeeceeeeeaseeeeeeeeeeaeseeeeeseaeeaeeeeeseaeaeeeeeeeasaaees 94 4 4 4 Configuring Fingerprints cece ccc cceseeeeceeeceeeeeeeeeeeseeseeeeeeesseeeeeeeesseaeeeeeessaeeeeeeesessaeeeees 94 4 4 5 Denying File Attachments by Type Example ccccccccsceeceeceeeeeeeeaeeeeeeeseeeeesaeeeeeeeaas 103 4 4 6 Limiting Message Size Example cccccccccccceeeeeeeeaeeeeeeeeeeeeesaeeeeessaeeeeeseeeeessaaaeeeeeeas 107 4 4 7 Denying Attachment Types and Sizes Example cccccccccccceceeseeeeeeaeeeeeeeeeseeesaaaeeees 111 SE PAM Wall eec a e EE e A E EE 116 5 2 Address FINENDO usciciserssriasrs eade a a i i oae 116 5 2 1 Blocking Senders and or Recipients Example cccccceecesseeeeeeeesaeeeeeeeeeeseeseeeeeeeeas 117 5 3 Content Filtering With Dictionaries cc cccccc cscs eeeeceeeceeeeeeeeeeese
33. AntiVir Exchange functions and processes that are run on the Exchange server only The Avira AntiVir Exchange server can be installed in simple environments as well as more complex front end back end environments Avira AntiVir Exchange Server consists of several elements 3 1 2 1 Grabber The Grabber is a process ensuring that all messages schedule queries etc sent received or routed by the Exchange server are intercepted grabbed The SMTP protocol is used in Microsoft Exchange for transporting e mail schedule queries etc The entire e mail traffic is channeled through the SMTP Advanced Queue a part of the SMTP protocol regardless of whether the mail is internal between mailboxes on the same server or mailbox store inbound or outbound All messages must go through the Advanced Queue The Grabber is latched in to this Advanced Queue As a registered Event Sink it monitors the mail traffic and routes all relevant information to the Avira AntiVir Exchange service the second Avira AntiVir Exchange Server component Each message is held there until Avira AntiVir Exchange Server has finished processing it Note Exchange internal information for instance replication messages are recognized as such by the Grabber and left in the Exchange system unchanged 3 1 2 2 Avira AntiVir Exchange Service Enterprise Message Handler EMH As Windows service the Avira AntiVir Exchange service is started on a permanent basis an
34. Antivir S canniru f aa Antivir Attachment Filtering Antivir AttachmentSize Filtering Antivir Email Size Filtering Antivir Wall E mail Address Filtering EB Antivir Wall Content Filtering Ok Cancel Antivir Wall Recipient Lirit Filtering You can reset the options in one of three ways 1 Under Filter options select No Filter 2 Right click View Show all objects 3 Use the icon in the toolbar 7K The AntiVir Monitor view displays a maximum of 10 000 e mails at a time the most recent ones To view older e mails select appropriate filter options to restrict the e mails displayed A Quarantined Message To view this information double click the quarantined message or right click and select Properties of the quarantined e mail The Message tab contains a summary of the important information 65 Avira AntiVir Exchange 7 Quarantine Item Ed Email Information Date Time Pee Sender SMTP ee dd to Sender SS Recipients SM TF iarniniatore Recipients tlail Subject ee 0 Email size 207 78 kB Label SS CC Attachment informations Subject Wi test Date Fri S Jun 2009 09 46 06 0200 Message ID lt BF4E SRA0D5EDSCADBIDIBES 7 YDOBE BBE D248 Sea ne pares e M5 Has Athach yes MIME Version 1 0 Content Type application ms tnet name winmail dat Content Transfer Encoding binary amp MS TNEF Corelator lt BF4E SBA0D5E 0 SC408 901 6E 2 DOBEBREO24CB 3m nies Sencar Thread T opic
35. Contig Contig ata xml mE Filetime 2OO09 06 25716 54 12 E Wersion 1 1 0 E Status Configuration successfully running since YSOOUS O6B 2S5T7T1L6 54 23 License information m License Antivir for Exchange License Customer Wersian 7 1 Serveri i Mode FULL State VALID Walid until 2009 12 31 IS Scan information E ScannerOLl state Loaded E Wersion 110 E Last version update 2009 06 25T14 02 00 y OF Cancel Apply The status of the scanner DLL for the Information Store scan When the DLL indicates Loaded the Information Store scan is enabled The Information Store scan version This number is incremented with every restart The date of the last version update and the time and date of the last restart Under the Information Store Scan tab you can restart background scanning 92 Avira AntiVir Exchange 7 Properties Ba General Scan engine Test Information Store Scan Scan endine for Background Scan E When scanning is restarted all elements in the Information Store are checked one more time This applies to all three scan modes If you have enabled background scanning this scan may take a long time and use a lot of processor capacity It is therefore advisable to restart scanning during periods of low system usage 4 4 File Restrictions for Attachments Files can be restricted according to their type and size you can deny specific file types and you can specify maximum message and atta
36. F Users UZ ri Groups fe Dynamic groups fee ES Contacts Tats on Organizational units i vee qui U RSE lists 2j Bi lel E Antivir address lists Email address FF All Sender Recipients PF Antivir Administrators Ci Directory Users FF Extemal Sender Alecipients FF Intemal Sender Recipients Add Email address Remove Selected addresses FF Internal Sender Recipients Cancel The Avira AntiVir Exchange address lists are permanent lists generated from the global Avira AntiVir Exchange Server settings that are prompted for and entered during 40 Avira AntiVir Exchange 7 installation or which you have configured manually Also refer to Avira AntiVir Exchange Server settings Tip User defined address lists and AntiVir address lists are available only when you select addresses for a job User defined address lists can be edited at any time AntiVir address lists cannot be edited at all 3 3 1 6 Creating Notification Templates In each job under Actions you can specify the persons to be notified when Avira AntiVir Exchange has intercepted a denied message You can create new jobs using templates simply select the appropriate template for the job type For further information on the individual job types refer to Policy Configuration The notification templates for the individual jobs content filtering virus scanning etc are created under Basic Configuration Creating a notification templ
37. If SQL Server and Avira AntiVir Exchange Server are installed on the same computer the following must be met e The installations of SQL Server and Avira AntiVir Exchange Server are complete e The database s have been set up and the corresponding tables created e Atleast one user is defined as database user e This database user has sufficient rights to the database e The ADO driver has been installed on the Avira AntiVir Exchange server If SQL Server and Avira AntiVir Exchange Server are installed on different systems the following has to be additionally ensured e The protocol set on the SQL server meets the requirements for external server operation e The service has been restarted after completing the SQL Server configuration The database connection between Avira AntiVir Exchange and the SQL server is established through the ADO protocol 1 Under Basic Configuration General Settings Database Connections create a new database connection 2 Assign a Name for the connection configuration 3 Enter the ADO string information in the Connection stringfield 4 Enter the required values manually or use the Avira AntiVir Exchange variables available Server Catalog etc which will be replaced with appropriate values at runtime 47 Avira AntiVir Exchange 7 Properties of Database Connection Sample Ea General Details Jatabase Lonnection Sam Lee v Mame Database Connection 5 ample Server Connection
38. Name of the denied file type AntiVir Fingerprint category VAR Fingerprintcategory VAR Category of the denied file type AntiVir e mail size VAR MessageSize VAR Overall size of the message AntiVir Attachment name VAR AttachmentName VAR Names of the denied infected attachments AntiVir E mail size limit VAR SetSizeLimit V AR Maximum message size specified in the job AntiVir Virus name VAR Virusname VAR Names of the found viruses AntiVir Virus scanner VAR VirusScanner VAR Names of the scan engines that have found the virus Information Store Scan 42 Avira AntiVir Exchange 7 IS Scan Database VAR VSAPI_Database VAR Name of the Information Store in which the message was located at the time of the virus scan IS Scan Database URL VAR VSAPL_Url VAR URL of the Information Store in which the message was located at the time of the virus scan IS Scan Error description VAR VSAPIL ErrorText VAR Further description in the event of an error through the Information Store job IS Scan Submit time VAR VSAPIL SubmitTime VAR Date and time at which message was sent IS Scan Message URL VAR VSAPI MessageUrl VAR Information Store URL of the message at the time of the virus scan IS Scan Folder VAR VSAPL Folder VAR Name of the Information Store folder in which the message was located at the time of the virus scan IS Scan Mailbox VAR VSAPIL Mailbox VAR Name of the mailbox in which the mess
39. Properties of Advanced spam filtering x General Addresses Conditions Schone Server Details Achon Settings Spam Probability Mone 0 29 Subject extension Y Spam Probability Low 30 69 Spam Probability Medium 70 90 Spam Probability High 91 100 Advanced Configuration Definite Criteria Combined Criteria jf Write spam result in Exchange SCL field jw Write spam value in mail header field B Cancel Apply In this example the following spam probabilities are specified In the Spam Probability None value here 0 29 range no actions are usually 135 Avira AntiVir Exchange 7 performed The only possible action in this probability range is to add a Subject extension which you can define on this tab You could for example enter Checked for spam In the Spam Probability Low here 30 to 69 range the actions are defined ona separate tab Click the Low button The following dialog appears Low Achons for low spam probability Standard agaa OOO 2 Copy to Quarantine using label Delete Email Add e mail senderfrecipients to userlist Add subject extension Spam probability VAR spamvalue VAR at the beginning Send notification to Administrator Send notification to All Senders Send notification ta All Recipients jia Add The only action defined in this example is to add the probability as subject extension To configure the
40. SQL database The supported databases include MS SQL Server 2000 and MS SQL Server 2005 in addition MS SQL Server 2005 Express can be used with restricted CPU memory capacity When to use SQL servers A Microsoft SQL server could be used in multi server environments without server synchronization in order to ensure that each user receives a single central whitelist only for all servers involved A Microsoft SQL server could also be used for Quarantine databases If multiple SQL servers as well as multiple Avira AntiVir Exchange servers are installed in a multi server environments the servers can be arranged in pairs This means that a local SQL server is installed on each Avira AntiVir Exchange server and therefore only one database connection needs to be set up Note Please note that Avira AntiVir Exchange is optimized for being used as a local database based on the MS Jet Engine Complex server environments require a number of configurations of both Avira AntiVir Exchange and MS SQL Server which go beyond the scope of this document Please contact our Support for details Configuration of the Database Connection The following sections describe the configuration of database connections between Avira AntiVir Exchange and a Microsoft SQL server Please note that a distinction is made between a central MS SQL server for central user whitelists and a local MS SQL server for the Quarantine SQL Server and Avira AntiVir Exchange Server
41. Store jobs please refer to 4 2 2 Scanning in the Information Store 1 4 Observing Data in AntiVir Monitor After having saved your settings use the AntiVir Monitor to monitor the operation of Avira AntiVir Exchange With the AntiVir Monitor you can view current data in real time and manage for example the Quarantine Areas of the configured Servers For details refer to 3 3 3 AntiVir Monitor Avira AntiVir Exchange 7 2 Installation 2 1 System Requirements To install Avira AntiVir Exchange your system must meet the following requirements CD ROM drive or network access RAM Exchange recommendation plus additional 64 MB Hard disk at least 400 MB for installation Microsoft NET Framework 2 x Operating systems e Windows 2000 Server from Service Pack 4 e Windows 2000 Advanced Server from Service Pack 4 e Windows Server 2003 e Windows Server 2008 e Exchange Server e MS Exchange Server 2000 as of Service Pack 4 e MS Exchange Server 2000 Enterprise Edition as of Service Pack 4 e MS Exchange Server 2003 e MS Exchange Server 2007 SP1 Update Rollup 4 Hub Mailbox Attention Disable any real time or on access scan functions of your scan engines forthe Avira AntiVir Exchange AntiVirData directory 2 2 Installation of the Virus Scanner The AntiVir scan engine is fully preconfigured and ready for immediate use A virus scanning job that uses AntiVir is supplied and only needs to be enabled Also refer to 4 2 3 Configuring a
42. Update view Export list 20 Avira AntiVir Exchange 7 Bo S Move up one position New item BE Set filter in Quarantine badmail xe Disable filter in Quarantine badmail 3 2 2 Icons OO a An individual Avira AntiVir Exchange address list red collar Included by default in Avira AntiVir Exchange cannot be edited An individual user defined address list yellow collar Created by the user and to be configured under Properties B Notification Templates folder which contains the individual templates e a for each job type and recipient An individual notification template to be configured under Properties Icon for Database Connections Icon for an individual database connection to be configured under Properties A list of all Avira AntiVir Exchange servers in which you can add remove and configure servers The common server properties are defined under General Settings AntiVir Servers Settings Alternatively right click AntiVir Server Properties This includes the default e mail addresses and the internal domain s General AntiVir Servers Settings under the General Settings node in the Fal window on the right An individual AntiVir server to be configured under Properties Folder Settings and Utility Settings Folder Settings includes the quarantines while Utility Settings covers all add ons such as virus scanner fingerprints 21 Avira AntiVir Exchange 7 dictionaries The Q
43. Vir Exchange Normally you do not have to make any changes to these fingerprints Refer to Configuring Fingerprints 59 Avira AntiVir Exchange 7 Dictionaries Here you can create dictionaries of text strings that you want AntiVir Wall content and spam filtering to block We have already created a few dictionary categories that you can customize to your requirements Refer to Setting up Dictionaries AntiVir Engine For details on the configuration of the virus scanner refer to Configuring and Enabling the AntiVir Scanner 3 3 2 Policy Configuration The Policy Configuration is used to implement the company policies by way of jobs Under Policy Configuration define your Avira AntiVir Exchange jobs based on your company s own policies Using a range of conditions or filters you can specify the messages that will be intercepted the actions to be performed and scheduled and the priority of each job i e the order in which jobs are run All conditions can be configured within the jobs Together the Avira AntiVir Exchange jobs form your company s policy 3 3 2 1 Corporate Policy Example All incoming spam messages are to be detected deleted and quarantined You do not want the junk mail to be delivered but its recipients should be notified about received spam so that they can decide for themselves which messages to accept Notifications are to be sent daily in the form of a Summary report To implement this use
44. a AntiVir Exchange server as Trusted Server enter Trusted_Connection No manually no Avira AntiVir Exchange variable available Initial Catalog DBCatalog mandatory parameter which sets the database to be used Enter the parameter Initial Catalog manually in the string and set the Avira AntiVir Exchange variable Database If using the SQL server for the Quarantine the variable DBCatalog will be replaced with the name of the database set under Quarantine Properties in 48 Avira AntiVir Exchange 7 the Folder name field On the other hand if using the SQL server for a central whitelist the variable DBCatalog will be replaced with the fixed name Whitelist You can use the DBCatalog variable to use a database connection for multiple databases within a MS SQL Server Please note that the databases need to be created exactly under that name Otherwise any connection attempts will fail e Data Source LOCALHOST SQLEXPRESS mandatory parameter for a locally installed MS SQL Server 2005 Express In this case enter the Data Source parameter manually an set the Avira AntiVir Exchange variable Server as required The Server variable will be replaced with the server s NetBios name at runtime If working with sub domains in more complex environments you can also use the Avira AntiVir Exchange variable Server network in which case the ServerFQDN variable is set and the server s FQDN Fully Qualified Domain Na
45. abled for direct access Anti Spam Blacklist Anti Spam Newsletter Blacklist Anti Spam Newsletter Whitelist Anti Spam Whitelist 9 Click OK again 10 To delete an address list click Address lists right click the list and select Delete from the context menu Using and Handling Addresses Within a Job In each job the Addresses tab allows to set the users for whom a job is valid Most of the current application cases can be set with options available 36 Avira AntiVir Exchange 7 Properties of Block video files x General Addresses Conditions Fingerprints Actions Server Details S ender Recipient conditions Advanced Message from fan Sender Recipients hd Addressed to Jan Sender Recipients ha caret ah Set whether the job is to be valid for all users or restricted to internal or external users This selection is available for senders and recipients Note Both conditions in the Message from and Addressed to fields must come true for an action to be triggered logical AND Split up emails with multiple recipients If a message is addressed to several recipients and one or more of these are entered in an address filtering job the message is split into two e mails one for the recipients specified in the address filtering job and one for the remaining recipients Only the message with the specified recipients is processed by the job The message is not split if no address filtering was defined for t
46. actions for the Spam Probability Medium range set here from 70 to 90 click the Medium button The following dialog appears 136 Avira AntiVir Exchange 7 Medium Achons for medium spam probability Standard Capy to Quarantine Spam Middle using label no label Delete Email Add e mail sender recipients ta userlist Add subject extension Spam probability VAR spamvbalue VAR at the beginning Send Administrator spam detected ta Administrator 414a s Send notification to All Senders qa Send notification to All Recipients E Add B Cancel Apply The actions defined here are place a copy of the message into Quarantine notify the Administrator deliver the original message to its recipient adding a subject extension to notify the recipient of the spam probability of this message e g Spam probability 75 The higher this value the greater the likelinood that this is not a high priority message The Spam probability Medium is for those mails that may or may not be spam The low values of this setting mean that a medium spam probability is assumed if a few criteria suggesting a great spam likelihood or many criteria suggesting a small likelihood of soam were found We recommend to store these e mails in a separate Quarantine Spam Middle and to let the recipients decide what to do with them Tip Summary reports can be used to notify users of quarantined spam mails addressed to them You can also u
47. aeeeeeeeeeseeseeeeeesseeeeeeeeneas 120 5 3 1 Setting up Dictionaries sxcssgecccsesncccccecsececcceauspacarswnccseldanctasdacsannatuenesdicitsaiadnariendetbneadeaedecasecenaseanersnaee 121 5 3 2 Checking and Denying Text Contents Example 0cccccccccccccseseeeeeeesaeeeeeeeeeeseeeeeeeees 125 5 4 Anti Spam with the AntiVir Wall Spam Filtering Job cc ecccceceeeeeeeeeeeeeeesaaeeeeeaeees 129 5 4 1 Definite No Spam Criteria 2 0 0 0 cccccccceeeeeseeeeeeeeeeeeeeeeeessaeeeeeeeeeeeeeeeeeessaeeeeeeesseaeaeeeeeesaas 131 5 4 2 Definite Spam Criteria ccc cccccc cesses ceeeeeaeeeeeeeeeeeeeeeeeeeeeseeeeeeeeeeeseeeeeeeeessueeeeeeessssaeeeeeeeseaas 132 54 3 Pra a tical TIPS sictencansvanensdancen uattanavandecanrenatansons vend donasceenatonnciatacsiinavenhidiesudandenasevenccrmaarinbesndarveundiiarane 132 5 4 4 Spam Filtering Exampl rescore sesenseeecceczenetinncone sade a rmenineueuicedec Eai aes 133 5 4 5 Advanced Spam Filtering ccc c so ssaete ees cectecensted aemenanetsananasng a tsiannaeaSepsenasacacseGasetactebdeaaessteonasee icine esas 145 5 4 6 Manual Spam Filtering Configuration cccccccececccceeeeeeeeeeeeeeeeeeeeeeeeesaeeeeeeessaaeeseeessanaaees 149 5 5 Using SPACE for Fighting Spam cccccccccccceeccececaaeeeeeeeseeaeeeeeeeseaeeeeeeeseseaeeeeeeeesseeeeeeeeeeas 149 5 5 1 SPACE Engine Configuration ccccccccccccccccceeceeeeeeeeeeseeeeeeeeeeeseeeeeeeeesseeeeeeee
48. age was located at the time of the virus scan IS Scan Server VAR VSAPI_Server VAR Name of the server on which the virus scan was performed through the Information Store scan IS Scan Virus scanner VAR virusscanner VAR Names of the scan engine that has found the virus IS Scan Virus name VAR virusname VAR Names of the found viruses IS Scan Delivery time VAR VSAPL_ DeliveryTime VAR Date and time at which message was delivered Wall Wall Detailed content checking VAR DeniedContentTabHTML Detailed information on the VAR words sentences found Wall Mail part VAR DeniedMailParts VAR Attachments message body texts causing the action Wall Restricted dictionaries VAR DeniedWordlists VAR Dictionaries triggering the action because a value threshold was reached Wall Restricted words VAR DeniedWord VAR Word triggering the action because value threshold was reached Spam fitering Ne Wall SCL result VAR SCLAnalysis VAR Return value of the SCL probability level after having 43 Avira AntiVir Exchange 7 Wall Spam analysis details VAR SpamReportHTML VAR Detailed information on each spam criterion Wall Spam probability VAR SpamValue VAR Calculated spam probability value from 0 to 100 This value is compared with the individually defined threshold values in the advanced spam filtering job Wall Spam level VAR SpamLevel VAR AntiVir Wall adds a spam level in the form of an as
