GFI MailSecurity, 100-249, 2 Year SMA
Contents
1. [Screenshot 134: Schedule activity monitor]
   The activity monitor displays the following events:
   • Information: The scheduled report was successfully generated.
   • Warning: The scheduled report was not generated since the product license is invalid or has expired.
   • Error: The scheduled report was not generated due to some error. Typical errors include:
      • Errors when attempting to save the generated report to a specific location on disk, for example, out of disk space.
      • Errors when attempting to send the generated report by email, for example, the SMTP server configured in the GFI ReportCenter settings is not reachable.
   The activity monitor records and displays the following information:
   • Date: The date and time when the scheduled report was executed.
   • Product name: The name of the GFI product ReportPack to which the report belongs.
   • Type: The event classification: error, information or warning.
   • Description: Information related to the state of a scheduled report that has been executed. The format and contents of the activity description vary depending on the event type.
   NOTE: The description is often the most useful piece of information, indicating what happened during the execution of a scheduled report or the significance of the event.
   Enable/disable a scheduled report
   Scheduled reports can be enabled or disabled as required. To disable a scheduled report, follow these steps:
   1. Click on the Scheduled R
2. What is a Trojan horse
   Difference between Trojans and viruses
   How does the Trojan & Executable Scanner work
   Configuring the Trojan & Executable Scanner
   Configuring the security level
   Configuring actions
   Trojan & Executable Scanner updates
   Triggering the Trojan & Executable Scanner update manually
   The Email Exploit Engine
   Introduction to e-mail exploits
   What's an exploit
   What is an e-mail exploit
   Difference between Anti-Virus software & Email Exploit Detection software
   Configuring the Email Exploit Engine
   Enable/Disable email exploits
3. [Screenshot 121: Custom Report Wizard]
   3. Click Next to continue.
   4. In the Name and Description page, provide a descriptive report name and description in the Report Name and Report Description boxes, and then click Next to continue.
   (Page footer: GFI MailSecurity for Exchange SMTP, GFI MailSecurity ReportPack: Custom reports, 153)
   [Screenshot 122: Report name and description for a custom report]
   5. In the Date Filters page, you need to specify what period of data you want to include in the custom report. You can either specify a fixed date range, so that the report always includes the same data, or else you can specify a variable date range, for example, for the last 6 months. When you select a variable date range, the data included in the custom report will vary depending on when the report is generated. Click Next to continue.
4. [Screenshot 119: Viewing a generated report]
   Use the toolbar at the top of the report viewing pane to access common report related function
5. 3. You will be prompted to specify a user name and password to authenticate and determine whether you have access to the page requested. If the account specified has access, the GFI MailSecurity configuration or quarantine store is displayed.
   [Screenshot: GFI MailSecurity Configuration and Quarantine Management console]
6. 9. During the installation, you are prompted that the setup needs to restart the SMTP services. Click Yes to restart these services and finalize the installation.
   NOTE: If you are installing on a Microsoft Exchange Server 2007 machine, you will not be prompted to restart the SMTP service.
   10. When the installation completes, click Finish to close the installation wizard.
   NOTE 1: If you are installing on a Microsoft Exchange Server 2007 machine, the installation will launch the GFI MailSecurity Post-Installation Wizard. Refer to the following section for information on how to use this wizard.
   NOTE 2: If you are upgrading from a previous version (version 9 onwards) of GFI MailSecurity, you might be prompted to upgrade your quarantine database to a new Firebird database format. For more information, refer to the Quarantine Upgrade tool section in this manual.
   GFI MailSecurity Post-Installation Wizard
   NOTE: This section applies only when installing GFI MailSecurity on a Microsoft Exchange Server 2007 machine.
   IMPORTANT: You need to complete this wizard for GFI MailSecurity to work with Microsoft Exchange Server 2007.
   The GFI MailSecurity installation wizard launches the GFI MailSecurity Post-Installation Wizard when you click Finish. The GFI MailSecurity Post-Installation Wizard registers GFI Mai
7. Add default report to favorites list
   You can group and access frequently used reports through the Favorite Reports panel button. To add a default report to the list of favorite reports:
   1. Click on the Default Reports panel button to bring up the list of available reports.
   2. Right-click on the default report that you want to add to the favorites list, and then click Add to Favorites List.
   GFI MailSecurity ReportPack: Custom reports
   Introduction
   With GFI ReportCenter you can create custom reports that fit specific date ranges, based on the default report templates included in the GFI MailSecurity 10.0 ReportPack.
   Creating a new custom report
   To create a custom report:
   1. Click on the Default Reports panel button to bring up the list of default reports available.
   2. Right-click on the default report you want to base the custom report on, and then click Custom Report to display the Custom Report Wizard.
   [Screenshot: Custom Report Wizard, welcome page]
8. [Screenshot 115: Email settings page]
   8. Specify the default email settings that you want GFI ReportCenter to use when sending reports by email. When you generate a report, or while configuring a scheduled report, you can either use these default settings or else specify different settings for that specific report only. To check the email settings specified, you can click Verify Mail Settings. The installation wizard will send a test email to the address in the To box using the SMTP server specified.
   NOTE: After the installation is complete, you can change the email settings used by GFI ReportCenter at any time from the Options panel.
   Click Next to continue.
   9. Specify the product installation path or click Next to leave as default. The installation needs approximately 100 MB of free disk space.
   10. The installation wizard is now ready to copy the required files and finalize the installation. To proceed, click Install.
   11. When all the files are copied, the installation wizard displays the finish page. Click Finish to close the installation wizard and complete the installation.
   Launching GFI MailSecurity 10.0 ReportPack for GFI ReportCenter
   Following the installation, you can launch the GFI MailSecurity 10.0 ReportPack for GFI ReportCenter from Start > Programs > G
9. • All except this list: Select this option if you want to apply this rule to all email users, groups or public folders NOT present in the list.
   12. To add email users, user groups and/or public folders to the list, click Add.
   [Screenshot 58: Add users to an attachment checking rule]
   13. In the add users window, specify the name of the email user, user group or public folder that you wish to add to the list.
   14. Click Check Names to query the Active Directory or the imported list of SMTP addresses (depending on how you installed GFI MailSecurity) to check if the specified entry exists. Any user, group or public folder that matches will be listed below.
   NOTE: You do not need to input the full name of the user, user group or public folder. It is enough to enter at least three characters. GFI MailSecurity will list all the names that contain the specified characters. For example, if you input "ott", GFI MailSecurity will return names like Scott Adams and Freeman Prescott, if they are available.
   15. Select the check box at the start of the listed name(s) to indicate the ones that you wish to add to the list, and click OK.
   NOT
10. There are two types of notifications:
   • Administrative notifications: GFI MailSecurity sends these notifications, for example, when a license is going to expire, when a new patch is available and when new anti-virus engine updates are available.
   • End-user notifications: GFI MailSecurity sends these notifications to the sender/recipient of an email when an email gets quarantined or modified.
   The notification email message is generated from templates stored in sub-folders in the ContentSecurity\MailSecurity\Templates folder. Each template sub-folder can contain an HTML body template (html.txt), a text body template (text.txt) and a subject template (subject.txt).
   NOTE: The template folder names and template file names are predefined and therefore you cannot change them.
   The templates contain the text of the notification message as well as field names that are replaced by dynamic values upon generation of the notification message. There are two types of template:
   • Tag-based templates: These templates use tags in the form TAGNAME to indicate fields which need to be replaced with dynamic data.
   • XSL-based templates: These templates are an XSL style sheet and are used in conjunction with dynamically created XML data to generate the notification message.
   NOTE: Always take a backup of the template you are going to modify. In this way you can always recover from the backup template if your modified template
11. Securing access to the GFI MailSecurity configuration/quarantine
   Adding local host to the trusted sites list
   Securing access to the GFI MailSecurity Quarantine RSS feeds
   Accessing the GFI MailSecurity Configuration and Quarantine Store
   Accessing the configuration from the GFI MailSecurity machine
   Accessing the configuration from a remote machine
   Entering your license key after installation
   Upgrading from GFI MailSecurity 8 to GFI MailSecurity 10.0
   Upgrading from GFI MailSecurity 9 to GFI MailSecurity 10
   Quarantine Upgrade tool
   Using the quarantine upgrade tool
   General settings
   Introduction to settings
   Define the administrator's email address
   Configuring proxy server settings for automatic updates
   Adding Local Domains
12. <table border="1">
   <tr><td>Subject</td><td><B><xsl:value-of select="itemsubject"/></B></td></tr>
   <tr><td>Sender</td><td><B><xsl:value-of select="itemsenderemailaddress"/></B></td></tr>
   <tr><td colspan="2" align="center">Recipients</td></tr>
   <xsl:for-each select="itemrecipients/recipient">
   <tr><td colspan="2"><B><xsl:value-of select="."/></B></td></tr>
   </xsl:for-each>
   </table>
   <P/>Regards<BR/>GFI ContentSecurity
   </BODY>
   </HTML>
   </xsl:template>
   </xsl:stylesheet>
   Setting Virus Scanning API Performance Monitor Counters
   When you install GFI MailSecurity on the Microsoft Exchange machine directly, you can use the Performance Monitor MMC to keep an eye on Virus Scanning API performance through the performance monitor counters made available by Microsoft Exchange.
   NOTE: The VSAPI performance monitor counters are only available on a Microsoft Exchange Server 2007 machine with the Mailbox Server Role installed.
   To add and view the performance monitor counters listed below, follow these steps:
   1. Click on Start > Control Panel.
   2. In the Control Panel window, double-click Administrative Tools.
   3. In the
13. [Screenshot 7: The Microsoft Internet mail connector]
   2. Click the Connections tab and, in the Message Delivery area, click Forward all messages to host. Type the computer name or IP of the machine running GFI MailSecurity.
   3. Click OK and restart the Microsoft Exchange Server from the services applet.
   If you have Microsoft Exchange Server 2000/2003
   You will need to set up an SMTP connection that forwards all email to GFI MailSecurity.
   1. Start the Exchange System Manager.
   2. Right-click the Connectors Node, click New > SMTP Connector, and then specify the co
14. Control Panel. Double-click Administrative Tools and then double-click Internet Information Services.
   2. Expand the server name node, right-click the Default SMTP Virtual Server node, and then click Properties.
   [Screenshot 2: Assign an IP address to the mail relay server]
   3. Assign an IP address to the SMTP relay server from the IP address list and then click OK.
   Step 3: Configure the SMTP service to relay mail to your mail server
   Now you must configure the SMTP service to relay inbound messages to your mail server. Start by creating a local domain in IIS to route mail:
   1. On the taskbar, click Start > Settings > Control Panel. Double-click Administrative Tools and then double-click Internet Information Services.
   2. Expand the server name node, then expand the Default SMTP Virtual Server, and then click Domains. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.
   3. Configure the domain for inbound message relaying as follows:
   a. Right-click the Domains node and then click New > Domain.
   [Screenshot: New SMTP Domain Wizard]
15. [Screenshot 70: Configuring recursive archives options]
   This filter allows you to quarantine or delete emails that contain recursive archives. Recursive archives, also known as nested archives, are archives that contain other (multiple) levels of sub-archives, i.e. archives within archives. A high number of archive levels can indicate a malicious archive. Recursive archives can be used in a DoS (Denial of Service) attack, since most content scanning and anti-virus packages crash while attempting to scan nested archive levels.
   To configure this filter:
   1. Click the GFI MailSecurity > Decompression node.
   2. From the list of available filters in the right window, click on Check for recursive archives.
   3. Select the Check for recursive archives check box to enable this filter and specify the maximum number of nested archives permitted.
   IMPORTANT: If you disable the Check for recursive archives rule, GFI MailSecurity will not scan or quarantine recursive archives, thus bypassing the anti-virus checking.
   4. Decide on what to do with emails containing nested archives that exceed the specified limit by selecting one of the following options:
   • Quarantine: Select this option to quarantine the emails that contain recursive archives. The administrator can later review these quarantined emails and approve or delete them accordingly.
   • Automatically Delete: Select this option to delete emails
16. GFI MailSecurity for Exchange/SMTP 10 Manual
   By GFI Software Ltd.
   http://www.gfi.com
   Email: info@gfi.com
   Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI Software Ltd.
   GFI MailSecurity is copyright of GFI SOFTWARE Ltd. 2000-2008 GFI Software Ltd. All rights reserved.
   GFI MailSecurity is a registered trademark, and GFI Software Ltd. and the GFI logo are trademarks of GFI Software Ltd. in Europe, the United States and other countries.
   Version 10.0. Last updated: March 02, 2009
   Contents
   About GFI MailSecurity
   Introduction to GFI MailSecurity
   Key features of GFI MailSecurity
   Virus checking using multiple virus engines
   Email attachment checking/filtering
   Trojan and Executable Scanner
   HTML Sanitizer
   Decompression filter
17. Scheduling a report section earlier in the manual.
   3. Configure the default folder options as outlined in point 6 of the Scheduling a report section earlier in the manual.
   4. Click OK to save the new settings and close the Default Scheduling Settings dialog box.
   Reports can be exported to disk or attached to an email in any one of the following file formats:
   • Adobe Acrobat (PDF): Use this format to allow distribution of a report on different systems, such as Macintosh and Linux, while preserving the layout.
   • Microsoft Excel (XLS): Use this format if you want to process the report further in Microsoft Excel.
   • Microsoft Word (DOC): Use this format if you want to access this report using Microsoft Word.
   • Rich Text Format (RTF): Use this format to save the report in a format that consumes less disk space and which allows accessibility through different word processors in different operating systems.
   [Screenshot: Default Scheduling Settings dialog, Email Options tab]
18. [Screenshot 28: License key information]
   When you obtain the 30-day evaluation key or the purchased licensed key, you can enter your license key in the GFI MailSecurity > Licensing node without having to re-install the product.
   Entering the license key should not be confused with the process of registering your company details on our website. This is important since it allows us to give you support and notify you of important product news. Register at http://www.gfi.com/pages/regfrm.htm
   Upgrading from GFI MailSecurity 8 to GFI MailSecurity 10
   Due to fundamental architectural changes between GFI MailSecurity 10 and GFI MailSecurity 8, it is not possible to install GFI MailSecurity 10 on top of an existing installation of GFI MailSecurity 8. This section therefore shows you how to:
   • Replace your current GFI MailSecurity 8 installation with GFI MailSecurity 10.
   • Convert and import the GFI MailSecurity 8 configuration settings to GFI MailSecurity 10's new configuration database format.
   NOTE: If GFI MailSecurity 8 was installed in SMTP mode and GFI MailSecurity 10 is installed in Active Directory mode, you will not be able to convert and import the settings due to user-based rules. This also applies if GFI MailSecurity 8 was installed in Active Directory mode and GFI MailSecurity 10 is installed in SMTP mode.
   To upgrade from GFI MailSecurity 8 to G
19. The total number of top-level messages that are cleaned by the virus scanner.
   • Virus Scan Messages Cleaned/sec: The rate at which top-level messages are cleaned by the virus scanner.
   • Virus Scan Messages Quarantined: The total number of top-level messages that are put into quarantine by the virus scanner.
   • Virus Scan Messages Quarantined/sec: The rate at which top-level messages are put into quarantine by the virus scanner.
   • Virus Scan Files Scanned: The total number of separate files that are processed by the virus scanner.
   • Virus Scan Files Scanned/sec: The rate at which separate files are processed by the virus scanner.
   • Virus Scan Files Cleaned: The total number of separate files that are cleaned by the virus scanner.
   • Virus Scan Files Cleaned/sec: The rate at which separate files are cleaned by the virus scanner.
   • Virus Scan Files Quarantined: The total number of separate files that are put into quarantine by the virus scanner.
   • Virus Scan Files Quarantined/sec: The rate at which separate files are put into quarantine by the virus scanner.
   • Virus Scan Bytes Scanned: The total number of bytes in all of the files that are processed by the virus scanner.
   • Virus Scan Queue Length: The current number of outstanding requests that are queued for virus scanning.
   • Virus Scan Folders Scanned in Background: The total number of folders that are processed by background scanning.
   • Virus Scan Messages Scanne
20. 1. Click on the Default Reports panel button to bring up the list of available reports.
   2. Expand the Executive Reports node and right-click on the Monthly email traffic report.
   3. Click Run for last 12 Months.
   [Screenshot 118: Report generation progress]
   Viewing the generated report
   GFI ReportCenter displays the generated reports in the report viewing pane on the right-hand side of the screen
21. [Screenshot 124: GFI ReportCenter listing the new custom report]
   Generate a custom report
   To generate a custom report:
   1. Click on the Custom Reports panel button to bring up the list of custom reports available.
   2. Right-click on the custom report you want to generate, and then click Run.
   [Screenshot 125: Run a custom report]
   Editing a custom report
   To edit the configuration settings of a custom report:
   1. Click on the Custom Reports panel button to bring up the list of custom reports available.
   2. Right-click on the custom report you want to modify, and then click Edit. This will bring up the Custom Report Wizard, through which you can make the required changes. For more information on how to use the Custom Report Wizard, refer to the Creating a new custom report section earlier in this chapter.
   Deleting a custom report
   To delete a custom report:
   1. C
22. Range and then specify a start date in the Day from box and an end date in the Day to box.
   Specify time: In addition to the date, you can also specify the time or time range of the emails you want to include in this folder. To specify the time, select the time check box and input a time value in the relevant box.
   Specify time range: To specify a time range for a particular day, click Date Range and specify the same date value in both the Day boxes. Subsequently, specify the required start time in the Time from box and the end time in the Time to box.
   7. Click Save folder to create the search folder.
   [Screenshot: GFI MailSecurity Quarantine page showing Quick Search and current search folders]
23. Trojan and Executable Scanner Updates tab.
   Triggering the Trojan & Executable Scanner update manually
   To check/download updates for the Trojan & Executable Scanner immediately, click Download updates.
   The Email Exploit Engine
   Introduction to e-mail exploits
   What is an exploit
   An exploit uses known vulnerabilities in applications or operating systems to compromise the security of a system, for example, execute a program or command, or install a backdoor. It exploits a feature of a program or the operating system for its own use.
   What is an e-mail exploit
   An email exploit is an exploit launched via email. An email exploit is essentially an exploit that can be embedded in an email and executed on the recipient's machine, either once the user opens or receives the email. This allows the hacker to bypass firewalls and anti-virus products.
   Difference between Anti-Virus software & Email Exploit Detection software
   Anti-virus software is designed to detect malicious code. It does not necessarily analyze the method used to execute the code. The Email Exploit Detection Engine analyses emails for exploits, i.e. it scans for methods to execute a program or command on the user's system. The Email Exploit Engine does not check whether the program is malicious or not. Rather, it assumes a security risk if an email is using an exploit in order to
24. [Screenshot 3: SMTP Domain Wizard, Selecting domain type]
   b. Select Remote and then click Next.
   c. Type the domain name in the Name box and then click Finish.
   IMPORTANT NOTE ABOUT LOCAL DOMAINS
   NOTE: Upon installation, GFI MailSecurity will import Local Domains from the IIS SMTP service. If you add additional Local Domains in IIS SMTP service, you must also add these domains to GFI MailSecurity because this does not detect newly added Local Domains automatically. You can add more new Local Domains using the GFI MailSecurity configuration. For more information, refer to the Adding local domains section in the General Settings chapter of this manual.
   Configure the domain to relay email to your mail server
   1. Right-click the domain you just created and then click Properties. Select the Allow the Incoming Mail to be relayed to this domain check box.
   2. In the Route domain dialog box, click Forward all email to smart host and type the IP address, in square brackets, of the server which will handle the emails addressed to this new domain. For example: [123.123.123.123]
   NOTE: The square brackets are used to differentiate an IP address from a hostname, which does not require square brackets, i.e. the server detects an IP address from the square brackets.
