Symantec Mail Security For Domino 4.0 for PC

Contents

1. [Screenshot: Content Filtering Rule document, Rule tab] Under Attribute, in the drop-down list, select the appropriate attribute. Under Comparison, in the drop-down list, select the appropriate comparison option. Comparison options change depending on the attribute that you select. Under Value, type the threshold value. Value options change depending on the attribute that you select. Click Add. On the Action bar, click Save. [Page 122: Filtering spam and unwanted content / Working with content filtering rules] To add multiple expressions to a content filtering rule: 1. After you define the first content filtering rule expression, in the Content Filtering Rule document, on the Rule tab, click AND or OR to create a rule with multiple expressions. When building multiple expressions in a rule, you must use all AND or all OR expressi
2. Checking a LiveUpdate status: See "LiveUpdate status errors" on page 49. Server status errors: You can check the status of your Lotus Domino server from the Settings database to ensure that antivirus, content filtering, and spam detections are activated. You can also check the status of your license and the date of your most recent virus definitions. See "Checking server status" on page 46. When a server status cannot be determined because of an unresponsive server, you receive the following error message: Waiting for response from server. Click Check Statistics again. When no response occurs after 5 minutes, a communication error with NNTASK might have occurred. See documentation for more information. When you receive this message, one of the following events might have occurred: NNTASK might be under a heavy load and unable to immediately respond to the user's status request; NNTASK might not be running on the server; the network might be slow. After you resolve the issue, close the Server Status document and check the server status again. [Page 48: Installing Symantec Mail Security for Domino / Troubleshooting status errors] If Symantec Mail Security for Domino can confirm that the connection with NNTASK has failed, you receive the following error message: Error communicating with NNTASK. Click Close and try again. Close the Server Status document and check the server status again. License insta
3. Message: Server message. Link: Icon link to the incident that triggered the server message (appears only for virus infection, content filtering, or spam incidents). [Page 169: Using the Symantec Mail Security for Domino Log / Managing the Log] Table 10-2: Message and incident document information. Product Information: The Symantec Mail Security for Domino Version Information document contains the following information: Server (server on which Symantec Mail Security for Domino is installed); Virus Definitions version (active virus definitions set used for scanning); Symantec Mail Security for Domino version (product version number). Scan Reports: The Scan Report document contains the following information: Server (server on which the scan was performed); Date (date and time that the scan was performed); Database (names of the databases that were scanned); Documents scanned (number of documents that were scanned within a database); Documents violated (number of documents that contain scan violations). When a document violation is detected, the scan report document also includes information about the document ID (UNID), author, date and time that the document was modified, recipients, the alert notification, and the document disposition. A summary appears at the end of the scan report, which contains the following information: Total databases scanned; Total documents scanned; Total documents violate
4. [Introducing Symantec Mail Security for Domino / How Symantec Mail Security for Domino works] Symantec Mail Security for Domino sends a subset of security and application events to SESA. The events that Symantec Mail Security for Domino generates include failed virus definitions updates, scans that fail to complete within their configured intervals, servers that are no longer detecting viruses, virus incidents and other violations, and cases in which the number of scan threads that are running falls below two. See "Integrating Symantec Mail Security for Domino with SESA" on page 201. For more information about SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator's Guide. Integrating with other Symantec products: Symantec Mail Security for Domino detects the operation of several Symantec products and prevents virus detection conflicts when multiple products are on the same computer. Symantec Mail Security for Domino detects whether any of the following products are running to help prevent virus detection conflicts: Norton AntiVirus for Windows NT; Norton AntiVirus Corporate Edition; Symantec AntiVirus Corporate Edition; Symantec Client Security. Virus definitions files can be shared when one or more of these Symantec products run on the same computer. When LiveUpdate is performed from one of these programs, it automatically updates the virus def
5. Modifying the number of processing threads: Symantec Mail Security for Domino automatically configures the optimum number of processing threads. The minimum number of threads is two per processor. The maximum number of threads is four per processor. The default configuration ensures the best performance for your Lotus Domino server. However, you can modify the number of processing threads if necessary. Warning: If you are uncertain about how a change to the number of processing threads might affect your Domino server, you should maintain the default settings. Modifying the number of processing threads could result in an adverse effect on server performance. To modify the number of processing threads: 1. Turn off the Domino server. 2. In the Domino program directory, make a backup copy of the Notes.ini file. 3. Open Notes.ini in a text editor. 4. Add the following settings: SAVMailThreads=value and SAVWriteThreads=value, where value is the newly computed number of threads. 5. Save the Notes.ini file. 6. Exit the text editor. 7. Restart the Domino server. Optimizing Symantec Mail Security for Domino performance: The following settings let you manage resource demands: Scan only specific databases: You can exclude specific databases or directories from scans that might not be at risk for virus infection or require content filtering. See "Specifying what to scan" on page 74. 44 Installing Symantec Mail Security for