49. all AntiVir jobs on this server applies also to those jobs for which the option Quarantined e mails Check emails resent from quarantine has been enabled This means that even if you want quarantined e mails to be processed again all jobs for which the option Ignore emails resent from quarantine is selected will be excluded 71 Avira AntiVir Exchange 7 Adding Senders to an Address List Bad Mail If the e mail of a specific sender has been quarantined but you wish future mails from this sender to be accepted you can add the sender to one of your address lists e g Anti Spam Whitelist 1 In Avira AntiVir Exchange Monitor open the Quarantine where the desired mail is located 2 Right click the mail and enable All tasks Add sender to addresslist 3 Select the address list to which the sender is to be added lf you want to make sure that all senders from a specific domain are accepted and let through to the recipients mailboxes proceed in the same way but select the option Add sender domain to addresslist This avoids having to add every single e mail sender from a domain e g a customer to the address list individually The address is added in the form samplecompany com Note In both cases the option Allow adding addresses from quarantine must be enabled within the address list Otherwise the selected sender address cannot be added to the list Messages that cannot be processed by AntiVir jobs such as messages w
50. ally invalid e mail addresses such as info domain Press Enter before each new entry To search for an entry in a large list of custom addresses click on the Search icon ga This text search function is also available for dictionaries re To remove an entry from the list select it and click Remove 4 Select Addresses _ Oy x E E Addresses Antivir address lists TE am Email address ae E a ae FH All Sender Recipients LE a KO F Antivir Administrators ae f Users P T F Directory Users ae i Users UZ F Enternal Sender Fecipients es Groups 2 intemal Sender Recipients fs se f Dynamic groups pe Contacts Ea Organizational units Ai User defined address lists Aad Heme Fs Antivir address lists A EA TAE sddnoeses a User defined addresses i Y Search addresses FF Intemal Sender Recipients 7 7 Click OK Your address list should now look like this 35 Avira AntiVir Exchange 7 Properties of New address list x General Jobs Details qr HVAUUKESS ISE Mame M y address list M Allow adding addresses from quarantine E mall address ed Fis SyviralambH SADSBS Srdebs supp 8 Allow adding addresses from quarantine Use this option to specify whether or not addresses from quarantined messages can be directly added to this address list When checked you can add the quarantined mail s sender address to various address lists with the Add button in 3 3 3 AntiVir Monitor By default the following address lists are en
51. ameter field Enable this field if the job is to clean an infected mail or attachment After you have defined what is to be checked specify two different actions 1 One to be performed in case a virus was found and the file could not be cleaned 2 and another in case the file was cleaned successfully if you have selected this option The configuration of the actions is the same in both cases The following examples illustrates the fist case 81 Avira AntiVir Exchange 7 Malware found E Actions for malware found and not removed Standard x Copy infected email to Quarantine Infected Mails using label no label Delete Email Attachment Add e mail s nderfrecipients ta userlist Add subject extension Virus or unwanted program found and attachment removed atthe end Send Administrator virus or unwanted program found to Administrator Send Sender virus of unwanted program found to All Senders Send Recipient virus or unwanted program found to All Recipients q1 AAI da O jid Add B Cancel Apply In this example a copy of the e mail is placed in Quarantine and the infected attachments are deleted The message is delivered to its recipient only if the message body is virus free and the attachment could be deleted A notification on the virus is sent to the Administrator You can select this notification from the list menu of available notification templates which you can fo
52. and finds restricted content It triggers an alarm and initiates a series of actions that you have specified for the job under Actions Let s assume that you have specified the following i The message is to be moved into the Quarantine folder you have created and will not be delivered to the recipient Notifications with the relevant information from the Wall job are sent to the Administrator the sender and the recipient The actions available are the same as for address filtering 5 3 1 Setting up Dictionaries 1 Click Dictionaries 2 To open a dictionary double click it in the right pane 3 Under the General tab enter a name for the dictionary 4 Give the dictionary a weighting from 1 to 200 The dictionary weighting applies to each word or phrase and determines the relationship to other dictionaries and to what extent the dictionary is taken into account To select servers and specify job details proceed as described under Selecting Servers and Entering Job Details For further information on weighting refer to Checking and Denying Text Contents Example 5 Click the input field for the words and add words and phrases that you want to forbid Each word and or phrase must stand on its own line separated by a line break Enter key The following wildcards can be used in dictionaries Asterisk The asterisk represents none or more characters within a word or phrase Examples check will find check
53. ase LocIdxDB mdb For each quarantined e mail Avira AntiVir Exchange automatically creates an entry in the Quarantine database a Microsoft Access file The following information is stored in that database Message Subject line Date and time Message sender Message recipient E mail sender SMTP E mail recipient SMTP Short description of the applicable restriction Message size Name of the Avira AntiVir Exchange job that quarantined the message Name of the Exchange server Name of the e mail file Processing history When you view an Avira AntiVir Exchange Quarantine using AntiVir Exchange Management Console the information from the Quarantine database is shown first When you open a Quarantine entry further information is read from the e mail file For communicating with the Quarantine Avira AntiVir Exchange uses SOAP Simple Object Access Protocol and SSL Secure Socket Layer This applies both to local access directly on the server and to access from remote Windows workstations By default port 8008 is used for communications You can change this port in AntiVir Exchange Management Console Basic Configuration AntiVir Server node but you must then also make this change in all other Avira AntiVir Exchange consoles that access the server All stations must use the same port SSL is used to encrypt the SOAP communications channel The required components are included in the installation 17 Av
54. at text body and attachment have been checked by the current virus signature file If they have not the message is scanned before being forwarded to the client On demand scanning is the most commonly used task for Information Store scanning Pro active scan The proactive scan catches new messages before these are accessed by a client through an on demand scan Used in addition to on demand scanning it can help to speed up client access Background scan A background scan checks all elements of the Information Store It can be activated separately for the public and private Information Stores and scans all elements that were not yet scanned with the current scanner signature file In addition to a scheduled execution the background scan is run whenever the database is loaded for example when a server is started The Information Store scan is a global function that applies to the entire server so that only one AntiVir Information Store scan job exists on each server as opposed to any number of virus scanning jobs If a virus is found in a mail various actions tailored to the Information Store scan can be performed block object Object blocking denies access to the entire message object Current Microsoft mail clients generate a message when the user tries to open a blocked message while other and older clients may respond differently The blocked message can always 74 Avira AntiVir Exchange 7 be deleted however repla
55. ate You can find standard notification templates for each module under Basic Configuration General Settings Templates 1 Click Templates and select the template type 2 Inthe right pane right click the template you want to use and select Properties 3 Enter the Notification Subject 4 For the notification body text select the Notification Body tab and click Edit To add layout to your text with HTML use the Formatting toolbar To enter HTML tags directly open the source code with the Source button 5 The Jobs tab lists the jobs that use the notification template 6 Click OK List of Notification Variables The following variables can be entered in notification texts and notification subject lines Click on the arrow next to the Variable button v to insert them directly Note that the tokens VAR and VAR are case sensitive and must always be written in capital letters General General Sender VAR Mailsender VAR Sender of the message that triggered the action General Sender SMTP VAR From VAR Sender SMTP of the message that triggered the action General Subject VAR Subject VAR Subject line of the message that triggered the action General Date and Time VAR Date VAR Date and time at which the job that started the action was run General Date VAR DateOnly VAR Date on which the job that started the action was run General Recipient s VAR Recipients VAR Recipients of the message that trig
56. attachment is Except when message attachmentis Mo fingerprints selected 105 Avira AntiVir Exchange 7 Scan inside compressed attachments means that the internal unpacker opens archives and checks the files it contains for the fingerprints specified If this option is disabled only the archive is checked and identified as compressed format 2 Fingerprint conditions Click Video or No fingerprints selected to select a fingerprint category or an individual fingerprint from the list The following view appears Select Fingerprints aire arenas ESS aa E All Fingerprints Selected Fingerprints i EE Fingerprints Video Fl as All fingerprints ao Unassigned fingerprints Archive Gl ASCII ao Documents EAS Encryption lo Executables Add Remove Fe Fonts ge Images Exceptions A Interet Blt Mail ao Microzott Office lt Microsoft Office 2007 Hd Microsoft Windows El ao Misc ao OpenOffice HiS Sound md Sound MP3 Add Remove 3 Double click the category in the left pane or click the sign to open it then press the Add or Remove buttons to assign entire categories or individual fingerprints to the list of denied and or allowed fingerprints Tip You can enter a category such as Video under Selected Fingerprints and define one or more fingerprints from that category as exception under Exceptions To keep a clear overview do not use the same job for too many categories Defining Actions 1 Under
57. b click on Start If successful an OK is returned along with a message saying that an EICAR test virus was found 75 Avira AntiVir Exchange 7 Properties of Avira Anti ir Scan Engine x General Return Lode Settings Jobs Details ms R Bate ANUE Scan Engine Name Enabled Yes No Avia a Intertace rtk_antivir dl Parameter decomp Different clean parameter Clean parameter Timeout 900 Seconds Concurrent calls M Allow multiple concurrent calls B Cancel Apply You can change the properties of the scan engine under Basic Configuration Utility Settings AntiVir Engine Properties The name of the Avira antivirus interface DLL must be entered in the Avira AV Interface field This DLL file represents the link between Avira AntiVir Exchange and the virus scanner This entry is pre configured for all scan engines and must not be changed In the Parameter field enter the parameter to be used by the virus scanner for scanning To configure the virus scanner so that e mails or attachments are cleaned when a virus is detected enable the Different clean parameter option and enter the appropriate parameter in the Clean parameter field underneath Note If you wish to use the scan engine for virus checking only use the AntiVir job Scanning with AntiVir Engine and disable the Remove malware option in the Actions tab If the virus scanner is to clean any infected files found use th
58. bability based on other criteria will also be placed into this category 5 4 3 Practical Tips Depending on your working environment the job may sometimes classify normal and wanted mail as spam If that happens try the following configuration settings 132 Avira AntiVir Exchange 7 1 lf the affected e mails all exceed the spam probability threshold by only a small amount increase the threshold value to avoid false positives If e mails from a particular sender are regularly classified incorrectly as spam add this sender to the Active Directory or the whitelist under Definite Criteria No Spam so that these e mails are no longer checked for spam Try to identify terms and expressions typically used in the affected e mails and enter them in the Business Words dictionary These words will then be taken into account through the No Spam criterion Body business phrases so that e mails containing them will receive a lower spam value If the number of false positives is still unacceptably high after you have taken the above measures try to identify which criteria have caused the incorrect classification To do so you can use the Cause Description in the Quarantine or the AntiVir Wall Spam analysis details label variable If the same criterion is always responsible reduce its significance by reducing the relevance of this criterion by one level under Combined Criteria This criterion then has a lower relevance in determining the
59. bject The new version replaces the old one overwriting any user defined settings To update any elements and items such as dictionaries and fingerprints with a new version 1 Select Basic Configuration All Tasks Import Configuration 2 Select the appropriate XML file provided by Avira for update purposes Attention This function updates only individual jobs not the complete configuration ConfigData xml 3 3 1 3 AntiVir Servers Settings The AntiVir Servers Settings option is used to configure the standard settings for all Avira 24 Avira AntiVir Exchange 7 AntiVir Exchange servers Additionally each server can be configured individually for details refer to 3 3 1 4 Settings for an Individual AntiVir Server 1 Select Basic Configuration General Settings 2 To open the Properties a In the right window right click on AntiVir Servers Settings and select Properties b Or open the Properties with a double click on AntiVir Servers Settings c Or in the left window section under Basic Configuration right click on AntiVir Server and select Properties Packed Files and AntiVir Monitor The settings on the General tab set the maximum size of unpacked files on the hard disk and the maximum recursion depth for archives Whenever an e mail exceeds one of these values it is moved to the BADMAIL area Attention Be sure to use a correct setting for the communication port for AntiVir Monitor Otherwise communication with
60. can themselves contain further archives By default such recursively compressed files are decompressed to a nesting depth of five levels All archives exceeding this nesting depth are moved to the badmail folder The standard upper limit for an e mail including unpacked files is 500 MB Such a limit is particularly important to handle so called ZIP of Death attacks The recursion depth and the space restriction can be changed in the console under General Settings AntiVir Servers Settings Properties General tab 3 1 3 Avira AntiVir Exchange Configuration 18 Avira AntiVir Exchange 7 All information required to run Avira AntiVir Exchange is saved in the Avira AntiVir Exchange configuration file an XML file named ConfigData xml The structure of the ConfigData xml file is similar to that of a database various entries exist for each configuration area Since all configuration settings are stored in a single file the configuration can be easily distributed and backed up If you have a problem with the configuration you can simply send the ConfigData xml file to the Avira Support team for assistance The configuration settings are needed by both the Avira AntiVir Exchange Server and the AntiVir Exchange Management Console The Avira AntiVir Exchange server needs it for example to be informed of the Avira AntiVir Exchange jobs to be carried out To make changes to the configuration with the console the console must be able to access
61. ce with You can replace infected elements with an information text The infected element is then deleted mark as not infected In exceptional cases you may decide that an infected element is not to be flagged infected Subsequent virus scans will then find the virus again This action is intended for testing only as it provides no protection for users and the system Note Virus scanning in the MS Exchange Information Store is performed by the Microsoft Virus Scanning API version 2 0 2 5 For further information visit htto support microsoft com kb 28566 7 EN Attention Messages blocked by the Information Store scan may result in error messages during Information Store backups Attention Exiting or uninstalling Avira AntiVir Exchange and terminating the Information Store scan jobs releases any elements that were blocked due to virus infection as well as disabling the Information Store s active virus protection 4 2 3 Configuring and Enabling the AntiVir Scanner Except for the AntiVir scan engine we do not supply any virus scanners Avira AntiVir Exchange calls the scan engine through the Avira AV Interface a DLL file Attention Disable any real time or on access scan functions of your scan engines forthe Avira AntiVir Exchange AntiVirData directory Test your scan engine for correct operation Under AntiVir Monitor select the desired server name and in the right pane click Server Status Under the Scan engine Test ta
62. chment sizes Both the size and the type of attachments can also be checked with a single job 4 4 1 By Type AntiVir must be able to identify files according to their type This is done by way of file fingerprints which contain a binary file pattern for example for exe files and or the file extension for example for vbs files 93 Avira AntiVir Exchange 7 The result of this scan is compared with the denied allowed fingerprints under Fingerprint conditions set in the job properties and blocked or delivered accordingly For denied files the job actions are performed for instance for a mail with a denied attachment e The denied attachment is copied to the Quarantine folder e The message text is delivered to the recipient e Notifications are sent to the Administrator and the sender An AntiVir Attachment Filtering job can perform the following actions Place the entire e mail in Quarantine Remove affected attachments from the message Delete the affected message without delivering it Add email sender or recipients to the userlist Add a subject extension Notify the Administrator Notify the sender Notify the recipient Add label Notify other user defined recipients Start external program Add Avira tag and value Add header field and value Redirect mail 4 4 2 By Message Size E mails can be scanned and denied according to their total size The e mail size limit is specified under t
63. ctive Directory users E mails from User Whitelist enties Email subject containing these words Select dictionaries Antispam Content Whitelist Set threshold Scan email body Emails containing attachments Minimum number Emails with minimum size of Kilobyte i Ee UF Cancel Apply If you want to systematically allow e mails from specific senders click Antispam Whitelist and Antispam Newsletter Whitelist in the criterion Emails from these trusted senders Whitelist The address selection dialog appears 140 Avira AntiVir Exchange 7 4 Select Addresses Oo Eley Addresses H E Users S f T 28 Antispam Blacklist fesse namic groups FE HECTRSR CET CORR OR on Fa OLE OTOL OE OE EN EO OE ORE ERE EEE E E sae P PT Antispam Newsletter Blacklist PT Antispam Newsletter Whitelist Bee ta Organizational units biii Ee 5 User defined address lists 7 Antispam Whitelist User defined address lists User defined addresses i My address list a E Search addresses Add Remove Email address ET Antispam whitelist ET Antispam Newsletter Whitelist e Cancel Select or enter the addresses that are to be always allowed as sender You can use the asterisk and question mark as wildcard Alternatively you can specify entire domains in the form domain com After having entered all addresses click OK In the Definite No Spam Criteria dialog you can now customize the next crit
64. d badmail folders In addition it provides access to statistical evaluations The Monitor lists all servers configured under Basic Configuration AntiVir Server The AntiVir Monitor accesses the servers via the network using SOAP SSL encryption To enable access to a server first enter the server under Basic Configuration AntiVir Server and then refresh the AntiVir Monitor view For details on how to add a server please refer to Settings for an Individual Avira AntiVir Exchange Server Also make sure your Quarantine has been set up according to the instructions under Quarantine Configuration You can view detailed information on the Avira AntiVir Exchange version configuration etc for each server in AntiVir Monitor right click the desired server and select Properties The AntiVir Monitor requires a logon as authorized user If you are not logged on to the server locally a logon dialog will prompt you for a user name and password to access the corresponding domain The AntiVir Monitor access rights are set in the properties of the 63 Avira AntiVir Exchange 7 access acl file in the folder Avira Avira AntiVir Exchange AppData Select the Security tab and provide the desired users at least with write access To observe data in the Monitor 1 Click on the desired server 2 Authenticate yourself with a user name and a password with sufficient rights to access the Avira AntiVir Exchange data on the server s file system
65. d uses all information provided by the Grabber From then on the subsequent processing through Avira AntiVir Exchange is entirely monitored and controlled by the Avira AntiVir Exchange service If the Avira AntiVir Exchange service is stopped the Avira AntiVir Exchange security functions are switched off The Avira AntiVir Exchange service has access to all information required including for instance the configured Avira AntiVir Exchange jobs the installed Avira AntiVir Exchange license 16 Avira AntiVir Exchange 7 the Active Directory the Avira AntiVir Exchange Quarantine Using this information it scans messages for viruses identifies and quarantines spam and adds legal liability disclaimers After processing is complete the Avira AntiVir Exchange service returns the e mails to the Exchange server 3 1 2 3 Avira AntiVir Exchange Quarantine Virus infected or other undesirable messages can optionally be stopped on the server to prevent them from reaching their intended recipients These messages are instead placed in the Avira AntiVir Exchange Quarantine Several default quarantines are set up on each Avira AntiVir Exchange server during installation The Administrator can set up additional quarantines An Avira AntiVir Exchange Quarantine consists of the following Quarantine directory on the Exchange server AntiVirData Quarantine Default Quarantine the messages copied into the Quarantine Quarantine datab