   3. Click OK.
   [Screenshot: Domain Properties dialog]
25. to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL DANIEL VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of Daniel Veillard shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from him. Advanced topics. Customizing the notification templates: GFI MailSecurity sends notification emails to the administrator/user whenever an event that needs attention occurs
26. Actions UsersiF olders k Configure content checking options for checking the content of the message body and attachments M Block emails if contentis found matching these conditions message body attachments Condition entry Edit condition AND NOT OR NOT Add Condition Update Conditions list All these conditions are validated as a single condition using the OR operator for each entry Clicking on an entry will copy the condition text in the condition entry above for editing Current conditions confidential information AND top secret blueprints Remove IV Match whole words only Vv Apply above conditions to attachments Attachment filtering Check all attachments having file extensions in this list Check all except attachments having file extensions in this list File extension entry eg txt eg jpg a File extensions html htm Screenshot 62 Content Checking Body Tab 9 To match keywords in the conditions list only against whole words select the Match whole words only check box 10 If you want the Content Checking rule to scan email attachments for the conditions specified in the previous steps select the Apply above conditions to attachments check box 11 You then need to specify which filename extensions to scan To add a filename extension type it in the File extension entry box and then click Add If you want to scan only the filename extensions you speci
27. Alternatively, you can use Quick Search to look for the emails that you want to delete. NOTE: You can delete an email that was quarantined today from the Today node, the This Week node, the All Emails node, as well as from any Search Folder that contains the email. The difference between the mentioned nodes is the number of emails present within each. 2. Select the check box of the email(s) you want to delete and click Delete items. NOTE 1: If you want to delete all the listed emails, you do not need to select all the check boxes individually. Just click Delete all. NOTE 2: To refresh the information, click Update. NOTE 3: If an email matches more than one search folder, the administrator does not need to delete the same email from each search folder. If you delete an email from a search folder, GFI MailSecurity removes it from the Quarantine Store, so it is no longer listed in any of the other search folders. Rescanning emails from the Quarantine Store: The Quarantine Store allows you to submit quarantined emails for rescanning. This option is provided mostly to cater for virus outbreak scenarios. For example, an email is quarantined on Monday because it infringed a Content Checking rule. The same email also contained a newly released virus. However, since the virus signatures had not yet been updated when it passed through GFI MailSecurity, it did not infringe any virus scanning
28. File Extension High alert 24 04 2006 13 11 23 Enabled Email Exploit Engine 8 Iframe within an HTML email Suspicious 01 09 2005 14 03 08 Enabled spim 2 HTML Sanitizer 4 Patch Checking hi Reporting f Realtime Monitor 4 Quarantine Options Quarantine RSS Feeds Quarantine A malformed File Extension High alert 15 02 2002 00 00 00 Enabled A Java Activex Component Exploit High alert 31 08 2005 07 25 26 Enabled A mime header vulnerability High alert 28 04 2006 12 56 39 Enabled d ASX buffer overflow High alert 31 08 2005 07 26 10 Enabled A Document Open method Exploits Possible intrusion attempt 28 04 2006 12 09 12 Enabled A popup object exploit High alert 28 04 2006 12 05 43 Enabled 100 0000000 2 oo VO Uwe ON BD object CODEBASE file execution High alert 28 04 2006 13 57 28 Enabled m J O Trusted sites i Screenshot 78 Email Exploit list Configuring the Email Exploit Engine properties To configure the Email Exploit Engine properties 1 Click the GFI MailSecurity gt Email Exploit Engine node 2 From the General tab select whether you want to check inbound and or outbound emails for email exploits by selecting the Check inbound emails check box and Check outbound emails check box accordingly GFI MailSecurity o Settings Cancel Version Information Licensing General Actions Updates Information Store Protection Content Checking ax Email Exploit Engine EF Attac
29. Installing GFI MailSecurity on a mail relay server. Figure 2: Installing GFI MailSecurity on a mail gateway/relay server (diagram labels: Internet, GFI MailSecurity, Microsoft Exchange Server). When installing on a separate server, i.e. on a server which is not your mail server, you must first configure that machine to act as a gateway (also known as Smart host or Mail relay server) for all your email. This means that all inbound email must pass through this machine for scanning before being relayed to the mail server for distribution, i.e. it must be the first to receive all emails destined for your mail server. The same applies for outbound emails: the mail server must relay all outgoing emails to the gateway machine for scanning before they are conveyed to the external recipients via the Internet, i.e. it must be the last stop for emails destined for the Internet. In this way, GFI MailSecurity checks all your inbound and outbound mail before it is delivered to the recipients. NOTE 1: You must install GFI MailSecurity in SMTP Gateway mode if you are running Lotus Notes or another SMTP/POP3 server. NOTE 2: If you are running a Windows NT network, the machine running GFI MailSecurity can be separate from your Windows NT network. GFI MailSecurity does not require Active Directory when installed in SMTP mode. Installing GFI MailSecurity in fro
30. GFI MailSecurity is being installed must be part of the Active Directory domain e No I do not have Active Directory or my network does not have access to Active Directory DMZ Select this option to continue installing GFI MailSecurity in SMTP mode In this mode GFI MailSecurity will create user based rules for example Attachment Checking rules based on the list of email users addresses imported from your mail server You must select this mode if you are installing GFI MailSecurity on a machine that does not have access to the Active Directory containing the complete list of all your email users This includes machines on a DMZ or machines that are not part of the Active Directory Domain However you can still choose this mode to install GFI MailSecurity on machines that do have access to the Active Directory containing all your email users Click Next to proceed with the installation ie GFI MailSecurity for Exchange SMTP InstallShield Wizard IIS Setup Virtual Directory Website and SMTP Server selection MIIS Setup Select the website on which to create the MailSecurity virtual directory Defaut Web Site http WIN2K3ENTSYR 80 x Enter the name of the configuration virtual directory to create MailSecurity Enter the name of the RSS virtual directory to create mailSecurityRSS gt SMTP Server Setup Select the SMTP server instance to bind MailSecurity to Default SMTP Virtual Server x Inst
31. MailSecurity ReportPack add on to generate informative reports based on the data collected in the database For further information on the features included in the GFI MailSecurity ReportPack refer to the GFI MailSecurity ReportPack chapters further on in this manual GFI MailSecurity supports both Microsoft Access and Microsoft SQL Server as a database backend Configuring the statistical information database GFI MailSecurity a Settings Apply 4 9 version Information a Licensing Information Store Protection Reporting a Content Checking F Attachment Checking ti Virus Scanning Engines g3 Decompression amp Trojan amp Executable Scanner g Email Exploit Engine n HTML Sanitizer 43 Patch Checking i Reporting Reporting records statistical information to a database This data is later used to generate reports of your choice This dialog allows you to config atabase backend for the reports I Enable Reporting Current database settings GFI MailSecurity for Exchange SMTP il E Realtime Monitor Quarantine Options Quarantine RSS Feeds o Quarantine Current type Microso ft Access Current location C Program Files GFI ContentSecurity MailSecurity data reports mdb E Done Screenshot 100 Reporting page Trusted sites To configure the reporting option 1 Click the GFI MailSecurity gt Reporting node 2 To enable data loggin
32. Screenshot 1: GFI MailSecurity Configuration. The console page reads: Use the Configuration and Quarantine Management console to configure and manage your GFI MailSecurity installation. The nodes shown are General Settings (configures administrator's email, autoupdater, local domains and SMTP bindings for MailSecurity), Version Information (displays version information), Licensing (displays licensing information), Information Store Protection (configures information store protection options), Content Checking (configures a list of content checking rules) and Attachment Checking (configures a list of attachment checking rules). GFI MailSecurity from a user's perspective: GFI MailSecurity is totally transparent to the user. This means that the user will not notice that GFI MailSecurity is active until it blocks an email that triggers a rule, for example an email that contains a forbidden attachment or a virus. In the case of a suspicious attachment, GFI MailSecurity will quarantine the email for review by the administrator. Optionally, the recipient will receive a message indicating that the mail is awaiting administrator review. As soon as the administrator approves the email GF
33. Server 2007 machine Information Store Protection is available only when the Mailbox Server Role and Hub Transport Server Role are installed GFI MailSecurity ships with both Norman and BitDefender Virus Scanning Engine as standard However you can optionally license the AVG Kaspersky and McAfee Virus Scanning Engines which are supported as well All of the aforementioned anti virus packages are proven and reliable virus detection engines which have received many awards and certifications including the industry leading certifications of ICSA z E GFI MailSecurity ae Apply Cancel Settings fa Version Information Virus Scanning x Licensing Information Store Protection Virus Scanning Engines B Content Checking Eg Attachment Checking M Norman Anti Virus Wo mcafee anti virus K Kaspersky Anti Virus You can review the status of your virus scanning engines and configure the order in which they execute below To configure a particular engine s settings click on the engine s node in the left hand BitDefender Anti Virus pane A ave anti virus Engine Status License Priority Decompression I Norman Anti Virus Gateway scanning Enabled licensedlo ae Information Store scanning Enabled 8 Trojan amp Executable Scanner eat erica y ateway scanning Enable H Email Exploit Engine YW Mcafee Anti virus Information Store scanning Enabled Hcensed 1 e 32 HTML Sanitizer Si Gatewa
34. Through this report you can get a picture of how email traffic and security threat patterns vary throughout the day Furthermore this report provides a total sum of emails processed and blocked for the period you select 184 e GFI MailSecurity ReportPack Default Reports List GFI MailSecurity for Exchange SMTP B lt GFi SECURITY amp MESSAGING SO Report Title Processed amp Blocked emails per four hours Composite Description The Processed amp Blocked emails per four hours report shows the composite amount of blocked emails against processed emails in four hour blocks for the selected period Generated on 29 08 2006 For period 22 08 2006 29 08 2006 Processed against Blocked emails F Hour Processed Emails Blocked Emails Percentage of Blocked Emails 00 00 04 00 320 667 863 0 27 04 00 08 00 252 575 1 900 0 75 08 00 12 00 274 844 2 665 0 97 12 00 16 00 301 962 2 175 0 72 16 00 20 00 263 159 2 458 0 93 20 00 00 00 191 729 931 0 49 1 604 936 10 992 0 69 Page 1 of 1 Processed emails per four hours This report combines data from the period you select into a single day to show you how many emails were processed in four hour blocks The same data is also presented as an area graph GFI MailSecurity for Exchange SMTP GFI MailSecurity ReportPack Default Reports List e 185 B lt GFi Bnalic 00 00 04 00 08 00 12 00 16 00 20 00 Report Title Pr
35. View the full security threat report of an email To view the full security threat report of a quarantined email follow these steps 1 Expand the GFI MailSecurity gt Quarantine node and select the sub node that contains the email s you want to view for example select the Today node if you want to view emails that GFI MailSecurity quarantined today Alternatively you can use Quick Search to look for the emails that you want to view 2 GFI MailSecurity lists the quarantined emails in a table GFI MailSecurity can quarantine an email for one or more security reasons but it only displays the top security threat under the Reason column Quarantine a Use this page to sort and manage quarantined items l Approve items Delete items Rescan items Items per page 25 Approve all Delete all Update RSS feed enabled Use the URL associated with the RSS icon to subscribe to the feed ID Module Reason Sender Recipient s Subject Date Source Trojan amp breached trojan jackb master free game 8 Executable and executables adam external com ee and funny Scanner scanner policy aa pics 07 02 2007 Gateway 09 49 48 SMTP Page s lt 1 Edit search folder Delet arch folde Item source View all z Screenshot 91 A quarantined email 3 To view the full security threat report click on the row of the quarantined email you want to view GFI MailSecurity will list all the body parts of the email such as
36. When the settings are imported successfully the following dialog box is displayed GFI MailSecurity for Exchange SMTP GFI MailSecurity ReportPack Exporting Settings e 175 GFI ReportCenter f EY Import process completed successfully Details Importing settings for GFI MailSecurity 10 0 ReportPack Importing custom reports Importing scheduled reports Importing favorite reports Importing connection string OK Details Screenshot 145 Settings exported successfully 7 Click OK to close the dialog box 8 For the imported settings to take effect you need to exit GFI ReportCenter and then start it 176 e GFI MailSecurity ReportPack Exporting Settings GFI MailSecurity for Exchange SMTP GFI MailSecurity ReportPack Default Reports List Executive Reports Viruses Blocked Monthly This report shows you how many virus infected emails GFI MailSecurity blocked per month in a table The graph included in the report will help you visualize information such as virus outbreak trends Bis GFi SECURITY amp MESSAGING sorrwane JP sil Report Title Viruses blocked monthly Description The Viruses blockedmonthly report shows the number ofemail viruses blocked on a monthly basis Generated om 1 10 2007 For period 41 1 2006 1 1 2007 Viruses Blocked Emails blocked Date Emails Blocked by Virus Scanners December 2005 141 January 2006 33 February 2006 33 March 200
37. added from this page click on it from the list and then click Remove NOTE The local domains you add from this page affect the GFI MailSecurity installation only The Microsoft Exchange Server 2007 accepted domains list is not modified H GFI MailSecurity Post Installation Wizard Local domains Specify the domains GFI MailSecurity should treat as local Domains with an asterisk next to them form part of the accepted domain list in Exchange The local domains you add here affect the GFI MailSecurity configuration only The Microsoft Exchange accepted domain list is not modified Local domains Add researchdomain loc Remove lt Back Cancel Screenshot 13 Local domains list 4 Click Next to continue 24 e Installing GFI MailSecurity GFI MailSecurity for Exchange SMTP 5 The wizard displays a list of the Microsoft Exchange Server 2007 server roles detected on this machine and a list of the GFI MailSecurity components it needs to register for it to be able to process and scan emails passing through the server H GFI MailSecurity Post Installation Wizard Installation Summary The following GFI MailSecurity components will be installed The wizard detected the following Exchange Server 2007 roles Mailbox Hub Transport Client Access The following GFI MailSecurity components will be installed VSAPI Routing Transport Agent SMTP Transport Agent Click Nest t
38. containing recursive archives that exceed the specified nesting limit. 5. Click the Actions tab to configure any actions to be performed whenever an email containing a recursive archive is detected and blocked. For more information on how to configure actions, refer to the Configuring decompression filter actions section in this chapter. 6. Click Apply. Check size of uncompressed files in archives. Screenshot 71: Configuring checks for the size of uncompressed files in archives (the dialog shows the Check size of uncompressed files in archives check box, the Maximum size of uncompressed files in archive in Mb box, and the actions Quarantine and Automatically Delete). This filter allows you to block or delete emails with archives that exceed the specified physical size when uncompressed. Hackers sometimes use this method in a DoS (Denial of Service) attack: by sending an archive that can be uncompressed to a very large file, they can often crash content security or anti-virus software. To configure this filter: 1. Click the GFI MailSecurity > Decompression node. 2. From the list of available filters in the right window, click Check size of uncompressed files in archives. 3. Select the Check size of uncompressed files in archives check box to enable this f
39. distributed to your email users. When GFI MailSecurity quarantines an email, the administrator can review it and then delete or approve the message. Furthermore, you might choose to quarantine mails carrying mp3 or mpg files, as these hog bandwidth and can needlessly burden a mail server's disk space. The Attachment Checking module has effectively saved thousands of companies from the LoveLetter virus. Trojan and Executable Scanner: GFI MailSecurity is able to analyze incoming executables and rate the risk level of an executable through a GFI patented process. Through the Trojan and Executable Scanner, GFI MailSecurity can detect and block potentially dangerous and unknown Trojans before they enter your network. HTML Sanitizer: The advent of HTML email has made it possible for hackers/virus writers to trigger commands by embedding them in HTML mail. GFI MailSecurity scans the email body parts and any .htm/.html attachments for scripting code and cleans up the HTML by removing all the scripting code. The HTML Sanitizer thus protects you from potentially malicious HTML email containing HTML viruses and attacks launched via HTML email. Decompression filter: The decompression filter is used to decompress and analyze compressed files (archives) attached to emails. This filter is able to check for and block password-protected archives, corrupted archives and recursive archives. Furthermore, this engine can also monitor the size and amo
40. does not work as expected. NOTE: Before modifying XSL-based templates, make sure you are proficient in XML and XSL. If you modify an XSL template and it is, for example, not well-formed, the notification services module will fail to send notification emails. To check whether an XSL-based template is well-formed, you can rename the template filename with an extension of xml and load it in Microsoft Internet Explorer. If the template is well-formed, the browser will load it correctly. If it contains errors, the browser will highlight the exact line where the problem is located. Variables used in XSL-based notification templates (notify user and notify manager notifications, in the notifyuser folder and notifymanager folder respectively): itemsenderemailaddress; itemrecipients/recipient; longdate: date when email was processed (long date format); infringedrules/rule: list of rules infringed (use xsl:for-each to enumerate); itemmessageid: the message ID of the email processed; itemscandirection: 0 = Inbound, 1 = Outbound, 4 = Mixed. The listing on the next page shows a typical notify manager XSL template which will generate the following HTML output. HTML Output HTML gt BODY gt lt lt On 04 August 2005 an email was blocked which has violated the following rules lt P gt lt P gt lt lt An B gt BitDefender Anti Vir
41. GFI MailSecurity components; GFI MailSecurity from a user's perspective; Add-ons: GFI MailEssentials. Installing GFI MailSecurity: Introduction; Typical deployment scenarios; Installing GFI MailSecurity on your mail server; Installing GFI MailSecurity on a mail relay server; Installing GFI MailSecurity in front of your firewall; Installing GFI MailSecurity on an Active/Passive Cluster; Installing GFI MailSecurity on an Active/Active Cluster; Which installation mode should I use; Active Directory mode; SMTP mode; System requirements; Hardware requirements
42. find quarantined emails that contain that specific word string in the subject GFI MailSecurity for Exchange SMTP e Search in quarantine reason Specify a keyword or phrase and click Search to find quarantined emails that contain that specific word string in the quarantine reason J GFI maitsecurity Settings Quarantine Eo Version Information q Licensing aes Use this page to sort and manage quarantined items y Information Store Protection 8 Content Checking Approve items Delete items Rescan items Items per page Ed Attachment Checking Virus Scanning Engines oc Decompression 7 ID Module Reason Sender Recipient s Subject Date Source Approve all Delete all Rescan all Update dE Trojan amp Executable Scanner breached PE Enel ot ore ma aks ttle adamantane com Jmtharaster funky 31 01 2007 eatevn E HTML Sanitizer aaar scanner jomain game 17 07 37 SMTP B Patch Checking policy Il Reporting Page s lt 1 E Realtime Monitor Edit search folder t rch folder Item source fiwa CO Quarantine Options Quarantine RSS Feeds J Quarantine B Today A Yesterday EA This week EQ Allitems A 2 Done Trusted sites Screenshot 86 Quick search results Search Folders GFI MailSecurity for Exchange SMTP What is a search folder A Search Folder is a special type of folder that has a search query associate
43. in the Server box If you use Windows Authentication clear the Use SQL Server Authentication check box If you use Microsoft SQL Server authentication select the Use SQL Server Authentication check box and specify a user name and password in the User box and Password box respectively From the DB Name list select the GFI MailSecurity reporting database 5 If you selected Microsoft Access specify the full path to the Microsoft Access database in which GFI MailSecurity is logging reporting data in the space provided You can do this either by typing the path in the box or else click Browse and then select the Microsoft Access file visually from the dialog box 166 GFI MailSecurity ReportPack Configuring default options GFI MailSecurity for Exchange SMTP Database Source i x Database Source M Database settings a Database Type MS Access Please specify the full path including filename of the database backend C Program Files GFISMSEC msec mdb OK Cancel Apply Screenshot 137 Microsoft Access reporting database 6 Click OK to save the new settings and close the Database Source dialog box Configuring default scheduling options To configure the default settings the scheduled reports use when distributing reports by email or saving to disk follow these steps 1 On the Tools menu click Default Scheduling Options 2 Configure the default email options as outlined in point 7 of the
44. login Io User name Password Report format Adobe Acrobat pdf Cancel Apply Screenshot 138 Default Scheduling Settings 168 e GFI MailSecurity ReportPack Configuring default options GFI MailSecurity for Exchange SMTP GFI MailSecurity ReportPack General options Entering your license key after installation If you purchased a license key for the GFI MailSecurity 10 0 ReportPack enter your License key using the Options gt Licensing node no re installation re configuration required NOTE 1 You must purchase a different license key for every GFI product ReportPack to be installed and accessed through the GFI ReportCenter framework For example to install both the GFI FAXmaker 12 0 ReportPack and the GFI MailSecurity 10 0 ReportPack you must purchase two separate license keys one for each product ReportPack NOTE 2 Entering the License Key should not be confused with the process of registering your company details on our website This is important since it allows us to give you support and notify you of important product news You may register and obtain your GFI customer account from http www gfi com pages regfrm htm To input your GFI MailSecurity 10 0 ReportPack license key GFI ReportCenter 3 5 File Tools Help gt eIM MMe 1 amp p Product Selection fs GFI MailSecurity 10 0 ReportPack Executive Reports Viruses blocked monthly Inbound a
45. node including the Search Folders You can also use Quick Search to look for specific emails that you want to approve To approve emails GFI MailSecurity for Exchange SMTP Quarantine e 105 1 Expand the GFI MailSecurity gt Quarantine node and select the sub node that contains the email s you want to approve for example select the Today node if you want to approve emails that were quarantined today Alternatively you can use Quick Search to look for the emails that you want to approve NOTE You can approve an email that was quarantined today from the Today node the This Week node the All Emails node as well as from any Search Folder that contains the email The difference between the mentioned nodes is the amount of emails that are present within Quarantine A Use this page to sort and manage quarantined items Approve items Delete items Rescan items Items per page 25 Approve all Delete all Rescan all Update SEFF RSS feed disabled Configure RSS feeds 7 ID Module Reason Sender Recipient s Subject Date Source triggered rule content policy block most common meredith external co image attachments Gipg triqgered rule content policy block all potentially paul external com malicious attachments jackb master party 02 02 2007 Gateway ole Attachment domain pic 14 07 56 SMTP Checking jackb master funny 02 02 2007 Gateway domain vid
46. of reports in off peak hours such as after office working hours so that you make the best use of system resources Furthermore you can also configure GFI ReportCenter to distribute scheduled reports by email automatically For every scheduled report you can configure custom emailing parameters including the list of report recipients and the file format for example Adobe Acrobat PDF in which the report will be attached to the email Both default and custom reports can be scheduled for automatic generation Scheduling a report To schedule a report follow these steps 1 Click on the Default Reports or Custom Reports panel button 2 Right click on the report you want to schedule and then click Scheduled report to display the Schedule Report Wizard GFI MailSecurity for Exchange SMTP GFI MailSecurity ReportPack Scheduling reports e 157 Schedule Report Wizard Welcome to the MailSecurity Schedule Report Wizard This wizard will help you schedule the following report Viruses blocked monthly The Viruses blocked monthly report shows the number of virus emails blocked on a monthly basis fou can override the default email options for this scheduled report lt Back Cancel Screenshot 127 Schedule Report Wizard 3 Click Next to continue Schedule Report Wizard l Name and Description Specify the name and description for this custom report The name and description of a custom report will b
47. proxy server settings for automatic updates. GFI MailSecurity will automatically search for and download updates (for example virus definitions updates and Trojan & Executable Scanner definitions updates) from the GFI update servers. If the server on which GFI MailSecurity is installed connects to the internet through a proxy server, you need to configure the proxy server settings as follows: 1. Click the Settings node to open the general settings page. 2. Click the Updates tab. 3. Select the Enable proxy server check box. In the Proxy server and Port boxes, specify the machine name/IP of the proxy server and the port to connect on respectively. If the proxy server requires authentication, select the Enable proxy authentication check box and specify the user name and password in the Username and Password boxes respectively. Screenshot 34: Updates server proxy settings. 4. Click Apply. Adding Local Domains. Screenshot 35: Local Domains list. GFI MailSecurity needs to know what your local domains are to be able to classify an email as inbound or outbound. During installation GFI MailSecuri
48. receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting. • Notify administrator: Select this option to send email notifications to the administrator whenever an email containing an archive is quarantined. • Log occurrence to this file: Select this option to log the event whenever the selected decompression filter blocks an email. In the box below, specify either a file name only or the full path to the log file. Click Apply. Enable/disable decompression filters. Screenshot 74: Decompression tool filters list (Check password protected archives, Check for recursive archives, Check size of uncompressed files in archives, and Scan within archives (attachment checking), all shown as Enabled). To enable or disable any of the available decompression filters: 1. Click the GFI MailSecurity > Decompression node. 2. In the right window, select the check box of the filter(s) that you want to enable or disable. 3. Click Enable selected or Disable selected accordingly. NOTE: You can select all check boxes in one go by selecting the check box next to
49. reports Exporting favorite reports Exporting connection string (Screenshot 143: Settings exported successfully) 7. Click OK to close the dialog box. Importing the GFI MailSecurity 10.0 ReportPack Settings. To import GFI MailSecurity 10.0 ReportPack settings, follow these steps: 1. Click on the Options panel button. 2. Right-click on the Import/Export Configuration node and then click Import/Export Configuration. 3. Click Import configuration options. 4. Type the full path (including the filename with the .XML extension) in the box provided to specify from which XML file you want to import the GFI MailSecurity 10.0 ReportPack settings. (Screenshot 144: Import setting dialog box. The dialog text reads: The import/export configuration functionalities can be used to perform backups of scheduled reports, custom reports, favorite reports and other options. The exported configurations can also be imported into a separate ReportCenter instance, provided that the same ReportPacks exist on both instances.) 5. Click OK to start the import process. 6
50. rule CONTENT POLICY Block Sexual Content Words Checking found jack (Screenshot 92: Viewing the full security threat report of a quarantined email) Enable email approval via HTML approval forms. (Screenshot 93: Quarantine Options configuration page. The page text reads: Select where the quarantine approval forms will be sent. These forms allow their recipient to communicate with the product's quarantine store to view further details of quarantined items and approve or discard them. Options shown: Send quarantine approval forms by email; Send to administrator; Send to the following email address.) You can configure GFI MailSecurity to send HTML Quarantine Action Forms through email to the administrator or an authorized user. The Quarantine Action Form makes it possible for the administrator to approve or delete quarantined emails dire
51. store Access Control Lists 6. To configure the accounts that get access to the configuration pages, use the Add and Remove buttons underneath the Configuration URL Access Control List. If you want to deny access to a listed account without removing it from the list, select the check box under the Deny column. 7. To configure the accounts that get access to the quarantine store, use the Add and Remove buttons underneath the Quarantine URL Access Control List. If you want to deny access to a listed account without removing it from the list, select the check box under the Deny column. NOTE: To avoid reselecting the same accounts twice (once for each list), you can easily drag and drop accounts and groups between the two lists. 8. When ready, click OK. 9. If you want to specify a different virtual directory name, you can do so by editing the entry in the Virtual directory box. 10. Click OK to save your changes. A progress bar shows you the progress while applying the new settings. (Screenshot 20: New SwitchBoard settings successfully applied) 11. When the process completes, click OK. Adding local host to the trusted sites list. When you configure GFI MailSecurity to be accessible only locally, you need to add the local host address http://127.0.0.1 to the list of trusted sites in Internet E
52. that will be forwarding the email to this virtual server and then click OK to add the entry to the list. NOTE: You can specify the IP of a single computer, group of computers or a domain. • Single computer: Select this option to specify one particular host that will relay email via this server. If you want to look up the IP address of a specific host, click DNS Lookup. • Group of computers: Select this option to specify the base IP address for the computers that you want to relay. • Domain: Select this option to include all the computers of a specified domain. This means that the domain controller will openly relay emails via this server. Please note that this option adds processing overhead and may reduce SMTP service performance because it includes reverse DNS lookups to verify the domain name of all IP addresses that try to relay. Step 5: Configure your mail server to relay email via the Gateway server. After you have configured the IIS SMTP service to send and receive email, you must configure your mail server to relay all email to the mail relay server. If you have Microsoft Exchange Server 4/5/5.5: 1. Start the Microsoft Exchange Administrator and double-click on Internet Mail Service to open the properties configuration dialog box.
53. the Enable Gateway Scanning (SMTP) check box. You now need to select whether you want to scan inbound and outbound emails using this Virus Scanning Engine. To scan inbound emails, select the Scan Inbound Emails through SMTP Transport Event Sink check box. To scan outbound emails, select the Scan Outbound Emails through SMTP Transport Event Sink check box. 3. If you installed GFI MailSecurity on the Microsoft Exchange machine, you will also have the option to scan the Information Store using this Virus Scanning Engine. To scan the Information Store, select the Enable Information Store Virus Scanning (VSAPI) check box. NOTE: When GFI MailSecurity is installed on a Microsoft Exchange Server 2007 machine, information store scanning is available only when the Mailbox Server Role and Hub Transport Server Role are installed. 4. BitDefender Control also allows you to block or ignore emails with attachments that contain macros. This feature can be configured by selecting one of the following options: • Do not check macros: Select this option if you want GFI MailSecurity to ignore macros and only scan emails for viruses. • Block all documents containing macros: Select this option if you want to quarantine all emails that contain a macro, even if the macro is a genuine one. NOTE: Quarantining of emails depends on the Actions configured in the Virus Scanning Engine. If you sele
54. the contents of a new message. Pro-active scanning: When a new item is submitted to the Information Store, it is immediately added to a queue for scanning. If a new item is accessed while it is still in the scanning queue, it will be allocated a higher priority for scanning. If an email client attempts to access a new message while it is still in the scanning queue, scanning of this message will therefore receive higher priority. This is the recommended mode of operation since it causes the Information Store to attempt scanning of an item upon receipt, doing away as much as possible with the delay associated with on-access scanning. (Screenshot 53: VSAPI scan settings) 4. From the VSAPI Settings tab you can enable background Information Store scanning by selecting the Enable background scanning check box. This option will cause all the contents of the Information Store to be scanned, which, depending on the amount of items stored in the Information Store, could result in a huge processing load on the Exchange server. For this reason it is recommended that this option be only enabled during periods of low server activity, such as during the night. 5. Select a VSAPI scan method from the following: • On-access scanning: New items in the Information Store are scanned as soon as they are accessed by the email client. This scan method will thus introduce a short delay before the email client can di
55. the ones having a genuine macro but at the same time you have enabled the Delete item option, ALL emails containing a macro will be deleted. 3. To send email notifications whenever an infected email is detected, enable any of the following options: • Notify local user: Select this option if you want to notify the email local users when this filter detects a virus. NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting. • Notify administrator: Select this option if you want to notify the administrator whenever this virus scanner detects an infected email. 4. Select the Log occurrence to this file check box and specify a log file name in the box below if you want to log the virus scanning activity to a log file. You can specify either the file name only or else the full path to a custom location on disk. Virus scanner updates.
56. to the SMTP server bindings section in the General Settings chapter. Click Next to continue the installation. 6. Setup will now search your network and will import a list of your Local Domains from the IIS SMTP service. GFI MailSecurity determines if an email is inbound or outbound by comparing the domain in a sender's address to the list of local domains. If the address exists in the list, then the email is outbound. Check that all your Local Domains have been included in the list on display. If not, make sure to add any unlisted domain after the installation completes. For more information, refer to the Adding local domains section in the General Settings chapter. Click Next to continue. 7. Setup will now ask you to define the folder where you want to install GFI MailSecurity. GFI MailSecurity requires approximately 50 MB of free hard disk space. Additionally, you must also reserve approximately 200 MB for temporary files. Click Change to specify a new installation path or click Next to install in the default location and proceed with the installation. NOTE: If you are installing GFI MailSecurity on an x64 machine, it will be installed under the c:\program files (x86) folder. 8. The installation wizard has now collected all the required installation settings and is ready to install GFI MailSecurity. If you want to make changes to these settings, click Back. Otherwise, click Install to start the installation process.