6. When you select Item(s) from match list, any match lists that have been created appear. You then select the match list that you want to filter content against. See "Creating a content filtering rule that uses a match list" on page 126. AND/OR: Appends an AND or OR conjunction to the expression, which sets up its relationship to the next expression. Final or single expressions do not require a conjunction. When building multiple expressions in a rule, you must use all AND or all OR expressions. AND and OR conjunctions cannot be mixed in the same rule. Add: Adds the expression to the List of Expressions. List of Expressions: Lists all of the expressions that you have created for the content filtering rule that you are configuring. Edit: Redisplays the selected expression in the List of Expressions so that you can modify the elements of the expression as necessary. Delete: Deletes the expression that is selected in the List of Expressions. [Page 121: Filtering spam and unwanted content / Working with content filtering rules] Build expressions for a content filtering rule: You can define and add multiple content filtering rule conditions, and edit or delete expressions. Your first expression must be an If statement. To create an expression for a content filtering rule: 1. In the Content Filtering Rule document, on the Rule tab, under Expression, ensure If is selected. This option is enabled by default.
7. [Screenshot: Settings database navigation pane] The configuration settings for Symantec Mail Security for Domino are made in the Settings database. When you open the database to the Settings view, you must select which server group the options that you configure should apply. See "Creating a server group" on page 69. The Group server group name document contains the configuration tabs on which you configure all Symantec Mail Security for Domino options. [Page 45] [Page 46: Installing Symantec Mail Security for Domino / Checking server status] Figure 2-2 shows the Group document for the Unassigned Server group. Figure 2-2: Symantec Mail Security for Domino Group document. [Screenshot: Settings Document for Unassigned Servers] Checking se
8. on page 188. [Page 185: Managing the Quarantine / Managing quarantined documents] You can release documents that are held in the Quarantine if you have the appropriate Quarantine roles. For virus-infected documents, you must first delete the infected attachment before releasing the document. Documents held in the Quarantine for virus infections are rescanned before they are sent to their destinations. Symantec Mail Security for Domino treats documents that are unscannable, contain encrypted container files, or exceed container limits as scan error violations. Scan error violation documents are not scanned when they are released from the Quarantine. For documents and email messages that trigger a content filtering rule violation, if you have the appropriate Quarantine roles, you can view the body of the message that triggered the violation. Documents held in the Quarantine for content filtering rule violations are not rescanned when they are released from the Quarantine. See "About releasing documents from the Quarantine" on page 189. When Symantec Mail Security for Domino scans a document, it is possible that the document might trigger multiple types of violations. For example, a document might contain a virus, a content filtering rule violation, and an encrypted container file. When a document contains multiple violation types, Symantec Mail Security for Domino quarantines the document based on the most severe violation that it detects
9. Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. You agree to comply with the requirements of the EAR and all applicable international, national, state, regional, and local laws and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria, and Sudan, or to any country subject to applicable trade sanctions. Licensee agrees not to export or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State's Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export or re-export Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons. 7. General. If You are located in North America or Latin America, this Agreement will be governed by the laws of the State o
10. Symantec Mail Security for Domino Implementation Guide. The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 4.0. PN: 10215778. Copyright Notice: Copyright 2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. Trademarks: Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation and its subsidiaries. LiveUpdate, Bloodhound, NAVEX, Symantec AntiVirus Research Center (SARC), Symantec AntiVirus, Symantec Mail Security, and Symantec Security Response are trademarks of Symantec Corporation and its subsid
11. Topics: About LiveUpdate; About shared virus definitions files; Configuring LiveUpdate on a proxy server; Using LiveUpdate with a firewall; Updating virus protection; Checking the status of your content license; Managing the Definitions database. About LiveUpdate: Symantec Mail Security for Domino relies on up-to-date information to detect and eliminate viruses. One of the most common reasons that you might have a virus problem is that your protection files are not current. Symantec regularly supplies updated virus definitions files, which contain the necessary information about all newly discovered viruses. When you have more than one Symantec product installed on your Lotus Domino server, you need only perform one LiveUpdate session. The virus definitions are shared by the other Symantec products. See "About shared virus definitions files" on page 150. When LiveUpdate runs, it determines how to connect automatically. You can force LiveUpdate to connect with a specific method. For example, you might have an Internet proxy. See "Configuring LiveUpdate on a proxy server" on page 151. [Page 150: Configuring LiveUpdate / About shared virus definitions files] LiveUpdate requires an Internet connection. With LiveUpdate, Symantec Mail Security for Domino connects automatically to a Symantec Web site to determine if your virus definitions need updating. If so, it downloads the proper files and installs them in the proper locations.