66. database is insufficient these entries can also be written to a locally installed SQL server This requires having installed MS SQL on the mail server The configuration of the database connection depends on the server environment 1 Depending on the operating environment proceed as described in the corresponding scenarios under Configuration of the Database Connection 2 On each server set Data Source tO LOCALHOST in order to access the locally installed SQL server Note Please note that in the database connection ADO string the DBCatalog variable for the Quarantine database is replaced with the folder name under Quarantine Properties Folder Name This allows to use one database connection for several Quarantine databases When using SQL databases it could happen that the database service fails or becomes inaccessible As a result the Quarantine cannot be accessed during that period of unavailability and any e mails that should have been quarantined cannot be stored properly To handle e mails when the Quarantine is unavailable you can enable the option Quarantine is mission critical similar to the same option for jobs Quarantine Properties General As soon as a Quarantine is set to mission critical any Quarantine error is immediately signaled to the job The job is stopped and the job troubleshooting routine is started The action performed with the e mail ignore job or move to badmail directory depends on th
67. dies of all inbound e mails for spam This dictionary has a weighting value of 5 If a word or phrase from this dictionary is found in an e mail for instance check it out it receives a score of 5 Now specify the number of occurrences required for this criterion to be taken into account in the overall score Minimum threshold as well as the maximum number of occurrences allowed Maximum score To do so add up the value of the words to be found If for instance you specify a value of 30 as in our pre configured job six different words from this dictionary must be found in the message for the message to be classified as spam according to this criterion If only three words are found the message is not definitely spam according to this criterion but the probability of it being spam is already quite high If the dictionary had a threshold value of 10 three hits would be enough to classify the e mail as spam Note Words that occur more than once in an e mail are counted only once lf for example the phrase check it out occurs three times within the same e mail it would add only 5 to the score not 15 as in a normal Wall Content Filtering job In addition specify the Relevance of this criteria which determines the extent to which the criterion is taken into consideration in the overall evaluation If set to Very high the 146 Avira AntiVir Exchange 7 criterion will be taken into account accordingly for the overall value
68. ditions all of which must apply for the specified action to be executed Address filtering can be performed by all job types You can for example create a job that quarantines and deletes all messages without forwarding them to their recipient that were sent from the domains gmx net and hotmail com are larger than 500 KB contain the word Look in the subject field and belong to the fingerprint category Sound This would be an AntiVir Attachment Size Filtering Job Avira AntiVir Exchange is delivered with a number of standard jobs which can be adapted to your requirements Of course you can also create your own jobs Preconfigured jobs are available under Policy Configuration Job Templates With the mouse drag the desired job to Mail Transport Jobs There is no limit to the number of jobs you can create The order in which the jobs will be processed is shown in the job list in Mail Transport Jobs For additional information refer to Job Processing Sequence A job can be enabled or disabled To prevent a job being run you can simply disable it you do not have to permanently delete it from your configuration For each job on the Actions tab you can specify the actions to be executed when a message meets the defined criteria or is virus infected 3 3 2 4 Actions In addition to the job specific actions you can use the following standard actions Copy to Quarantine A copy of the message is placed in the specified Delete e
69. e Mission Critical setting in the job Troubleshooting SQL Servers Problems that occur during the installation or configuration of an SQL server can have various causes Therefore the troubleshooting steps below can only provide basic information as to possible causes Check the port default 1433 or adjust it to your server environment Path for Microsoft SQL Server 2005 Configuration Tools SQL Server Configuration Manager under SQL Native Client Configuration Client Protocols double click TCP IP Path for Microsoft SQL Server 2005 Configuration Tools SQL Server Configuration Manager SQL Server 2005 Services SQL Server Browser Status Running Make sure the SQL Server browser is enabled When a central SQL Server has been installed on a different computer than Avira AntiVir Exchange Server the following requirements must also be met lf using Microsoft SQL Server 2005 select Configuration Tools SQL Server Surface Area Configuration Surface Area Configuration for Services and Connections Under MSSQLSERVER Database Engine Remote Connections select the option Using both TCP IP and named pipes in order to authorize the connection on the SQL server as configured in the ADO string 50 Avira AntiVir Exchange 7 After configuration is complete the SQL Server service has to be restarted Tip Also refer to the Quarantine configuration options Quarantine is mission critical in case of a database service fa
70. e Sy St nfo WIN DOSS ustems2LogF ilesex0807 03 log tet from archive Exchange_AYSUPINF AIPY ZIF extraction exceeded quota for document The Details tab displays Resent information details on the resend process 67 Avira AntiVir Exchange 7 Quarantine Item Message Processing Log Detalls Rezent Information Last resent on 23 06 2009 13 50 15 Resent history 2005 06 2371 13 50 15 Resent by Local user at 10 40 120 127 To eames aes Processing action Deliver the e Mail bypassing any Antivir Exchange jobs on this server A Mail in the Information Store Quarantine To view this information double click the message in the Information Store quarantine or right click and select Properties The Item tab contains a summary of the important information 68 Avira AntiVir Exchange 7 Quarantine Item ltem Information Date Time ii i Sender epi enchendelecd ee Object location STORE SUPPORT2 First Storage Group Mailbox Store SUPPORT2 Posteingang VIAG Recipients 70 TLS OU FIRST ADMINISTRATIVE GROUP CN RECIPIENTS CN WMAIER Subject M E E ES Size ee E E E E E E E EE EES Label iis nna Attachment information File sot HE 72D 69450CAD 441 EB41OEECEE1A6D32E aA To copy the item to another quarantine on this server right click the item and selectAll Tasks Copy to The Processing Log tab shows the name of the job that has quarantined the item the job type the server the r
71. e bytes are counted in reverse The entry 1 for example is the last byte of the file 2 would then be the last but one byte etc The file size is irrelevant for this purpose A start position of 1 and an end position of 1 means that the entire file will be searched for the specified pattern You can also enter two negative values for example 6 as start position and 1 as end position The search is then performed from the last byte to the sixth from last byte regardless of the byte size of the file A positive start position and a negative end position are always possible for example 11 as start position the eleventh byte and 10 as end position the tenth byte from the end You can not enter a negative start position and a positive end position Example Windows OS2 Bitmap files bmp When you open the pattern settings for a bitmap file the following dialog appears 99 Avira AntiVir Exchange 7 30 01 2003 03 00 00 For details on the Check Binary and Name Pattern option refer to Configuring Fingerprints 4 Now click Edit to open the first entry The following dialog appears 100 Avira AntiVir Exchange 7 Enter Binary Pattern Ea Binary Pattern Shark postion hi End position 3 Hexadecimal Values 42740 Cancel The start position is 1 the end position 3 This means that the file is searched for the binary pattern 42 4D between the first and the third byte i e between offse
72. e AntiVir job Scanning and disinfection with AntiVir Engine In this case the option Remove malware needs to be enabled and the actions to be performed for infected mails must have been set 76 Avira AntiVir Exchange 7 Update timeout Enter the number of seconds after which an unsuccessful attempt to connect to the server is aborted Take into account the performance of your server The minimum value is 60 seconds We recommend a value of 60 to 120 seconds Allow multiple concurrent calls Sets that the scan engine can process several e mails at the same time The specific number of calls is set under Basic Configuration AntiVir Server Properties General tab Number of threads Also refer to Settings for an Individual Avira AntiVir Exchange Server The Return Code Settings tab can be used to edit the pre configured return codes The meaning of each code is to be found under Details Comments The Jobs tab lists the jobs that use the scan engine Attention Please do not use this tab for updating Avira AntiVir Exchange AntiVir powered by Avira The AntiVir Engine is included in the installation package and is enabled by default Default parameters decomp decompress PKLite and LZExe archives verbosescan scan complete file Alternative parameter paranoid interpret warning from heuristic analysis as virus If you are using a proxy server specify the savapi ini file for online updates in the Setup To
73. e click the category in the left pane or click the sign to open it Tip You can enter a category such as Microsoft Office under Selected Fingerprints and define one or more fingerprints from that category as exception under Exceptions To keep a clear overview do not use the same job for too many categories For further information on fingerprints and on entering name and binary patterns refer to Configuring Fingerprints Defining Actions Under the Actions tab specify the actions to be taken when the job finds an e mail that was denied by an attachment size job 114 Avira AntiVir Exchange 7 Properties of Block office files gt 10 MB General Addresses Conditions Fingerprint Size Actions Server 4 r Achons for dented attachments size Standard q Aaa K da Copy to Quarantine Default Quarantine using label mo label Delete Email f Attachment Add e mail sender recipients to userlist Add subject extension Max attachment size exceeded attachment has been removed atthe end Send Administrator max size of attachment exceeded to Administrator Send Sender max size of attachment exceeded ta All Senders Send Recipient max size of attachment exceeded to All Recipients E 2 Careu ame In this example a copy of the message is placed in Quarantine the infected attachments are deleted and the message is delivered without its attachment A notification on
74. e following information 97 Avira AntiVir Exchange 7 Start position End position Hexadecimal values Start position The position within a file from which a pattern search is performed The following values are possible Start at the first byte of the file Start at the first byte second byte etc of the file Be Start at the sixth byte from the end of the file 2 End position The position within a file up to which the pattern search is performed The following values are possible Search to the EE TE from the end of the file Hexadecimal values The pattern to be searched for between the start and end positions Fingerprints can consist of several binary patterns 1 Go to the fingerprint Properties refer to Configuring Fingerprints and select the Pattern Settings tab 2 Click Add 3 Enter the Start position the End position and the Hexadecimal search value 98 Avira AntiVir Exchange 7 Binary Pattern Fd Binary Fatter Start postion hi End position f Hexadecimal Yalues B Cancel Apply The start position is the point in the file from which the specified binary pattern will be searched for The position of the first byte in the file i e the beginning of the file is offset 1 The second byte then has an offset of 2 etc The end position is the offset up to which the pattern is searched for lf the number in one or both of these fields is prefixed with a minus sign th
75. eason for quarantining the item as well as other processing details 69 Avira AntiVir Exchange 7 Quarantine Item E Processing Information Antivir job name Informations Store Scan on SUPPORT Antivir job type antivir Information Store Scanning Sener name SUPPORT2 Description Eicar 7 est Signature found in store item PosteingangYlAGRAl 2e4 EML by Avira Antivir Scan Engine Processing Log Avira amp ntivir Scan Engine Anthi SAMAP 2 Interace powered by Avira Dec 11 2007 Scan engine version 9 0 193 Using virus data from 23 06 2009 7 2 23 13 Savapi version 2 3 0 4 Scanning file C Program Files Avira antyir Exchange 4antivirl ata veaphayS CAN _00039987 50337914352_042c 80r Malware found Etear Test Signature File not disinfected because disinfection i disabled Avira 4ntvir Scan Engine Anti SAMAP 2 Interace powered by Avira Dec 11 2007 Scan engine version 9 0 193 Using virus data trom 23 06 2009 7 2 23 13 Savapl version 2 3 0 4 op zl rad Ao Hi Copy to Sending From Quarantine If you want to send a quarantined message to its original recipient or another user you can resend it directly from the Quarantine without having it rechecked by the AntiVir Exchange job 1 Inthe AntiVir Monitor open a list of quarantined messages 2 Right click the desired message and select All Tasks Resend quarantine item Tip As an alternative you can send the message directly fr
76. ed as previously defined The example below illustrates the working principle of a virus scanning job The job checks for instance an e mail with the result virus found It triggers a virus alarm and initiates a series of actions specified under Actions You can for instance specify the following 1 Ifa virus is found clean the original mail and deliver it to the recipient 2 Ifthe mail could not be cleaned a copy of it is placed in your selected Quarantine 73 Avira AntiVir Exchange 7 folder and the original is deleted without being forwarded 3 Notifications with the relevant information from the scan engine and the AntiVir job are then sent to the Administrator sender and recipient The following actions are possible Scan for Viruses Clean infected message Add a subject extension Copy the entire e mail to Quarantine Remove infected attachments from the message Delete the affected message without delivering it Run an external application Notify the Administrator sender and or recipient Notify any other user definable persons Add X header field Redirect e mail 4 2 2 Scanning in the Information Store In addition to virus scanning at transport level Avira AntiVir Exchange is also able to scan data in the public or private MS Exchange Information Store There are three basic types of Information Store scanning On Demand scan When a client tries to open a mail a comparison is performed to ensure th
77. eeeeeeeeesaeeeeeeeens 9 2 4 Uninstallation of Avira AntiVir Exchange 7 ccccccccccsecccceeeeeeneeeeeneeeeeseeeessaseeeseeeesneeesaneees 13 SLE U E T TE A E sos EIEE NEIE E A S A E A 15 3 1 The Architecture of Avira AntiVir Exchange ccccccccccseeeeeseeeeeeeeeeeeaeeeeeeaeeeesaneeeseeeeesseneeeas 15 3 1 1 AntiVir Exchange Management Console cccccccccsecceeeceeseeecaeeeeeeeeaeeeeeeseaeeeseaeseeesaaeeees 15 3 1 2 Avira AntiVir Exchange Server ccccccccccsseseeceeeeeeeseeeeeeeeeeaeeeeeeessaeeeeeeessssaeseceeessaeaeseeesseaaaees 16 ag er MC 0 0 ane ee ee ee eee ee ee ee eee 16 3 1 2 2 Avira AntiVir Exchange Service Enterprise Message Handler EMH 0 16 3 1 2 3 Avira AntiVir Exchange Quarantine cccccccccccececeeeeeceeeeeseeeeeeeeeeesseeeseeeesseeeeeeesessaneeeeees 17 3 1 2 4 Active Directory LDIF siaspsiaioiuscomusainawadsvainssaiesy cies nisandeadvesnavartaiolaursiniet naisinhasmelaatiarsavaapwasaansiads 18 3 1 2 5 Compressed Files and Archives Avira AntiVir Exchange Unpacker c0 cc 18 3 1 3 Avira AntiVir Exchange Configuration cccccccccccccceccseeeeeeeeeceeeeeceeeeeseaeeeeeeseseaeeeeeesesseaeees 18 Die U Er IMENI E a a a naathavingealannedumeiamenmuidarissuebiannctoeras 19 SAR ee oc oee E ne ee A E 20 ee ICONS apenas ction cntqetatna E E E E E E 21 3 3 Configuration in AntiVir Exchange Manag
78. ement Console ccccccccceseeeeeeeeeeeeeeeaeeeeeeeeas 22 3 3 1 Basic Configuration cs icsosecicstcoxcasstaceceseceicdazceviesdsnecnancadsadeatineiadcnsainelaebeuavendseaedetevaad reas yenieueedbegeassxee8aee 23 3 3 1 1 Configuration Reports ssc cccccedcstencsacciasasnaiqzadmewnassntavennestiiecuedsasactsiwdsadvasebtiekinsttaieuasanextatadantenaaanes 23 3 3 1 2 Import Configuration ios saeicescceesacceeresvecesacexdecacg dete ved cevnt vavadessved sexeedooubsenasendousad deensbeacdsdsdaneedeaedeeets 24 3 3 1 3 AntiVir Servers Settings ccc cccccceeecceceecaeeeceeeeeaeeseeeeeeeeseeeeeeeeesseeeeeeeeeesaaseceeesaaaeeeeeeseaaas 24 3 3 1 4 Settings for an Individual AntiVir Server cccccccccsssscccececeseeseeeeeeseeeeeeeeeeeesnseeeeeeeeanees 29 So kI Address LISIS ae ce en er E ene enn eee E eee eee eens 34 3 3 1 6 Creating Notification Templates cc cccccccccccceeeeeeeeeeeseeeeeeeeeeaeeeeceesseseeeseeessseaaaeeeeeesaas 41 3 3 1 7 Creating a Database Connection to an SQL Server 0 0 e cece cece eee eeeeeeeeeeeeeeeeeeaeaeeees 46 33 Lo Folder SENOS srera aie E E EE E E TEE E 51 3 3 1 9 Utility Settings sc se ose cesiePecincncesvornedes cecsveeusedueyesextsencbes Leswingo ad dnsewstteeestsnwbacseneutb pads dedebeagetstusuadeseckoss 59 3 3 2 Policy Configuration osicosssecccsdesaciwescdamsicecdmarvneebexsdupeccontsannreindenasictetsisbduecsinenisiendeasbexsnsinciedexsennsewexkioeectos 60 3 3 2
79. ensive image the notification variables Xblock attachment and Xblock result will provide the name and the analysis result for the image with the highest score only To define further actions click the Add button For a description of the procedure refer to the description in the AntiVir chapter under Enabling Virus Scanning Example Defining Actions 156 Avira AntiVir Exchange 7 5 Limiting the Number of Recipients With this job type you can limit the number of recipients for each e mail When this job is enabled users cannot send bulk mail to all users in your company Limiting Number of Recipients Example Under Policy Configuration Job Templates you will find the Block emails with more than 50 recipients job Drag this job to the Mail Transport Jobs folder and open it there with a double click General Settings Under the General tab enter a name for the job An active enabled job has a checkmark in the job symbol Set the job to Enabled Yes Once you have saved your settings with Apply and closed the job the job is enabled Properties of Block emails with more than 50 recipients Ma EE ye ws tha n 50 recipients as Job type Antivir Wall Recipient Limit Filtering Enabled fe Yes No Subject extension f Add no subject extension 0 Antivir wall checked Iv Quarantined emails 0 qgnore emails resent from quarantine Check emails resent from quarantine Options Job i
80. erion Email subject containing these words Click Antispam Content Whitelist The Dictionary Selection dialog appears 141 Avira AntiVir Exchange 7 Select Items Ei Select Items Available bens Selected thems Antispam Denied Character Sets Anti spam Frequently Used Spam Paras Anti spam Offers Antrspam Pharmacy Offers Antispam Sample Business Words Anti pam Spam Content Body Anti spam Span Content Subject Antispam Suspicious HTML Code 1 Antispan Suspicious HTML Code 10 Anti pam Suspicious HTML Links a Antispam 4 Mailer List Confidential lafarnation Edit Edit 2 omes Use the and ro keys to add and remove dictionaries in the list The double arrows add or remove all existing dictionaries In the right field double click Antispam Content Whitelist or click the Edit button The following dialog appears 142 Avira AntiVir Exchange 7 Properties of Antispam Content Whitelist General Jobs Details Mame weighting 10 List of words phrases NOSPAM B Lancel Apply For further information on setting up dictionaries refer to Setting up Dictionaries Fora detailed description of the remaining criteria refer to Definite No Spam Criteria When you have completed the dictionary and confirmed your input twice with OK click the Spam tab 143 Avira AntiVir Exchange 7 Properties of Advanced spam filtering x No Spa
81. eristics that match the combined criteria the greater the likelinood that the message Is spam The identified characteristics are combined hence combined criteria to obtain a value indicating the probability that the message is spam Tip The defined job is configured so that a high spam probability for example over 91 can be achieved only when definite spam characteristics have been identified by several combined criteria The job distinguishes between up to four spam probability ranges The boundaries between these ranges i e the probability threshold values are user definable with sliders For each range you can specify actions to be taken for e mails that fall into that range For example you can specify that e definite non spam with a Spam probability of 0 is delivered as normal e e mails with a spam probability below 10 are also delivered as normal You may want to place e mails for classification in the Spam Low Quarantine for mail with a soam probability between 10 and 50 the SCL field is processed in Exchange 2003 so that the e mail is automatically moved to the recipient s junk mail folder or the e mails are placed into the Spam Middle Quarantine the recipients receive a Summary report on the quarantined e mails and can request their delivery if required e e mails with a soam probability over 50 are deleted immediately Here too you can place e mails in the Spam High Quarantine The follow
82. es of Block office files gt 10 MB General Addesses Conditions Fingepiint Size Actions Server _4 Fingeipnnt Sime conditions Fingerprint Size Selection Maximum size of massage attachment 10000 kB When the massage attachment ic Microsoft Office Microsoft Office 2007 Except when message attachmentis Ho fingerprints selected 2 Ok Cancel Note Unlike for simple fingerprint checking the Scan inside compressed attachments option is not available here To limit the size of compressed files enter their formats in this job Fingerprint Size conditions To specify the size in kilobytes click 10000 To select a fingerprint category an individual fingerprint or the maximum size from the list of fingerprints click on Microsoft Office The following view is displayed 113 Avira AntiVir Exchange 7 Select Fingerprints Ea Microsoft Office Microsott Office 2007 Microsott Windows Misc AllFingerprints Haran Selected Fingerprints S E ES Fingerprints a als G2 Al fingerprints 45 Microsoft Office 2007 KA Unassigned fingerprints Berd S Archive ASCII Documents Encryption Executables niet Add pe Fonts EARE Images Exceptions Internet Mall SISESE Open tice Maximum size in kilobyte 10000 Add Remove Bo eas With the Add and Remove butions you can assign entire categories or individual fingerprints to the list of denied and or allowed fingerprints To do so doubl