57. 2 When using Small Business Server, ensure you have installed Service Pack 2 for Exchange Server 2000 and Service Pack 1 for Exchange Server 2003. • Microsoft .NET Framework 2.0 • MSMQ (Microsoft Messaging Queuing Service) • Internet Information Services (IIS), x32 or x64 Edition: SMTP service and World Wide Web service. NOTE: If installing on a Microsoft Exchange 2007 machine, the IIS SMTP service is not required since it has its own built-in SMTP server. • Microsoft Data Access Components (MDAC) 2.8. IMPORTANT: Disable anti-virus software from scanning the GFI MailSecurity directories. Anti-virus products are known to both interfere with normal operation as well as slow down any software that requires file access. In fact, Microsoft does not recommend running file-based anti-virus software on the mail server. For more information, please refer to http://kbase.gfi.com/showarticle.asp?id=KBID001559. IMPORTANT: GFI MailSecurity directories should never be backed up using backup software. Hardware requirements. The hardware requirements for GFI MailSecurity are: • Pentium 4 (or equivalent), 2 GHz • 512 MB RAM • 1.5 GB of physical disk space. Preparing to install GFI MailSecurity on an IIS mail relay server. In order to install GFI MailSecurity on a mail relay/gateway machine, it must be running the IIS SMTP Service and World Wide Web service. You must also configur
58. 6 All rights reserved GFI Software Ltd (Screenshot 135: GFI MailSecurity reporting database) To check which GFI MailSecurity reporting database source is currently being used by the GFI ReportCenter to generate reports, follow these steps: 1. Click on the Options panel button. 2. Click on the Database Source node to view the current GFI MailSecurity reporting database details in the right pane. Configuring the GFI MailSecurity reporting database source. To change the GFI MailSecurity reporting database source, follow these steps: 1. Click on the Options panel button. 2. Right-click on the Database Source node and then click Set Database Source. (Screenshot 136: Microsoft SQL Server reporting database) 3. Select the reporting database type from the Database Type list. If you selected Microsoft Access, go to step 5. If you selected Microsoft SQL Server, go to step 4. 4. Specify the machine name or IP address of the server hosting Microsoft SQL Server
59. Inbound and outbound email traffic per week days. This report combines the amount of emails sent and received during a particular period into a single week to present a bar graph showing inbound and outbound traffic for each day of the week. Since the amount of emails sent or received on each day of the week is stacked on the same bar, you can visually determine the ratio of emails sent versus received on the mail server. Through this report you can conclude on which days of the week the mail server is most busy. This could help you determine the right day of the week to perform maintenance on the mail server. (Sample report: Inbound & Outbound email traffic per week days (Composite). Description: The Inbound & Outbound email traffic per week days report shows the composite amount of inbound and outbound emails per week days for the selected period. Chart legend: Inbound, Outbound. Axis: Emails processed.) Inbound email traffic per week days. This report combines the amount of emails received during a particular period into a single week to present a bar graph showing inbound traf
60. 8 1 1 (Screenshot 4: Configure the new domain) Step 4: Secure your mail relay server. In this step you will set up your SMTP virtual server's mail Relay Restrictions. This means that you must specify which machines may relay email through this virtual server, i.e. effectively limit the servers that can send email via this server. 1. Right-click the Default SMTP Virtual Server node and then click Properties. 2. In the properties dialog box, click the Access tab and then click Relay to open the Relay Restrictions dialog box. (Screenshot 5: Relay Restrictions dialog) 3. Click Only the list below and then click Add to specify the list of permitted computers. (Screenshot 6: Specify machines which may relay email via virtual server) 4. In the Computer dialog box, specify the IP of the mail server
61. API Performance Monitor Counters; Troubleshooting; Knowledge Base; Request technical support; Build notifications; GFI MailSecurity ReportPack Introduction; About GFI ReportCenter; About the GFI MailSecurity 10.0 ReportPack; Components of the GFI MailSecurity 10.0 ReportPack; GFI ReportCenter framework; GFI MailSecurity 10.0 default reports; Report scheduling service; Key features; Centralized reporting; Default reports; Distribution of reports via mail; Report export to various format
62. Administrative Tools window, double-click Performance to start the Performance monitor MMC. 4. Press Ctrl+I to load the Add Counters dialog box. 5. From the Performance object list, select MSExchangeIS. 6. Click Select counters from list. 7. Select one of the Virus Scan counters as listed below. 8. Click Add. 9. Repeat steps 7 and 8 to add all the performance counters you want. 10. Click Close. (Screenshot 109: Adding VSAPI performance monitor counters) The information provided below is also available from the following link: http://support.microsoft.com/kb/285696. The following VSAPI Performance Monitor counters are available: Virus Scan Messages Processed: This is a cumulative value of the total number of top-level messages that are processed by the virus scanner. Virus Scan Messages Processed/sec: This counter represents the rate at which top-level messages are processed by the virus scanner. Virus Scan Messages Cleaned
63. Default Web Site to host the GFI MailSecurity WWW virtual directory. NOTE: The Default Web Site IP address of Node2 should not be set to All unassigned. You should configure the Default Web Site to use the IP address of the MAILCLUSTER machine. 3. When the GFI MailSecurity installation on Node2 completes, you should be able to access the Node2 configuration using the following URL: http://Node2/MailSecurity 4. From the Cluster Administrator console, make Node2 active. 5. Install GFI MailSecurity on the local hard disk of Node1 as described in the Installing GFI MailSecurity section of this chapter. When you reach the IIS Setup step of the installation, select Default Web Site to host the GFI MailSecurity WWW virtual directory. NOTE: The Default Web Site IP address of Node1 should not be set to All unassigned. You should configure the Default Web Site to use the IP address of the MAILCLUSTER machine. 6. When the GFI MailSecurity installation on Node1 completes, you should be able to access the Node1 configuration using the following URL: http://Node1/MailSecurity 7. To access the product configuration of the currently active node, use the following URL: http://MAILCLUSTER/MailSecurity NOTE 1: To access product configuration from a remote machine, you must configure the GFI MailSecurity SwitchBoard application, making sure that the MAILCLUSTER name/IP is specified for IIS Mode. For more information, refer to the Sec
64. E 1 You can select all the listed names at once by selecting the check box next to the Name column heading at the top left of the list. NOTE 2: Repeat steps 12 to 15 to add all the users you want to the list. NOTE 3: To remove entries from the list, select the user/user group/public folder you want to remove and click Remove. NOTE 4: If no names are included in the list, GFI MailSecurity will automatically apply this rule to all the email users in Active Directory/SMTP address list. 16. Click Apply. Removing attachment rules. (Screenshot 59: Selecting an attachment checking rule for removal) To remove an Attachment Checking rule: 1. Click the GFI MailSecurity > Attachment Checking node. 2. From the Attachment Checking page in the right window, select the check box of the rule(s) that you want to remove. NOTE: You can select all check boxes in one go by selecting the check box next to the Rule column heading at the top left of the list. 3. Click Remove Selected to delete the selected rules. Ma
65. (Screenshot 89: Search Folder options) To modify the properties, search criteria and auto-purge settings of an existing search folder: 1. Expand the GFI MailSecurity > Quarantine > Search Folders node. 2. Click on the Search Folder you want to modify and, from the right pane, click Edit search folder. 3. Make the required changes to the search folder properties. For more information on how to configure search folder options, refer to the Grouping quarantined emails in Search Folders section earlier in this chapter. 4. Click Save folder. Deleting Search Folders. To delete an existing search folder: 1. Expand the GFI MailSecurity > Quarantine > Search Folders node. 2. Click on the Search Folder you want to delete and, from the right pane, click Delete search folder. NOTE: When you delete a search folder, no emails are actually deleted from the quarantine store. This is because a search folder is just a query that retrieves matching emails from the Quarantine Store. In other words, a search folder is just a visual grouping of emails that match certain criteria, but the actual email is not physically stored in the search folder. However, you can still approve or delete emails from within a search folder by using the Approve items/Delete items buttons. Approving emails from the Quarantine Store. You can approve emails from any sub-node underneath the Quarantine
66. FI ReportCenter > GFI MailSecurity ReportPack. NOTE: GFI ReportCenter will run with limited functionality upon expiry of the evaluation period. This will also occur if the license key you entered is not a valid GFI ReportCenter license key. Selecting a product. When more than one GFI product ReportPack is installed on the same machine, you can select the GFI product ReportPack you want to use from the Product Selection list. (Screenshot 116: Product Selection list) For example, to run the reports provided in the GFI MailSecurity 10.0 ReportPack, click on the Product Selection list and select the GFI MailSecurity 10.0 ReportPack entry. NOTE: Select the ALL PRODUCTS option to display and navigate all the ReportPacks that are currently installed in GFI ReportCenter. GFI MailSecurity ReportPack Default reports. Introduction. After installing the GFI MailSecurity 10.0 ReportPack, a number of pre-configured reports can immediately be generated on the data stored in the reporting database backend of GFI MailSecurity. These default reports are organized into two categories: Executive Reports: The executive repor
67. FI MailSecurity 10, follow these steps: 1. Uninstall GFI MailSecurity 8. 2. When the GFI MailSecurity 8 uninstallation completes, certain files are left behind under the root folder where GFI MailSecurity 8 was installed. One of these files is the avapicfg.rdb file located in the Data sub-folder. NOTE: Do not delete this file since it contains the GFI MailSecurity 8 configuration settings. You will need this file to migrate the settings from GFI MailSecurity 8 to GFI MailSecurity 10. 3. Install GFI MailSecurity 10 as shown in the Install GFI MailSecurity section of this chapter. NOTE: To install GFI MailSecurity 10, you need to have the following installed on the machine: • Microsoft .NET Framework 1.1/2.0 • MSMQ (Microsoft Messaging Queuing Service) • Internet Information Services (IIS): SMTP service and World Wide Web service. NOTE: Do not install GFI MailSecurity 10 to the same path where GFI MailSecurity 8 was installed, to prevent files such as avapicfg.rdb from being overwritten. 4. After the installation of GFI MailSecurity 10 is complete, you need to stop all GFI-related services along with the IIS Admin service from the Services control applet. Then you can run the GFI MailSecurity 8 settings migration tool. NOTE: You must stop the following services before going on to the next step: • GFI Content Security Attendant Service • GF
68. I Content Security Auto Updater Service • GFI MailSecurity Attendant Service • GFI MailSecurity Scan Engine • IIS Admin • Simple Mail Transfer Protocol (SMTP) 5. To convert and import the GFI MailSecurity 8 settings to the GFI MailSecurity 10 configuration database, you need to run the msec8upg.exe tool found in the GFI MailSecurity 10 folder, for example c:\program files\GFI\ContentSecurity\MailSecurity. (Screenshot 29: GFI MailSecurity 8 configuration settings migration tool) 6. Double-click the msec8upg.exe file. 7. When the tool loads, click Browse. Select the avapicfg.rdb file from the data sub-folder under the GFI MailSecurity 8 root folder. 8. Click Migrate. NOTE: If you click Migrate and the user lookup mode of GFI MailSecurity 8 and GFI MailSecurity 10 do not match (for example, GFI MailSecurity 8 was installed in SMTP mode and GFI MailSecurity 10 is installed in Active Directory mode, or vice versa), an error like the one shown below will be displayed. In such a case you will not be able to convert and import the settings due to user based rules. Configu
69. I MailSecurity. Virus checking using multiple virus engines. GFI MailSecurity scans email for viruses using multiple anti-virus engines. Scanning email at the gateway and at mail server level prevents viruses from entering and/or spreading within your network. Furthermore, you can avoid the embarrassment of sending infected emails to customers, as GFI MailSecurity also checks outgoing mail for viruses. GFI MailSecurity includes the industrial strength Norman and BitDefender anti-virus engines that have received various awards. You also have the option to add the AVG, McAfee and Kaspersky anti-virus engines. Multiple anti-virus engines give you a higher level of security since anti-virus engines complement each other and lower the average response time to a virus outbreak. GFI MailSecurity also includes an auto-update facility that allows you to configure the anti-virus engines so that they automatically check and download any available updates without administrator intervention. Email attachment checking/filtering. GFI MailSecurity's key feature is the ability to check all inbound and outbound email. It can quarantine all email with dangerous attachments, such as .exe, .vbs and other files. Such attachments are more likely to carry a virus, worm or email attack. Since email viruses can spread so quickly and cause immense damage, it is best to quarantine such emails before they are
70. I MailSecurity will forward the email to the recipient. Add-ons: GFI MailEssentials. A companion product to GFI MailSecurity is GFI MailEssentials. GFI MailEssentials adds a number of corporate email features to your mail server, notably: • Anti-spam, using a variety of methods including Bayesian analysis. • Email management, including disclaimers, POP3 downloader and server-based auto-replies, and more. For more information, please visit the GFI website at http://www.gfi.com. NOTE: GFI MailEssentials is available at a bundle price if purchased in combination with GFI MailSecurity. Installing GFI MailSecurity. Introduction. This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server, or you can choose to install it on a separate machine configured as a mail relay/gateway server. When installing on a separate machine, you must first configure the machine to relay the inbound and outbound emails to your mail server prior to installing this mail security software. In order to function correctly, GFI MailSecurity requires access to the complete list of all your email users and their email addresses. This is required in order to configure content policy rules such as attachment checking and content checking. GFI MailSecurity can access the list of email users in two ways
71. (Sample report: Monthly blocked emails. Description: The Monthly blocked emails report shows the amount of blocked emails against processed emails per month for the selected period. Columns: Processed Emails, Blocked Emails, Percentage of Blocked Emails.) GFI MailSecurity ReportPack Troubleshooting. Introduction. The troubleshooting chapter explains how you should go about resolving any software issues that you might encounter. The main sources of information available to users are: • The manual: most issues can be solved by reading this manual. • GFI Knowledge Base articles • Web forum • Contacting GFI Technical Support. Knowledge Base. GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, please consult the Knowledge Base first. The Knowledge Base always has the most up-to-date listing of technical support questions and patches. To access the Knowledge Base, visit http://kbase.gfi.com. Web F
72. If you configured GFI MailSecurity to log reporting data into a Microsoft Access database, click Use Microsoft Access and then specify the full path in the Database Path box. If, on the other hand, you configured GFI MailSecurity to log reporting data into a Microsoft SQL Server database, click Use Microsoft SQL Server and then specify the server name or IP number of the machine hosting the Microsoft SQL Server in the Database Server box. In the Database Name box, specify the database containing the GFI MailSecurity reporting data. Select the authentication method you want to use to connect to the Microsoft SQL Server database. If you select Server authentication, you need to specify a login name and password in the Login ID and Password boxes respectively. NOTE: After the installation is complete, you can change the reporting database used by GFI ReportCenter at any time from the Options panel. Click Next to continue. (Installation wizard dialog, Mail Settings: Enter administrator email and SMTP mail server settings. Please enter the details of the SMTP server and email address that are to be used by GFI MailSecurity 10 ReportPack for email reporting.)
73. abase format. NOTE: The old quarantine data will not be available until imported. Using the quarantine upgrade tool: The Quarantine upgrade tool is automatically launched after installing the upgrade to GFI MailSecurity SR8. In case you need to launch it manually, navigate to the GFI MailSecurity installation folder (typically Program Files\GFI\ContentSecurity\MailSecurity) and run QssUpgrade.exe. [Screenshot: GFI MailSecurity Quarantine Upgrade. The Quarantine Upgrade tool is now ready to copy your quarantine data to the Firebird database. Press Start to begin.]
74. [Contents excerpt] SMTP Server Bindings; Managing local users in SMTP mode; To add a new local user, follow these steps; To remove a local user, follow these steps; Configuring virus checking; Configuring Virus Scanning Engines; AVG configuration; AVG website; Kaspersky configuration; Kaspersky website; BitDefender configuration; BitDefender website; McAfee configuration; McAfee website; Norman configuration; Norman website; Virus scanner actions; Virus scanner updates; Triggering the virus update manually
75. [Contents excerpt] Inbound and outbound email traffic per week days; Inbound email traffic per week days; Outbound email traffic per week days; Monthly email traffic; Processed and blocked emails per month; Processed emails per month; Blocked emails per month; Administrative reports; Processed and blocked emails per four hours; Processed emails per four hours; Blocked emails per four hours; Daily processed and blocked emails; Processed and blocked emails per week; Monthly processed and blocked emails; GFI MailSecurity ReportPack Troubleshooting; Introduction
76. ailSecurity Configuration and Quarantine Store. [Screenshot 17: GFI MailSecurity SwitchBoard, User Interface Mode tab. Local mode: configure and manage GFI MailSecurity from this machine only. IIS mode: configure and manage GFI MailSecurity remotely.] 3. If you selected Local mode, you do not need to configure anything else. If you selected IIS mode, you now need to configure the Active Directory accounts or groups that have access to the Configuration and Quarantine Store, and you can change the virtual directory name where the GFI MailSecurity pages are stored. NOTE: If you select Local mode, you need to add http://127.0.0.1 to the list of trusted sites in Internet Explorer. For further information, refer to the Adding local host to the trusted sites list section be
77. [Screenshot 10: Define your SMTP server and GFI MailSecurity virtual folder details.] 5. You now need to select the server where you want to host the GFI MailSecurity configuration pages. On this server, two virtual directories are created to host the configuration pages and the quarantine RSS feeds. You can specify custom virtual directory names if you want, or else leave the defaults. NOTE: If you are installing on a Microsoft Exchange Server 2007 machine, the IIS SMTP service is not required since it has its own built-in SMTP server. In such a case, the SMTP Server Setup area is not displayed and you can click Next to continue and go to step 7 directly. GFI MailSecurity relies on the IIS SMTP service to send and receive SMTP mail. It binds to your default SMTP virtual server, i.e. the server specified in the MX record of your DNS Server. However, if you have multiple SMTP virtual servers on your domain, you can bind GFI MailSecurity to any available SMTP virtual server. To change the default SMTP connection, select the required server from the list of available SMTP Virtual Servers provided in this dialog box. NOTE: After installing the product, you can still bind GFI MailSecurity to another SMTP virtual server from the GFI MailSecurity Configuration (GFI MailSecurity > Settings > Bindings). For more information refer
78. ame. Specifying jpg will block all jpg files. NOTE 2: To remove an entry from the list, select it and click Remove Selected. 5. Additionally, you can specify a file size in kilobytes as a threshold. This has the effect of blocking all attachments with a file size bigger than the one you specify, irrespective of whether it matches an entry in the list. To enable this option, select the Block all files greater than the following size in Kb check box and specify the maximum file size in KB allowed without blocking. [Screenshot 56: Attachment Checking Actions tab.] 6. After you have specified what the attachment rule should check for, you must specify what this rule should do whenever it finds the specified attachment(s). Click the Actions tab to open the rule actions configuration page. 7. Select the Block attachment and perform this action check box if you want to quarantine, delete or move the blocked emails to a particular folder. Additionally, select one of the following options: • Quarantine email: Select this option to quarantine the email containing the attachment for review by an administr
79. [Contents excerpt] Knowledge Base; Web Forum; Request technical support; Build notifications. About GFI MailSecurity. Introduction to GFI MailSecurity: The need to monitor email messages for dangerous, offensive or confidential content has never been more evident. The most deadly viruses, able to cripple your email system and corporate network in minutes, are being distributed worldwide via email in a matter of hours (for example, the MyDoom worm). Products that perform single-vendor anti-virus scanning do not provide sufficient protection. Worse still, email is likely to become the means for installing backdoors, Trojans and other harmful programs to help potential intruders break into your network. Products restricted to a single anti-virus engine will not protect against email exploits and attacks of this kind. Your only defense is to install a comprehensive email content checking and anti-virus solution to safeguard your mail server and network. GFI MailSecurity acts as an email firewall and protects you from email viruses, exploits and threats, as well as email attacks targeted at your organization. GFI MailSecurity is totally transparent to your users and does not require additional user training. Key features of GF
80. [Screenshot 97: Quarantine folder RSS feed. Columns: RSS Feed, Status, Interval, Maximum Items. Emails blocked by email exploit engine: Disabled, 10 minutes, 100. Emails blocked by virus scanners: Enabled, 10 minutes, 100.] 4. Select the Enable Quarantine RSS feeds on this folder check box. 5. Specify an interval in minutes in the Refresh feed content every box. The default value is 10 minutes. 6. Specify the maximum number of items you want the feed to include in the Feed should contain at most box. NOTE 1: By default, the GFI MailSecurity quarantine RSS feeds require authentication, and thus only the users configured in the GFI MailSecurity SwitchBoard tool can subscribe to the RSS feeds. For more information, refer to the Securing access to the GFI MailSecurity Quarantine RSS feeds section in the Installing GFI MailSecurity chapter. NOTE 2: If you give everyone access to the RSS feeds from the GFI MailSecurity SwitchBoard application, or disable NTLM security on the RSS feeds virtual directory, anyone will be able to subscribe to the feeds. If you suspect unauthorized users managed to get a copy of a quarantine folder RSS feed URL, click the Reset Feed URL button for the specific quarantine folder and then click Apply. You then need to update the RSS subscription in your RSS feed reader application to point to the new URL. If you suspect that all RSS feed URLs might have been discovered, click Edit to the rig
81. [Screenshot 25: New SwitchBoard settings successfully applied.] 9. When the process completes, click OK. Accessing the GFI MailSecurity Configuration and Quarantine Store: This section will show you how to access the GFI MailSecurity Configuration and Quarantine Store from the local machine or a remote machine. Accessing the configuration from the GFI MailSecurity machine: To access the GFI MailSecurity configuration or quarantine store from the same machine where GFI MailSecurity is installed (i.e. locally), follow these steps: 1. Click the GFI MailSecurity shortcut found under Start > Programs > GFI MailSecurity. 2. If you have configured GFI MailSecurity to be accessible only locally via the GFI MailSecurity SwitchBoard application, a viewer application will automatically load up, displaying the GFI MailSecurity configuration and quarantine store. [Screenshot: GFI MailSecurity Configuration and Quarantine Management console.]
82. ates tab in the Trojan & Executable Scanner page in the right window. 3. Select the Automatically check for updates check box to enable the auto-update feature. 4. From the Downloading options list, select one of the following download options: • Only check for updates: Select this option if you want GFI MailSecurity to just check and notify the administrator whenever updates are available for the Trojan & Executable Scanner. NOTE: This option will NOT download the available updates. • Check for updates and download: Select this option if you want GFI MailSecurity to check and automatically download any updates available for the Trojan & Executable Scanner. 5. Specify how often you want GFI MailSecurity to check/download updates for the Trojan & Executable Scanner by typing an interval in hours. 6. Click Apply. [Screenshot 77: Trojan & Executable Scanner Updates tab, showing the automatic update options, the Enable email notifications upon successful updates check box (notifications will always be sent for unsuccessful updates) and the Download updates button, which forces the updater service to download the most recent updates.]
83. ator. For more information, refer to the Quarantining chapter in this manual. • Delete email: Select this option to delete the email and attachment completely. • Move to folder: This option will move the email to the specified folder. Input the folder name in the box provided underneath this option. NOTE: Please note that you cannot configure actions to affect a single attachment within an email. Actions will always affect the whole email containing the attachment. 8. You can configure an attachment rule to send email notifications to the administrator and/or user whenever an email containing an attachment is blocked. You can configure the required notifications by selecting any of the following options: • Notify local user: Select this option if you want to notify the email local users when this filter blocks an attachment. NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting. • Notify administrator: Select this option if you want to send email notifications to the administrator whenever an email containing an attachment is blocked. The administrator's email address is specified during the instal
84. atus is set to Disabled for all Virus Scanning Engines, the Information Store Scanning feature is disabled. The GFI MailSecurity configuration will inform you with a dialog that the Information Store Scanning feature is going to be disabled, since you are trying to disable the only Virus Scanning Engine left which is set to scan the Information Store. If you click OK, the particular virus scanning engine will have the Information Store Scanning feature disabled, and so will the overall Information Store Scanning feature. If you click Cancel, the virus scanning engine will not have the Information Store Scanning feature disabled, and the overall Information Store Scanning feature will remain active, since there is at least one virus scanning engine that is still configured to scan the Information Store. [Screenshot 40: Information Store Scanning will be disabled. Dialog text: "This will disable information store protection".] If the overall Information Store Scanning feature is disabled, you need to enable it from the Information Store Protection node before you can configure any Virus Scanning Engine to scan the Information Store. If you try to configure a Virus Scanning Engine to scan the Information Store and the feature is disabled from the Information Store Protection node, the GFI MailSecurity configuration will inform you about this with a dialog, as shown in the screenshot below.
85. bout this action, as shown in the screenshot below. If you need to enable or disable the Information Store Scanning option for a specific Virus Scanning Engine, please refer to the Configuring Virus Scanning Engines section earlier in this chapter. [Screenshot 52: All Information Store Virus Scanning Engines have been enabled. Dialog text: "All virus scanning engines are by default enabled for Information Store Virus Scanning. You can use the Virus Scanning Engines node should you wish to disable any of the engines."] 3. To configure what VSAPI scan method to use, click the VSAPI Settings tab. [Screenshot: Information Store Virus Scanning, VSAPI Settings tab (Microsoft Exchange Virus Scanning API settings).] Enable background scanning: Enabling background scanning will cause all the contents of the Information Store to be scanned. Depending on how many items you have in the Information Store, the Exchange server might get very busy during this process. It is recommended that this option be enabled only during times of low server activity, typically at night. On-access scanning: New items in the Information Store are scanned through VSAPI as they are accessed. New email messages are therefore scanned as they are accessed by the email client. This means that there might be a short delay before the email client displays
86. box, browse to the GFI MailSecurity installation folder <GFI\ContentSecurity\AntiVirus\Kaspersky> and choose kavss.exe. 7. Click Apply and OK to apply the changes. 8. Restart the GFI Content Security Auto Updater Service and the GFI MailSecurity Scan Engine services. Securing access to the GFI MailSecurity configuration/quarantine: The GFI MailSecurity configuration and quarantine store can be accessed through a web browser, and thus it is imperative that you configure proper access security so that only authorized users can set up rules and manage the quarantine store. You can configure access security to the GFI MailSecurity configuration pages and quarantine store via the GFI MailSecurity SwitchBoard application. To configure access security, follow these steps: 1. Click the GFI MailSecurity SwitchBoard shortcut found under Start > Programs > GFI MailSecurity. 2. The GFI MailSecurity SwitchBoard application is loaded. You now need to select whether you want to allow only local access to the Configuration and Quarantine Store, or else both local and remote. To allow only local access, click Local mode, so that the Configuration and Quarantine Store can only be accessed when working directly on the server machine where GFI MailSecurity is installed. On the other hand, to allow both local and remote access, click IIS mode, so that authorized users both from the local machine and other remote machines can access the GFI M
87. c patterns vary from month to month, you can also spot interesting trends regarding the amount of security threats received. Furthermore, this report provides a total sum of emails processed and blocked for the period you select. [Sample report screenshot: Processed & Blocked emails per month (Composite). Description: The Processed & Blocked emails per month report shows the composite amount of blocked emails against processed emails per month for the selected period. Columns: Processed Emails, Blocked Emails, Percentage of Blocked Emails, by month from January to December.] Processed emails per month: This report combines data from the period you select into the twelve months, to show you how many emails were processed for each month of the year. The same data is also presented as an area graph. [Sample report screenshot: Processed emails per month (Composite).]