83. essueeeeeeesesaaases 150 5 5 2 Advanced Spam Filtering Job Configuration ccccccccccccceeeeceecceaeeeeeeeeseeeeeeeeeeessaaeeeeees 151 5 6 BLOC MUNG AI ACS ecce ENEE E N TE 152 5 7 Limiting the Number of Recipients cccccccccseeceeeeeseeeeesaeeeeeesaeeeeeeseeeeeeeseeaeeeesseeeeesaaeeees 157 Avira AntiVir Exchange 7 Avira AntiVir Exchange 7 1 Getting Started 1 1 Installation on an Exchange Server 1 To install Avira AntiVir Exchange double click the file antivir_exchange_server_2k_en exe Or antivir_exchange_server_2k7_64bit_en exe in the installation package 2 Follow the Installation instructions Unless you specify a different installation directory Avira AntiVir Exchange Is installed in the default directory i e C Programme Avira AntiVir Exchange German C Program Files Avira AntiVir Exchange English Attention Disable any real time or on access scan functions of your scan engines forthe Avira AntiVir Exchange AntiVirData directory 1 2 Starting AntiVir Exchange Management Console Avira AntiVir Exchange is a server product that is configured through AntiVir Exchange Management Console For Avira AntiVir Exchange to work the AntiVir for Exchange service must be running Also refer to 3 1 2 2 Avira AntiVir Exchange Service Enterprise Message Handler EMH 1 To start the console go to Start Programs Avira AntiVir Exchange AntiVir Exchange Management Console
84. etected to All Recipients 7 Add B Cancel Apply The Spam probability High is intended for those e mails that are probably spam and should not be delivered In this example the original message is deleted immediately without being forwarded to its recipient A copy of the message Is placed in the Quarantine Because of today s large numbers of junk mail the Administrator is not notified Note A high volume of junk mail can result in large quarantines which can reduce system performance When you no longer need the e mails you should therefore disable the Low and High Quarantine copy Tip Depending on your mail environment you may want to set different threshold values for the Medium and High ranges Before you do change the thresholds though observe whether the job yields good filtering results with these settings Your aims should be to maximize the number of spam e mails in the Spam High Quarantine to maximize the number of ham e mails in the Soam Low Quarantine and therefore to minimize the volume of mail going into the Spam Medium Quarantine 139 Avira AntiVir Exchange 7 On the Actions tab you can adjust the spam criteria Click Definite Criteria The following dialog appears Properties of Advanced spam filtering Ea No Spam Spam Definite No Spam Criteria M Emails from these trusted senders Whitelist Select addresses Antispam Whitelist Antispam Newsletter Whitelist Emails from A
85. expression To specify a denied sender you can enter something like tom as a disallowed sender instead of individual e mail addresses That means that all mail sent by any Tom with any extension such as family name and from any domain is denied This includes your own employee Tom Jones to whose mails the same restrictions will be applied To specify a particular domain you can enter domain com All senders or recipients from this domain are then denied Be careful when you create an address filtering job for multiple servers that denies an entire domain It is not always obvious which addresses are private and which business in nature Keep in mind that smaller companies may have e mail addresses for example under ISP domains such as demon co uk or aol com Address filtering is a simple means for filtering out e mails sent from known spam addresses The usual suspects can be intercepted at the server and deleted at once Note As the processing condition is the same as the job restriction condition for address filtering a subject extension if defined is added to passed e mails even if the message does not meet the processing condition Specified action is performed Content condition fattened a e s Checked added Processing i lo message Job x i condition fulfilled h Subject address filtering Job is not run ie mo text added to Subject Job resincion condition fulf
86. forbidden recipients found to All Senders Send Recipient forbidden sender found to All Recipients B Cancel Apply To define further actions click the Add button For a description of the procedure refer to the description in the AntiVir chapter under Enabling Virus Scanning Example Defining Actions Selecting Servers Job Details To select servers and specify job details proceed as described under Selecting Servers and Entering Job Details 5 3 Content Filtering With Dictionaries AntiVir Wall uses predefined dictionaries to look for undesirable text content It can check the following message elements Subject E mail text Attachments 120 Avira AntiVir Exchange 7 Content filtering can be limited to specific senders or recipients You can specify for example that only external mail is scanned for pornography racism etc while own domain mail to external recipients can be checked for internal or confidential information Messages are scanned and compared against the specified dictionaries When a dictionary is enabled for a particular job the words or sentences you have entered in that list are considered restricted as of a specific threshold value The job also defines the character conversion When the specified threshold is reached the job starts the actions that you have previously defined under the Actions tab The working principle of a content filtering job The job checks an e mail
87. ge how a Feature is installed Feature Description E Antivir Exchange Server Components Beee E Information Store Scan This Feature requires 16M6 on vour hard drive Ik has 2 of 2 subfeatures selected The subfeatures require 137MB on 4 vour hard drive Install to C Programme viraAntivir Exchange Change Installshield Help Space lt Back Cancel In case another Information Store Scan application apart from Avira AntiVir Exchange is already running on the server the feature will be disabled If you wish to use Information Store Scan the other application has to be uninstalled first 10 Avira AntiVir Exchange 7 5 Click Next 6 Inthe next screen you have to specify the path of the configuration file i Anti ir Exchange Server 2000 2003 InstallShield Wizard El Configuration Options R a i Settings For the Antivir Exchange configuration file AVIRA Ant Vir Please select the configuration Create local configuration Use existing configuration Specify path to configuration manually eal C Programmelayviralantivir Exchange Config Configbata xml Installshield Cancel 7 If you do not operate Avira AntiVir Exchange on several servers and want to work with a central configuration file for administration purposes confirm the default setting and click Next 8 Inthe next dialog specify the administrator s e mail address lt Back 11 Avira An
88. gered the action 41 Avira AntiVir Exchange 7 General Job Name VAR Jobname VAR Name of the job that started an action General Non applicable VAR UnrestrictedRecipients Recipients of the message that recipients VAR triggered the action who were not defined in the inbound address conditions General Quarantine folder VAR Quarantine VAR The Quarantine in which a message was placed General ID of a Quarantine VAR QuarantineDocRef VAR Unique identifier of the e mail quarantined mail General Server VAR Server VAR Server through which the affected message was sent here the name entered in the configuration settings General Server network name VAR ServerFQDN VAR Server through which the affected message was sent here the server s network name Fully Qualified Domain Name General Time VAR TimeOnly VAR Time at which the job that started the action was run General Avira AntiVir Exchange VAR ToolReport VAR Summary of the scan results Report General Avira AntiVir Exchange VAR ToolReportDetails VAR Result of the scans with all Report Details details General Applicable recipients VAR RestrictedRecipients VAR Recipients of the message that triggered the action who were defined in the inbound address conditions AntiVir AntiVir Attachment size VAR AttachmentSize VAR Size of the denied infected attachment AntiVir Attachment type VAR FingerprintName VAR
89. gs to the Microsoft Office category 2 Select the Pattern Settings tab 96 Avira AntiVir Exchange 7 Properties of Microsoft Access Project General Pattern Settings Jobs Details Scan option F Name and binary pattem have to match Name pattern adp Binary pattern Last Modificatio 3 Inthe Name pattern field enter the file extension for this name pattern Note You can define several filename patterns for each fingerprint Multiple entries must be separated with a semicolon You can use the wildcard for multiple characters for instance to define a fingerprint with the filename pattern vbs You can also specify complete filenames in this field If you enter for instance AttO1 cdf here the created fingerprint when specified in a job denies all files with that name Note If you have selected the option Name and binary pattern have to match both the filename pattern file extension and the binary pattern of the checked file must correspond with the data in the fingerprint properties Make sure that you have specified this information If you have not selected this option but both patterns have been specified in the fingerprint properties only one of the patterns must match to identify the file format For further information on entering name and binary patterns refer to Selecting Fingerprints Creating Binary Patterns for Fingerprints Description Binary patterns contain th
90. h as Blocking Senders and or Recipients Example 5 2 Address Filtering Address filtering focuses on the senders and recipients of the e mails You can deny specific senders so that no mail from these addresses is delivered to your users and you Can deny specific recipients so that none of your employees or only selected people can send mail to them The following objects can be used for address filtering Mail Enabled Active Directory user Mail Enabled Active Directory groups Mail Enabled Active Directory contacts User definable SMTP addresses including wildcards INTERNAL domains defined as internal in Avira AntiVir Exchange EXTERNAL all addresses that are not INTERN Administrator the e mail addresses defined as Administrator in Avira AntiVir Exchange Senders and recipients are defined by the corresponding e mails fields A sender can be either an employee of your company sending e mail to someone outside or someone outside sending an e mail to an employee of your company You can define both senders and recipients as individuals or groups 116 Avira AntiVir Exchange 7 For address filtering you can normally use the following wildcards Asterisk The asterisk is the wildcard for one or more letters and digits It can be used several times within a word or expression Question mark 7 The question mark represents a single character It can also be used several times within a word or
91. he recipients Note that splitting messages affects the performance of your server Scanning for viruses Corporate policy You want to scan all messages for viruses In this case it is not enough to scan messages from external domains only you also have to make sure that no infected mail leaves the company The specified actions Scanning for viruses if necessary cleaning the file and sending a copy to Quarantine must therefore be 37 Avira AntiVir Exchange 7 performed regardless of the sender and recipient address Implementation The action is executed for Message from lt A11 Senders Recipients gt and Addressed to lt All Senders Recipients gt There are no exceptions Each mail from each sender to each recipient is checked for viruses The following are the address settings for the job Properties of Scanning with Anti ir Engine General Addresses Conditions Antivir Engine Actions Server 4 r Sender Aecipient conditions Advanced Message from Jan Sender Recipients h Addressed to Jan SenderRecipients al ea The Advanced window of the Addresses tab provides options for an easy implementation of more complex corporate policies Click on the Advanced button and when finished click the Basic button to return to the standard selection Job for blocking file attachments Company policy Let us assume you want to block messages with attached video files from Internet domains unless
92. he Ctrl key while dragging A plus symbol then appears in the cursor Attention When you delete a fingerprint from any category with the Del key it is permanently deleted and can not be restored To remove a fingerprint from a category without permanently deleting it right click it and select All Tasks Remove fingerprint s from this category Make sure that the fingerprints you want to delete or remove are no longer used by an Avira AntiVir Exchange job To create a new fingerprint category click on Fingerprints in the left pane right click and select New Fingerprint Category For a new fingerprint right click the category and select New Fingerprint The Jobs tab in the fingerprint properties shows the list with the jobs that use the fingerprint Creating Fingerprints with Name Patterns If a file s binary pattern is not known it can be identified quickly using a name pattern 1 Double click a fingerprint to open the Properties The General tab refer to Configuring Fingerprints shows the fingerprint s name 95 Avira AntiVir Exchange 7 and categories with a Microsoft fingerprint in the example below Properties of Microsoft Access Project Ea General Patten Settings Jobs Details Name List of selected fingerprint categories Last Modiioation Date A2 Microsoft Office 10 10 2008 10 00 00 Select s Cancel pply The fingerprint is called Microsoft Access Project and belon
93. he Email Size tab An AntiVir Email Size Filtering job can perform the following actions Place the entire e mail in Quarantine Add label Delete the affected message without delivering it Add email sender or recipients to userlist Notify Administrator sender recipient Notify other user defined recipients Start external program Add Avira tag and value Add header field and value Redirect mail 4 4 3 By Type and or Attachment Size Attachments can be checked for size and messages delivered or denied accordingly The maximum attachment size is specified on the Fingerprint Size tab This job can check and deny attachment types while at the same time filtering by attachment size AntiVir Attachment Size Filtering jobs can perform the same actions as attachment filtering jobs 4 4 4 Configuring Fingerprints Fingerprints consist of a name pattern and or a binary pattern e Filename pattern used to define file types by filenames and file extensions exe etc e Binary pattern used to define file types using unique binary file information 94 Avira AntiVir Exchange 7 Malicious users can manipulate filenames by simply changing the extension to a different file type To prevent file type filtering being fooled by this type of manipulation you can use the binary pattern which uniquely identifies file formats The binary pattern is therefore the most reliable method for identifying file types Filename pat
94. he analysis in one of several formats for importing into another application 72 Avira AntiVir Exchange 7 4 AntiVir 4 1 Overview AntiVir checks messages for viruses for the type and size of their attachments and for the total message size In that context a distinction is made between scanning on the transport level inbound outbound messages and scanning in the MS Exchange database public and private Information Store Job types Virus scanning in inbound and outbound messages Job Type AntiVir Scanning Virus scanning in MS Exchange databases on access amp proactive background Job Information Store scan Blocking specific file types in attachments Job Type AntiVir Attachment Filtering Limiting message size Job Type AntiVir Email Size Filtering Limiting attachment type and or size Job Type AntiVir Attachment Size Filtering Note Create a separate job for each restriction type Job types cannot be changed later For a detailed description of the procedure refer to Enabling Virus Scanning Example 4 2 Virus Scanning 4 2 1 Scanning Inbound and Outbound Messages To configure the scan engine open the Basic Configuration Utility Settings right click AntiVir Engine and edit the properties The job Scanning with AntiVir Engine starts the engine as defined in the configured conditions The conditions determine the messages for which a job will be performed If configured further actions are perform
95. her the e mail body contains long strings of spaces or meaningless character strings Emails containing these phrases Checks whether the e mail body contains words typically found in spam mail Emails containing these concealed words Checks whether the e mail body contains any concealed words from the dictionaries specified Emails containing suspicious HTML code Checks whether the e mail body contains any HTML constructs Emails containing suspicious HTML links Checks whether the e mail body contains any Spammer links Many HTML Links Checks whether the e mail body contains many HTML links in relation to the size of the text Embedded images Can be used to identify soam content conveyed through embedded images internal ref to attachments For instance it is possible that in configurations without SPACE e mails with embedded images are systematically considered spam unless embedded images are standard practice for e mail communication in the corresponding environment 5 4 6 Manual Spam Filtering Configuration To use the Wall Spam Filtering job as described above you should set up the following sequence of actions in your job to ensure effective soam blocking 1 Filtering of known spam addresses 2 Checking Subject line for text and obvious elements such as dots or spaces Also refer to the Spam Content Subject dictionary under Dictionaries in the Basic Configuration 3 Checking e mail body texts for spam links includ
96. hield Wizard has successfully uninstalled Antivir Exchange Server 2000 2003 Click Finish to exit the wizard Delete all user and registry data asi ion J oe a el WWW avira Bi R AntiVir Gance Click Finish if you wish to keep your configuration and Quarantine data If you want Back to delete all Avira AntiVir Exchange components enable the Delete all user and 13 Avira AntiVir Exchange 7 registry data checkbox first 14 Avira AntiVir Exchange 7 3 General 3 1 The Architecture of Avira AntiVir Exchange Avira AntiVir Exchange consists of three main components AntiVir Exchange Management Console Avira AntiVir Exchange Server and Avira AntiVir Exchange configuration 3 1 1 AntiVir Exchange Management Console The AntiVir Exchange Management Console is the cockpit from where Avira AntiVir Exchange is configured and administered It is a so called Snap In for the MMC The AntiVir Exchange Management Console can be used to administer individual Exchange servers with Avira AntiVir Exchange installed as well as entire Avira AntiVir Exchange server farms This simplifies daily administration tasks in particular in a multi server environment With the AntiVir Exchange Management Console the Administrator has access to all configuration information needed and to the AntiVir Monitor Quarantine of the Avira AntiVir Exchange servers Two different access methods are used for configuring the
97. his function is especially useful for spam filtering i e for the spam quarantines It also helps to reduce the administrator s workload by allowing users to forward quarantined messages to their inboxes For each server you can specify whether and how users can access their quarantined mail The user receives a Summary report on quarantined mails clicks on the corresponding action for the selected mail and by doing so sends a request These actions are configured individually for each Quarantine and include Request delivery to the recipient of the summary notification Release delivery to all recipients and or Remove mail marked for deletion in the Quarantine The user gets access through a mail request or a HTTP request Select the Quarantine access tab Properties of SUPPORT eI General Address Settings Wuarantine Access Quarantine Maintena_4 User accessible Quarantine settings ialbos F Delete email requests after processing M Allow users to request quarantined items by HTTP Server or F HTTP port oS BI Cancel Apply Allow users to request quarantined items by email Quarantine queries are started by a mail request This message is generated automatically when the user clicks the action link for a quarantined message in the summary report and is sent to the e mail address 32 Avira AntiVir Exchange 7 entered in the Mailbox field on this tab A precondition is that the e mail address exis
98. ied e g charts are delivered to the recipient unless they also contains images that could be classified and have reached the threshold Scan inside compressed attachments means that the internal unpacker extracts files from archives and checks them for unwanted images If this option is disabled only the archive is checked and identified as compressed format 155 Avira AntiVir Exchange 7 Defining Actions Under the Actions tab define the actions to be performed when the job finds an e mail with one or more offensive images Properties of Block Offensive Images 3 General Addresses Conditions Threshold Actions Server Details Achons for unwanted images Standard W Copy to Quarantine Default Quarantine using label no label Delete Email Add e mail senderfrecipients to userlist Send Admin Offensive Image Detected to Administrator Send Sender Offensive Image Detected to All Senders Send Recipient Offensive Image Detected to All Recipients E Cancel Apply In this example a copy of the message is placed in Quarantine and the message is deleted without being delivered to its recipient A notification warning of the denied address is sent to the Administrator You can select this notification from the pull down menu of available notification templates which you can format using the HTML toolbar or by entering appropriate HTML code yourself Note If the job identifies more than one off
99. ient or original sender enable the corresponding checkbox After having entered the recipient click Finish Selecting Servers Under the Server tab select the server or servers on which the job is to be enabled 84 Avira AntiVir Exchange 7 Properties of Scanning with Anti ir Engine General Addresses Conditions Antivir Engine Actions Sever 4 r List of servers where this job is awallable 4 SUPPORT Select Edit Click Select A dialog similar to the one for selecting scan engines appears Note If a server is not listed it may not be correctly configured For further information about configuring Avira AntiVir Exchange servers refer to Settings for an Individual Avira AntiVir Exchange Server Entering Job Details Use the Details tab to add a job description Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings Click on the Save button The configuration is saved in the ConfigData xml file located in the Avira AntiVir Exchange Config folder Pending changes are indicated by an asterisk next to the top node 4 3 Virus Scan in the Information Store Sample Job 85 Avira AntiVir Exchange 7 Under Policy Configuration in the Information Store jobs area you will find an Information Store scan job for each server Double click this job to open it Attention When you enable or disable the Information Store scan job it takes up
100. ile formats Block all archives except ZIP files Blocks all compressed formats except ZIP files Block suspicious attachments Blocks known malicious attachments such as Nimda Block images Blocks image formats Block video files Blocks video formats Block sound files Blocks sound formats Block executable files Blocks exe com files etc We will use the Block video files job as an example Drag this job to the Mail Transport Jobs folder and open it there with a double click General Settings 1 Under the General tab enter a name for the job An active enabled job has a checkmark in the the job symbol 2 Set the job to Enabled Yes 3 Save your settings with Apply and close the job The job is enabled 103 Avira AntiVir Exchange 7 Properties of Block video files General Addresses Conditions Fingerprints Actions Server Details e Mame Block video files Job type Antivir Attachment Filtering Enabled fe Neg C No Subject extension f Add no subject extension C antivir checked vd Quarantined emails f gnore emails resent from quarantine C Check emails resent from quarantine Options Job is mission critical White processing log B Cancel Apply By default the Subject extension is pre set to AntiVir checked If enabled this text is added to the subject of each mail checked by the job This job does not process mails that are being resent from Quaran
101. illed Specified action is performed Address filtering job 7 Jobresiicion condon i futni adiress Hierig i Checked added lo message Subject The following actions can be performed Copy the entire e mail to Quarantine Add label Delete the affected message without delivering it Notify the Administrator Notify the sender Notify the recipient Notify other user defined recipients Start external program Add Avira tag and value Add header field and value Redirect mail 5 2 1 Blocking Senders and or Recipients Example 117 Avira AntiVir Exchange 7 Under Policy Configuration Job Templates you will find a configured address filtering job Double click the job Anti spam regarding sender address to open it General Settings Under the General tab enter a name for the job An active enabled job has a checkmark in the icon symbol Set the job to Enabled Yes Once you have saved your settings with Apply and closed the job the job is enabled Properties of Anti spam regarding sender address RS General Addresses Conditions Actions Server Details mi RR x R an spam regarding sender address i Hame Anti spam regarding sender address Job type Antivir Wall Email Address Filtering Enabled Nes C No Subject extension f Add no subject extension C Antivir wall checked YI Quarantined emails gnore emails resent from quara
102. ilure described in the preceding section 3 3 1 8 Folder Settings Quarantines Configuration A Quarantine is a directory in which all messages are placed that meet the criteria defined for the Copy to Quarantine action When Avira AntiVir Exchange is installed a folder named Quarantine Is created in the data directory which initially contains a few default quarantines and later all other new quarantines 1 Select Basic Configuration Folder Settings Quarantines to configure the existing quarantines and set up new ones In the right window section all available quarantines are shown 2 Right click an existing Quarantine in the right pane and select Properties Properties of Default Quarantine x Name Folder Hame Defaut Quarantine Database connecthon Local database mdb file a Delete mails after SU days Size of body excerpts 206 bytes Options jf Include processing lags Quarantine is mission critical B Cancel Apply 51 Avira AntiVir Exchange 7 3 Under Name enter a descriptive name for the Quarantine The Quarantine s Folder Name remains the same This option is only available when you create a new Quarantine Set after how many days a quarantined mail is to be automatically deleted Use the Size of body excerpts field to set whether or not and how much text from the body of the mail message text is to be stored in the database When seiting this field please take in
103. ing actions can be performed Copy the entire e mail to Quarantine Add label Delete the affected message without delivering it Add the email sender or recipients to userlist Notify the Administrator Notify the sender Notify the recipient Notify other user defined recipients Start external program Add Avira tag and value Add header field and value 130 Avira AntiVir Exchange 7 Redirect mail The individual thresholds are i Spam Probability None Default 0 a Spam Probability Low Default 0 9 2 Spam Probability Medium Default 10 49 4 Spam Probability High Default 50 100 The Low Medium and High ranges can be adjusted with sliders and linked to corresponding actions which are then performed on all e mails in that range For soam probability None you can specify a subject extension In addition to effective spam filtering an anti spam solution must prevent the incorrect classification of mail as spam false positives and use the available processing resources efficiently in productive use Mail is therefore checked using the definite criteria before the combined criteria are applied so that e mails that can be definitively classified as spam or non spam are not subjected to further analysis The exclusion criteria prevent checking e mails that can be definitely identified as non spam for example through their sender Note When a definite criterion applies the spam probabilit
104. ing redirections and click trackers Also refer to the Spam Content Body dictionary under Dictionaries in the Basic Configuration 4 Checking e mail bodies for soam text and typical features such as HTML comments within an HTML message text Also refer to the HTML Spam Detector dictionary under Dictionaries in the Basic Configuration To optimize filtering be sure to set the most efficient Job Processing Sequence 5 5 Using SPACE for Fighting Spam SPACE Spam and Phishing Advanced Crossplatform Engine is an interface used for fighting against Spam and Phishing e mails It is used as additional spam criterion in the advanced AntiVir Wall Spam Filtering job The SPACE Engine analyses the emails using the local information stored in its databases updated periodically and several RBL DNS Servers Realtime Black List 149 Avira AntiVir Exchange 7 The result of this analysis is a value that is used to calculate the spam probability within the advanced spam filtering job 5 5 1 SPACE Engine Configuration If you plan to use SPACE for fighting spam first configure the SPACE Engine for periodical updates The configured engine is automatically used whenever a spam filtering jon with SPACE enabled is called Open the Basic Configuration gt Utility Settings and select SPACE Engine Double click the selected SPACE Engine or right click and open the Properties Update Settings SPACE Update Properties of SASI Engine i X
105. ir Monitor lt select quarantined email gt All Tasks Resend quarantine item even if the Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine For further information on sending quarantined mail refer to Sending From Quarantine For details on the Mission Critical option refer to This job is mission critical in the AntiVir Chapter Setting up Address Conditions Under the Addresses tab specify the senders or recipients to which this job is to apply You can select addresses from existing lists or from your own ones For details on how to make the best use of address lists and details refer to the 126 Avira AntiVir Exchange 7 description under Address Lists Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Selecting Dictionaries Under the Content Restrictions tab specify the dictionaries to be used by this job Properties of Block offensive content Ea General Addresses Conditions Content Restncthons Actions Geri r Scan options W Scan email subject Scan email body
106. ira AntiVir Exchange 7 package 3 1 2 4 Active Directory LDIF Avira AntiVir Exchange does not make any changes or additions to the Active Directory However Avira AntiVir Exchange does read various information from the Active Directory When started the Avira AntiVir Exchange service determines the available Global Catalog server which is used for example for resolving addresses in distribution lists during e mail processing The AntiVir Exchange Management Console uses the Active Directory to select sender recipient conditions If an Active Directory is not available for example because the corresponding ports are not open an LDIF file can be used This can for example be created through an LDAP export from an Active Directory an Exchange 5 5 user directory or a Notes Name and Address Book NAB 3 1 2 5 Compressed Files and Archives Avira AntiVir Exchange Unpacker Files are often compressed zipped before being sent by e mail To allow compressed files to be scanned for viruses Avira AntiVir Exchange unpacks the files before running the scan An unpacker is automatically installed with Avira AntiVir Exchange The unpacker supports the following archive formats ACE CAB ZIP Selfextracting ZIP ARJ Selfextracting ARJ TAR GZIP TGZ Tape archive UUE Executable compressed ASCII archive LZH LH ARC RAR Selfextracting RAR Java Archive jar BZIP2 Note Archives
107. iru detected Information S E Add B Cancel Apply Specify whether a copy of the object is to be quarantined and labeled A separate default quarantine is available for the Information Store With the second option the object can be blocked replaced or just marked as not infected Also refer to Scanning in the Information Store The final option defines whether a notification is sent to the administrator s Use the Add button to define further actions for instance sending notifications to other users or starting an external application Removing successful Specifies the actions to be taken if the file was cleaned successfully 89 Avira AntiVir Exchange 7 Removing successful Achons for malware found and removed Standard jf Copy infected item ta Quarantine Information Store Quarantine using label Virus or unwanted program Remove malware Add e mail senderfrecipients to userlist Send Administrator virus or unwanted program removed Information Store to Administrator The following actions are available a Use the first option to specify whether a copy of the object is to be quarantined and labeled The copy is created before cleaning so that the object is quarantined in its original state D In addition you can define whether a notification is sent to the administrator s Object unscannable This option allows to control the behavior of Avira AntiVir Exchange when it finds encr
108. is aborted and the infected mail is passed as it is to the next job in the processing chain d Both Quarantine and job ARE mission critical The mail is moved to the BADMAIL Quarantine and not delivered Attention As long as the Quarantine error has not been eliminated it will systematically be signaled to the job if the Mission Critical option is enabled for the Quarantine If the job itself is not mission critical it will disable itself after a certain time and no longer process any mails On the other hand if the job is mission critical as well each mail will be moved to the bad mail area and not delivered until the error has been resolved 52 Avira AntiVir Exchange 7 Regardless of the actual mission critical setting the Avira AntiVir Exchange administrators are informed by e mail of recurring Quarantine or job errors 8 Under the Summary Reports tab you can now configure a summary notification for the selected Quarantine Note In case you allow the users to access and modify whitelists press Add and select Quarantine Summary Report with Whitelist Support under Template 1 Right click Quarantines and select New Quarantine 2 The Folder Name is taken from the description Only the characters A Z and 0 9 are used all others are converted into underscores 3 The proposed Folder Name can be overwritten Note Enter the folder name only not an absolute path 4 When you have saved the c
109. is text is added to the subject of each mail checked by the job This job does not process mails that are being resent from Quarantine AntiVir Monitor lt select quarantined email gt All Tasks Resend quarantine item even if the Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine For further information on sending quarantined mail refer to Sending From Quarantine For details on the Mission Critical option refer to This job is mission critical in the section AntiVir Setting up Address Conditions Under the Addresses tab specify the senders or recipients to which this job is to apply You can select addresses from existing lists or from your own ones 112 Avira AntiVir Exchange 7 For details on how to make the best use of address lists and details refer to the description under Address Lists Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Specifying Fingerprint and Size Under the Fingerprint Size tab enter the maximum permissible e mail size and the fingerprint format Properti
110. ith unknown formats are referred to as badmail Because Avira AntiVir Exchange cannot read these messages little is known about badmail Such mail may therefore also contain undetected viruses There is only one badmail folder on each server and you can not create further badmail folders Otherwise the same functions and options apply to badmail as for quarantined mail 3 3 3 2 Avira AntiVir Exchange Reports With AntiVir Reports functions you can retrieve detailed information on e mail processing Eight predefined reports and one advanced statistics report are available The advanced statistics report can be defined individually The reports can be accessed through the AntiVir Monitor The reports list the policy violations detected e g viruses undesired file attachments both graphically and in list form Specific reports are available for the most current Avira AntiVir Exchange issues In addition information on quarantines is also shown Reports can be created for freely selectable periods They can be printed and exported with a wide range of options for further processing Report data is temporarily stored during processing and written to the evaluation database at half hour intervals i e processed e mails do not immediately in the reports Click AntiVir Reports and double click the required report in the right pane to open it In the window that appears enter the desired time span for the report Click a to export t
111. ked by enabled AntiVir jobs but are delivered to the recipient without further processing Also refer to the next tab Summary Fields 55 Avira AntiVir Exchange 7 Se In the Fields tab select the message fields to be listed in the quarantined messages summary report If for example you check Subject here the subject of the quarantined messages is listed in the summary report A default selection is already preselected Properties of New Quarantine Summary Report X General Summary Fields whitelist Fields Blacklist Fields Schedule 4 gt jv Create summary report as table Select column aa Deliver date and tine sender Subject Size H HTTP H Links m Report HTTP M Request Release Remove Add to user whitelist Add to user blacklist Release Remove Add to user whitelist Add to user blacklist B Cancel Apply Users can click the links in the summary report to perform actions with the selected messages Select the actions the user will be allowed to perform Request The quarantined message is forwarded to the recipient of the summary report Release The message is forwarded to all original recipients Remove The quarantined message is marked for deletion Add to user whitelist blacklist The sender of the e mail is entered in the user s whitelist blacklist Note Each of the options you select in the Fields tab will appear as a separate
112. l checked by the job This job also processes Quarantined emails The processing action for sending from quarantine applies to all jobs and has priority Therefore if you select an email in the AntiVir Monitor and use the Resend item command with activated option Deliver the email bypassing any AntiVir jobs on this server the email is not processed by any job So you should use the option Resubmit the email to all AntiVir jobs on this server For further information on sending quarantined mail refer to Sending From Quarantine Job is mission critical If a job is mission critical any errors would place the email in the badmail area Enable this option for critical jobs such as virus scanning select checkbox Attention Until the cause is rectified all affected e mails both inbound and outbound are placed in the badmail area 79 Avira AntiVir Exchange 7 A job is not mission critical when any processing errors are to be ignored for the corresponding e mail in which case it is passed to the next job for further processing All processing errors are recorded in the Windows Event Log If the same processing error occurs five times in succession the job is disabled and automatically restarted after 15 minutes Do not enable this option for company critical jobs For most of the jobs the default setting is not mission critical The jobs to be considered mission critical should be defined through corporate policies Write processi
113. link in the summary report 56 Avira AntiVir Exchange 7 11 In the Whitelist Fields tab select the message fields to be listed in the whitelist notification ie Select the Schedule tab and click Add A Schedule Settings dialog opens in which you can specify the time at which summary reports will be generated In the example below a Summary report is sent to the recipient of the soam mail daily at 12 o clock 12 00 AM hours Schedule Settings EI Schedule Settings Select the time wou want this task to start Start Time IE ae d Select the day s you want this task to start jf Monday M Thursday If Tuesday Jw Friday M Wednesday Saturday Sunday 3 esl La Click OK 14 The new Quarantine summary report now appears in the Schedule tab To change the time or day click Edit to delete the summary click Remove 57 Avira AntiVir Exchange 7 Properties of New Quarantine Summary Report Summary Fields whitelist Fields Blacklist Fields Schedule Details 4 r Create Quarantine summary report at EA At t00 on ever working day Summary reports will be sent at 12 00 AM to the recipients of soam mail quarantined in Spam Middle Note You can create several different summary reports with differing contents for a single Quarantine For each report the messages are compiled separately from the Quarantine even if the reports are scheduled for the same time Tip A list of all quarantines is available under
114. m 1 to 10 000 As soon as this threshold value is reached when all weighting factors identified words phrases of the active dictionaries are added the specified actions are performed For further information refer to Checking and Denying Text Contents Example Searching for Text in Dictionaries 1 To search for and replace text in dictionaries double click the dictionary to open it and click 123 Avira AntiVir Exchange 7 Search for ki Direction f Top f Down Search options Find whole word only Replace Cancel Case sensitive Count matches only alll If you do not specify any additional options the function looks for the entered character string everywhere i e also within words and phrases Find whole word only You can separate words with any non alphanumeric character including paragraph marks and manual line breaks Case sensitive Makes the search case sensitive Count matches only Only the number of matches is displayed not the matches themselves Antivir Exchange Server 27000 7003 1 3 matches Found 2 To replace a string with another click Replace 124 Avira AntiVir Exchange 7 Search for Search options Find whole word only Case sensitive Count matches only You can also use the text search and replace function for your own addresses Also refer to Address Lists 5 3 2 Checking and Denying Text Content
115. m Spam Definite Spam Criteria M Emails from the following senders Blacklist Select addresses Antispam Blacklist Antispam Newsletter Blacklist fa E mails from User Blacklist enties a Emails with this character set Select list Antispam Denied Character Sets Exchange SenderID request returns FAIL B Lancel Apply In the Emails from the following senders Blacklist field click Antispam Blacklist and Antispam Newsletter Blacklist An address selection dialog appears in which you can enter e mail addresses or domain names Note Make sure you keep both the whitelist and the blacklist up to date In addition by selecting a particular character set you can declare e mails from specific regions as spam by default Enable Emails with this character set and click Antispam Denied Character Sets Each row contains the code for one character set The allocation of countries to character sets is shown on the Details tab If you have communication partners in any of the countries whose character sets are listed here change the list as follows 1 Copy the Antispam Denied Character Sets list under Dictionaries 2 Rename your list 3 Remove the character sets with the countries of your communication partners from the list 4 Save the list 5 Delete the Antispam Denied Character Sets list in the Advanced Spam Filtering job and enter your own list under Definite Spam Criteria E mails with this
116. mail Quarantine folder where it can be viewed any time The infected denied message is permanently deleted from the server If selected a copy is first placed in Quarantine Delete attachment The infected attachments are permanently deleted 62 Avira AntiVir Exchange 7 Add a subject extension A configurable supplement is added to the Subject line to indicate that the message has been processed Send notifications to Notifications can be sent to the following groups and individuals Administrators Sender Recipients Other persons Run external Program Runs an external program Add X header field A field is added to the message header which can be filled with a value from one of the variables Redirect mail The e mail is resent to the recipients specified Optionally the message can also be sent to the Original recipients 3 3 2 5 Job Processing Sequence The order in which jobs are processed is shown in the job list under Policy Configuration Mail Transport Jobs New jobs are added at the end of the list and can be moved to the desired position with the A and Ty icons in the icon bar or through the context menu All Tasks Move up Move down 3 3 3 AntiVir Monitor The AntiVir Monitor allows you to view the Quarantine areas on each available server as well as detailed information on the mails quarantined there The AntiVir Monitor is used to observe all Avira AntiVir Exchange servers quarantines an