88. [Screenshot 95: Quarantined email user notification. The sample notification reports that the attachment coolgame.exe was quarantined for breaching a Trojan & Executable Scanner rule: "Checks if the executable tries to change keyboard, mouse or display settings" (CheckUIChange).] Enable quarantine RSS feeds. What is RSS? Really Simple Syndication (RSS) is a protocol used by websites that update their content frequently (for example news sites, weblogs and so on) to inform end users of what is new or updated on the website. The website publishes an XML file, called an RSS feed, that complies with the schema defined in the RSS standard. End users make use of a special application, called a feed reader or aggregator, to subscribe to the different RSS feeds. The aggregator reads the XML file from the URL specified when subscribing, parses the content and displays a list of updated articles. The entries usually include a summary of the article and a link to view the full article. How does GFI MailSecurity use RSS? The quarantine store is like a website that is updated frequently with new blocked content. To facilitate the work of the admi
89. [Contents excerpt] Report scheduling; Report customization; Favorites; Wizard assisted configuration; License scheme and evaluation period; Evaluation period; Purchasing a license key; GFI MailSecurity ReportPack Installation; System requirements; Installation procedure; Launching GFI MailSecurity 10.0 ReportPack for GFI ReportCenter; Selecting a product; GFI MailSecurity ReportPack Default reports; Introduction; Generating a default report; Example: Generating a Monthly email traffic report based on the last 12 months data; Viewing the generated report
90. change the virus scanning execution priority, click the up or down arrows to respectively increase or decrease the priority of the virus scanner. Repeat the same procedure until the virus scanner reaches the desired position in the priority execution sequence list. Configuring Virus Scanning optimizations: From the GFI MailSecurity > Virus Scanning Engines node, you can instruct GFI MailSecurity to stop virus scanning an item if a number of virus scanning engines already detected a virus in that item. To enable this option, select the Stop virus scanning the current item if viruses are detected by check box and specify the number of virus scanners that need to detect a virus to stop virus scanning in the box. Click Apply. [Screenshot 50: Configure virus scanning optimizations.] For example, if you select this option and enter 2 in the box, virus scanning on an item that contains a virus is performed by at most two virus scanning engines, if they detect it. Emails that do not contain a virus are scanned by all enabled virus scanning engines anyway. If you want to streamline further the path taken by items containing a virus, select the Stop scanning even for non-virus related threats che
91. cify the data range that should be applied to the report. [Screenshot 123: Selecting the date range. Fixed Date Range: Start Date Sunday, October 01, 2006; End Date Sunday, December 31, 2006. Variable Range: Range Size.] 6. In the Custom Report Wizard finish page, click Finish to complete the wizard. GFI ReportCenter will display the Custom Reports panel, where the custom report you just created is listed. [Screenshot: GFI ReportCenter 3.5, Custom Reports panel for GFI MailSecurity 10.0 ReportPack, showing the custom report "Inbound & Outbound email traffic per week days, 4th Quarter 2006". Description: The Inbound & Outbound email traffic per week days report shows the composite amount of inbound and outbound emails per week days for the selected period.]
92. ck box and click Apply. This option will instruct GFI MailSecurity to stop further scanning of the current item (such as with Attachment Checking and so on), since the amount of virus scanning engines you specified have detected a virus. Configuring Information Store Scanning. NOTE 1: The Information Store Protection node is only available if you install GFI MailSecurity on the Microsoft Exchange machine. NOTE 2: When GFI MailSecurity is installed on a Microsoft Exchange Server 2007 machine, Information Store Protection is available only when the Mailbox Server Role and Hub Transport Server Role are installed. This section will show you how to enable or disable Information Store Scanning and select the scan method used by VSAPI (Virus Scanning API). To configure the Information Store Scanning feature, follow these steps: 1. Click the GFI MailSecurity > Information Store Protection node. 2. In the Information Store Virus Scanning tab, you can enable or disable Information Store Scanning by selecting/clearing the Enable Information Store Virus Scanning check box accordingly. The status of the Virus Scanning Engines used to scan the Information Store is also displayed. [Screenshot: Information Store Virus Scanning tab.]
93. ck for a more recent build of the GFI MailSecurity 10.0 ReportPack. 4. Choose whether you want the installation wizard to search for a newer build of the GFI MailSecurity 10.0 ReportPack on the GFI website. Then click Next to proceed with the installation. 5. In the license page, read the licensing agreement carefully and then click accept the terms in the license agreement. Click Next to continue. 6. Enter your Name, Company and License key. If you are evaluating the product, leave the license key as default (i.e. Evaluation). Click Next to continue. [Screenshot 114: Database selection page. GFI MailSecurity 10 ReportPack generates reports based on the data collected by GFI MailSecurity 10. Specify the database source that will be used by the GFI MailSecurity 10 ReportPack: Use Microsoft Access or Use Microsoft SQL Server, connecting with Windows authentication (credentials of current user) or Server authentication (Login ID and password).] 7. In the Database Selection page, you need to select the database you configured GFI MailSecurity to use for reporting purposes.
94. ct Delete item in the Actions tab of the Antivirus Engine, all emails containing macros will still be DELETED, i.e. they are NOT Quarantined. 5. The configuration settings required in the Actions and Updates tabs are identical for all the installed Virus Scanning Engines. For more information on how to configure these parameters, refer to the Virus Scanner Actions section and Virus Scanner Updates section in this chapter. 6. After you have configured all the required parameters, click Apply. All changes and configuration settings will take effect immediately. NOTE: The section at the bottom of the General tab displays information on the scanning engine. This includes the Virus Scanning Engine version and the virus signature count. License details for the current anti-virus engine are also displayed. BitDefender website: For more information about the virus patterns included in the BitDefender engine, visit the BitDefender website at http://www.bitdefender.com. McAfee configuration. NOTE: The McAfee engine is purchased separately; the engine is not included in the base product. As standard, GFI MailSecurity includes both the Norman and the BitDefender anti-virus engine. For pricing information on adding the McAfee anti-virus engine, please visit the GFI website www.gfi.com. The configuration options of the McAfee Virus Scanning Engine are identical to those of the BitDefender engine. For more information on how to configu
95. ctly from the email client, without accessing the Quarantine Store. To enable the sending of HTML Quarantine Action Forms, follow these steps: 1. Click the GFI MailSecurity > Quarantine Options node. 2. Select the Send quarantine approval forms by email check box to enable the sending of HTML Quarantine Action Forms through email. 3. Specify to whom you want to send the HTML Quarantine Action Forms (i.e. specify who will review/approve the quarantined emails) by selecting one of the following options: • Send to administrator: Select this option to send the HTML Quarantine Action Forms to the administrator, i.e. using the email address specified during the installation stage or configured in the GFI MailSecurity > Settings node > General tab. For more information on how to configure the administrator's email address, refer to the Define the administrator's email address section in the General Settings chapter. • Send to the following email address: Select this option to send the HTML Quarantine Action Forms to a specified email address, user group or public folder. Type the recipient in the box provided underneath this option. NOTE: In the HTML Quarantine Action Form, you can click More details to view all the information related to the quarantined email. 4. Click Apply. How to approve or delete quarantined emails from an email client: When GFI MailSecurity quarant
96. d in Background: The total number of messages that are processed by background scanning. Troubleshooting. Introduction: The troubleshooting chapter explains how you should go about resolving any software issues that you might encounter. The main sources of information available to users are: • The manual (most issues can be solved by reading this manual) • GFI Knowledge Base articles • Web forum • Contacting GFI Technical Support. Knowledge Base: GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, please consult the Knowledge Base first. The Knowledge Base always has the most up-to-date listing of technical support questions and patches. To access the Knowledge Base, visit http://kbase.gfi.com. Web Forum: User-to-user technical support is available via the web forum. The forum can be found at http://forums.gfi.com. Request technical support: If you have referred to this manual and our Knowledge Base articles and you still cannot solve issues with the software, contact the GFI Technical Support team by filling in an online support request form or by phone. • Online: Fill out the support request form on http://support.gfi.com/supportrequestform.asp. Follow the instructions on this page closely to submit your support request. • Phone: To obtain the correct technical support phone number for your region p
97. d to it. The contents of the search folder are the quarantined emails that match the search query. The content of a search folder is thus dynamic and changes automatically as emails that match the search folder criteria are quarantined or deleted. Why are search folders useful? The main benefit of search folders is that they help you organize your quarantined emails. In this way it is easier for the administrator to identify and then approve or delete blocked emails. Each search folder can have different search criteria; thus you can virtually split the Quarantine Store into subdivisions containing emails with specific characteristics in each group. For example, you can create a search folder that collects only emails that were quarantined by the Virus Scanning Engines. A good idea is to create a search folder for each GFI MailSecurity module, so that instead of viewing one huge list of quarantined emails you split them up into logical groups. Grouping quarantined emails in Search Folders: To create a new search folder, follow these steps: 1. Click on either the GFI MailSecurity > Quarantine node or the GFI MailSecurity > Quarantine > Search Folders node. 2. From the right panel, click New search folder. 3. In the Search folder name box, type a name for the new search folder, for example Emails blocked by Attachment Rules. 4. If you installed GFI MailSecurity on the Microsoft Exchange Server machin
98. des a total sum of emails processed and blocked for the period you select. [Sample report: Daily blocked emails. Description: The Daily blocked emails report shows the amount of blocked emails against processed emails per day for the selected period. Generated on 09/08/2006, for period 26/07/2006 - 09/08/2006. Columns: Day, Processed Emails, Blocked Emails, Percentage of Blocked Emails.] Processed and blocked emails per week: This report combines data from the period you select into a single year to show you how many emails were processed, blocked due to a security threat, and what percentage of the processed emails was blocked email during each week of the year. The same data is also presented as an area graph. Apart from getting a picture of how email traffic patterns vary from week to week throughout the year, you can also spot interesting trends regarding the amount of security threats received. Furthermore, this report p
99. disabling rules; Changing the rule priority; Decompression engine: Introduction to the Decompression engine; Configuring the decompression engine filters (Check password protected archives; Check corrupted archives; Check for recursive archives; Check size of uncompressed files in archives; Check for amount of files in archives; Scan within archives); Configuring decompression filter actions; Enable/disable decompression filters; The Trojan & Executable Scanner: Introduction to the Trojan & Executable Scanner
100. e you can limit the emails in this search folder to those blocked from a particular source. From the list under the Item source area, you can select one of the following: • Information store (VSAPI): Only quarantined items forming part of the Information Store will be displayed. • Information store (Transport): This option is only available when GFI MailSecurity is installed on a Microsoft Exchange Server 2007 machine with the Hub Transport Server Role installed. Only quarantined items forming part of the Information Store that were scanned through the Hub Transport Agent will be displayed. • Gateway (SMTP): Only inbound or outbound quarantined emails (SMTP traffic) will be displayed. • Any: All quarantined items will be displayed, irrespective of the source. 5. You can now configure auto-purge settings for this search folder. If you configure auto purging on a search folder, GFI MailSecurity will delete any emails in that search folder that are older than the number of days you specify. To enable auto purging, select the Enable Auto purging check box and specify a value in the day(s) box. NOTE: Configure auto purging with great care, since emails purged from the Quarantine Store are not recoverable. 6. Specify the search criteria that will determine the contents of this folder. You can select any of the following options: • Quarantine reason: Select this option to include all the emails containing a specific keyword or
101. [Screenshot 51: Information Store Protection node. Option shown: Enable Information Store Virus Scanning. "When this option is enabled, the contents of the Microsoft Exchange Information Store are scanned for viruses through the Microsoft Exchange Virus Scanning API (VSAPI). Only the Virus Scanning Engines are utilized for Information Store Protection. Use the Virus Scanning Engines node to configure which engines are used for Information Store Scanning." Information Store Virus Scanning Engines Status table: Norman Anti-Virus, McAfee Anti-Virus, Kaspersky Anti-Virus, BitDefender Anti-Virus and AVG Anti-Virus, each shown as Enabled and Licensed.] NOTE: When you disable Information Store Virus Scanning, the Information Store Scanning option of all Virus Scanning Engines is disabled automatically. When you enable Information Store Virus Scanning, the Information Store Scanning option of all Virus Scanning Engines is enabled automatically. This setting does not affect the Gateway scanning option of each Virus Scanning Engine. The GFI MailSecurity configuration will prompt you a
102. e list. 8. Click the Database Access tab. 9. Select the check box near the Database you have just created. Screenshot 106: Enabling the db_owner field. 10. In the Database roles for list, select db_owner. Click OK to save your settings. Realtime Monitor. About the Realtime Monitor: Through the Realtime Monitor page you can monitor the GFI MailSecurity email processing activity in a live environment. Therefore you can use this option to check the status of each email and determine whether an email was successfully processed, not processed or quarantined. [Screenshot: Realtime Monitor page, with the text "The Realtime Monitor shows all the scanning activity in chronological order" and a GFI MailSecurity Statistics panel (number of processed items, number of quarantined items, number of unprocessed emails in the last 24 hours).] For more informati
103. e quarantined email to the intended recipient and remove it from the Quarantine Store. In addition, if the email was inbound, the recipient will receive an email describing the status change of the quarantined email, i.e. approved or deleted. This email is mostly required to inform the user when the quarantined email is deleted. Quarantined mail from the user point of view: The quarantining of mail is largely transparent to the mail user. For both inbound and outbound mail, users will receive the quarantined mail as soon as the administrator approves it. If you select to notify the local user via the notification options group under the Actions tab of a particular node, the local user will receive an email to inform him that an email was quarantined, as shown in the following screenshot. NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by the notify local users setting. Screenshot (notification email, window title "Notification: GFI MailSecurity detected a threat"): From: Administrator. Sent: Fri 05/05/2006 11:03. To: Jack Brown. Subject: Notifi
104. e the machine as an SMTP relay to your mail server. This means that the MX record of your domain must be pointing to the gateway machine. This section describes how you can configure your mail relay and install GFI MailSecurity. About Windows 2000/2003 IIS SMTP & World Wide Web services: The SMTP service is part of IIS, which is part of Windows 2000/2003/XP. It is used as the message transfer agent of Microsoft Exchange Server 2000/2003 and has been designed to handle large amounts of mail traffic. The World Wide Web service is also part of IIS. It uses the HTTP protocol to handle web client requests on a TCP/IP network. The IIS SMTP service and World Wide Web service are included in every Windows 2000/2003/XP distribution. Step 1: Verify installation of IIS SMTP and WWW services. GFI MailSecurity uses the Windows 2000/2003/XP IIS SMTP service as its SMTP server. 1. On the taskbar, click Start > Settings > Control Panel. Double-click Add/Remove Programs and then click Add/Remove Windows Components. 2. From the dialog on display, locate and click the Internet Information Services (IIS) component, then click Details. 3. Select the SMTP Service check box and World Wide Web Service check box. Click OK to start the installation of the selected services. Follow the onscreen instructions and wait until the installation completes. Step 2: Specify mail relay server name and assign an IP. 1. On the taskbar, click Start > Settings >
105. e used to uniquely identify the report through the set of custom reports. The custom report name must be unique. Report name: "Inbound email traffic per week days generate every month". Report description: "The Inbound email traffic per week days report shows the composite amount of inbound emails per week day for the selected period." Screenshot 128: Report name and description for a scheduled report. 4. In the Name and Description page, provide a descriptive report name and description in the Report Name and Report Description boxes, and then click Next to continue. [Schedule Report Wizard, Time Schedule page: "Specify the time schedule to be used to automatically generate the report. Scheduled reports can be generated either once, using a specific date and time, or else re-generated using a time frame starting from a specific time." Options shown: Generate this report once on the following day/time (Date/Time: 1/17/2007 12:01:02 PM); Generate this report every (Interval: 30 Days; Start date/time: 2/1/2007 12:00:00 AM).] Screenshot 129: Scheduled report time schedule. 5. In the Time Schedule page, select whether you want to generate the report once or periodically. If you want to generate once on a particular date, click Generate this re
106. eature and specify the maximum size in MB allowed for uncompressed files received within an archive. IMPORTANT: If you disable the Check size of uncompressed files in archives rule, GFI MailSecurity will not scan or quarantine archive attachments, thus bypassing the anti-virus checking. 4. Decide on what to do with emails containing archived files that exceed the specified size when uncompressed: • Quarantine: Select this option to quarantine the emails that contain these archives. The administrator can later review these quarantined emails and approve or delete them accordingly. • Automatically Delete: Select this option to delete emails containing archived files that, when uncompressed, exceed the specified size limit. 5. Click the Actions tab to configure any actions to be performed whenever this filter detects and blocks emails containing an archive. For more information on how to configure actions, refer to the Configuring decompression filter actions section in this chapter. 6. Click Apply. Check for amount of files in archives. [Dialog shown: General and Actions tabs; option "If number of files within archive exceeds"; "Please select the action to take when this rule is violated": Quarantine or Automatically Delete.] Screenshot 72: Configuring the amount of file
107. eb for newer builds. Periodically GFI releases product and ReportPack updates that can be automatically downloaded from the GFI website. To check if a newer build is available for download: 1. Select the GFI MailSecurity 10.0 ReportPack from the Product Selection list. 2. Click on the Options panel button. 3. Right-click on the Version Information node and select Checking for newer builds. Screenshot 141: Version Properties, Checking for newer builds. GFI MailSecurity ReportPack: Exporting Settings. Introduction: This section will show you how to export the settings configured for the GFI MailSecurity 10.0 ReportPack into an XML file. This is useful if you need to take a backup of the favorite reports list and the configured custom and scheduled reports. Exporting settings is also useful if you need to set up an installation of GFI ReportCenter on another machine. For this scenario you need to export the settings from the configured GFI ReportCenter installation, copy the exported XML file over to the other machine where the new installation of GFI ReportCenter is installed, and then import the settings from the XML file. Exporting the GFI MailSecurity 10.0 ReportPack Settings: To export all the settings for the GFI Ma
108. ecked, with the highest priority rule on top and the lowest priority rule at the end of the list. The priority number of each rule is displayed on the right-hand side of the Content Checking page, under the Priority column. The Content Checking page allows you to change the priority of the rules as follows: 1. Click the GFI MailSecurity > Content Checking node. 2. From the Content Checking page in the right window, click the up or down arrows to respectively increase or decrease the priority of the required rule. Repeat until the rule reaches the desired position in the list, i.e. until the rule is assigned the desired priority. Decompression engine. Introduction to the Decompression engine: The Decompression engine decompresses and analyzes archives attached to an email. Screenshot of the Decompression Engine page (Disable Selected / Enable Selected buttons; Description and Status columns): Check password protected archives, Enabled; Check corrupted archives, Enabled; Check for recursive archives, Enabled; Check si
109. [Screenshot 55: Attachment Checking, General tab. Fields shown: Rule display name (New Attachment Checking Rule); Email checking (Check inbound emails, Check outbound emails); Attachment blocking (Block all, Block this list, Block all except this list); a list for entering filenames with optional wildcards; Block all files greater than the following size in Kb (2048).] 3. Specify the name of the rule and select whether to apply this rule to inbound and/or outbound emails by selecting the respective check boxes. 4. Decide on the type of attachment blocking required: • Block all: Select this option to block email attachments of any type. • Block this list: Select this option to block ONLY the listed attachment types. • Block all except this list: Select this option to block attachment types that are not included in the list. NOTE 1: To add an attachment type to the list, input the required full file name or file extension in the box next to the Add button. When ready, click Add. You can use asterisk wildcards to replace characters or strings in the attachment type extension. For example, specifying *orders*.mdb blocks all mdb files which contain the string orders in the file n
110. ecommend that you perform Directory Harvesting checks using LDAP lookups, i.e. click Use LDAP lookups and specify your LDAP server details. NOTE 2: When GFI MailSecurity is set up behind a firewall, the Directory Harvesting feature will not be able to connect directly to the internal Active Directory because of the firewall. In this case, although both options will be available, you must use LDAP lookups in order to enable the Directory Harvesting filter to connect to the internal Active Directory of your network, i.e. pass through your firewall. Make sure to enable default port 389 on your firewall. NOTE 3: When connecting to an Active Directory using LDAP, i.e. when GFI MailSecurity is installed on a DMZ or behind a firewall, you have to specify the authentication credentials in this form: Domain\User, e.g. master-domain\administrator. NOTE 4: In an Active Directory, normally the LDAP server is the Domain Controller. 9. If you want to keep a log of the emails that GFI MailSecurity deletes through the Directory Harvesting filter, select the Log occurrence to this file check box and specify a log file name in the box below. 10. Click Apply. Reporting. Introduction to GFI MailSecurity Reporting: Through the reporting option you can configure GFI MailSecurity to log statistical data, such as the amount of emails being processed and quarantined, into a database. You can then buy the GFI
111. ecurity. IIS mode configuration URL: http://WIN2K3ENTSVR:80/MailSecurity. IIS mode quarantine URL: http://WIN2K3ENTSVR:80/MailSecurity/quarantine. Screenshot 23: GFI MailSecurity SwitchBoard. 3. In the IIS mode access control list dialog box, you can configure who can subscribe to the quarantine RSS feeds. [Dialog shown: IIS mode access control list. "Access to the RSS feeds can be restricted to specific users or groups. Below you can configure the access control list for the feed URL." The RSS URL Access Control List has Name, Type and Deny columns and lists administrator users and roles, with Add and Remove buttons.] Screenshot 24: Quarantine RSS feeds Access Control Lists. 4. Use the Add and Remove buttons underneath the RSS URL Access Control List. If you want to deny access to a listed account without removing it from the list, select the check box under the Deny column. 6. When ready, click OK. 7. If you want to specify a different virtual directory name, you can do so by editing the entry in the RSS Virtual directory box. 8. Click OK to save your changes. A progress bar shows you the progress while applying the new settings. GFI MailSecurity SwitchBo
112. ed. Enable the Directory Harvesting filter on quarantined emails. Since GFI MailSecurity is usually installed as a first line of defense against email-based threats, it will process a lot of spam email, because server-level spam filters such as GFI MailEssentials are usually installed behind GFI MailSecurity. Some of the spam email contains malicious attachments, such as viruses, trojans and so on, and will thus be blocked by GFI MailSecurity and stored in the quarantine store for review. Spam email quarantined by GFI MailSecurity will thus clutter the quarantine store with many useless emails, making the administrative review process more complex. To eliminate malicious spam email from the quarantine store, you can enable the Directory Harvesting filter on the quarantine store. The Directory Harvesting filter will scan emails that GFI MailSecurity blocks before they are stored in the quarantine store. If all the recipients of the blocked email are non-local or do not exist on the organization's Active Directory or email server, GFI MailSecurity will delete the blocked email instead of storing it in the quarantine store. The Directory Harvesting filter determines if a user exists or is local by performing user lookups against the Active Directory or LDAP server you configure. To enable the Directory Harvesting filte
113. ed in this search folder. Items that have been quarantined for at least the number of days you specify will be automatically deleted from the quarantine system. [Options shown on the page: Enable Auto purging (Automatically purge items older than a number of day(s)); Keyword search (Quarantine reason, Item subject, Sender, Recipient); Search options (Quarantined by, Item direction); Date filter (Date, Day from / Time from, Day to / Time to, Specific date); Save folder.] Screenshot 87: New Search Folder properties page. • Item direction: Select this option to limit the items included in this search folder to either Inbound or Outbound emails. NOTE 1: Leave this option unselected if you want to include both Inbound and Outbound emails in this Search Folder. NOTE 2: This option is only enabled when GFI MailSecurity is not installed on a Microsoft Exchange machine or, if it is, the Item source selected was Gateway. • Date: Select this option to group emails by date. Specify a date in the relevant box, or alternatively click the calendar button and select the required date from the calendar window. Specify a Date Range: You can also group emails by Date Range. To do so, click Date
114. Preparing to install GFI MailSecurity on an IIS mail relay server; Step 1: Verify installation of IIS SMTP and WWW services; Step 2: Specify mail relay server name and assign an IP; Step 3: Configure the SMTP service to relay mail to your mail server; Step 4: Secure your mail relay server; Step 5: Configure your mail server to relay email via the Gateway Server; Step 6: The MX record of your domain must point to the mail relay server; Step 7: Test your new mail relay server; Step 8: Install GFI MailSecurity on the mail relay server; Preparing to install GFI MailSecurity on your mail server; Installing GFI MailSecurity; GFI MailSecurity Post Installation Wizard; Adding GFI MailSecurity to the Windows DEP Exception List
115. Report browsing options; Report storage and distribution options; Adding default reports to the list of favorite reports; GFI MailSecurity ReportPack: Custom reports: Introduction; Creating a new custom report; Generate a custom report; Editing a custom report; Deleting a custom report; Adding custom reports to the list of favorite reports; GFI MailSecurity ReportPack: Scheduling reports: Introduction; Scheduling a report; Viewing the list of scheduled reports; Viewing the scheduled reports activity; Enable/disable a scheduled report; Editi
116. either by querying your Active Directory (requires installing this software in Active Directory mode) or by importing the list from your SMTP Server (requires installing this software in SMTP mode). The mode to be used depends entirely on your network setup and the machine on which you will be installing this mail security software. You can choose the required access mode during the installation of GFI MailSecurity. Typical deployment scenarios. Installing GFI MailSecurity on your mail server. Figure 1: Installing GFI MailSecurity on your mail server. You can install GFI MailSecurity directly on your mail server without any additional configuration required. Moreover, you can also choose any of the two installation modes, i.e. Active Directory mode or SMTP mode, to define how GFI MailSecurity will retrieve the list of email users, since your mail server will have access to both the Active Directory as well as to the list of SMTP users which is contained on the mail server itself. NOTE: GFI MailSecurity can be only installed in the following Microsoft Exchange 2007 installations: • Edge Server Role • Hub Transport Role, and any other Microsoft Exchange 2007 server roles which are irrelevant to GFI MailSecurity • Mailbox and Hub Transport Server Role, and any other Microsoft Exchange 2007 server roles which are irrelevant to
117. emails per month for the selected period. [Sample report residue: generated on 1/10/2007; chart of processed emails by month, January to December.] Blocked emails per month: This report combines data from the period you select into the twelve months to show you how many emails were blocked due to a security threat for each month of the year. The same data is also presented as an area graph. [Sample report: Blocked emails per month (Composite). Description: The Blocked emails per month report shows the composite amount of blocked emails per month for the selected period. Generated on 1/10/2007. Month / Blocked Emails: January 33, February 55, March 33, April 33, May 4, June 44, July 22, August 33, September 33, October 88, November 33, December 44; total 495.] Administrative Reports. Processed and blocked emails per four hours: This report combines data from the period you select into a single day to show you how many emails were processed, blocked due to a security threat, and what percentage of the processed emails was blocked email in four-hour blocks starting from midnight. The same data is also presented as an area graph
118. Configuring the Email Exploit Engine properties; Email Exploit Engine updates; Triggering the Email Exploit Engine update manually; The HTML Sanitizer: Introduction to the HTML Sanitizer; Why remove HTML scripts; Configuring the HTML Sanitizer; Patch Checking: Introduction to Patch Checking; Downloading and installing software patches; Quarantine: Introduction to the Quarantine Store; The Quarantine Store; Searching for emails in the Quarantine Store; Search Folders; What is a Search folder; Why are search folders useful; Grouping quara
119. eneral Settings: Configures administrator's email, autoupdater, local domains and SMTP bindings for MailSecurity. Version Information: Displays version information. Licensing: Displays licensing information. Information Store Protection: Configures information store protection options. Content Checking: Configures a list of content checking rules. Attachment Checking: Configures a list of attachment checking rules. Screenshot 26: GFI MailSecurity accessed under local mode only. Accessing the configuration from a remote machine: To access the GFI MailSecurity configuration or quarantine store from a remote machine, follow these steps: 1. Start Microsoft Internet Explorer. 2. In the address bar, specify the following address: http://<machine name>/<virtual directory name> to access the configuration, or http://<machine name>/<virtual directory name>/quarantine to access the quarantine store directly. For example, http://win2k3entsvr.master-domain.com/mailsecurity for the configuration or http://win2k3entsvr.master-domain.com/mailsecurity/quarantine for the quarantine store
120. [Screenshot 90: List of Quarantined Emails in selected Search Folder]
     NOTE: You can sort the quarantined emails by clicking on any of the column headings. If you click the same column heading, the sort order switches between ascending and descending.
     2. Select the check box of the email(s) you want to approve and click Approve items.
     NOTE 1: If you want to approve all the listed emails, you do not need to select all the check boxes individually. Just click Approve all.
     NOTE 2: To refresh the information, click Update.
     NOTE 3: If an email matches more than one search folder, the administrator does not need to approve the same email from each search folder. If you approve an email from a search folder, GFI MailSecurity removes it from the Quarantine Store and so it does not list in any of the other search folders.
     Deleting emails from the Quarantine Store
     To delete emails from the Quarantine Store:
     1. Expand the GFI MailSecurity > Quarantine node and select the sub-node that contains the email(s) you want to delete; for example, select the Today node if you want to delete emails that were quarantined today.
121. eports panel button and then click on the Scheduled Reports List node.
     [Page footer: GFI MailSecurity for Exchange/SMTP; GFI MailSecurity ReportPack: Scheduling reports; page 163]
     2. Right-click on the scheduled report you want to disable and then click Disable.
     The status of scheduled reports is indicated by an icon to the left of each scheduled report, as follows:
     - [icon] Indicates that the scheduled report is disabled.
     - [icon] Indicates that the scheduled report is enabled.
     To enable a scheduled report, follow these steps:
     1. Click on the Scheduled Reports panel button and then click on the Scheduled Reports List node.
     2. Right-click on the scheduled report you want to enable and then click Enable.
     Editing a scheduled report
     To make changes to the configuration settings of a scheduled report:
     1. Click on the Scheduled Reports panel button and then click on the Scheduled Reports List node.
     2. Right-click on the scheduled report you want to re-configure and then click Properties to load the Schedule Reports Wizard.
     3. Use the wizard to modify the scheduled report settings as required. For information on how to configure the parameters of a scheduled report, refer to the Scheduling a report section earlier in this chapter.
     Deleting a scheduled report
     To delete a scheduled report:
     1. Click on the Scheduled Reports panel button and then click on the Scheduled Reports List node.
     2. Right-click on the scheduled report you want to delete a
122. es automatically or to notify the administrator whenever new updates are available.
     To configure automatic updates:
     1. Click the GFI MailSecurity > Email Exploit Engine node.
     2. Click the Updates tab.
     3. Select the Automatically check for updates check box to enable the auto-update feature.
     4. From the Downloading option list, select one of the following download options:
        - Only check for updates: Select this option if you want GFI MailSecurity to just check and notify the administrator whenever updates are available for the Email Exploit Engine. NOTE: This option will NOT download the available updates.
        - Check for updates and download: Select this option if you want GFI MailSecurity to check and automatically download any updates available for the Email Exploit Engine.
     5. Specify how often you want GFI MailSecurity to check/download updates for the Email Exploit Engine by typing an interval in hours.
     6. Click Apply.
     [Screenshot of the Updates tab (Email Exploit Updates): Automatic update options, Update options]
123. et Explorer 6 or higher
     - .NET Framework version 1.1
     Installation procedure
     The GFI MailSecurity 10.0 ReportPack installation wizard will perform the following operations during the installation process:
     - Verify that you are running the latest version of the GFI ReportCenter framework. If you are installing the framework for the first time, or the currently installed framework version is outdated, the installation wizard will automatically download the latest one for you.
     - Automatically install all the required components, including the GFI ReportCenter framework, the GFI MailSecurity 10.0 ReportPack default reports and the Report Scheduling service.
     To install the GFI MailSecurity 10.0 ReportPack, follow these steps:
     1. Double-click on MSEC10ReportPack.exe.
     [Screenshot 111: Installation welcome page]
     2. In the welcome page, click Next to continue the installation.
     [Screenshot: GFI Report Center Framework detection]
124. ewly created database node, right-click the Users sub-node and then click New Database User.
     [Screenshot 104: Creating a login]
     5. From the Login name list, select <new>.
     [Screenshot 105: Specifying authentication mode]
     6. In the SQL Server Login Properties dialog box, type the login name (for example, MailSecurityUser) in the Name box. Under the Authentication area, click SQL Server Authentication and then type a password in the Password box.
     7. Select the database you have just created from the Databas
125. fic for each day of the week. Through this report you can determine on which days of the week the mail server receives the most emails.
     [Sample report: Inbound email traffic per week days (Composite)]
     Outbound email traffic per week days
     This report combines the amount of emails sent during a particular period into a single week to present a bar graph showing outbound traffic for each day of the week. Through this report you can determine on which days of the week your organization sends the most emails.
     [Sample report: Outbound email traffic per week days (Composite)]
     Monthly email traffic
     This report shows you how many emails were received and sent per mont
126. fy, click Check all attachments having file extensions in the list. If you want to scan all the attachments except the ones you specified in the list, click Check all except attachments having file extensions in the list.
     NOTE: Enter the filename extension only; for example, if you want to scan text files, enter txt only, not .txt or *.txt.
     12. If you want the Content Checking rule to check the email subject, click the Subject tab to specify the keywords that will infringe this rule if found in the email subject.
     13. In the Subject tab, select the Enable subject content checking check box.
     14. To add a keyword, type it in the Enter phrase box and then click Add. The new keyword is displayed in the Phrases list.
     [Screenshot 63: Content Checking: Subject tab]
     15. If you want to match only whole words, select the Match whole words only check box.
     16. Next, configure what actions you want GFI MailSecurity to take on the emails that infringe this rule from the Actions tab.
     17. Select the Block email and perform this action check box if you want to
127. [Screenshot 84: Quarantine Store status page]
     Searching for emails in the Quarantine Store
     [Screenshot 85: Quarantine Store Quick Search]
     To search for emails in the GFI MailSecurity Quarantine Store, follow these steps:
     1. Click on either the GFI MailSecurity > Quarantine node or the GFI MailSecurity > Quarantine > Search Folders node.
     2. From the Quick Search area, use one of these methods to perform the search:
        - Search in sender/recipients: Specify an email address and click Search to find quarantined emails sent from or received by that email address.
        - Search in subject: Specify a keyword or phrase and click Search to
128. g for reporting purposes, select the Enable Reporting check box. If you clear this check box, no reporting data will be logged.
     3. In the reporting page, you can see the details of the currently configured reporting database, such as the database type and the location of the database. To change the current database settings, expand the Reporting node and click the Configure Database sub-node.
     4. In the Configure Reporting page, you can configure the reporting database as follows:
     Configuring a Microsoft Access database backend
     [Screenshot 101: Configuring a Microsoft Access database backend]
     1. Click MS Access and type the complete path, including the filename, of the database file in which the statistical data must be stored. If you only specify a filename, the database file is created in the default path, i.e. C:\Program Files\GFI\ContentSecurity\MailSecurity\data\<filename.mdb>.
     2. Click Apply.
     Configuring a Micro
129. h in a table. The report further includes a stacked bar graph of the data present in the table to help you visualize traffic trends over the period selected for the report. Since the amount of emails sent or received per month is stacked on the same bar, you can visually determine the ratio of emails sent versus received on the mail server. This report can help you decide, for example, whether you need to upgrade the mail server hardware to handle the increasing mail flow.
     [Sample report: Monthly email traffic]
     Processed and blocked emails per month
     This report combines data from the period you select into the twelve months to show you how many emails were processed, how many were blocked due to a security threat, and what percentage of the processed emails was blocked, for each month of the year. The same data is also presented as an area graph. Apart from getting a picture of how email traffi
130. he General tab displays information on the scanning engine. This includes the virus database version and release date. License details for the current anti-virus engine are also displayed.
     AVG web site
     For more information about the virus patterns included in the AVG engine, visit the AVG website at http://www.grisoft.com.
     Kaspersky configuration
     NOTE: The Kaspersky virus engine must be purchased separately. This engine is not included in the base product. As standard, GFI MailSecurity includes both the Norman and the BitDefender anti-virus engines. For pricing information on adding the Kaspersky anti-virus engine, please visit the GFI website: www.gfi.com.
     [Screenshot 43: Anti-virus Scanning Engines: Kaspersky configuration page (General tab)]
     To configure the Kaspersky engine:
     1. Expand the GFI MailSecurity g
131. he information link. An incorrect patch installation might cause a product malfunction or degrade its performance.
     NOTE 2: If available, GFI MailSecurity also includes links to Knowledge Base articles related to the listed patches. This is denoted by the KB Article caption in the KB link column of the patch. To access the Knowledge Base information, click the KB Article caption link.
     NOTE 3: GFI MailSecurity sends an email notification to the administrator whenever new software patches are discovered.
     Quarantine
     Introduction to the Quarantine Store
     As outlined earlier in the manual, you can configure GFI MailSecurity to quarantine the emails that fail any of the content policy or content security checks. You can then review the quarantined emails and either approve or delete them. You can approve/delete quarantined emails either directly from the Quarantine Store or through a Quarantine Action Form.
     - Approve/Delete directly from the Quarantine Store (recommended): For more information on how to review emails in the Quarantine Store, refer to the Approving emails from the Quarantine Store section further on in this chapter.
     - Approve/Delete from a Quarantine Action Form: GFI MailSecurity sends the Quarantine Action Form through email to the administrator on the administrator's email address, or to a specific email address belonging to an authorized person who can review q
132. he rules that you want to remove.
     NOTE: You can select all check boxes in one go by selecting the check box next to the Rule column heading at the top left of the list.
     3. Click Remove Selected to delete the selected rules.
     Make changes to an existing content checking rule
     To modify an existing rule:
     1. Click the GFI MailSecurity > Content Checking node.
     2. From the Content Checking page in the right window, click the name of the rule that you want to modify. The content checking rule will be loaded.
     3. Make the required changes (for example, rename the rule, etc.) in the rule properties and click Apply. Changes will take effect immediately.
     Enabling/disabling rules
     You can check and change the status of a rule (i.e. enabled/disabled) from the Content Checking page. To enable or disable an existing rule:
     1. Click the GFI MailSecurity > Content Checking node.
     2. From the Content Checking page in the right window, select the check box of the rule(s) that you want to enable or disable.
     3. Click Enable Selected or Disable Selected accordingly. The status change is displayed immediately under the Status column.
     Changing the rule priority
     The content checking rule priority is used to determine what rule conditions should be checked for first and so on. The Content Checking page lists the Content Checking rules in the same order as they will be ch
133. heck password protected archives check box to enable this filter.
     4. Specify what to do with emails containing password protected archives by selecting one of the following options:
        - Quarantine: Select this option to quarantine the emails that contain a password protected archive. The administrator can later review these quarantined emails and approve or delete them accordingly.
        - Automatically Delete: Select this option to delete emails containing password protected archives.
     5. Click the Actions tab to configure any actions to be performed whenever an email containing a password protected archive is detected and blocked. For more information on how to configure actions, refer to the Configuring decompression filter actions section in this chapter.
     6. Click Apply.
     Check corrupted archives
     This filter allows you to quarantine or delete emails that contain corrupted archives. The configuration options of this filter are identical to those of the Check password protected archives. For more information on how to configure these options, refer to the Check password protected archives section above.
     Check for recursive archives
     [Screenshot of the Decompression engine, Check for recursive archives: Maximum number of recurring archives; action to take when this rule is violated]
134. hed Trojan and Executables scanner policy Threat Trojan amp File coolgame exe breached the following Trojan amp Executable Scanner rule s Checks Executable if the executable tries to change keyboard mouse or display settings Scanner CheckUIChange Attachment File coolgame exe triggered rule CONTENT POLICY Block all potentially malicious Checking attachments Claimed extension exe listed in block extension list fun 03 jpq 22 91Kb Triggered rule CONTENT POLICY Block most common image attachments jpg etc fun 04 gif 22 91Kb Triggered rule CONTENT POLICY Block most common image attachments jpg etc fun 02 jpg 22 91Kb Triggered rule CONTENT POLICY Block most common image attachments jpg etc Module Threat Attachment File fun 02 jpg triggered rule CONTENT POLICY Block most common image Checking attachments jpg etc Claimed extension jpg listed in block extension list fun O1 jpg 22 91Kb Triggered rule CONTENT POLICY Block most common image attachments jpg etc Message Text Text Body HTML Bod Please click here to see quarantined content The message body might contain malicious content Instead of displaying the message body the threat description is being shown The following table shows the threat details for this message body To view the actual message body please click the link above Plugin Threat Content Words in body triggered
135. hen the last report was generated.
     - Next Generation: Shows when the next report will be generated.
     - Description: The description you specified when creating the scheduled report.
     Viewing the scheduled reports activity
     GFI ReportCenter also includes a schedule activity monitor through which you can view events related to the generation of scheduled reports. To open the schedule activity monitor, click on the Scheduled Reports panel button and then click the Scheduled Reports Activity node. The activity information is displayed in the right pane of the GFI ReportCenter management console.
     [Screenshot: GFI ReportCenter, scheduled reports activity list]
136. her to scan email bodies and attachments and the keywords an email must contain to trigger this Content Checking rule. Click the Body tab to configure these options.
     7. To configure this rule to check email bodies, you need to select the Block emails if content is found matching these conditions (message body/attachments) check box.
     8. You then need to specify the conditions that will infringe this rule while scanning the bodies and attachments content. To enter a new condition, type the keywords in the Edit condition box. Click the required logical operator button to insert that operator at the current cursor location in the Edit condition box. When the condition is complete, click Add Condition to add the new condition to the rule. The new condition is then displayed in the Current conditions list.
     For example, to enter the condition confidential information AND top secret, you would perform the following steps:
        - In the Edit condition box, type confidential information.
        - Click AND to the right of the box.
        - Type top secret and click Add Condition.
     NOTE: To remove a condition, select it from the Current conditions list and click Remove. To modify an existing condition, select it from the Current conditions list to display it in the Edit condition box. Modify the condition as required and then click Update to save your changes.
137. [Screenshot 79: Email Exploit Engine: General tab]
     3. Click on the Actions tab to set what actions you want GFI MailSecurity to take on emails containing email exploits.
     4. You can choose either one of the following options:
        - Quarantine email: Select this option to quarantine the email containing the email exploit for review by an administrator. For more information, refer to the Quarantining chapter in this manual.
        - Delete email: Select this option to delete the email containing the email exploit completely.
     5. When an email exploit is detected, you can also choose to inform the administrator and/or user by sending email notifications. You can configure the required notifications by selecting any of the following options:
        - Notify local user: Select this option if you want to notify the email local users when this filter detects an email exploit. NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicio
138. ht of the OPML entry, click Reset all the URLs and then click Apply. You then need to update all the RSS subscriptions in your RSS feed reader to point to the new URLs.
     7. Click Apply.
     How do I subscribe to a quarantine search folder RSS feed?
     To subscribe to an RSS feed, follow these steps:
     1. Right-click on the RSS icon to the left of the quarantine search folder to which you want to subscribe.
     [Screenshot 98: Copy RSS feed URL]
     2. Click Copy Shortcut.
     3. Use your favorite RSS feed reader application to create a new RSS feed subscription. Use the RSS feed URL copied in the previous step to specify the location of the feed.
     NOTE: If you want to subscribe to all the enabled quarantine search folder RSS feeds in one go, copy the shortcut of the OPML icon. RSS feed reader applications usually have an option to import RSS feeds from an OPML file. An OPML file is an XML file that contains a list of RSS feeds, in this case all the quarantine search folder RSS feeds that are enabl
139. ick Settings under the Send by mail group to display the Email Alerts Options dialog box. Specify the following parameters:
     - To/CC: Specify the email address(es) where you want to send the scheduled report.
     - From: Specify the email account that will be used to send the report.
     - Server: Specify the machine name or IP address of your SMTP outbound email server. If the specified server requires authentication, select the SMTP Server requires login check box and specify the logon credentials in the User name and Password boxes.
     - Report format: Reports are sent via email as attachments. Select the file format in which you want to send the scheduled report from the list.
     Click OK to close the Email Alerts Options dialog box.
     [Screenshot 132: Custom scheduled email distribution options]
     8. Click Next to continue.
     9. If you are scheduling a custom report, go to point 10 below. If you are scheduling a default report, the Date Filters page is displayed so that
140. ick the GFI MailSecurity > Realtime Monitor node to open the Realtime Monitor page. This page displays the GFI MailSecurity email statistics and event log.
     The GFI MailSecurity Statistics area shows the:
     - Number of processed items: number of emails which were successfully scanned by the product.
     - Number of quarantined items: number of emails which were directed to quarantine.
     - Number of unprocessed emails in the last 24 hours: number of emails that are not processed by GFI MailSecurity and not delivered to the recipient. One reason this can happen is when the email is corrupted spam and therefore could not be processed successfully. A copy of these emails can be found in the <GFI\ContentSecurity\MailSecurity\FailedMails> folder.
     NOTE: For more information about unprocessed emails, refer to http://kbase.gfi.com/showarticle.asp?id=KBID003263.
     In the GFI MailSecurity Activity Log, select the Enable Auto Refresh check box and specify a time interval in seconds for automatic refresh of the Realtime Monitor. Alternatively, click on Refresh to refresh the activity manually.
     In the Event area, the page displays the date and time when GFI MailSecurity receives and scans an email, as well as the sender, recipient and subject of every email scanned.
     Miscellaneous
     Version Information
141. ilSecurity 10.0 ReportPack, follow these steps:
     1. Click on the Options panel button.
     2. Right-click on the Import/Export Configuration node and then click Import/Export Configuration.
     [Screenshot 142: Export setting dialog box. Dialog text: "The import/export configuration functionalities can be used to perform backups of scheduled reports, custom reports, favorite reports and other options. The exported configurations can also be imported into a separate ReportCenter instance, provided that the same ReportPacks exist on both instances."]
     3. Click Export configuration options.
     4. Type the full path (including filename with extension XML) in the box provided to specify where you want the exported settings to be saved.
     5. Click OK to start the export process.
     6. When the settings are exported successfully, the following dialog box is displayed:
     [Screenshot: GFI ReportCenter dialog box, "Export process completed successfully"]
142. ines an email, the administrator receives an email containing an HTML Quarantine Action Form. The form contains details related to the quarantined email, including the reason why it was blocked and any attachments that were included in the email.
     [Screenshot 94: HTML approval form]
     Through the HTML Quarantine Action Form, the administrator can approve or delete the email mentioned in the form by clicking on Approve or Delete accordingly. If the administrator approves the quarantined email, GFI MailSecurity will forward th
143. ing an interval value in hours.
     Triggering the virus update manually
     To check/download updates for the current Virus Scanning Engine immediately, click Download updates.
     Setting the Virus Scanning Engines scan priority
     To configure the execution order of the Virus Scanning Engines, follow these steps:
     1. Click the GFI MailSecurity > Virus Scanning Engines node.
     [Screenshot 49: Virus Scanning Engines scan priority list]
     2. In the right pane, the Virus Scanning Engines are listed in descending order of priority.
     NOTE: The priority assigned to each virus scanner determines the sequence when each anti-virus engine gets to scan the content. The scanner with priority 0 is the first to start scanning an email. Upon completion, the Virus Scanning Engine with priority 1 scans the email, and so on. This means that the Virus Scanning Engine listed at the top of the list is the first to scan emails, if it is enabled.