117. me is read If the SQL server is used for central whitelists enter the name of the central SQL server manually Attention Exception In case of a central SQL server e g to be used for central whitelists the two Avira AntiVir Exchange variables Server and Server network cannot be used in the ADO string Enter the name of the SQL server manually i e DataSource Name_of_server 5 Inthe Database user field enter the name of the SQL user who is allowed to access the database shown as User in the figure In the following field enter the corresponding Password The values entered here can be retrieved and inserted in the ADO string through the variables ADOUser and ADOPwd 6 Use the Command timeout field to set the number of seconds after which the database connection is aborted if no data is returned from the database For large databases it is recommended to begin with a value around 60 seconds Setting up Central Whitelists In a multi server environment each server creates its own user whitelists Thus without server synchronization each user is provided with a separate whitelist for each of the servers which all need to be maintained individually In order to manage these whitelists centrally and simplify administration you can set up a Microsoft SQL server instead of the standard local database based on the Microsoft Jet Engine This Microsoft SQL server will write the information for all Avira AntiVir Exchange servers involved
118. mmary Subject VAR Subject VAR Subject of the summary report Summary Current summary VAR Nowdate VAR Date at which the current report date summary report was generated Summary Last Summary report VAR Lastdate VAR Date at which the previous date summary report was generated Summary Current summary VAR Now VAR Date and time at which the report date and time current Summary report was generated Summary Last summary report VAR Last VAR Date and time at which the date and time previous Summary report was generated Summary Recipients VAR ReptTo VAR Recipients of the summary report Summary Fully qualified domain VAR FQDN VAR Full domain name of the server name on which the Quarantine for which a notifications to be generated is located Summary List of Quarantine VAR HtmlIList VAR Complete list of all quarantined e mails items for a recipient with HTML formatting compulsory field in the Quarantine summary report Summary HTTP port VAR HTTPPort VAR Port of the HTTP server Summary HTTP server VAR HTTPServer VAR HTTP server through which HTTP user requests are sent Summary Quarantine VAR Displayname VAR Name of the Quarantine from where the message list was generated Summary Server VAR Server VAR Short name of the server where the Quarantine is located for which a notification is to be generated Summary Current summary VAR Nowtime VAR Time at which the current report time su
119. mmary report was generated Summary Last summary report VAR Lasttime VAR Time at which the previous time summary report was generated Collective notifications Collective notification Table of VAR TOCList VARIi Numbered HTML list of all contents notifications Subject Each entry in the list has a link to the corresponding entry in the notification list NotificationList variable Collective notification Notification VAR NotificationList VAR HTML list of all notifications List Body separated by dashes Whitelist 45 Avira AntiVir Exchange 7 Whitelist Whitelist entries VAR HtmIList VAR Complete list of all entries for a recipient with HTML formatting compulsory field in the whitelist summary report Whitelist Fully qualified domain VAR JFQDN VAR Full domain name of the server name on which the whitelist for which a notifications to be generated is located Whitelist HTTP port VAR JHTTPPort VAR Port of the HTTP server Whitelist HTTP server VAR HTTPServer VAR HTTP server through which HTTP user requests are sent Whitelist Display name VAR Displayname VAR Name of the whitelist from which the list of e mails was generated Whitelist Recipients VAR ReptTo VAR Recipients of the summary report Whitelist Reply To VAR Reply To VAR Address to which replies to the whitelist summary report are to be sent NotificationReplyTo Whitelist Sender VAR From VAR Sender of the
120. nd Avira AntiVir Exchange Monitor 3 3 1 Basic Configuration The Basic Configuration is used for general settings and the essential basic settings of the modules e General settings such as e address lists e templates e Avira AntiVir Exchange servers e Folders such as Quarantines e Utilities e dictionaries for content checking e fingerprints for blocking attachments e AntiVir Engine 3 3 1 1 Configuration Reports The configuration reports provide an overview of the current configuration 1 Right click on Basic Configuration and select All tasks Show Configuration Reports All Tasks Import Configuration Show version wiew Show Configuration Reports Refresh Export List Help 2 Click on the desired report 23 Avira AntiVir Exchange 7 Select Configuration Report x Available Configuration Reports Srtivir Addresslsts Configuration Sntivir Templates Configuration Anti Wuarantines Contiguration Sritivir Fingerprint Categones Configuration Antivir Fingerprints Configuration Antivir Dictionaries Configuration Srtivir Scan Engine Configuration 3 Click on Display report l The report is opened as HTML file in the browser 4 Click Preview Report E for a preview of the printed report 5 Click Save Report to save the selected report as HTML file 3 3 1 2 Import Configuration Attention Before you update a Basic Configuration object make a backup copy of the existing o
121. nd Enabling the AntiVir Scanner Attention Disable any real time or on access scan functions of your scan engines forthe Avira AntiVir Exchange AntiVirData directory 2 3 Installation of Avira AntiVir Exchange on an Exchange Server 1 From the Avira AntiVir Exchange installation package run double click the file antivir_exchange_server_2k_en exe Or antivir_exchange_server_2k7_64bit_en exe 2 First select the Setup language Then select the desired product version and language The selected product language applies to the user interface and the notifications sent to the users by Avira AntiVir Exchange Avira AntiVir Exchange 7 i AntiYir Exchange Server 2000 7003 InstallShield Wizard Product selection R B85 Select the platform and language For your product AVIRA AntiVir Select the platform you wish to install Antivir Exchange Cluster Installation Select the language for the management console and user notifications English Y InstallShield Cancel 3 Inthe next window accept the License Agreement and click Next to continue 4 Inthe next dialogue select the features to be installed This selection includes all server components and the AntiVir Exchange Management Console lt Back Antivir Exchange Server 2000 2003 InstallShield Wizard EJ Custom Setup R om jee Select the program features you want installed AVIRA Ant Vir Click on an icon in the list below to chan
122. nd attachments Drag this job to the Mail Transport Jobs folder and open it there with a double click General Settings 107 Avira AntiVir Exchange 7 Under the General tab enter a name for the job An active enabled job has a checkmark in the job symbol Set the job to Enabled Yes Once you have saved your settings with Apply and closed the job the job is active Properties of Block emails greater than 100 MB x General Addresses Conditions Email Size Actions Server Details La EJ ae I 1 Pee Jr Hock emais greater than 100 MB Hame Block emalle greater than 100 ME Job type Antivir E mall Size Filtering Enabled Nes No Subject extension Add no subject extension Antivir checked mi Quarantined emails 0 gnore emails resent from quarantine C Check emails resent from quarantine Options P Job is mission critical Write processing log 2 Cancel Apply By default the Subject extension is pre set to AntiVir checked If enabled this text is added to the subject of each mail checked by the job This job does not process mails that are being resent from Quarantine AntiVir Monitor lt select quarantined email gt All Tasks Resend quarantine item even if the Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine Setting up Addre
123. ne Summary Report x General Summary Fields whitelist Fields Blacklist Fields Schedule 4 gt a e S KeEvrHUSraNiNnEe SUMMA Report Name New Wuarantine Summan Report Active fe es C Wo Processing do not process by Antivir jobs Template Quarantine Summary Report Recipients Summary data All mails f New mails only C Mails older than 14 days In the Recipients field select All Recipients The original recipients of the quarantined messages will receive the summary report Select Userdefined Recipients when you want to limit the group of recipients of a summary report The selected recipients senders groups or other address patterns are listed in the text field under the Recipients field As Template you can use a summary report that you have created yourself under General Settings Templates Quarantine Summary Report By default Avira AntiVir Exchange contains the preconfigured Quarantine summary report template If you wish to allow the users to add a sender to their user whitelist from within the summary notification use the template named Quarantine Summary Report with Whitelist Support For the Summary data report s contents select New mails only The summary report will then list only those messages that have been quarantined since the last summary report Processing do not process by AntiVir jobs means that messages resent or released on the user s request are not chec
124. nfiguration to define and enable selected jobs according to the company s policies 1 Under Job Templates find the template you wish to use 2 To create a new job select the template and drag it to the Mail Transport Jobs folder Give the job a name edit its properties then enable the job Enabled Yes 3 Make sure that the jobs are performed in the correct order refer to 3 3 2 5 Job 7 Avira AntiVir Exchange 7 Processing Sequence 4 Save your changes Also refer to 1 2 Starting AntiVir Exchange Management Console 1 3 3 Recommended Basic Configuration Steps In the Basic Configuration it is recommended to define individual settings for address lists templates etc However this is not necessary for simply testing the system 1 Configure the Address lists for selections in job rules under General Settings 2 Where required change the Templates under General Settings 3 Under Utility Settings configure any accessories required e g dictionaries fingerprints and the virus scanner 1 3 4 Virus Scanning in Exchange Databases Under Policy Configuration Information Store Jobs you can enter appropriate settings for each Avira AntiVir Exchange server separately It is not possible to create Informations Store jobs A new Information Store job is automatically provided whenever a new server is specified If the server is removed the Information Store job will also be deleted For further details on Information
125. ng log The Processing Log provides information on how e mails were processed by the job Enable this function if you need some sort of evidence or if you wish to test the job With this option enabled information on whether and how the job has processed the mail is written into a text file for each mail This log text file is stored in the Avira AntiVir Exchange installation directory in the Log folder Logging is defined for each job but the text file contains the information for all jobs for which Write processing log is enabled A separate text file is created for each day Name of the text file Audit_all_ lt date of last modification gt 1log e g Audit all 20050909160 Individual pieces of information on the e mail processed are separated by semicolon and can be evaluated manually or automatically 1 Date and time when the e mail was processed Job ID Job name Message ID SMTP sender SMTP recipient Avira AntiVir Exchange filtering result ae Oke Sy a Restricted e mail matches the restrictions defined b Unrestricted e mail does not match the restrictions defined Recipient groups are resolved with a separate line written for each recipient Setting up Address Conditions Under the Addresses tab specify the senders or recipients to which this job is to apply You can select addresses from existing lists or from your own ones For details on how to make the best use of address lists and details refer to the descrip
126. nge 7 Properties of Anti ir Server x General Address Settings Detaile Administratorla Notification sender antiving 3rdebs support local re Reply address Administrator 3rdsbs support local Eal Internal domains ardsbs support local B Cancel Apply Administrator s The Avira AntiVir Exchange Administrator addresses entered in this field will receive important status notifications on the installation as well as the configured Administrator notifications As default the installation enters the Administrator address prompted for Notification sender The sender shown in the Avira AntiVir Exchange notifications As default the installation enters Avira AntiVir Exchange with the mail domain of the Administrator address prompted for Reply address The recipient stored in the Avira AntiVir Exchange notifications of replies to these notifications As default value the installation program enters the Administrator address prompted for Internal domains The mail domains entered in this field are considered as internal mail domains all others as external ones This setting is used to enable the Avira AntiVir Exchange rule engine to identify incoming and outgoing mails through the sender and recipient addresses For instance a spam filter job will only apply to incoming mails while a trailer is not to be added to an incoming mail 28 Avira AntiVir Exchange 7 Multiple domains are separated by Carriage Retu
127. nt select General Settings AntiVir Servers Settings Properties General tab and 26 Avira AntiVir Exchange 7 disable the Create collective notifications option Central Whitelists In multi server environments each server involved creates its own user whitelists Thus without server synchronization each user is provided with a separate whitelist for each of the servers which all need to be maintained individually In order to manage these whitelists centrally and simplify administration you can set up a Microsoft SQL server instead of the standard local database based on the Microsoft Jet Engine This Microsoft SQL server will write the information for all Avira AntiVir Exchange servers involved to a central SQL database To create a central user whitelist you need to configure a database connection between the SQL server and the Avira AntiVir Exchange Server Basic Configuration Database Connections Once the connection has been established select the appropriate configuration in the Select database connection for Whitelist entries field under AntiVir Servers Settings General tab Definition of e mail addresses and internal domains Avira AntiVir Exchange requires a number of basic settings concerning the mail domain of the mails processed During installation the e mail address of the Avira AntiVir Exchange Administrator specified is used for the following Avira AntiVir Exchange basic settings 27 Avira AntiVir Excha
128. ntine C Check emails resent from quarantine Options Job is mission critical Write processing log B Cancel Apply By default the Subject extension is pre set to AntiVir Wall checked If enabled this text is added to the subject of each mail checked by the job By default the threshold as of which a mail is considered spam is set at 50 To avoid negative spam detection rates it is recommended not to change this value This job does not process mails that are being resent from Quarantine AntiVir Monitor lt select quarantined email gt All Tasks Resend quarantine item even if the 118 Avira AntiVir Exchange 7 Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine Save the configuration of the AntiVir Exchange Management Console each time you have modified the settings Click on the Save button The configuration is saved in the ConfigData xml file located in the Avira AntiVir Exchange Config folder Pending changes are indicated by an asterisk next to the top node For further information on sending quarantined mail refer to Sending From Quarantine For details on the Mission Critical option refer to This job is mission critical in the AntiVir Chapter Setting up Address Conditions Under the Addresses tab specify the senders or recipients to which this job is to
129. o Management Mark eting Note As a general rule all of the conditions specified in the senders and recipients fields must be fulfilled for an action to be initiated logical AND If several addresses are entered within the same condition e g senders only one has to apply to trigger the action The exceptions except where addressed from to have no effect on the initiation of this action Messages to or from these addresses are forwarded without performing any of the actions defined 39 Avira AntiVir Exchange 7 To specify the addresses for a specific condition click Internal Senders Recipients No addresses selected or a corresponding entry in the exceptions This opens the Select Addresses dialog 4 Select Addresses E G Addresses TE Users a FF Users A E Hive os Users F J ag oo Mf Users K O oof Users P T pe fF Users UZ EAT Groups fe Dynamic groups ire E Contacts pk car Organizational units fee User defined address lists ae Antivir address lists ee User defined addresses Be P Search addresses i Ea Antivir address lists Email address F All Sender Recipients Ci Antivir Administrators FF Directory Users Ge E sternal cae ital Email address F Intemal Sender Recipients Caroi _ You can also use the AntiVir address lists 4 Select Addresses El as Addresses abe Users Hie Pees on s Users A E oo Mf Users FA MF User K O iz WF Users P T tn M
130. om the Properties dialog by clicking WE icon The following dialog appears 70 Avira AntiVir Exchange 7 Resend Item sa Recipient Selbngs E NON m DSE m NN n m n e N a N eN E N N n D En E On E n M On E n E N E On m n m n E n m an C Ohange email rcpients Processing Actor Resubmit the email to all Anti jobs on this server Cf Deler the email bypsssing arp Anthi jobs on this server Delete Delete ilem alter resent res The From field of the message contains the original sender i e not a forwarded mail 3 To change the recipient enable the Change e mail recipients option and then click the Select Address icon el Note No address lists are available to select an address for resending from quarantine Refer to Address Lists 4 Ifyou do not want any jobs to process the message select the option Deliver the email bypassing any AntiVir jobs on this server When you forward a message from the Quarantine it is likely to be urgent even though it contains restricted words or attachments so you probably want this to be your default setting Note This is a global setting If you have enabled jobs that are to scan mail resent from Quarantine activate the option Resubmit the email to all AntiVir jobs on this server Otherwise the job option Check emails resent from quarantine will not apply and all messages will be forwarded without further checking Note The instruction Resubmit the email to
131. onfiguration these quarantines are automatically created by the EMH and displayed in the Avira AntiVir Exchange Monitor after you press Refresh Note The size of a Quarantine is limited to 1 GB Defining Quarantine Summary Reports Quarantine Summary Reports provide information on the messages quarantined by Avira AntiVir Exchange the Whitelist Summary Reports on the new entries in the user whitelist Summary reports can be sent to various recipients or recipient groups and contain a list of various quarantined messages The listed messages the actions the user can take when receiving a Summary report and the additional information contained therein are defined separately for each summary report Summary reports consist of two parts The template which contains variables and defines the form of the notification To edit the summary report template select Basic Configuration General Settings Templates Quarantine Summaries The variables used here apply only to the summary report and its form Configure the summary report template as described under Creating Notification Templates The list of quarantined e mails the actual content of the summary notification Fields are used to define which e mails and which e mail fields are to be listed in the summary notification The content of the summary report i e the list of quarantined messages is set by the Summary Quarantine e mail list VAR HTMLList VAR variable
132. pecifies the number of minutes after which the update service searches for new versions on the server entered under UpdateURL The default value is 120 minutes 2 hours An automatic update of the engine and virus signatures is automatically performed immediately after the first action virus scan If this value is zero automatic updating is disabled Example UpdateInterval 120 4 2 4 Enabling Virus Scanning Example Under Policy Configuration Mail Transport Jobs you will find the Scanning with AntiVir Engine job Double click this job to open it General Settings Under the General tab enter a name for the job Each enaled job has a checkmark in the job symbol To enable a job select Enabled Yes Once you have saved your settings with Apply and closed the job the job is enabled 78 Avira AntiVir Exchange 7 Properties of Scanning with Anti ir Engine General Addresses Conditions Antivir Engine Actions Server ale E scanmng Wath Antivir Engine Mame Scanning with antivir E ngne Job type Antivir Scanning Enabled es C No Subject extension C Add no subject extension Antivir checked I Quarantined emails qnore emails resent from quarantine C Check emails resent from quarantine Options W Job is mission critical Write processing log caret o By default the Subject extension is pre set to AntiVir checked This text is added to the subject of each mai
133. pients per e mail 158 Avira AntiVir Exchange 7 Properties of Block emails with more than 50 recipients General Addresses Conditions Number UF Recipients Actions 54 r Defne masimum number of recipients per emall Mumber Eo B Lancel Apply In this example each incoming or outgoing e mail can be addressed to no more than 50 recipients AS soon as an e mail contains 51 recipients the specified action is triggered Note If an e mail is addressed to a group of recipients with a single address the Exchange server must be able to resolve the list into its individual recipients to identity the actual number of recipients Addresses that act as mailing lists are treated as single addresses if they are outside the scope of the Exchange server Defining Actions Under the Actions tab specify the actions to be taken when the job finds a mail with too many recipients 159 Avira AntiVir Exchange 7 Properties of Block emails with more than 50 recipients General Addresses Conditions Number Of Recipients Actions 5 _4 gt Achons for recipient number limit exceeded Standard Jf Copy to Quarantine Default Quarantine using label no label Delete Email Add e mail senderfrecipients to userlist Send Administrator max recipient count exceeded to Administrator Send Sender max recipient count exceeded to All Senders Send Recipient max recipient count exceeded to All Reciprent
134. rmat using the HTML toolbar or by directly entering appropriate HTML code Tip Check whether the infected mails addressed to your company are often also spam lf they are it is best to delete the entire message and not just the attachment This saves filtering of the remaining message text Note If you have selected the Scan options Scan e mail body option and a virus is found in the text body the entire message including any attachments is deleted if you have selected the Delete and don t deliver the restricted attachment s option attachments are not delivered without text body The affected message section is usually deleted separately If only the attachment was infected only the attachment is deleted To define additional actions click Add 82 Avira AntiVir Exchange 7 Actions Assistent EI Additional actions Notification Start external program Add Avira tag and value Add header field and value 3 res Notification Select the recipient of the notification from the address book Start external program Define a new application to perform actions of this application To start an external application enter the path and where required any necessary parameters Add Avira tag and value Mail header tags can be inserted by Avira AntiVir Exchange during the process in order to perform special Avira AntiVir Exchange actions For instance it is possible to add information to an e mail that can be evaluated by