     3. To
144. installation. However, it will not let you change the destination folder. Screenshot 31: Upgrading from GFI MailSecurity 9 to GFI MailSecurity 10. 3. To continue the installation, click Install. For a detailed description of the installation procedure, refer to the Installing GFI MailSecurity section earlier in this chapter. NOTE: During an upgrade, you are also asked to upgrade your quarantine database to the new Firebird database format. For more information, refer to the Quarantine Upgrade tool section in this manual. [38 • Installing GFI MailSecurity • GFI MailSecurity for Exchange SMTP] Quarantine Upgrade tool: Starting from GFI MailSecurity 10 SR8, Quarantine information is stored in a Firebird database format instead of Microsoft Access database. For upgrades between version 9 and 10, and between previous builds of version 10 to GFI MailSecurity 10 SR8, the Quarantine upgrade tool automates the migration of pre-existing quarantine data to the new Firebird dat
145. ir processing priority. From this page you can also create new content checking rules, as well as delete and modify existing content checking rules. Creating a Content Checking rule: To create a Content Checking rule: 1. Click the GFI MailSecurity > Content Checking node. 2. From the Content Checking page in the right window, click Add Rule. 3. In the General tab, enter the name for the new Content Checking rule. The rule name should ideally describe what content this rule blocks, so that you can easily distinguish rules if you have multiple Content Checking rules configured. 4. Select whether this rule applies to inbound and/or outbound emails by selecting the respective check boxes. Screenshot 61: Content Checking General Tab. 5. If you want PGP encrypted emails to infringe this rule, select the Block PGP encrypted emails check box. 6. Next you need to configure whet
146. ke changes to an existing rule. To modify an existing rule: 1. Click the GFI MailSecurity > Attachment Checking node. 2. From the Attachment Checking page in the right window, click the name of the rule that you want to modify. 3. Make the required changes (for example, Rename the rule, etc.) in the rule properties and click Apply to accept the changes you made. Changes will take effect immediately. Enabling/disabling rules: You can check and change the status of a rule (i.e., enabled/disabled) from the Attachment Checking page. To enable or disable an existing rule: 1. Click the GFI MailSecurity > Attachment Checking node. 2. From the Attachment Checking page in the right window, select the check box of the rule(s) that you want to enable or disable. 3. Click Enable Selected or Disable Selected accordingly. The status change is displayed immediately under the Status column. Changing the rule priority: Attachment Checking rules are applied in the same order (from top to bottom) as they are listed in the Attachment Checking page. However, you can change the sequence/priority of a rule as follows: 1. Click the GFI MailSecurity > Attachment Checking node. 2. From the Attachment Checking page in the right window, click the up or down arrows to respectively increase or decrease the priority of the required rule(s). Repeat until the rule reaches the desired position in the list (i.e., until the rule is assigned
147. lSecurity with the local installation of Microsoft Exchange Server 2007, so that it can process and scan the emails passing through the server. To complete the GFI MailSecurity Post Installation Wizard, follow these steps: 1. Click Next in the welcome page. Screenshot 11: GFI MailSecurity Post Installation Wizard welcome page. 2. The wizard will collect information from the Microsoft Exchange Server 2007 installation, such as the list of local domains and the server roles installed (for example, Hub Transport Server Role). Screenshot 12: Collecting information from Microsoft Exchange Server 2007. 3. The wizard will display the accepted domain list collected from Microsoft Exchange Server 2007. If you need to specify another local domain, type it in the Local domains box and click Add. If you want to remove a domain that you
148. lation of GFI MailSecurity but can still be changed from the GFI MailSecurity configuration (GFI MailSecurity > Settings node > General tab). For more information, refer to the Define the administrator's email address section in the General Settings chapter. 9. Select the Log rule occurrence to this file check box and specify a log file name in the box below if you want to log all rule activity to a log file. You can specify either the file name only or else the full path to a custom location on disk. NOTE: You can configure an attachment rule using any combination of actions. For example, you can opt not to block emails containing the attachment, but to simply notify the user or log the occurrence to file. 10. Now you must specify the users to whom this rule applies. By default, GFI MailSecurity will apply the rule to all email users. However, if you want this rule to affect a selection of users only, click the Users/Folders tab. Screenshot 57: Attachment Checking Users/Folders Tab. 11. Choose one of the following options: Only this list: Select this option if you want to apply this rule to all email users, groups or public folders present in the list
149. lease visit http://www.gfi.com/company/contact.htm. NOTE: Before you contact our Technical Support team, please have your Customer ID available. Your Customer ID is the online account number that is assigned to you when you first register your license keys in our Customer Area at http://customers.gfi.com. We will answer your query within 24 hours or less, depending on your time zone. Build notifications: We strongly suggest that you subscribe to our build notifications list. This way, you will be immediately notified about new product builds. To subscribe to our build notifications, visit http://www.gfi.com/pages/productmailing.htm. GFI MailSecurity ReportPack: Introduction. About GFI ReportCenter: Figure 4: GFI ReportCenter is a centralized reporting framework. GFI ReportCenter is a centralized reporting framework that utilizes the installed product ReportPacks to provide you with a list of available reports that you can generate. The information contained in the report is based on the data collected by the specific GFI product. A ReportPack is thus a plug-in for GFI ReportCenter that exposes a set of reports that are u
150. lick the Users/Folders tab. Screenshot 65: Content Checking Users/Folders Tab. 21. Choose one of the following options: Only this list: Select this option if you want to apply this rule to all email users, groups or public folders present in the list. All except this list: Select this option if you want to apply this rule to all email users, groups or public folders NOT present in the list. 22. To add email users, user groups and/or public folders to the list, click the Add button. Screenshot 66: Add Users Dialog. 23. In the add users window, specify the name of the email user, user group or public folder that you wish to add to the list. 24. Click Check Names to query the Active Directory or the imported list of SMTP addresses (depending on how you installed GFI MailSecurity) to check if the specified entry exists. Any user, group or public folder that matches will be listed below. NOTE: You do not need to i
151. lick on the Custom Reports panel button to bring up the list of custom reports available. 2. Right-click on the custom report you want to permanently remove from the list and then click Delete. 3. In the Confirm dialog box, click Yes. Adding custom reports to the list of favorite reports: Screenshot 126: Add custom report to favorites list. You can group and access frequently used reports through the Favorite Reports panel button. To add a custom report to the list of favorite reports: 1. Click on the Custom Reports panel button to bring up the list of custom reports. 2. Right-click on the custom report that you want to add to the favorites list and then click Add to Favorites List. GFI MailSecurity ReportPack: Scheduling reports. Introduction: With GFI ReportCenter you can schedule reports. You can either schedule a report to be generated once on a particular date, or else to be generated periodically starting from a particular date. With scheduling you can thus automate the generation of reports as well as schedule the generation
152. Screenshot 41: Enable Information Store protection before configuring a Virus Scanning Engine. AVG configuration: NOTE: The AVG virus engine must be purchased separately. This engine is not included in the base product. As standard, GFI MailSecurity includes both the Norman and the BitDefender anti-virus engines. For pricing information on adding the AVG anti-virus engine, please visit the GFI website www.gfi.com. Screenshot 42: Anti-virus Scanning Engines AVG configuration page, General Tab. To configure the AVG engine: 1. Expand the GFI MailSecurity > Virus Scan
153. low Screenshot 18: Local host address must be added to trusted sites list. 4. To configure access security, click Security next to the Virtual Directory box. 5. In the IIS mode access control list dialog box, you can configure who gets access to the configuration pages and the quarantine store in separate access control lists. Screenshot 19: Configuration Quarantine
154. lt report. To generate a default report: 1. Click on the Default Reports panel button to bring up the list of default reports available. Screenshot 117: Generating a default report. 2. Right-click on the report you want to generate and click on one of the Run for last options. Example: Generating a Monthly email traffic report based on the last 12 months data
155. mail address is specified during the installation of GFI MailSecurity but can still be changed from the GFI MailSecurity configuration (GFI MailSecurity > Settings node > General tab). For more information, refer to the Define the administrator's email address section in the General Settings chapter. Screenshot 64: Content Checking Actions Tab. 19. Select the Log rule occurrence to this file check box and specify a log file name in the box below if you want to log all rule activity to a log file. You can specify either the file name only or else the full path to a custom location on disk. NOTE: You can configure a content checking rule using any combination of actions. For example, you can opt not to block emails infringing the rule, but to simply notify the administrator or log the occurrence to file. 20. Now you must specify the users for whom this rule applies. By default, GFI MailSecurity will apply the rule to all email users. However, if you want this rule to affect only a selection of users, c
156. main must point to the mail relay server. NOTE: If your ISP manages the DNS server, ask this provider to update it for you. Since the new mail relay server must receive all inbound email first, you must update the MX record of your domain to point to the IP of the new mail relay/Gateway server. Otherwise, email will continue to go to your mail server and bypass GFI MailSecurity. Verify the MX record of your DNS server as follows: 1. Open the command prompt, type nslookup and press Enter. 2. Type set type=mx and press Enter. 3. Type your mail domain and press Enter. 4. The MX record should return a single IP that must correspond to the IP of the machine running GFI MailSecurity. Screenshot 8: Checking the MX record of your domain. Step 7: Test your new mail relay server. Before you proceed to install GFI MailSecurity, verify that your new mail relay server is working correctly. 1. Test the IIS SMTP inbound connection of your mail relay server by sending an email from an external account to an internal user (you can use web mail, for example MSN Hotmail, if you do not have an external acc
157. Screenshot 99: Directory Harvesting filter. 3. Select the Enable directory harvesting protection check box. 4. If you installed GFI MailSecurity in AD mode, click Use native Active Directory lookups and skip to step 7. If you want, you can choose to use LDAP lookups as outlined in the next step. 5. If you installed GFI MailSecurity in SMTP mode, click Use LDAP lookups. 6. Specify the LDAP server name or IP in the Server box and the port number (default 389) in the Port box. If your LDAP server requires authentication, ensure that the Anonymous bind check box is clear and enter the authentication details in the User and Password boxes. 7. Click Update DN list to populate the Base DN list and select the appropriate entry from the list. 8. To test your LDAP configuration settings, specify a valid email address in the Email address box and click Test. If the lookup succeeds, Email address found is displayed underneath the Email address box. NOTE 1: If you installed GFI MailSecurity in Active Directory user mode on a DMZ, the Active Directory of a DMZ normally does not include all the network users (i.e., email recipients) and as a result you will be getting many false positives. In such cases we r
158. Screenshot 108: Version Information page. To view the GFI MailSecurity version information, click the GFI MailSecurity > Version Information node. The version information page displays the GFI MailSecurity version number currently installed and the build information. To check whether you have the latest build of GFI MailSecurity installed on your machine, click Check if newer build exists. NOTE: Please always quote your GFI product Version and Build information when requesting GFI support. Additional Copyright Information: Some components of GFI MailSecurity have been created using software developed by third-party software developers. Their software license information is included below. Libxml2: The MIT License. Copyright (C) 1998-2003 Daniel Veillard. All Rights Reserved. Permission is hereby granted, free of charge
159. Screenshot 139: Product Selection list. 1. Select GFI MailSecurity 10.0 ReportPack from the Product Selection list. 2. Click on the Options panel button. 3. Right-click on the Licensing node and then click Set Licensing. Screenshot 140: Licensing dialog. 4. Type in the GFI MailSecurity 10.0 ReportPack license key. 5. Click OK. Viewing the current licensing details: To view your current licensing details, click on the Options panel button and select the Licensing node. The licensing details are displayed in the right pane of the management console. Viewing the GFI MailSecurity 10.0 ReportPack version details: To view the version information of the GFI MailSecurity 10.0 ReportPack: 1. Select GFI MailSecurity 10.0 ReportPack from the Product Selection list. 2. Click on the Options panel button and then click on the Version Information node. The version details will be displayed in the right pane of the management console. Checking the w
160. The HTML Sanitizer scans the HTML body part of an email and any attachments with extension .htm/.html and sanitizes the content by removing all the scripting code. The content layout and formatting of the email are not altered. The HTML Sanitizer guarantees that the emails end users receive are free from HTML scripting code and thus safe for viewing. Screenshot 82: HTML Sanitizer configuration page. Configure the HTML Sanitizer as follows: 1. Click the GFI MailSecurity > HTML Sanitizer node. 2. From the HTML Sanitizer configuration page, select the Enable the HTML Sanitizer check box to enable the HTML Sanitizer. 3. Select the emails you want to check for HTML scripts and clean by selecting any of the following options: Check inbound emails: Select this option to scan and clean HTML scripts from all inbound emails. Check outbo
161. n at the bottom of the General tab displays information on the scanning engine. This includes the Virus Scanning Engine version, virus signature count and the date of the current virus signature files. License details for the current anti-virus engine are also displayed. Kaspersky web site: For more information about the virus patterns included in the Kaspersky engine, visit the Kaspersky website at http://www.kaspersky.com. BitDefender configuration: Screenshot 44: Virus Scanning Engines BitDefender configuration page, General Tab. To configure the BitDefender engine: 1. Expand the GFI MailSecurity > Virus Scanning Engines node and then click BitDefender. 2. To scan SMTP traffic using this Virus Scanning Engine, select
162. nd then click Delete. 3. In the Confirm dialog box, click Yes. GFI MailSecurity ReportPack: Configuring default options. Introduction: While installing the GFI MailSecurity 10.0 ReportPack, you configured some default settings that are used by the GFI ReportCenter when distributing reports by email and storing reports to disk, as well as on which GFI MailSecurity reporting database you want to base the reports. If the need arises, you can re-configure these settings from the GFI ReportCenter management console as shown in the following sections. Which GFI MailSecurity reporting database is being used
163. need to install GFI MailSecurity again; entering the purchased license key will be sufficient. Screenshot 9: Define if the server has access to all email users in the Active Directory. 4. Setup will now ask you to select the mode that GFI MailSecurity will use to retrieve the list of your email users. You must select one of the following options: Yes, all email users are available on Active Directory: Select this option to continue installing GFI MailSecurity in Active Directory mode. In this mode, GFI MailSecurity creates user-based rules (for example, Attachment Checking rules) based on the list of users available in the Active Directory. This means that the machine on which GFI MailSecurity is being installed must be behind your firewall (for example, Mail Server) and must have access to the Active Directory containing all your email users (i.e., the machine on which
164. Security settings: GFI Content Security contains built-in intelligence to rate the risk level of an executable. Select the level of security you would like to use. This will determine what risk ratings are allowed through. High Security: Quarantines almost all executables. If the executable contains any signature, it will get quarantined. Medium Security: Quarantines suspicious executables. If the executable contains 1 high-risk signature or a combination of high-risk and low-risk signatures, it will get quarantined. Low Security: Quarantines executables that are most probably malicious. If the executable contains at least 1 high-risk signature, it will get quarantined. Screenshot 75: Trojan and Executable Scanner General Tab. To configure the Trojan & Executable Scanner: 1. Click the GFI MailSecurity > Trojan & Exec
165. Screenshot 54: Attachment Checking page. In GFI MailSecurity you can configure attachment rules from the Attachment Checking node. This page contains the options that enable you to create, delete, enable or disable rules. In addition, it lists all the existing attachment rules, including their status and the order in which these rules are applied to emails (i.e., priority). Creating an Attachment Checking rule: To create an Attachment Checking rule: 1. Click the GFI MailSecurity > Attachment Checking node. 2. From the Attachment Checking page in the right window, click Add Rule.
166. ng a scheduled report; Deleting a scheduled report; GFI MailSecurity ReportPack Configuring default options; Introduction; Which GFI MailSecurity reporting database is being used; Configuring the GFI MailSecurity reporting database source; Configuring default scheduling options; GFI MailSecurity ReportPack General options; Entering your license key after installation; Viewing the current licensing details; Viewing the GFI MailSecurity 10.0 ReportPack version details; Checking the web for newer builds; GFI MailSecurity ReportPack Exporting Settings; Introduction; Exporting the GFI MailSecurity 10.0 ReportPack Settings; Importing the GFI MailSecurity 10.0 ReportPack Settings; GFI MailSecurity ReportPack Default Reports List; Executive Reports; Viruses Blocked Monthly
167. ning Engines node and then click AVG. 2. To scan SMTP traffic using this Virus Scanning Engine, select the Enable Gateway Scanning (SMTP) check box. You now need to select whether you want to scan inbound and outbound emails using this Virus Scanning Engine. To scan inbound emails, select the Scan Inbound Emails through SMTP Transport Event Sink check box. To scan outbound emails, select the Scan Outbound Emails through SMTP Transport Event Sink check box. 3. If you installed GFI MailSecurity on the Microsoft Exchange machine, you will also have the option to scan the Information Store using this Virus Scanning Engine. To scan the Information Store, select the Enable Information Store Virus Scanning (VSAPI) check box. NOTE: When GFI MailSecurity is installed on a Microsoft Exchange Server 2007 machine, information store scanning is available only when the Mailbox Server Role and Hub Transport Server Role are installed. 4. The configuration settings required in the Actions and Updates tabs are identical for all the installed virus scanning engines. For more information on how to configure these parameters, refer to the Virus scanner actions and Virus scanner updates sections in this chapter. 5. After you have configured all the required parameters, click Apply. All changes and configuration settings will take effect immediately. NOTE: The section at the bottom of t
168. ninstall GFI MailSecurity from Node2. 3. Using the Cluster Administrator console, make Node2 active. 4. Uninstall GFI MailSecurity from Node1. 5. The uninstallation of GFI MailSecurity on an Active/Passive cluster is now complete. Installing GFI MailSecurity on an Active/Active Cluster: Installing GFI MailSecurity on an Active/Active cluster is currently not supported. Which installation mode should I use? Active Directory mode: When installed in Active Directory mode, GFI MailSecurity creates user-based rules, such as Attachment Checking and Content Checking rules, based on the list of users available in Active Directory. This means that the machine running GFI MailSecurity must be behind your firewall and must have access to the Active Directory containing all your email users, i.e. the machine must be part of the Active Directory domain. You can install GFI MailSecurity in Active Directory mode directly on your mail server, as well as on any other domain machine that is configured as a mail relay server in your domain. SMTP mode: In SMTP mode, GFI MailSecurity will create user-based rules, such as Attachment Checking and Content Checking rules, based on the list of email users/addresses available on your mail server. This means that you must install GFI MailSecurity in SMTP mode if your machine does not have access to the Active Directory containing all your email users. This includes machines that are not part of your Active Directo
169. nistrator in keeping an eye on the GFI MailSecurity quarantine store, RSS feeds can now be enabled on the quarantine folders. If you enable RSS feeds on a quarantine folder, the administrator can use an RSS feed reader to subscribe to the quarantine folder RSS feed. Through the RSS feed reader, the administrator is periodically informed of new blocked content in the quarantine store. NOTE: For a list of freely available RSS feed readers, please visit http://kbase.gfi.com/showarticle.asp?id=KBID002661. The RSS feed readers listed support authentication and have been tested with the quarantine RSS feeds feature of GFI MailSecurity. How do I configure RSS on a quarantine folder? To enable RSS feeds on specific quarantine folders, follow these steps: 1. Click the GFI MailSecurity > Quarantine RSS Feeds node. [Screenshot of the Quarantine RSS Feeds configuration page.]
170. nnector name. 3. Click Forward all mail through this connector to the following smart host, type in the IP of the GFI MailSecurity server (the mail relay/Gateway server), and then click OK. NOTE: Always enclose the IP address within square brackets. For example: [100.130.130.10]. 4. Select the SMTP Server that must be associated to this SMTP Connector. Click the Address Space tab and then click Add. Click SMTP and then click OK to accept the changes. 5. Click OK. All emails will now be forwarded to the GFI MailSecurity machine. If you have Lotus Notes: 1. Double-click the Address Book in Lotus Notes. 2. Click on Server item to expand its sub-items. 3. Click Domains and then click Add Domains. 4. In the Basics section, click Foreign SMTP Domain from the Domain Type field, and in the Messages Addressed to area type in the Internet Domain box. 5. Under the Should be routed to area, specify the IP of the machine running GFI MailSecurity in the Internet Host box. 6. Save the settings and restart the Lotus Notes server. If you have an SMTP/POP3 mail server: 1. Start the configuration program of your mail server. 2. Search for the option to relay all outbound email via another mail server. This option will be called something like "Forward all messages to host". Enter the computer name or IP of the machine running GFI MailSecurity. 3. Save the new settings and restart your mail server. Step 6: The MX record of your do
171. nput the full name of the user, user group or public folder. It is enough to enter at least three characters. GFI MailSecurity will list all the names that contain the specified characters. For example, if you input "ott", GFI MailSecurity will return names like Scott Adams and Freeman Prescott, if they are available. 25. Select the check box at the start of the listed name(s) to indicate the ones that you wish to add to the list and click OK. NOTE 1: You can select all the listed names at once by selecting the check box next to the Name column heading at the top left of the list. NOTE 2: Repeat steps 22 to 25 to add all the users you want to the list. NOTE 3: To remove entries from the list, select the user, user group or public folder you want to remove and click Remove. NOTE 4: If no names are included in the list, GFI MailSecurity will automatically apply this rule to all the email users in the Active Directory/SMTP address list. 26. Click Apply. Remove content checking rules. Screenshot 67: Content Checking: Removing rules. To remove a Content Checking rule: 1. Click the GFI MailSecurity > Content Checking node. 2. From the Content Checking page in the right window, select the check boxes of t
172. nt of your firewall. Figure 3: Installing GFI MailSecurity on a separate machine on a DMZ (diagram labels: Users, Firewall, GFI MailSecurity Perimeter Gateway Server, Mail Server Microsoft Exchange 2000/2003/2007, Internet). If running a Windows 2000/2003 firewall such as Microsoft ISA Server, a good way to deploy GFI MailSecurity is to install it on a separate machine in front of your firewall or on the firewall itself. This allows you to keep your corporate mail server behind the firewall. GFI MailSecurity will act as a smart host/mail relay server when installed on the perimeter network (also known as DMZ, demilitarized zone). NOTE: In a Microsoft Exchange Server 2007 environment, the mail relay server in the DMZ can be a machine running Microsoft Exchange Server 2007 with the Edge Transport Server Role installed. When GFI MailSecurity is not installed on your mail server: • You can perform maintenance on your mail server whilst still receiving email from the Internet. • Fewer resources are used on your mail server. • Additional fault tolerance: if anything happens to your mail server, you can still receive email. This email is then queued on the GFI MailSecurity machine. NOTE: GFI MailSecurity does not require a dedicated machine when not installed on the mail server. For example, you can install GFI MailSecurity on your firewall (i.e. on your ISA Server) or on machines running other applications such as GFI MailEssentials. In
173. ntined emails in Search Folders; Changing Search Folder properties; Deleting Search Folders; Approving emails from the Quarantine Store; Deleting emails from the Quarantine Store; Rescanning emails from the Quarantine Store; View the full security threat report of an email; Enable email approval via HTML approval forms; How to approve or delete quarantined emails from an email client; Quarantined mail from the user point of view; Enable quarantine RSS feeds; What is RSS?; How does GFI MailSecurity use RSS?; How do I configure RSS on a quarantine folder?; How do I subscribe to a quarantine search folder RSS feed?; Enable the Directory Harvesting filter on quarantined emails; Repor
174. Screenshot 14: Server roles detected and list of components to install. 6. Click Next to install the required GFI MailSecurity components. Screenshot 15: Installing the required GFI MailSecurity components (in this example the wizard detected the Exchange Server 2007 roles Hub Transport and Client Access, and lists the components to install: VSAPI, Routing Transport Agent, SMTP Transport Agent). 7. In the finish page, the GFI MailSecurity Post Installation wizard will list the GFI MailSecurity components that it successfully installed. Click Finish to close the wizard and complete the installation of GFI MailSecurity on a Microsoft Exchange Server 2007 machine. Screenshot 16: GFI MailSecurity Post Installation Wizard finish page. Adding GFI MailSecurity to the Windows DEP Exception List: Data Execution Prevention (DEP) is a set of hardware and software technol
175. Screenshot 48: Virus Scanning Engines Configuration page: Updates Tab. You can configure GFI MailSecurity to download virus scanner updates automatically or to notify the administrator whenever new updates are available. To configure the automatic updates of a particular virus scanner: 1. Select the virus scanner that you want to configure and, from the right window, click the Updates tab. 2. Select the Automatically check for updates check box to enable the auto update feature. 3. From the Downloading options list, select one of the following: • Only check for updates: Select this option if you want GFI MailSecurity to just check and notify the administrator whenever updates are available for this virus scanner. NOTE: This option will NOT download the available updates. • Check for updates and download: Select this option if you want GFI MailSecurity to check and automatically download any updates available for this virus scanner. 4. Specify how often you want GFI MailSecurity to check/download updates for this Virus Scanning Engine by specify
176. [Sample report: Processed emails per four hours (Composite), generated on 29/08/2006 for the period 22/08/2006 to 29/08/2006, with a table of processed emails per four-hour block.] Blocked emails per four hours: This report combines data from the period you select into a single day to show you how many emails were blocked due to a security threat in four-hour blocks. The same data is also presented as an area graph. [Sample report: Blocked emails per four hours (Composite), generated on 29/08/2006 for the period 22/08/2006 to 29/08/2006.] Daily processed and blocked emails: This report displays how many emails were processed, blocked due to a security threat, and what percentage of the processed emails was blocked email for each day in the period you select. Furthermore this report provi
177. of reports. License scheme and evaluation period. Evaluation period: All GFI ReportCenter features can be used during the evaluation period. The default evaluation period for this product is 10 days. However, you can apply for a 30-day product evaluation key by filling in the online registration form on the GFI website http www agfi com downloads register aspx pid msec amp vid 10 32 amp lid en when downloading the product. This will also qualify you for free email support. After you download the product, you will receive an email containing a 30-day evaluation license key. Purchasing a license key: You can purchase a license key online by visiting the GFI website https://www.gfi.com/pages/cart/orderform.aspx. To license the product, you do not need to re-install the GFI ReportCenter framework and GFI MailSecurity 10.0 ReportPack. You only need to type the license key in the Licensing node provided in the management console. For more information refer to the Entering your license key after installation section in this manual. GFI MailSecurity ReportPack: Installation. System requirements: Install the GFI MailSecurity 10.0 ReportPack on a computer that meets the following requirements: • Windows 2000 SP4 / XP SP2 / 2003 operating system • Intern
178. ogies that perform memory checks to help prevent malicious code from running on a system. The DEP technology is available only on Microsoft Windows XP with Service Pack 2, Microsoft Windows Server 2003 x32 Edition with Service Pack 1 and Microsoft Windows Server 2003 x64 Edition. On Microsoft Windows Server 2003 x32 Edition with Service Pack 1 and Microsoft Windows Server 2003 x64 Edition, DEP is by default turned on for all programs and services except those that the administrator selects. If you installed GFI MailSecurity on Microsoft Windows Server 2003 x32 Edition with Service Pack 1 or Microsoft Windows Server 2003 x64 Edition, you will need to add the GFI MailSecurity scanning engine executable (GFiScanM.exe) and the Kaspersky Virus Scanning Engine executable (kavss.exe) to the Windows Data Execution Prevention (DEP) exception list. To add the GFI executables in the DEP exception list, follow these steps: 1. From the Start menu, load the Control Panel and choose the System applet. 2. From the Advanced tab, click Settings under the Performance area. 3. Click the Data Execution Prevention tab. 4. Click Turn on DEP for all programs and services except those I select. 5. Click Add and from the dialog box browse to the GFI MailSecurity installation folder <GFI\ContentSecurity\MailSecurity> and choose GFiScanM.exe. 6. Click Add and from the dialog
179. Screenshot 107: Realtime Monitor page: Monitoring email activity (the page shows an Enable Auto Refresh option with a refresh time interval in seconds, and a timestamped event list with entries such as Processing new item, Sender, Subject, Recipients and Item was processed ok).
180. onfiguration page. Norman website: For more information about the virus patterns included in the Norman Virus Control (NVC) engine, visit the NVC website at http://www.norman.com. Virus scanner actions. Screenshot 47: Virus Scanning Engine Configuration page: Actions Tab. In GFI MailSecurity you can configure what each of the installed Virus Scanning Engines should do whenever an infected email is detected. To configure the actions of a virus scanner: 1. Select the virus scanner that you want to configure and click the Actions tab. 2. Choose one of the following options: • Quarantine item: Select this option if you want to quarantine all virus-infected emails detected by this Virus Scanning Engine. You can subsequently review/approve/delete all the quarantined emails. • Delete item: Select this option to delete all virus-infected emails detected by this Virus Scanning Engine. NOTE: This option overrides the settings configured in the General tab, i.e. if in the General tab you selected Block all emails containing a macro (i.e. quarantine all emails even
181. orman Virus Scanning Engine are identical to those of the BitDefender engine. For more information on how to configure these options, refer to the BitDefender Configuration section earlier in the manual. NOTE: The section at the bottom of the General tab displays information on the scanning engine. This includes the Virus Scanning Engine version, virus signature count and the date of the current virus signature files. License details for the current anti-virus engine are also displayed. Screenshot 46: Virus Scanning Engines: Norman c
182. ort on disk, select the Export to file check box. The report will be saved in the format and to the location on disk specified in the Default Scheduling Options dialog box. For further information refer to the Configuring default scheduling options section further on in the manual. If you want to specify custom export to file settings for this scheduled report, click Settings under the Export to file group to display the Report Storage Options dialog box. In the Report Destination box, specify the location on disk where you want this scheduled report to be saved, and then select an export format from the Report format list. Click OK to close the Report Storage Options dialog box. Screenshot 131: Custom scheduled report storage options. 7. If you want to send the generated scheduled report by email, select the Send by mail check box. The report will be sent to the recipients using the SMTP server specified in the Default Scheduling Options dialog box. For further information refer to the Configuring default scheduling options section further on in the manual. If you want to specify custom send by email settings for this scheduled report cl
183. orum: User to user technical support is available via the web forum. The forum can be found at http://forums.gfi.com. Request technical support: If you have referred to this manual and our Knowledge Base articles and you still cannot solve issues with the software, contact the GFI Technical Support team by filling in an online support request form or by phone. • Online: Fill out the support request form on http://support.gfi.com/supportrequestform.asp. Follow the instructions on this page closely to submit your support request. • Phone: To obtain the correct technical support phone number for your region, please visit http://www.gfi.com/company/contact.htm. NOTE: Before you contact our Technical Support team, please have your Customer ID available. Your Customer ID is the online account number that is assigned to you when you first register your license keys in our Customer Area at http://customers.gfi.com. We will answer your query within 24 hours or less, depending on your time zone. Build notifications: We strongly suggest that you subscribe to our build notifications list. This way you will be immediately notified about new product builds. To subscribe to our build notifications, visit http://www.gfi.com/pages/productmailing.htm.
184. ou specify must be identical to the ones specified when creating the login account for your database on Microsoft SQL Server. For more information refer to step 6 in the Creating a new database on Microsoft SQL Server section below. Creating a new database on Microsoft SQL Server: 1. Open the SQL Server Enterprise Manager (Start > Programs > Microsoft SQL Server > Enterprise Manager) and expand the Microsoft SQL Server node where you want to create the database. Screenshot 103: Creating a new database. 2. Right-click the Databases node and then click New Database. 3. Type the database name in the dialog box, for example MailSecurityReports, and then click OK. 4. Expand the n
185. ount available. Verify that the email client received the email. 2. Test the IIS SMTP outbound connection of your mail relay server by sending an email to an external account from an email client. Verify that the external user received the email. NOTE: Instead of using an email client, you can send email manually through Telnet. This will give you more troubleshooting information. For more information refer to this Microsoft Knowledge Base article: http://support.microsoft.com/support/kb/articles/Q153/1/19.asp. Step 8: Install GFI MailSecurity on the mail relay server. For information on how to install GFI MailSecurity, refer to the Installing GFI MailSecurity section in this chapter. Preparing to install GFI MailSecurity on your mail server: No additional configuration is required if you are installing GFI MailSecurity directly on your mail server. For information on how to install GFI MailSecurity, refer to the Installing GFI MailSecurity section below. Installing GFI MailSecurity: Before you install GFI MailSecurity, check the points below: 1. Make sure that you are logged on as Administrator or you are using an account with administrative privileges. 2. Save any pending work and close all open applications on the machine. 3. Check that the machine you are installing GFI MailSecurity on meets the system and hardware requirements specified earlier in
186. Screenshot 110: The GFI ReportCenter management console. The GFI ReportCenter management console is split into two panes: the navigation panel to the left of the screen and the report viewing pane to the right. The navigation panel consists of the Product Selection list, from where you can select the GFI product ReportPack you want to use, and various panels, as outlined below, through which you can access all the features of GFI ReportCenter: • Click on the Default Reports panel button to access the default list of reports that can be generated for the selected product. For more information on default reports, refer to the GFI MailSecurity 10 default reports section in this manual. • Click on the Favorite Report panel button to access your favorite/most used reports. For more information on how to add reports to this list, refer to the Adding default reports to the list of favorite reports and Adding custom reports to the list of favorite reports sections in this manual. • Click on the Custom Reports panel button to access the list of customized reports you created for the selected product. For more information on how to crea
187. phrase in the quarantine reason. Type a keyword in the box next to this option. • Item subject: Select this option to include all the emails containing a specific keyword or phrase in the email subject. Type a keyword/phrase in the box next to this option. • Sender: Select this option to include ONLY the emails sent from a particular email address. Type the sender email address in the box next to this option. • Recipient: Select this option to include ONLY the emails sent to a particular email address. Type a recipient email address in the box next to this option. • Quarantined by: Select this option to group emails quarantined by a specific (but not necessarily unique) filter in this search folder. Select a filter from the list next to this option, for example Attachment Checking. NOTE: Since GFI MailSecurity can block an email for multiple security threats or content policy infringements, you can choose to include only emails that were blocked by one specific filter. This is possible by selecting the "only" check box next to the filters list. [Screenshot of the New Search Folder page, used to create and edit search folders.]
188. plain text body, HTML body and any attachments. 4. To return to the list of quarantined emails, click Back. NOTE 1: From this page you can also approve, delete or re-scan the particular email you are currently viewing by clicking the respective button. If you want to delete an email and inform the intended recipients of the action taken, click Delete and Notify instead of Delete. NOTE 2: If you want to download the quarantined item, click Download Item. NOTE 3: Unless the source of the item is Information Store (VSAPI), you can approve a sanitized version of the email by clicking Sanitize and Approve. When you click this option, GFI MailSecurity removes the email from the quarantine store and sends it to the intended recipients, but before doing so all the body parts that have a security threat are removed from the email, thus rendering it safe. [Screenshot of the quarantined email details page.]
189. port once on the following day/time, then select the date and time from the calendar. If you want to generate this report periodically starting from a particular date, click Generate this report every. Specify an interval amount and then select a value from the Interval list. From the Start date/time calendar, select on which day you want to start generating this scheduled report. Click Next to continue to the Advanced Settings page, where you can configure report distribution and storage options. Screenshot 130: Scheduled report storage and distribution options. 6. If you want to save the generated scheduled rep
190. Screenshot 112: GFI ReportCenter framework detection dialog (the installer reports that the GFI ReportCenter framework was not found on the system and that GFI MailSecurity 10 ReportPack requires GFI ReportCenter framework version 3.5 in order to run). 3. If the current version of your GFI ReportCenter framework is not compatible with the GFI MailSecurity 10.0 ReportPack, you will be prompted to download and install an updated version. To download the latest version of the GFI ReportCenter automatically, leave the dialog options as default and click Next. Screenshot 113: Che
191. port scheduling service. GFI ReportCenter framework: The GFI ReportCenter framework is the management console through which you can navigate, generate, customize and schedule the reports included in the GFI MailSecurity 10.0 ReportPack. If you have other GFI products ReportPacks installed on the same machine, you can use the GFI ReportCenter to make use of those reports as well. [Screenshot of the GFI ReportCenter 3.5 management console showing the GFI MailSecurity 10.0 ReportPack report tree with its Executive Reports and Administrative Reports.]
192. ports. Default reports can also serve as the base template for the creation of customized reports that fit specific date ranges. Report scheduling service: The report scheduling service controls the scheduling and automatic generation and distribution of reports. You can select in which output format you want the scheduling service to generate the reports. A variety of formats are available, such as DOC, PDF, RTF and HTML. You can also configure the scheduled report to automatically do one of the following once the report is generated: send the report by email, save it on a disk, or both. Key features. Centralized reporting: GFI ReportCenter is a one-stop, centralized reporting framework which enables the generation and customization of graphical and tabular reports for a wide array of GFI products. Default reports: The GFI MailSecurity 10.0 ReportPack ships with a default set of graphical and tabular reports. These reports can be generated immediately after the installation without any further configuration effort. The default reports in the GFI MailSecurity 10.0 ReportPack are organized into two different report type categories: Executive Reports and Administrative Reports. Distribution of reports via email: With GFI ReportCenter you can distribute reports by email. You can also configure scheduled reports to be automatically distributed by email when generated.
193. quarantine, delete or move the blocked emails to a particular folder. Additionally, select one of the following options. Quarantine email: Select this option to quarantine the email containing the infringing content for review by an administrator. For more information, refer to the Quarantining chapter in this manual. Delete email: Select this option to delete the email completely. Move to folder: This option will move the email to the specified folder. Type the folder name in the box provided underneath this option. 18. Content Checking rules can be configured to send email notifications to the administrator and/or user whenever an email infringes a rule. You can configure the required notifications by selecting any of the following options. Notify local user: Select this option if you want to notify the email local users when the email infringes this content checking rule. NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting. Notify administrator: Select this option if you want to send email notifications to the administrator whenever an email infringes this content checking rule. The administrator's e
194. Report export to various formats: By default, GFI ReportCenter allows you to export reports to various formats. Supported formats include HTML, PDF, XLS, DOC and RTF. You can configure a preferred report output format to be used as a default output format for scheduled reports. When creating or editing a scheduled report, you can choose to use the default output format or else select another output format for the specific scheduled report. Printing: All the reports generated by GFI ReportCenter are printer friendly and can be easily printed by clicking the button on top of the report viewing pane. Report scheduling: With GFI ReportCenter you can schedule reports to be generated on a pre-defined schedule as well as at specified intervals. For example, you can schedule lengthy reports to be generated after office hours. This allows you to maximize the availability of your system resources during working hours and avoid any possible disruptions to workflow. Report customization: The default reports that ship with every ReportPack can serve as the base template for the creation of customized reports. You can customize a report by configuring a fixed or variable date range. Favorites: GFI ReportCenter allows you to create bookmarks to your most frequently used reports, both default and custom. Wizard assisted configuration: Wizards are provided to assist you in the configuration, scheduling and customization
195. r based rules, such as Attachment Checking rules and Content Checking rules. To add a new local user, follow these steps: 1. Enter the email address in the Email address box. 2. Click Add. NOTE: GFI MailSecurity uses the local domains list, configurable from the Local Domains tab, to determine whether a new email address is local or not. A notification dialog box is displayed if you enter a non-local user, with the message "The email address entered must belong to one of the local domains in the Local Domains tab". Screenshot 38: Non-local user entered. 3. Repeat steps 1 and 2 to add more than one local user. 4. Click Apply. To remove a local user, follow these steps: 1. Select the local user you want to remove from the Local Users list. 2. Click Remove. 3. Repeat steps 1 and 2 to remove more than one local user. 4. Click Apply. Configuring virus checking. Configuring Virus Scanning Engines: The virus checking feature of GFI MailSecurity scans all SMTP traffic (inbound and outbound emails) for viruses using multiple Virus Scanning Engines. When GFI MailSecurity is installed on the Microsoft Exchange server machine, you can also configure GFI MailSecurity to scan the information store for viruses. NOTE: When GFI MailSecurity is installed on a Microsoft Exchange
196. r on the quarantine store, follow these steps: 1. Click the GFI MailSecurity > Quarantine Options node. 2. Click the Directory Harvesting tab. [Screenshot: Quarantine Options page, Directory Harvesting tab. Page text: "If you enable directory harvesting protection on the quarantining system, GFI MailSecurity will delete items that have only non-existent recipients instead of storing them in the quarantine. This feature will automatically keep your quarantine store clean from malicious spam email." Controls shown: Enable directory harvesting protection; Lookup options (Use native Active Directory lookups, Use LDAP lookups); LDAP Settings (Server, Port, Use SSL, Base DN, Anonymous bind, Update DN list, User, Password); Email address test. Note shown: "For security reasons, the length in the password box above does not necessarily reflect the true password length."]
197. [Screenshot 88: Search Folder Contents Summary, listing the search folders with their purge settings.] NOTE: Click the Search Folder node to view the amount of emails matching each Search Folder. Changing Search Folder properties. [Screenshot: Quarantine page for a search folder. Page text: "Use this page to sort and manage quarantined items." and "Items in this search folder are automatically purged if they are older than 1 day(s)". Buttons: Approve items, Delete items, Rescan items, Delete all, Rescan all, Update, Configure RSS feeds. Columns: ID, Module, Reason, Sender, Recipient(s), Subject, Date, Source.]
198. [Screenshot: Quarantine Options > Quarantine RSS Feeds page.] To read Quarantine RSS Feeds, you can use an RSS feed reader program to subscribe to the feed. To subscribe to a feed, copy the URL associated with the orange RSS button to the left of the Quarantine folder you want to monitor and use it to create a new subscription in the RSS feed reader. NOTE: Only users given access privilege through the GFI MailSecurity SwitchBoard tool are allowed to subscribe to the Quarantine RSS feeds. Please visit http://kbase.gfi.com/showarticle.asp?id=KBID002661 for a list of freely available RSS feed readers which are known to support authentication and have been tested out with the GFI MailSecurity Quarantine RSS Feeds. Enable Quarantine RSS Feeds: If the above checkbox is unchecked, no feeds will be generated, regardless of the individual filter's settings. To subscribe to all enabled feeds, copy the URL associated with the orange OPML button. Default quarantine folder feeds (status, interval, maximum items): Today (Enabled, 10 minutes, 100); Yesterday (Disabled, 10 minutes, 100); This Week (Disabled, 10 minutes, 100); All Items (Disabled, 10 minutes, 100). Custom quarantine folder feeds: Emails blocked by Email Exploit Engine (Disabled, 10 minutes, 100); Emails blocked by virus scanners (Enabled, 10 minutes, 100). Screensho
199. ration Conversion Failed: "The user lookup mode of your MailSecurity 8 configuration does not match user lookup mode of your MailSecurity 9 configuration". Screenshot 30: User lookup mode mismatch. 9. When the migration process completes, a "Configuration was successfully converted" information dialog box will be displayed. Click OK to close the information dialog box and click the close button to close the migration tool. 10. You now need to start all the services that you stopped in step 4 above from the Services control applet. 11. Use the GFI MailSecurity 10 configuration to check that the GFI MailSecurity 8 settings were migrated correctly. Upgrading from GFI MailSecurity 9 to GFI MailSecurity 10. NOTE: The upgrade process cannot be reverted. If you upgrade GFI MailSecurity to version 10, you cannot go back to version 9 of the product. If you are currently using GFI MailSecurity 9, you can upgrade your current installation. The GFI MailSecurity 9 configuration settings are kept. You need to enter the fully purchased license key after the upgrade completes. For information on how to obtain the new license key, visit http://customers.gfi.com. To upgrade: 1. Launch the GFI MailSecurity 10 setup file on the machine on which you have installed GFI MailSecurity 9. 2. Setup will now proceed to install GFI MailSecurity 10 in exactly the same manner as a new
200. rator will be sent to this email address. [Screenshot: General tab with the Administrator Email box.] NOTE: GFI MailSecurity will communicate this email address to the GFI servers. GFI will only use this email address to send important GFI MailSecurity notices directly to the administrator. Screenshot 33: GFI MailSecurity general settings page. The Settings node allows you to configure a number of general options, including the administrator's email address, the Update URLs, the list of Local Domains, the SMTP server bindings and the management of the user list (when GFI MailSecurity is installed in SMTP mode only). To configure the general settings, click the GFI MailSecurity > Settings node. Define the administrator's email address: GFI MailSecurity can be configured to send email notifications to the administrator whenever a security threat is found in an email. To set up the administrator's notification address: 1. Click the Settings node to open the General Settings page in the right window. 2. In the General tab, specify the email address where you wish to send email notifications addressed to the administrator in the Administrator Email box. 3. Click Apply. Configuring
201. re actions, refer to the Configuring decompression filter actions section in this chapter. 6. Click Apply. Scan within archives: Through the Scan within archives option you can disable Attachment Checking and Content Checking of files in archives. Configure this option as follows: 1. Click the GFI MailSecurity > Decompression node. 2. From the list of filters in the right window, click on Scan within archives. 3. Select the Scan within archives check box to scan any archive attachments present in an email using the decompression and attachment scanning rules. Configuring decompression filter actions. [Screenshot 73: Decompression filter actions. Actions tab with Notification options (Notify administrator, Notify local user) and Logging options (Log occurrence to this file).] To configure the actions to be performed whenever a particular filter blocks emails containing archives: 1. Click the GFI MailSecurity > Decompression node and, from the right window, select the required filter. 2. Click the Actions tab and select any of the following actions. Notify local user: Select this option if you want to notify the email local users when the email contains an archive file that infringes a decompression engine rule. NOTE: If a threat is detected in an outbound email, the recipients will
202. re these options, refer to the BitDefender Configuration section earlier in the manual. NOTE: The section at the bottom of the General tab displays information on the scanning engine. This includes the Virus Scanning Engine version, virus signature count and the date of the current virus signature files. License details for the current anti-virus engine are also displayed. [Screenshot 45: Virus Scanning Engines, McAfee configuration page, General tab. Options shown: Enable Gateway Scanning (SMTP), Scan Inbound Emails through SMTP Transport Event Sink, Scan Outbound Emails through SMTP Transport Event Sink, Enable Information Store Virus Scanning, Macro Checking (Do not check macros, Block all documents containing macros), followed by McAfee version information and anti-virus engine licensing status.] McAfee website: For more information about the virus patterns included in the McAfee engine, visit the McAfee website at http://www.mcafee.com. Norman configuration: The configuration options of the N
203. recent updates. Download updates. Screenshot 81: Email Exploit Engine, Updates tab. Triggering the Email Exploit Engine update manually: To check/download updates for the Email Exploit Engine immediately, click Download updates. The HTML Sanitizer. Introduction to the HTML Sanitizer: The HTML Sanitizer scans the email body parts that have the MIME type set to text/html, and all the attachments that have an extension of .htm or .html, and cleans them of scripting code. The HTML is cleaned of all scripts, rendering it harmless. The HTML sanitization process is an automated process which does not require administrator intervention. Why remove HTML scripts? The introduction of HTML mail has allowed senders to include scripts in email that can be triggered automatically upon opening mail. HTML scripts are used in a number of headline-hitting viruses, such as the KAK worm. Moreover, HTML scripts are often utilized in one-off attacks directed towards particular users and particular companies. Consequently, it is best if all scripts are removed from within HTML emails. The HTML Sanitizer included in GFI MailSecurity provides automated protection against HTML scripting threats. Configuring the HTML Sanitizer
204. res a list of content checking rules. Attachment Checking: Configures a list of attachment checking rules. Screenshot 27: GFI MailSecurity accessed under IIS mode. Entering your license key after installation: The unregistered evaluation version of GFI MailEssentials expires after 10 days. [Screenshot: Licensing page. Page text: "Enter the license key below. If you are evaluating the product and do not have an evaluation license key issued by GFI, you can use 'evaluation' for the default evaluation license." License key information shown: License Type: 10 day evaluation license; License Status: Evaluation expired; Maintenance agreement: N/A; Number of licensed users: Unlimited; Current number of users: 2. "To extend your evaluation, click on the Extend Evaluation button, or click on the Buy Now button to purchase GFI MailSecurity."]
205. rovides a total sum of emails processed and blocked for the period you select. [Screenshot: sample "Blocked emails per week" report. Description: The Blocked emails per week report shows the composite amount of blocked emails against processed emails per week for the selected period. Columns: Processed Emails, Blocked Emails, Percentage of Blocked Emails.] Monthly processed and blocked emails: This report lists the amount of emails processed, blocked due to a security threat, and what percentage of the processed emails was blocked email, for each month during the period selected. Furthermore, this report provides a total sum of emails processed and blocked for the period you select. [Screenshot: sample report with the fields Report Title, Description, Generated on, For period, Month.]
206. rules. A few hours after this email was quarantined, the virus signatures are updated. The next day, the administrator comes across this email while going through the quarantine store. If rescanning of quarantined items was not possible, the administrator would have only two options: delete the email, or approve it and release a virus unknowingly. With the rescan option, the administrator can choose to submit the email for rescanning. This time around, since the virus signatures were updated, the email will infringe both a virus scanner rule as well as the same Content Checking rule. When the administrator finds the same email in the Quarantine Store, the reason for quarantining will be that a virus was detected. The administrator will then most probably choose to delete the email. To rescan emails from the Quarantine Store: 1. Expand the GFI MailSecurity > Quarantine node and select the sub-node that contains the email(s) you want to rescan; for example, select the Today node if you want to rescan emails that were blocked today. Alternatively, you can use Quick Search to look for the emails that you want to rescan. 2. Select the check box of the email(s) you want to rescan and click Rescan items. NOTE 1: If you want to rescan all the listed emails, you do not need to select all the check boxes individually. Just click Rescan all. NOTE 2: To refresh the information, click Update.
207. run a program or command, whether or not the actual program or command is malicious. In this manner, the Email Exploit Engine works like an intrusion detection system (IDS) for email. The Email Exploit Engine might cause more false positives, but it is more secure than a normal anti-virus package, simply because it uses a different way of checking for e-mail threats. Furthermore, the Email Exploit Engine is optimized for finding exploits in email, and can therefore be more effective at this job than a general purpose anti-virus engine. Configuring the Email Exploit Engine. Enable/Disable email exploits: To enable/disable email exploits: 1. Click the GFI MailSecurity > Email Exploit Engine > Exploit List node. 2. From the Email Exploit Engine page in the right window, select the check box of the exploit(s) that you want to enable or disable. 3. Click Enable Selected or Disable Selected accordingly. The status change is displayed immediately in the exploit's Status column. [Screenshot: Email Exploit Engine exploit list with the buttons Enable Selected and Disable Selected and the columns ID, Description, Last Updated, Status.]
208. ry domain, i.e. non-domain machines as well as machines in a DMZ. However, you can still install GFI MailSecurity in SMTP mode on your mail server as well as on any other machine that has access to Active Directory containing all email users. NOTE: Both installation modes have the same scanning features and performance. The only difference between Active Directory and SMTP installation mode is the way that GFI MailSecurity accesses/gathers the list of email users for generating its scanning rules and notifications. System requirements: To install GFI MailSecurity you need: Windows Server 2008/2003 (x32 or x64 Edition), or Windows 2000 Professional/Server/Advanced Server (Service Pack 1 or higher), or Windows XP. NOTE: Since the version of Internet Information Services (IIS) included in Windows XP is limited to serving only 10 simultaneous client connections, installing GFI MailSecurity on a machine running Windows XP could affect its performance. Microsoft Exchange Server 2007, 2003, 2000 (SP1), 5.5, 5, 4, or Lotus Notes 4.5 and up, or any SMTP/POP3 mail server. NOTE 1: If you are installing on Microsoft Exchange Server 2007, you need to have either an Edge Server Role, Hub Transport Role, or Mailbox Server Role and Hub Transport Server Role installed. GFI MailSecurity cannot be installed on a Microsoft Exchange 2007 machine with only Mailbox Server Role installed. NOTE
209. s. Report browsing options: Browse the generated report page by page. Zoom in/Zoom out. Search the report for particular text or characters. Go directly to a specific page. Break down the report into a group tree (e.g. by date/time). Print the report. Report storage and distribution options: Export the report to a specific file format and save on a disk. Distribute the generated report by email. NOTE: For information on how to configure report storage and distribution options, refer to the Configuring Advanced Settings section in this manual. Adding default reports to the list of favorite reports. [Screenshot: GFI ReportCenter report tree for the GFI MailSecurity 10.0 ReportPack with a context menu offering Run for last 3 Months, Run for last 6 Months, Run for last 12 Months, Custom Report, Scheduled Report and Add To Favorites List.] Screenshot 120
210. s in archive check: This filter allows you to quarantine or delete emails that contain an excessive amount of compressed files within an attached archive. You can specify the number of files allowed in archive attachments from the configuration options included in this filter. To configure this filter: 1. Click the GFI MailSecurity > Decompression node. 2. From the list of filters in the right window, click on Check for amount of files in archives. 3. Select the Check for amount of files in archives check box to enable this filter, and specify the maximum amount of files allowed in an archive. IMPORTANT: If you disable the Check for amount of files in archives rule, GFI MailSecurity will not scan or quarantine archive attachments, thus bypassing the anti-virus checking. 4. Decide on what to do with emails containing archives that exceed the specified limit of contained files by selecting one of the following options. Quarantine: Select this option to quarantine the emails that contain these archives. The administrator can later review these quarantined emails and approve or delete them accordingly. Automatically Delete: Select this option to delete emails containing archived files that, when uncompressed, contain more files than the limit specified. 5. Click the Actions tab to configure any actions to be performed whenever this filter detects and blocks emails containing an archive. For more information on how to configu
211. seful for a particular GFI product. A ReportPack can be purchased as an add-on to the GFI product. An example of a ReportPack is the GFI MailSecurity 10.0 ReportPack, further described in the following section. About the GFI MailSecurity 10.0 ReportPack: The GFI MailSecurity 10.0 ReportPack is a full-fledged reporting companion to GFI MailSecurity. With the GFI MailSecurity 10.0 ReportPack you can generate concise executive reports and detailed administrative reports. From graphical traffic pattern reports for management to tabular daily processed emails vs. blocked emails reports for technical staff, the GFI MailSecurity 10.0 ReportPack generates uncluttered reports that are simple yet highly effective. The reports provide you with the information you require to keep an eye on the GFI MailSecurity installation and the mail server. The GFI MailSecurity 10.0 ReportPack allows for the creation of various graphical and text-based reports showing: inbound email traffic; outbound email traffic; viruses blocked; security threats blocked; virus outbreak trends; security threats outbreak patterns; mail server load patterns. Components of the GFI MailSecurity 10.0 ReportPack: When you install the GFI MailSecurity 10.0 ReportPack, the following components are installed: GFI ReportCenter framework; GFI MailSecurity 10.0 default reports; Re
212. soft SQL Server database backend. [Screenshot 102: Configuring SQL Server Database backend. Reporting page showing Current Database Settings (current type and location) and New Database Settings (Database type: MS Access or SQL Server; Detected server or Manually specified server; User; Password; Database).] 1. Click SQL Server. 2. Click Detected server and then select the SQL Server from the Server list, or else click Manually specified server and in the box type the IP or server name where Microsoft SQL Server is hosted. 3. Type the name of a user that is authorized to access the Microsoft SQL Server in the User box. 4. Type the password for this account in the Password box. 5. Click Get Database List to extract the database information from this server and populate the Database list. 6. From the Database list, select the database where you want to store the statistical data. 7. Click Apply. NOTE 1: Make sure that you have already created the database on Microsoft SQL Server before configuring this option. For more information on how to create a database on SQL Server, refer to the Creating a new database on Microsoft SQL Server section below. NOTE 2: The user and password y
213. specify the GFI Update Server to which GFI MailSecurity will connect when checking for software updates, refer to the Selecting an update server section in the General Settings chapter. Downloading and installing software patches: To check for GFI MailSecurity software updates: 1. Click the GFI MailSecurity > Patch Checking node and click Check for patches in the right pane window to connect to the GFI Update Server and check for available updates. 2. If software patches exist for your version of GFI MailSecurity, these are listed in the right window. Otherwise, you will be informed that no software patches are available. From the list of available software updates in the right window, click the Download link included in the last column of each patch. This will start the download process. Repeat the same procedure for all the listed updates. 3. After all downloads are complete, you can start installing the software updates. Since the software patches vary in file format (i.e. could be DLL files, EXE files, etc.), you must read the relative patch information for the installation instructions. To access the installation instructions and other information relevant to a patch, click the Information link provided in the list of available updates in the right window of GFI MailSecurity. NOTE 1: It is important that you follow the exact patch instructions provided in t
214. splay the contents of a new message. Pro-active scanning: New items added to the Information Store are added to a queue for scanning. When a mail client tries to access an item that is still in the queue, it will be allocated a higher scanning priority so that it is scanned as soon as possible. This is the default and recommended mode of operation since, in general, the delay associated with on-access scanning is avoided, because new items are added to the queue immediately and are usually scanned before a mail client requests access to the item. 6. To save and instruct GFI MailSecurity to make use of the new settings, click Apply. Configuring Attachment Checking. Introduction to Attachment Checking: This chapter explains how to set up Attachment Checking in GFI MailSecurity. The Attachment Checking feature allows you to set up a policy regarding what types of email attachments you will allow on your mail server. To set up such a policy, GFI MailSecurity uses the concept of Rules. A rule is a condition that you set, such as "block all executable attachments". This means that an Attachment Checking rule allows you to block attachments of a certain type.