135. rn Subdomains are automatically included when the main domain is preceded by a wildcard e g domain com As default the installation enters the mail domain of the Administrator address prompted for These entries apply to all Avira AntiVir Exchange servers The settings can be changed at any time in the same window 3 3 1 4 Settings for an Individual AntiVir Server Select Basic Configuration AntiVir Server and in the right window double click the required server to view its properties To define a new server right click AntiVir Servers New AntiVir Server and edit its Properties General Server Settings 29 Avira AntiVir Exchange 7 Properties of SUPPORT E4 General Address Settings Quarantine Access Quarantine Mantena ale Name SUFFORT Number of threads J Event logging level Medium x Delete Bad mails after SU daps Delete Job Processing Log Files after 14 dans caret ton _ 1 Enter the Name of the Exchange server During the installation the current Exchange server is automatically entered as the internal domain 2 Set the maximum number of e mails processed simultaneously by Avira AntiVir Exchange in the Number of threads field A reasonable maximum depends on the capacity and performance of your server 3 Select the Event logging level for the Event Log You can view this log with the Event Viewer Windows Event Log The options range from None to Maxim
136. s B Cancel Apply In this example a copy of the message is placed in Quarantine and the message is deleted without being delivered to its recipients A notification about the number of recipients is sent to the Administrator You can select this notification from the pull down menu of available notification templates which you can format using the HTML toolbar or by entering appropriate HTML code yourself To define further actions click the Add button For a description of the procedure refer to the description in the AntiVir chapter under Enabling Virus Scanning Example Defining Actions Selecting Servers Job Details To select servers and specify job details proceed as described under Selecting Servers and Entering Job Details 160 AVIRA More Than Security ae 7g Avira AntiVir Exchange 7 Avira AntiVir Exchange 2000 2003 Avira AntiVir Exchange 2007 Avira GmbH Lindauer Str 21 88069 Tettnang Germany Telephone 49 0 7542 500 0 Fax 49 0 7542 525 10 Internet http www avira com Avira GmbH All rights reserved This manual was created with great care However errors in design and contents cannot be exclu ded The reproduction of this publication or parts thereof in any form is prohibited without previous written consent from Avira GmbH Errors and technical subject to change Issued Q3 2009 AntiVir is a registered trademark of the Avira GmbH All other brand and product name
137. s Example The Policy Configuration Job Templates contains various jobs for content filtering with dictionaries Block offensive content Search for obscene and pornographic language Block script commands Search for script commands that could cause damage Block emails containing personal records Search for terms common to resum s CVs Block emails from the Nigeria Connection Search for terms specific to Nigeria e mails We will use the Block offensive content job as an example Drag this job to the Mail Transport Jobs folder and open it with a double click General Settings Under the General tab enter your own name for the job An active enabled job has a checkmark in the job symbol Set the job to Enabled Yes Once you have saved your settings with Apply and closed the job the job is enabled 125 Avira AntiVir Exchange 7 Properties of Block offensive content Hame Job type Antivir Wall Content Filtering Enabled es C No Subject extension Add no subject extension C Anii wall checked Quarantined emails qnore emails resent from quarantine C Check emails resent from quarantine Options P Job is mission critical Write processing log 2 Cancel Apply By default the Subject extension is pre set to AntiVir Wall checked If enabled this text is added to the subject of each mail checked by the job This job does not process mails that are being resent from Quarantine AntiV
138. s are trademarks or registered trademarks of their respective owners Protected trademarks are not marked as such in this manual However this does not mean that they may be used freely
139. s mission critical Write processing log 2 Lancel Apply 157 Avira AntiVir Exchange 7 By default the Subject extension is pre set to AntiVir Wall checked If enabled this text is added to the subject of each mail checked by the job This job does not process mails that are being resent from Quarantine AntiVir Monitor lt select quarantined e mail gt All Tasks Resend quarantine item even if the Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine For further information on sending quarantined mail refer to Sending From Quarantine Setting up Address Conditions Under the Addresses tab specify the senders or recipients to which this job is to apply You can select addresses from existing lists or from your own ones For details on how to make the best use of address lists and details refer to the description under Address Lists Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Specifying the Number of Recipients Under the Number Of Recipients tab enter the maximum number of reci
140. se the Microsoft SCL value to forward the e mails directly to the users junk folder through the Exchange Store see next section If you have a Subject extension defined to display the soam probability value users can set up their own Outlook message rules to deal with the mail Write spam result in Exchange SCL field As of Service Pack 1 for Exchange 2003 and Outlook 2003 Microsoft supplies a soam filter This Intelligent Message Filter IMF determines a spam probability the so called Spam Confidence Level SCL from 1 to 9 The higher the spam probability the larger the SCL An SCL of 0 means that the message is probably not spam 1 is used for unfiltered mail for example internal mail from senders in the same Exchange organization The Exchange SCL value trigger specified actions such as automatically 137 Avira AntiVir Exchange 7 moving message to the user s Outlook junk mail folder In the Exchange System Manager you can centrally define what is to be done with e mails with SCL values above a set threshold You do not have to specify the action on the same system that assigns the SCL As the IMF assigns the e mails SCL value any defined actions can be only be performed on the target system To that end the e mail gateway must also run Exchange 2003 Even if you do not use the IMF you can use this option to define the spam probability value for the spam filtering jobs as SCL result so that they can use Exchange Store
141. sh to modify the time and or the purge period click Edit and enter the selected time 33 Avira AntiVir Exchange 7 Properties of SUPPORT E4 Address Settings Quarantine Access Uuarantine Maintenance Anti h r Wuarantines on this server will be compressed at the Following times At 03 00 Sat Remove Tip If necessary you can also purge quarantines manually To do so right click on the quarantine under AntiVir Monitor Servers server_name Quarantine Areas and select All Tasks Compress Quarantine View a List of All Jobs The AntiVir Jobs tab provides a list of all jobs defined on this server To edit a job on the server select the job properties 3 3 1 5 Address Lists Under Address lists you can create your own address lists to be selected for individual jobs The available addresses are taken from the Active Directory Creating editing or deleting address lists 1 Go to Basic Configuration General Settings 34 Avira AntiVir Exchange 7 2 Click Address lists 3 Right click and select New Address list from the context menu 4 Enter a meaningful name for the address list 5 Click the Select members icon el In the window that opens select the addresses to be added and click Add 6 To add your own addresses to the address list enter them in the input field You can use the asterisk and question mark wildcards It is also possible to enter form
142. spam probability of e mail If you are sufficiently familiar with the characteristics of typical e mails in your business environment both soam and non spam you can also use the Combined Criteria under Advanced Configuration to optimize each criterion for your environment This is especially useful if you had to reduce the relevance of a criterion by a large amount or disable it altogether to prevent false positives This can however result in a reduced effectiveness of the spam filter For further information refer to Advanced Spam Filtering 5 4 4 Spam Filtering Example Under Policy Configuration Mail Transport Jobs you will find a configured Spam Filtering job Double click the Advanced Spam Filtering job to open it This job scans the e mails for special soam features General Settings Under the General tab enter a name for the job An active enabled job has a checkmark in the job symbol Set the job to Enabled Yes Once you have saved your settings with Apply and closed the job the job is enabled 133 Avira AntiVir Exchange 7 Properties of Advanced spam filtering x General Addresses Conditions Actions Server Details Ta T gt gt Hame Job type Antivir Wall Spam Filtering Enabled Yez No Quarantined emails qnore emails resent from quarantine C Check emails resent from quarantine Options Job is mission critical Write processing log B Cancel Apply
143. ss Conditions Under the Addresses tab specify the senders or recipients to which this job is to apply 108 Avira AntiVir Exchange 7 You can select addresses from existing lists or from your own ones For details on how to make the best use of address lists and details refer to the description under Address Lists Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Specifying Message Size Under the Email Size tab enter the e mail size limit in kilobytes Properties of Block emails greater than 100 MB x General Addresses Conditions Email Size Actions Server Details Email size limit ooood KB E Cancel Apply 109 Avira AntiVir Exchange 7 With the setting above the maximum allowed size of each incoming and outgoing e mail is 100 000 kilobytes Defining Actions Under the Actions tab specify the actions to be taken when the job finds an e mail that exceeds the maximum size Properties of Block emails greater than 100 MB ies General Addresses Conditions Email Size Actions Server Detail Schons for email size lmit exceeded Standard Copy to Quarantine Default Quarantine using
144. subject and the message body for denied content The overall threshold value for the job is set to 20 and the first dictionary A specified in the job has a weighting of 20 The second dictionary B specified in this job has a weighting of 1 This means that the specified actions are performed when one word or phrase from the dictionary A or 20 terms from the dictionary B are found The threshold is calculated as follows Every word or phrase in the first word list A has a weighting of 20 If an e mail contains only a single phrase from this list the threshold value is reached and the action is performed Every word or phrase in the second word list B has a weighting of 1 Each word or phrase from this list found is counted and the sum of them multiplied with the weighting The found value is then compared to the threshold value If therefore 21 words from the dictionary B are found in the message these are multiplied by the value 1 21 x 1 21 the sum is compared to the threshold value Since this is 20 the action is executed Tip To handle content in different languages create the appropriate Dictionaries and define one job for each language For languages such as French and Spanish define your own character conversion table For further information on creating your own schemes please contact our Support Defining Actions Under the Actions tab specify the actions to be taken when the job finds an e mail with denied content
145. summary report Whitelist Server VAR Server VAR Short name server on which the whitelist for which a notifications to be generated is located Whitelist Size VAR CollectedSize VAR Size of the whole whitelist Whitelist Subject VAR Subject VAR Subject of the summary report Whitelist Summary part VAR SummaryPart VAR In case more than 3 000 new addresses are to be entered ina whitelist the user receives several whitelist reports The variable returns the number of the summary report 1 for the first 3000 entries 2 for the next 3000 etc Whitelist Send whitelist by web VAR link HTTP_SendWhitelist Whitelist request and notification VAR occur through HTTP Whitelist Send whitelist by mail VAR link MAIL_SendWhitelist Whitelist request and notification VAR occur through an e mail Whitelist Clear whitelist by web VAR link HTTP_ClearWhitelis Delete the whitelist through VAR HTTP Whitelist Clear whitelist by mail VAR link MAIL_ClearWhitelist Delete the whitelist through an VAR e mail 3 3 1 7 Creating a Database Connection to an SQL Server Overview Connection to SQL servers Database connections are used to connect Avira AntiVir Exchange to external databases Thus rather than using the standard local database based on the Microsoft Jet Engine it 46 Avira AntiVir Exchange 7 is also possible to use a Microsoft SQL server which stores Avira AntiVir Exchange data in an
146. t 1 and offset 3 The binary pattern is entered as a hexadecimal number in the lower field The pattern in this example corresponds to the letters BM This is part of the ID of a Windows OS2 bitmap file This is still not a complete pattern 5 To complete the binary pattern for a bitmap file you must add one more entry which looks like this 101 Avira AntiVir Exchange 7 Enter Binary Pattern Ea Binary Pattern Shark postion mo End position Hexadecimal Values OOOUU000 Cancel Here a search is performed for the pattern 00000000 between offsets 7 and 11 Only when both binary patterns have been found in a file does the file match the pattern and can be identified as a bitmap 6 For each additional search pattern click Add Note If you want to identify fingerprint binary patterns that are not included in the supplied list of file patterns please contact the publisher of the software to which the file tyoe applies e g Adobe for Acrobat pdf files or contact our Support Further Fingerprint Examples Example of a simple fingerprint ZIP file Example of a more complex fingerprint Windows Meta File 5 6F72642E446F63756D656E74 DOCF11E0A1B11AE10000 1 1 57006F007200640044006F0063 0075006D0065006E0074 102 Avira AntiVir Exchange 7 4 4 5 Denying File Attachments by Type Example Under Policy Configuration Job Templates you will find various jobs for blocking different f
147. t and its originators use various methods to disguise it as normal mail to avoid its detection by spam filters 129 Avira AntiVir Exchange 7 Any spam filtering job therefore has to take into account that e mails may not be definitely identifiable as soam The spam filtering job works with a range of different criteria for identifying soam These criteria are split into definite and combined criteria Using the definite criteria the job scans mail for unique spam characteristics and classifies them into soam and non spam It then uses the combined criteria to investigate the gray zone and determine a likelihood of the checked message being spam its spam probability The spam probability for the definite criteria is always 0 or 100 while the probability for the combined criteria can range from 1 to 99 You will find a configured Advanced spam filtering job under Policy Configuration Job Templates The job carries out a range of analyses and checks the following elements of each e mail E mail headers Subject E mail text Like in normal content filtering e mails are checked for characteristic soam texts using dictionaries In the gray zone some of the characteristics typical for soam occur more frequently while others suggest that an e mail may not be spam On their own combined criteria only pick up particular characteristics of an e mail that suggest that it may be spam The greater the number of charact
148. ted from the SMTP Advanced Queue by the Grabber 3 The Enterprise Message Handler EMH Avira AntiVir Exchange Service fetches the mail for processing 4 According to the configuration settings the EMH checks whether or not the e mail is to be processed by Avira AntiVir Exchange 5 Messages to be processed are dealt with as specified in the configuration settings jobs by priority 6 When processing is complete the EMH releases the e mail and if applicable modifies the e mail as configured 3 2 User Interface 1 Start Avira AntiVir Exchange 2 Select Basic Configuration Policy Configuration or AntiVir Monitor in the left column The window on the right then shows the corresponding subfolders 19 Avira AntiVir Exchange 7 2 Avira Anti ir Exchange Me x File Action View Help 7 asic lg 3 General Settings El fg General EE FD Antivir Server TA 2 Address lists Rr Folders a E Templates OF Utility Settings fi Database Connections Ey Antivir Server ei Sr Folders E Quarantines 6 Utility Settings pi E Fingerprints E Dictionaries J Antivir Engine E amp Policy Configuration B Information Store Jobs ff Mail Transport Jobs Ry Job Templates ES Antivir Monitor D Servers A SUPPORT2 3 To view the Online Help click on the Help 2 button in the toolbar or select Help from the Action menu 3 2 1 Toolbar Previous O ee Next BE Z l Up one level Properties of the selected item
149. terisk rating in steps of 10 in the header of each scanned message e g X SPAM TAG indicates a spam probability between 0 and 10 X SPAM TAG a probability between 20 and 30 You can define a rule that looks for this string in the Outlook message header and applies actions to message with more than a certain number of asterisks For further information on creating rules in Outlook refer to the Outlook help Address Filtering rs Wall Number of recipients VAR NumberRecipient VAR Number of recipients to which the message is addressed Wall Max number of recipients VAR SetRecipientLimit VAR The maximum number of recipients defined in the job Wall Restricted senders VAR DeniedSender VAR Name of the sender that started an action Wall Restricted recipients VAR DeniedRecipient VAR Name of the recipient that started an action X Block Wall X Block image name VAR XblockAttachment VAR Name of the offensive image If several images are found the one with the highest value is specified Wall X Block image result VAR XblockResult VAR Result value of the offensive image If several images are found the one with the highest value is specified Quarantine summary report Summary Sender VAR From VAR Sender of the summary report Summary Reply to VAR Reply To VAR Address to which replies to the summary report are to be sent NotificationReply To 44 Avira AntiVir Exchange 7 Su
150. terns however can be used to quickly react to new virus attacks As soon as the extension of the file containing a virus is known for example Nimda Virus readme exe a virus infection can be prevented even before a virus pattern update is available from the publisher of your antivirus application A new fingerprint with the filename pattern is simply created to identify the virus You can also block individual files lf your company employs custom software that uses its own file formats you can also create fingerprints for these files which you can use for example to prevent files of this type being sent as e mail attachments to recipients outside the company Sorting and grouping fingerprints You can sort fingerprints and group them into logical categories Fingerprint categories are listed alphabetically 1 Go to Basic Configuration Utility Settings Fingerprints to view all available categories in the right pane 2 Doble click a category to open it The individual fingerprints appear in the right pane 3 You can drag individual fingerprints from the right pane into a different category in the left pane 4 To view the Properties of a fingerprint in the right pane double click or right click the fingerprint Note To copy fingerprints from the All Fingerprints category drag them to the desired category When you drag fingerprints from any of the other categories they are moved To copy from other categories hold t
151. tes you will find a number of jobs for blocking various file formats and sizes Block office files gt 10 MB Microsoft Office files exceeding 10 MB Block sound files gt 5 MB Sound files exceeding 5 MB Block video files gt 5 MB Video files exceeding 5 MB Tip Unlike checking the e mail size checking the format and the size of attachments applies to attachments only Neither the subject nor the message body nor the e mail header are taken into account We will use the Block office files gt 10 MB job as an example Drag this job to the Mail Transport Jobs folder and open it there with a double click General Settings Under the General tab enter a name for the job An active job has a checkmark in the job symbol Set the job to Enabled Yes Once you have saved your settings with Apply and closed the job the job is active 111 Avira AntiVir Exchange 7 Properties of Block office files gt 10 MB General Addresses Conditions Fingerprint Size Actions Server a Mame Block office files gt 10 MB Job type Antivir Attachment Size Filtering Enabled fF Hes i No Subject extension f Add no subject extension C Antivir checked tv Quarantined emails gnore emails resent from quarantine Check emails resent from quarantine Options Job is mission critical Write processing log 2 Cancel Apply By default the Subject extension is pre set to AntiVir checked If enabled th
152. the ConfigData xml file The configuration file can be placed both in a local directory and on a shared network path The Avira AntiVir Exchange configuration used by the AntiVir Exchange Management Console and the Avira AntiVir Exchange Server is specified through an entry in the Registry The path to the configuration file can be entered in the format C or as UNC path Servername Share ConfigData xml If the Avira AntiVir Exchange configuration file specified is not available Avira AntiVir Exchange uses the last known good configuration which is logged in the Windows Events Log The last known good configuration is saved locally for each server and is updated whenever the Avira AntiVir Exchange configuration is changed and access from the Avira AntiVir Exchange configuration file to the last know good configuration is possible Tip To open a non standard configuration with the Management Console you must specify the file with a special parameter Run the Avira msc file with the parameter config and the desired configuration file e g WG NE Oran RI OSN AVi ra Alniest Vaina hae han e Avra musi eon g O Ero l Or Dre a on a Go ec inn You can also specify a UNC path here For detailed instructions for customizing the Avira AntiVir Exchange configuration refer to 1 3 Configuration in AntiVir Exchange Management Console The sequence is as follows 1 An e mail message arrives at the mail server 2 The e mail is intercep