215. Setting the Virus Scanning Engines scan priority; Configuring Virus Scanning optimizations; Configuring Information Store Scanning. Configuring Attachment Checking: Introduction to Attachment Checking; Creating an Attachment Checking rule; Removing attachment rules; Make changes to an existing rule; Enabling/disabling rules; Changing the rule priority. Configuring Content Checking: Introduction to Content Checking; Creating a Content Checking rule; Remove content checking rules; Make changes to an existing content checking rule; Enabling
216. stalling GFI MailSecurity on an Active/Passive Cluster
   NOTE: Installing GFI MailSecurity on a Microsoft Exchange Server 2007 cluster environment is currently not supported.
   To install GFI MailSecurity on an Active/Passive cluster, you must install GFI MailSecurity on each node.
   NOTE: Although you can install GFI MailSecurity on an Active/Passive cluster, bear in mind that you still need to configure and manage a GFI MailSecurity installation per node. The configuration settings and quarantine emails are not shared between nodes.
   On each node you have to do the following:
   - Install GFI MailSecurity on the node local hard drive. NOTE: Do not install GFI MailSecurity on the shared drive.
   - Install the GFI MailSecurity WWW virtual directory on the node's Default Web Site.
   - If you are installing on an IIS cluster, make sure you bind GFI MailSecurity to the Clustered SMTP Virtual Server instance.
   The following steps show you how to install GFI MailSecurity in a typical Active/Passive Cluster environment. For this scenario, assume the cluster named MAILCLUSTER is made up of two nodes named Node1 and Node2.
   1. Using the Cluster Administrator console, make Node active.
   2. Install GFI MailSecurity on the local hard drive of Node2, as described in the Installing GFI MailSecurity section of this chapter. When you reach the IIS Setup step of the installation, select
217. stem. In general, a hacker deploys a Trojan to create a backdoor on a system, thus gaining unrestricted access to the system. Signature-based anti-virus software is unable to detect one-off Trojans. Indeed, any application that only uses signatures to detect malicious software will not be effective in detecting such threats. These include specialized anti-Trojan software. The main reason is that signature-based software can only detect known viruses and Trojans. That is why such applications need frequent updates.
   How does the Trojan & Executable Scanner work?
   GFI MailSecurity is able to rate the risk level of an executable file by decompiling the executable and detecting in real time what the executable might do. Subsequently, it compares the capabilities of the executable to a database of malicious actions and then rates the risk level of this executable file. With the Trojan & Executable Scanner you can detect and block potentially dangerous, unknown or one-off Trojans before they penetrate your network.
   Configuring the Trojan & Executable Scanner
   From the Trojan & Executable Scanner node you can define the level of security that you require and the actions you want GFI MailSecurity to take on emails containing malicious executable files.
   Configuring the security level
218. t Virus Scanning Engines node and then click Kaspersky.
   2. To scan SMTP traffic using this Virus Scanning Engine, select the Enable Gateway Scanning SMTP check box. You now need to select whether you want to scan inbound and outbound emails using this Virus Scanning Engine. To scan inbound emails, select the Scan Inbound Emails through SMTP Transport Event Sink check box. To scan outbound emails, select the Scan Outbound Emails through SMTP Transport Event Sink check box.
   3. If you installed GFI MailSecurity on the Microsoft Exchange machine, you will also have the option to scan the Information Store using this Virus Scanning Engine. To scan the Information Store, select the Enable Information Store Virus Scanning VSAPI check box.
   NOTE: When GFI MailSecurity is installed on a Microsoft Exchange Server 2007 machine, information store scanning is available only when the Mailbox Server Role and Hub Transport Server Role are installed.
   4. The configuration settings required in the Actions and Updates tabs are identical for all the installed Virus Scanning Engines. For more information on how to configure these parameters, refer to the Virus scanner actions and Virus scanner updates sections in this chapter.
   5. After you have configured all the required parameters, click Apply. All changes and configuration settings will take effect immediately.
   NOTE: The sectio
219. t 96 Quarantine RSS feeds
   2. Select the Enable Quarantine RSS Feeds check box.
   3. Under the RSS Feeds area you can view a list of all the quarantine search folders, both default and custom, currently configured. To configure RSS feeds for a particular quarantine folder, click Edit to the right of the quarantine folder entry.
   Screenshot: RSS Feeds page, editing the default quarantine folder feed "Today" (Status: Enabled; Interval: 10 minutes; Maximum Items: 100). Options shown: Enable Quarantine RSS feeds on this folder; Refresh feed content every 10 minutes; Feed should contain at most 100 items; the address used to subscribe to this feed; Reset Feed URL button. On-screen text: To subscribe to all enabled feeds, copy the URL associated with the orange OPML button. If you suspect unauthorized use of this URL, click the Reset Feed URL button to generate a new URL and click the Apply button.
220. t to which one you want to bind GFI MailSecurity. You can select your virtual SMTP server both during the installation stage as well as from the Bindings tab after the installation.
   To change the current SMTP Virtual Server:
   1. Click the Settings node to open the general settings page in the right window.
   2. Click the Bindings tab and select the required SMTP Virtual Server from the available list of servers present in your domain.
   3. Click Apply.
   For more information on how to configure your SMTP service, refer to the Installing and configuring IIS SMTP & World Wide Web services section earlier in the manual.
   Managing local users in SMTP mode
   When you install GFI MailSecurity in Active Directory mode, the list of local users is stored in the Active Directory store. When you choose to install GFI MailSecurity in SMTP mode, the list of local users is stored in a database managed by GFI MailSecurity. To populate and manage the user list when GFI MailSecurity is installed in SMTP mode, a User Manager is available under the Settings node.
   Screenshot 37: User Manager
   The User Manager tab displays the current list of local users and it allows you to add or remove local users. The list of local users entered here is used when configuring use
221. te custom reports refer to the Custom reports chapter in this manual.
   - Click on the Scheduled Reports panel button to access the list of scheduled reports you created. For more information on how to create scheduled reports, refer to the Scheduling reports chapter in this manual.
   - Click on the Options panel button to access the general configuration settings for the GFI product ReportPack selected in the Product Selection list.
   - Click on the Help panel button to view the quick reference guide in the report pane of the GFI ReportCenter management console.
   In the report viewing pane you can view and analyze generated reports, maintain the list of scheduled reports, and explore the samples and descriptions of the default reports. When a report is generated you can click on the button to save the report to disk in various formats such as HTML, Adobe Acrobat (PDF), Microsoft Excel (XLS), Microsoft Word (DOC) and Rich Text Format (RTF). If you want to send the generated report to someone by email, click on the button.
   GFI MailSecurity 10.0 default reports
   The GFI MailSecurity 10.0 default reports are a collection of pre-configured reports that plug into the GFI ReportCenter framework. The default reports included in the GFI MailSecurity 10.0 ReportPack are split into two groups: executive reports and administrative re
222. the Description column heading at the top left of the list.
   The Trojan & Executable Scanner
   Introduction to the Trojan & Executable Scanner
   GFI MailSecurity includes an advanced Trojan and Executable Scanner, which is able to analyze and determine the function of an executable file. This scanner can subsequently quarantine any executables that perform suspicious activities, such as a Trojan.
   What is a Trojan horse?
   The Trojan horse got its name from the old mythical story about how the Greeks gave their enemy a huge wooden horse as a gift during the war. The enemy accepted this gift and brought it into their fortress. During the night, Greek soldiers crept out of the horse and attacked the city. In computers, a Trojan horse is a way of penetrating a victim's computer undetected, allowing the attacker unrestricted access to the data stored on that computer. Subsequently, the attacker can manipulate the data and can cause great damage to the victim, just like the citizens of Troy. A Trojan can be a hidden program that runs on your computer without your knowledge. Furthermore, hackers sometimes hide Trojans in legitimate programs that you normally use.
   Difference between Trojans and viruses
   The difference between Trojans and viruses is that Trojans are often one-off, tailor-made executables targeted to obtain information from a specific target user sy
223. the desired priority.
   NOTE: You can check the priority of rules from the Attachment Checking page. The priority value of each rule is displayed in the Priority column.
   Configuring Content Checking
   Introduction to Content Checking
   This chapter will show you how to set up Content Checking in GFI MailSecurity. The Content Checking feature allows you to create rules in which you define keywords and logical operators to filter emails that contain offensive or confidential information, for example.
   Screenshot 60: Content Checking page
   In GFI MailSecurity you can configure Content Checking rules from the Content Checking node. This page lists all the existing content checking rules and it allows you to disable or enable them and set the
224. this chapter. To install GFI MailSecurity, follow these steps:
   1. Run the GFI MailSecurity setup program by double-clicking on the MailSecurity10.exe file. The installation wizard will perform some unpacking operations and then display the Welcome page. Click Next to continue.
   2. Read the license agreement displayed in the License agreement page and click I accept the terms in the license agreement if you accept the terms of the license agreement. Click Next to continue the installation.
   NOTE: If upgrading from a version earlier than GFI MailSecurity 10 SR8, you will be asked to upgrade to the Firebird database. Selecting import will prompt GFI MailSecurity to automatically launch the quarantine upgrade tool after the installation. If you select not to import the quarantine database, any previous quarantine data will not be used by the upgraded version. For information on the quarantine upgrade tool, refer to the Quarantine Upgrade tool section in this manual.
   3. Type the administrator email address in the Administrator Email box. If you bought a license for GFI MailSecurity, type it in the License Key box. If you do not have a license yet and want to evaluate GFI MailSecurity, leave the default evaluation license key in the License Key box. Click Next to continue the installation.
   NOTE: When you use the evaluation license key you will be able to use GFI MailSecurity for 10 days. If later you decide to buy GFI MailSecurity, you will not
225. Screenshot 76: Trojan and Executables Scanner Actions Tab
   5. Click the Actions tab to configure the actions you want GFI MailSecurity to take on emails containing a malicious executable. Select any of the following options:
   - Notify local user: Select this option if you want to notify the email local users when this filter detects a malicious executable. NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting.
   - Notify administrator: Select this option to send email notifications to the administrator whenever an email containing a malicious executable is quarantined.
   - Log occurrence to this file: Select this option to log the event whenever the Trojan & Executable Scanner detects an infected email. In the edit box below, specify either the file name only or the full path to the log file.
   6. Click Apply.
   Trojan & Executable Scanner updates
   You can configure GFI MailSecurity to download Trojan & Executable Scanner updates automatically or to notify the administrator whenever new updates are available. To configure automatic updates:
   1. Click the GFI MailSecurity > Trojan & Executable Scanner node.
   2. Click the Upd
226. ting: Introduction to GFI MailSecurity Reporting; Configuring the statistical information database; Configuring a Microsoft Access database backend; Configuring a Microsoft SQL Server database backend; Creating a new database on Microsoft SQL Server. Realtime Monitor: About the Realtime Monitor; Monitoring email activity. Miscellaneous: Version Information; Additional Copyright Information; Libxml2 The MIT License. Advanced topics: Customizing the notification templates; Variables used in XSL based notification templates; Notify user and notify manager notifications in notifyuser folder and notifymanager folder respectively; Setting Virus Scanning
227. ts group consists of eight reports that provide concise statistics and information on how GFI MailSecurity is performing. These reports are useful for people in managerial and executive positions to get a quick glance at how effective GFI MailSecurity is in protecting their network and IT infrastructure from security threats delivered through email. The following is the complete list of executive reports:
   - Viruses blocked monthly
   - Inbound and outbound email traffic per week days
   - Inbound email traffic per week days
   - Outbound email traffic per week days
   - Monthly email traffic
   - Processed and blocked emails per month
   - Processed emails per month
   - Blocked emails per month
   Administrative Reports
   The administrative reports group consists of six reports that provide detailed statistics and information on how GFI MailSecurity is performing. These reports are useful for the people that administer the mail server, for example the network administrator. The following is the complete list of administrative reports:
   - Processed and blocked emails per four hours
   - Processed emails per four hours
   - Blocked emails per four hours
   - Daily processed and blocked emails
   - Processed and blocked emails per week
   - Monthly processed and blocked emails
   GFI MailSecurity default reports are accessed by clicking on the Default Reports panel button.
   Generating a defau
228. Screenshot 22: Trusted sites dialog
   7. Click Close.
   8. Click OK in the Internet Properties dialog box to close it and save the new settings.
   Securing access to the GFI MailSecurity Quarantine RSS feeds
   You can configure GFI MailSecurity to create quarantine RSS feeds on specific quarantine folders. To configure who can subscribe to the quarantine RSS feeds, follow these steps:
   1. Click the GFI MailSecurity SwitchBoard shortcut found under Start > Programs > GFI MailSecurity.
   2. In the GFI MailSecurity SwitchBoard dialog box, click Security next to the RSS Virtual Directory box.
   Screenshot: GFI MailSecurity SwitchBoard dialog. Configuration user interface mode: Local mode (configure and manage GFI MailSecurity from this machine only) or IIS mode (configure and manage GFI MailSecurity remotely). IIS user interface mode options: Website name, Virtual directory, RSS Virtual directory.
229. ty will import local domains from the IIS SMTP service. If, however, you wish to add or remove local domains afterwards, you must follow these steps:
   1. Click the Settings node to open the general settings page.
   2. Click the Local Domains tab and specify the name of the domain in the Domain box.
   3. Click Add to include the stated domain in the Local domains list. If you want to remove a listed domain, select it from the list and click Remove.
   4. Click Apply.
   NOTE: You can use the local domains option if you want to configure local mail routing in IIS differently, for example to add domains that are local for mail routing purposes but which are not local for your mail server.
   SMTP server bindings
   NOTE: The SMTP Server bindings tab is not visible when GFI MailSecurity is installed on a Microsoft Exchange Server 2007 machine.
   Screenshot 36: Binding GFI MailSecurity to a different SMTP Server. The dialog reads: Select the SMTP server from the following list. The SMTP server instance selected will also be used to send notifications.
   GFI MailSecurity relies on the IIS SMTP service to send and receive SMTP mail. By default it binds to your default SMTP virtual server. However, if you have multiple SMTP virtual servers installed on your machine, you can selec
230. uarantined emails. For more information, refer to the Enable email approval via HTML approval forms section further on in this chapter.
   The Quarantine Store
   To access the GFI MailSecurity Quarantine Store, click the GFI MailSecurity > Quarantine node. From the Quarantine node, the administrator/authorized user can search for quarantined emails as well as approve or delete emails. When you click the Quarantine node, GFI MailSecurity displays the following:
   - Quick Search: You can search for quarantined emails by sender, recipient, subject or quarantine reason.
   - Quarantined Items: You can see how many emails are currently stored in the Quarantine Store and the amounts that match each quarantine search folder, be it default or custom. To view the quarantined emails contained in a search folder, click on the quarantine search folder name. Refer to the Grouping quarantined emails in Search Folders section further on in this chapter for information on how to create and use search folders.
   To access this information from the navigation panel, expand the Quarantine node and click on a sub-node.
231. und emails: Select this option to scan and clean HTML scripts from all outbound emails.
   4. Click Apply.
   Patch Checking
   Introduction to Patch Checking
   The Patch Checking feature verifies if there are any software patches available for your version of GFI MailSecurity by directly connecting/querying the GFI Update Servers.
   Screenshot 83: List of available patches
   If software updates are present on the GFI Servers, this feature lists them out for you to download. In addition, the list of available updates includes links to information about each patch as well as to the related GFI Knowledge Base articles, if available.
   NOTE 1: In order to keep GFI MailSecurity running efficiently, we recommend that you periodically check for software updates. These updates would help to ensure better performance and enhance the functionality of GFI MailSecurity.
   NOTE 2: For more information on how to
232. unt of the files included in an archive. You can configure this filter to quarantine or delete archives that exceed the specified file count or file size.
   GFI MailSecurity components
   GFI MailSecurity scan engine
   The GFI MailSecurity scan engine analyzes the content of all inbound and outbound email. If you install GFI MailSecurity on the Microsoft Exchange machine, it will also scan the information store. If installed on a Microsoft Exchange 2007 machine, GFI MailSecurity will scan the information store only if the Mailbox Server Role is installed. If you install GFI MailSecurity on a Microsoft Exchange 2007 machine with the Hub Transport Server Role, it will also analyze internal email. When GFI MailSecurity quarantines an email, it informs the appropriate supervisor/administrator via Email/RSS feed, depending on the options you configure.
   GFI MailSecurity configuration
   Through the GFI MailSecurity configuration you can configure GFI MailSecurity to fit your needs.
233. uring access to the GFI MailSecurity configuration/quarantine section in this chapter.
   NOTE 2: You will only be able to access the URL http://MAILCLUSTER/MailSecurity if you assign the IP address of the MAILCLUSTER machine to the Default Web Site for Node1 and Node2 during the IIS Setup installation step.
   8. The installation of GFI MailSecurity on an Active/Passive cluster is now complete.
   NOTE: If Service Pack 2 for Microsoft Exchange Server 2003 is not installed on a Microsoft Exchange Server 2003 cluster installation, Internet Information Services Web sites that are hosted on the cluster will not start automatically when an Exchange Server 2003 virtual server fails over to a cluster node. More information about this issue can be found in Microsoft Knowledge Base Article 885440. Due to the above, the GFI MailSecurity configuration could become unavailable following a failover or moving of an Exchange Virtual Server from one node of the cluster to the other. Installing Service Pack 2 for Exchange Server 2003 is thus recommended. Guidelines on how to install Exchange Server 2003 service packs in a clustered Exchange Server environment can be found in Microsoft Knowledge Base Article 867624.
   To uninstall GFI MailSecurity from the MAILCLUSTER cluster environment outlined above, follow these steps:
   1. Using the Cluster Administrator console, make Node active.
   2. U
234. us lt B gt lt BR gt P gt he following action s were taken lt B gt Quarantined lt B gt lt P gt Additional information lt P gt lt table border 1 gt lt tr gt lt td gt Subject lt td gt lt td gt lt B gt Sample email subject lt B gt lt td gt lt tr gt lt tr gt lt td gt Sender lt td gt lt td gt lt B gt samplesender sampledomain com lt B gt lt td gt lt tr gt lt tr gt lt td colspan 2 align center gt Recipients lt td gt lt tr gt lt tr gt lt td colspan 2 gt lt B gt samplerecipient localdomain com lt B gt lt td gt lt tr gt lt table gt lt P gt Regards lt BR gt GFI ContentSecurity lt BODY gt lt HTML gt 130 Advanced topics GFI MailSecurity for Exchange SMTP XSL Template lt xml version 1 0 gt lt xsl stylesheet xmlns xsl http www w3 org 1999 XSL Transform version 1 0 gt lt xsl output method html omit xml declaration yes standalone no gt lt xsl template match properties gt lt HTML gt lt BODY gt On lt xsl value of select longdate gt an email was blocked which has violated the following rules lt P gt lt xsl for each select infringedrules rule gt lt B gt lt xsl value of select gt lt B gt lt BR gt lt xsl for each gt lt P gt The following action s were taken lt B gt lt xsl value of select action gt lt B gt lt P gt Additional information lt P gt
235. us parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting.
   - Notify administrator: Select this option if you want to send email notifications to the administrator whenever an email containing email exploits is detected. The administrator's email address is specified during the installation of GFI MailSecurity but can still be changed from the GFI MailSecurity configuration (GFI MailSecurity > Settings node > General tab). For more information, refer to the Define the administrator's email address section in the General Settings chapter.
   Screenshot 80: Email Exploit Engine Actions Tab
   6. Select the Log occurrence to this file check box if you want to log all email exploits detected to a log file. In the box below, specify either a file name only or the full path to the log file.
   7. Click Apply.
   Email Exploit Engine updates
   You can configure GFI MailSecurity to download Email Exploit Engine updat
236. utable Scanner node.
   2. From the configuration options in the right window, select the Enable Trojan & Executable Scanner check box to activate this filter.
   3. Specify the emails you want to check for Trojans and other malicious executables by selecting any of the following options:
   - Check inbound emails: Select this option to scan inbound emails for Trojans and malicious executable files.
   - Check outbound emails: Select this option to scan outbound emails for Trojans and malicious executable files.
   4. Choose the required level of security by selecting one of the following options:
   - High Security: Select this option to quarantine almost all executables. If the executable file contains any known malicious signature, it will get immediately quarantined.
   - Medium Security: Select this option to quarantine only suspicious executables. If the executable contains one high-risk signature or a combination of high-risk and low-risk signatures, it will be quarantined.
   - Low Security: Select this option to quarantine all malicious executables. If the executable contains at least one high-risk signature, it will be immediately quarantined.
   Configuring actions
237. Screenshot 32: Quarantine upgrade tool
   1. Press the Start button to start data migration.
   2. Press the Pause/Continue button to pause or continue data processing.
   3. Press the Stop button to cancel your data migration and restart at a later stage by pressing Start again.
   NOTE: Upgrading your quarantine to the Firebird database format might take a long time, depending on the volume of your quarantine data.
   General settings
   Introduction to settings
238. xplorer. To do this, follow these steps:
   1. Click the Control Panel shortcut under the Start menu.
   2. From the Control Panel, open the Internet Options applet.
   3. In the Internet Properties dialog box, click the Security tab and then click the Trusted sites icon from the Web content zone list.
   Screenshot 21: Internet properties dialog
   4. Click Sites.
   5. In the Trusted sites dialog box, specify http://127.0.0.1 in the Add this Web site to the zone box.
   6. Click Add. The local host address is added to the Web sites list.
239. Screenshot 39: Virus Scanning Engines status page
   You can view the operational and license status of each Virus Scanning Engine, along with the execution sequence of the installed Virus Scanning Engines, by clicking on the GFI MailSecurity > Virus Scanning Engines node.
   The Virus Scanning Engines are listed in the same order of priority used by GFI MailSecurity to scan emails for viruses, Priority 0 being the highest or top priority. Each Virus Scanning Engine must be configured separately. To configure virus checking, click the required Virus Scanning Engine from the Status page on display in the right window. Alternatively, you can expand the Virus Scanning Engines node and click the required Virus Scanning Engine node, for example Kaspersky.
   NOTE: If you are running GFI MailSecurity on a Microsoft Exchange machine and the Information Store Scanning st
240. you can specify a date range for the report. In the Date Filters page, you need to specify what period of data you want to include in the scheduled report. You can either specify a fixed date range, so that the report always includes the same data, or else you can specify a variable date range, for example for the last 6 months. When you select a variable date range, the data included in the scheduled report will vary depending on when the report is generated. Click Next to continue. 10. In the Schedule Report Wizard finish page, click Finish to complete the wizard. Viewing the list of scheduled reports: [Screenshot 133: List of scheduled reports] To view the list of scheduled reports, click on the Scheduled Reports panel button and then click on the Scheduled Reports List node. The following details are displayed: • Schedule Name: The custom name that was specified during the creation of the scheduled report. • Report Name: The name of the default or custom report scheduled. • Last Generation: Shows w
241. [Screenshot 68: The decompression engine filters list] The following is a list of archive filters included in the decompression engine: • Check password protected archives • Check corrupted archives • Check for recursive archives • Check size of uncompressed files in archives • Check for amount of files in archives • Scan within archives. You can configure each of the above listed filters separately. This means that you can specify what each decompression filter should do with emails containing particular archives. Configuring the decompression engine filters: Check password protected archives. [Screenshot 69: Configuring password protected archives options] This filter allows you to quarantine or delete emails that contain password protected archives. To configure this filter: 1. Click the GFI MailSecurity > Decompression node. 2. From the list of available filters in the right window, click on Check password protected archives. 3. Select the C