153. the restriction is sent to the Administrator You can select this notification from the list menu of available notification templates which you can format using the HTML toolbar or by entering appropriate HTML code yourself To define further actions click the Add button For a description of the procedure refer to the description in the AntiVir chapter under Enabling Virus Scanning Example Defining Actions Selecting Servers Job Details To select servers and specify job details proceed as described under Selecting Servers and Entering Job Details 115 Avira AntiVir Exchange 7 5 AntiVir Wall 5 1 Overview AntiVir Wall is used to filter e mails or attachments according to their text content check images for offensive contents classify e mails according to their content to restrict inbound or outbound e mail addresses and to limit the number of recipients per e mail Job types Filtering by e mail address Job Type AntiVir Wall Email Address Filtering Filtering by message or attachment content Job Type AntiVir Wall Content Filtering Spam filtering Job Type AntiVir Wall Spam Filtering Checking for offensive images with Xblock Job Type AntiVir Wall Xblock Image Filtering Restricting the number of recipients Job Type AntiVir Wall Recipient Limit Filtering Note Create a separate job for each restriction type Job types cannot be changed later For details on setting up jobs refer to the sample jobs suc
154. the Actions tab specify the actions to be performed when the job finds an attachment with a denied fingerprint 106 Avira AntiVir Exchange 7 Properties of Block video files General Addresses Conditions Fingerprints Actions Server Details 4 chons for denied attachments Standard Capy to Quarantine Default Quarantine using label no label Delete Email f Attachment Add e mail sender recipients ta userlist Add subject extension Forbidden attachment found and removed atthe end Send Administrator forbidden attachment found to Administrator Send Sender forbidden attachment found to All Senders Send Recipient forbidden attachment found to All Recipients B Cancel Apply In this example a copy of the e mail is placed in Quarantine and the infected attachments are deleted The message is delivered to its recipient but the denied attachments are removed A notification about the denied fingerprint is sent to the Administrator You can select this notification from the list menu of available notification templates which you can format using the HTML toolbar or by directly entering appropriate HTML code 2 To define further actions press the Add button 4 4 6 Limiting Message Size Example Under Policy Configuration Job Templates you will find the Block emails greater than 100 MB job Tip The message size limit applies to the e mail as a whole including subject text body header a
155. the Wall job Advanced spam filtering 3 3 2 2 Conditions In each job you can use Conditions to set the requirements as to which mails or documents a job is to be run for To this end several types of rules are defined by default You can set the different parameters for a specific condition according to your requirements Before a job is run the rules for this job are evaluated When all set conditions apply the e mails or documents are handled by the job Rules allow the grabber to carry out job requests depending on the information in the individual documents This enables a very precise selection of documents to be checked 60 Avira AntiVir Exchange 7 4 Advanced Conditions E OO Select conditions For emails a with specific words in the subject a with Following subject command z n marked as importance a with Following Antivir tags and values a with Following headers and values tnie e E A EAA a ea ie ee a with Following headers 0 a with THEF mail body a with HTML mail body EJ FF CI ah ey me EJ EJ a Execute job on messages Fulfilling all of the Following conditions 2 e Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND The value of X headers allows to control e mail processing so that for instance the results can be evaluated by open source tools Moreover with the condition with
156. the day s You want this task to start M Monday M Thursday Tuesday Friday Wednesday Saturday Sunday 2 es 4 3 3 Defining Actions Under the Actions tab specify the actions to be taken if the job finds an infected mail Extra archive scan with AntiVir unpacker Avira AntiVir Exchange s built in unpacker will extract the compressed files before passing them to the virus scanner 87 Avira AntiVir Exchange 7 Properties of Informations Store Scan on SUPPORT ey General Antivir Engine Schedule Actions Details Scan options Estra archive scan with Antivir unpacker Defne action s tor the following Malware found Removing not successful Remove malware M Yes if possible Defne actonfal for the following Removing successtul Defne action s for the following Object unscannable B Lancel Apply Three different actions are possible Virus found Removing not successful Specifies the actions if virus was found and the file could not be cleaned 88 Avira AntiVir Exchange 7 Malware found Removing not successful E Achons for malware found and not removed Standard Jf Copy infected item to Quarantine Information Store Wuarantine using label Virus or unwanted program Information Store scan black object e Add e mail sondertrecipik al replace with mark as not infected of ct FLL i Block object aa Send Administrator v
157. the servers will be impossible Usually port 8008 is used also entered as default port during installation The values specified here apply to all servers 25 Avira AntiVir Exchange 7 Properties of Anti ir Server x General Address Settings Details ANUV Server Communication Fort Boos Expand each archive file to maximum size of KB 307200 Expand nested archive file to the level of F M Create collective notifications Colective Avira notification template ow Select database connection tor Whitelist entries Local database mdb file gt E Cancel Apply In this context also read the description on allocating rights and security settings under 3 3 3 AntiVir Monitor Collective Notification As a general rule each job can be configured so that when a specific event occurs the recipients senders and or administrators are informed of this event Actions tab If several events occur for an e mail the Avira AntiVir Exchange servers are not configured by default to send separate notifications for each event Instead all notifications are combined to a single collective notification i e the recipients receive a single notification mail with a list of all events that have occurred The template used is under Collective Notifications Templates You can change this template or create new templates Note If you prefer to send individual e mail notifications for each eve
158. they are addressed to Marketing or Management Run this job when a message arrives from checks the sender s So does the exception Except where addressed from 38 Avira AntiVir Exchange 7 e And where addressed to checks the recipient s So does the exception Except where addressed to Implementation The address settings in the job should look as follows The specified job action i e blocking files with video attachments is performed for the lt External Senders Recipients gt specified under Run this job when a message arrives from and is not performed for the lt Internal Senders Recipients gt specified under And where addressed to Under Except where addressed to enter the Marketing and Management addresses If you have not already entered these as a group in the Active Directory you can enter them individually All video attachments from external senders to internal recipient will now be blocked unless the recipient is a member of the Marketing department or a corporate manager These are the address settings for the job Properties of Block ideo Files l X General Addresses Conditions Fingerprints Actions Server Details M Handle ever recipient separately SenderHecinent conditions Basic Address Selection Run this job when a message arnives from All Sender Recipients Except where addressed from Mo addresses selected And where addressed to Internal Sender Recipients Except where addressed t
159. tiVir Exchange 7 iz Anti ir Exchange Server 2000 2003 InstallShield Wizard E3 E mail address configuration oe Bn amp Specify the Antivir Exchange administrator e mail address AVIRA Ant Vir Antivir Exchange administrator e mail address Administrator Srdsbs support local The administrator e mail address is required For Antivir Exchange system notifications You can change the Administrator s e mail address later under Basic Configuration antivir Exchange Server For Further information please refer to the manual or online help Installshield Cancel 9 If you are using a proxy server for updates you can make the settings in the next window Passwords are stored in clear text lt Back All of the settings can later be changed in the configuration files of AntiVir 10 A summary of your settings is now displayed i Anti ir Exchange Server 2000 2003 InstallShield Wizard Ready to Install the Program R The wizard is ready to begin installation AVIRA Ant Vir Click Install to begin the installation TF you want to review or change any of your installation settings click Back Click Cancel to exit the wizard ATTENTION Antivir Exchange system verification involve an Eicar Test virus Please ensure that the real time or on access scanning Functions of eventually installed virus scanners are disabled For the directory C Programme4yviraantivir Exchange antivirDakay
160. tine AntiVir Monitor lt select quarantine item gt All Tasks Resend quarantine item even if the Resubmit the email to all AntiVir jobs has been enabled The Ignore emails resent from quarantine option means that this job is systematically skipped when a mail is resent from Quarantine Setting up Address Conditions 1 Under the Addresses tab specify the senders or recipients to which this job is to apply You can select addresses from existing lists or define others 2 Click on the Save button Save the configuration of the AntiVir Exchange Management Console each time 104 Avira AntiVir Exchange 7 you have modified the settings The configuration is saved in the ConfigData xml file located in the Avira AntiVir Exchange Config folder Pending changes are indicated by an asterisk next to the top node Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Selecting Fingerprints 1 Under the Fingerprints tab select the denied fingerprints Properties of Block video files es General Addresses Conditions Fingerprints Actions Server Details Scan option I Scan inside compressed attachments Fingerprint conditions Fingerprint Selection When the message
161. tion under Address Lists Setting up Content Conditions Under the Conditions tab you can set the requirements as to which mails or documents a job is to be run for For the use and settings of conditions refer to Conditions Note The content conditions and the address conditions set in the Addresses tab must simultaneously come true for a job to be run logical AND Defining Actions Under the Actions tab specify the actions to be taken when the job finds a virus infected message 80 Avira AntiVir Exchange 7 Properties of Scanning with Anti ir Engine General Addresses Conditions Antivir Engine Action Server 4 r Scan options v Extra archive scan with Antivir unpacker jf Scan email body Defne achonls for the following Malware found Remove malware ves if possible Defne achonls for the following Malware removed E A This job scans e mails for viruses but does not attempt to clean infected e mails and attachments Although the virus scanner is capable of cleaning infected objects it is advisable to quarantine infected attachments immediately as in practice viruses are usually received in spam and rarely by accident from known communication partners Note As the job is to perform a virus scan only you need to configure the scan engine accordingly Under Basic Configuration Utility Settings AntiVir Engine select the engine and disable the Different clean par
162. to account the privacy aspects and the required space in the database Note The size of a Quarantine is limited to 1 GB 6 The Include processing logs field can be used to log the processing of quarantined e mails e g to trace back the reasons for quarantining a mail You can call the corresponding e mail in the AntiVir Monitor and view the Processing Log including all details Quarantine is mission critical If enabled any Quarantine errors are signaled to the job after which the job is stopped and the job troubleshooting routine is started The action performed with the e mail ignore job or move to badmail directory depends on the Mission Critical setting in the job For additional information on the mission critical jobs refer to This job is mission critical Example An anti virus job detects a virus in an incoming e mail According to the job configuration the e mail is to be moved to the default Quarantine and not to be delivered to the recipient Due to a Quarantine error however the e mail cannot be quarantined The following settings for the job and the Quarantine are conceivable a Both Quarantine and job are NOT mission critical The Quarantine error will be ignored The mail cannot be quarantined but it is not delivered either b The Quarantine is NOT mission critical the job IS mission critical Result the same as above c The Quarantine IS mission critical the job is NOT mission critical The job
163. ts and that the mail is sent through the server on which Avira AntiVir Exchange and the applicable quarantines are installed We recommend that you set up the mailbox on the same server The message content is read out thereby triggering the action requested by the user Avira AntiVir Exchange recognizes request messages through 1 the e mail address specified in the Mailbox field 2 the keyword for a user request in the message User Request Finally the request message is placed in the specified mailbox To delete request messages once they have been processed check the Delete request mails after processing option Allow users to request quarantined items by HTTP Quarantine queries are started by an HTTP request When the user clicks the required action the default Web browser opens The user is notified that the inquiry is being processed The precondition for this inquiry is a free port The default port is 8009 Attention The browser always displays the same feedback message OK_Response html inthe Avira AntiVir Exchange AppData directory If the requested message no longer exists for example because it has been deleted from the Quarantine the user is not notified Quarantine Maintenance Use this tab to specify the time at which the Quarantine on the servers is to be purged This deletes all messages marked for deletion to make space for newer messages The default setting is each Saturday at 03 00 a m If you wi
164. uarantine folder structure which contains all Quarantine folders PE L a i An individual Quarantine folder to be configured under Properties The Fingerprints folder A logically linked fingerprint group An individual fingerprint to be configured under Properties The folder for the Dictionaries used for content filtering An individual dictionary to be configured under Properties The AntiVir scan engine to be configured under Properties Policy Configuration for configuring individual jobs according to the company policy Folder for Job Templates includes sample jobs for each job type The template of an AntiVir job or AntiVir Wall job to be configured under Properties An active job to be configured under Properties An inactive job to be configured under Properties The AntiVir Monitor for viewing all Quarantine Areas on each available server The Quarantine Areas contain the copies of original messages including attachments on The Quarantine Areas folder viewing the original messages Detailed information is available for each e mail A single quarantined object An invalid quarantined object Treenea of Quarantine matenan wo Individual AntiVir report 3 3 Configuration in AntiVir Exchange Management Console The AntiVir Exchange Management Console window consists of three sections Basic ll El 22 Avira AntiVir Exchange 7 Configuration Policy Configuration a
165. um 4 Set the number of days the mails are to remain in the BADMAIL Quarantine When this period expires the mails are automatically deleted 5 Set the number of days after which a job processing log in the Log folder is to be deleted Tip To be able to access a newly created server in the AntiVir Monitor refresh the 30 Avira AntiVir Exchange 7 view in the Monitor right click on AntiVir Monitor Refresh or click on the Refresh icon in the toolbar Individual E mail Addresses for an AntiVir Server Both the user defined and default installation settings in the Properties for all Avira AntiVir Exchange Servers are copied to each individual server These are the AntiVir Servers default settings To specify different settings for a specific server enable the Customize address settings option and enter the new addresses in the appropriate fields Properties of SUPPORT ee General Address Settings Quarantine Access Quarantine Maintena 4 gt Customize address settings Administratora Administrators drdsbs support local Fa Notification sender Antivir rdsbs support local Reply address Administratotsrdsbs support local fel cancel __ User specific Access to Quarantine With Avira AntiVir Exchange users can access their quarantined messages themselves For each Quarantine you can specify individual access rules for messages and users 31 Avira AntiVir Exchange 7 T
166. which must be set for every summary report The entries recorded in the list are specified under Folders Quarantines Properties Summary Reports Add Summary fields The variable Summary Sender under Templates refers to the sender of the summary report the same sender as for all Avira AntiVir Exchange notifications to be defined under AntiVir Servers Settings The Sender checkbox in the Fields tab for a Quarantine specifies that the sender of the quarantined message will be shown in the list 53 Avira AntiVir Exchange 7 Summary reports are especially useful for spam quarantines and the recipients of spam Users will normally receive a list of all new soam messages that were addressed to them and have been placed in a particular Soam Quarantine Set up reporting for this scenario as follows i Open Basic Configuration Folders Quarantines a In the right window section double click the soam Quarantine Spam Middle to open it Properties of Spam Middle General SUMMA Reports Jobs Details ST PC Mame Folder Name Spam_Middle Database connection Local database mdb file a Delete mails after 2 days Size of body excerpts 206 bytes Options W Include processing logs Quarantine is mission critical 2 care a _ 2 Select the Summary Reports tab 4 Click Add Select the General tab and enter a Name for the summary report 54 Avira AntiVir Exchange 7 Properties of New Quaranti
167. xample to the dictionaries used by the criterion to check the e mails Below the minimum value this criterion is not used in the overall weighting of e mail When the maximum score is reached or exceeded this criterion considers the e mail as spam Attention This classification as spam only applies to this one criterion whose maximum value was reached while analyzing an mail As this analysis uses combined criteria however the other criteria can yield different results overruling the criterion whose maximum value was reached Also refer to the example below Combined Criteria Example 145 Avira AntiVir Exchange 7 Properties of Advanced spam filtering E Spam Classification Spam Header Spam Subject Spam Body alel Combined Body Criteria Recipient address in body Relevance of this criteria M Junk sequence in body Relevance of this criteria Very high Check outside HTML body Typically used characters San Rarely used characters ean Blank line threshold Te M Emails containing these phrases Select dictionaries Anti spam Frequently Used Spam Phr Anti spam Attracting Words Anti spam Offers Anti spam Pharmacy Offers Relevance of this criteria ve ry high hime Hheochold i x B Cancel Apply In the combined criterion Emails containing these phrases under the Spam Body tab you are using the Anti spam Frequently Used Spam Phrases dictionary to check the e mail bo
168. y is always 0 or 100 and therefore falls into the probability range None or High for which the corresponding actions are performed Note Of course these criteria do not affect the execution of the remaining enabled jobs such as attachment checking by AntiVir Thus if you have enabled the definite No spam criterion E mails with attachments and set the threshold value Minimum number to 2 this means only that the Spam Filtering job immediately places these e mails into the None spam probability range and not that a AntiVir job will let those two attachments pass into your network unchecked Note Normally you do not have to adapt the combined criteria If your soam detection rate is unsatisfactory try optimizing the definite spam criteria see below for exclusion criteria 5 4 1 Definite No Spam Criteria You can define the following exclusion criteria in the job E mails from these trusted senders Whitelist Whitelist addresses of all known senders that are always allowed and that are known not to send spam This normally includes all regular communication partners as well as the domains of your customers and suppliers Keeping this list up to date and comprehensive ensures that your system resources will not be burdened with unnecessary checking E mails from Active Directory users All of the users and contacts included in the Active Directory are regarded as trustworthy E mails from User Whitelist entries The senders
169. ypted objects which cannot be opened for scanning 90 Avira AntiVir Exchange 7 Object unscannable Ed Achons for unecannable objects Standard z Information Store scan mark as not infected l l Add e mail sender recipil abort scanning i mark as not infected HMutatututatiatavaTatatefafstatatatatarstatatatatatatatatafatatatetatatatatatatatatatatstatatatatetatalatatatatatatataletatatstatatatatetata 7 M Send Administrator unsi ina ation Store to Administrator xl Add B Cancel Apply Two options are available In the Information Store scan field select one of two settings a abort scanning The object will be rescanned with the next scan If previous scans have not treated the object as uninfected access is denied o mark as not infected The object is treated as if it were virus free It is not rescanned before virus scanning is restarted You can also notify the administrator and add further actions by clicking on the Add button 4 3 4 Job Details Refer to Entering Job Details 4 3 5 Server Status Under AntiVir Monitor Servers lt servername gt Server Status you can see the current status of the Information Store scan and the option for a manual restart 91 Avira AntiVir Exchange 7 The General tab shows information about Server Configuration License and IS Information Store Scan Properties E3 General acan engine Test Information Store Scan Exchange
Download Pdf Manuals
Related Search