12. [Index] 210; installing Agent, 206. SESA (continued): recognizing Symantec Mail Security for Domino, 205; running the SESA Integration Wizard, 205; security events, 204; uninstalling, 211. Settings database: about, 20; replicating database, 65. shared virus definitions files, 150. spam email: See anti-spam filtering. statistics, 167. status errors, 47. Striker technology, 93. Symantec Mail Security for Domino: about, 15; accessing remotely, 40; accessing through Lotus Notes, 39; getting more information, 28; installing, 31; integrating with other Symantec products, 22; licensing requirements, 31, 55; maintaining protection, 149; optimizing performance, 43; system requirements, 30; uninstalling, 54; upgrading, 33; what's new, 16. Symantec Serial Number Certificate, 56. Symantec Web site, 157. system requirements, 30. T: technical support, 3. threshold values, content filtering, 130. tokens, customizing email alerts, 80. Trojan horses, 91. trusted servers, 79. U: uninstallation: SESA, 211; Symantec Mail Security for Domino, 54. user interface (See also databases): Action bar, 45; Group document, 45, 46; navigation pane, 44. [Page 217: Index] user interface (continued): views, 44. V: views: Backup Documents, 198; Log, 165; Quarantined Documents, 185. violations, multiple types, 185. virus (See also antivirus protection; See also scans): how Symantec Mail Security for Domino protects against, 23; mass-mailer infected messages, 25, 95; outbreaks, 99, 154. virus definitions files: about, 92, 137, 149; Definti
13. [Administering Symantec Mail Security for Domino on multiple servers / Customizing server groups] To remove a server from a server group: 1. In the Settings view, double-click the server group that contains the server that you want to remove from the server group. 2. Under Servers In Group, select the server that you want to remove from the group. 3. Click Remove Selected Server(s) from Group. 4. On the Action bar, click Save. Deleting a server group: You can delete an entire server group from the listing of server groups. When you delete a server group, you delete all of the configuration settings that are associated with the group, such as antivirus settings, content filtering rules, and anti-spam configurations. These settings cannot be restored after they are deleted. The Unassigned Servers server group cannot be deleted. To delete a server group: 1. In the Settings view, select the server group that you want to delete. 2. On the Action bar, click Delete Server Group. 3. In the confirmation window, click Yes. Setting global scanning options: This chapter includes the following topics: About global scanning options; Configuring global scanning options. About global scanning options: Symantec Mail Security for Domino lets you customize scanning options. The settings that apply to all scanning for a particular server group are contained within the Settings database on the Configuration tab. Settings that are unique to a specific
14. The Log views categorize information to facilitate reviewing and analyzing information. For example, if you only want to see information about viruses that were detected, select the Virus Incidents view. If you only want to see how many violations have occurred based on a specific content filtering rule, select the Statistics Content Filtering Violations All view. See "Understanding the Log views" on page 165. Symantec Mail Security for Domino provides several options for managing the Log database. You can view details about incidents and information messages, export incidents to Microsoft Excel, and manage the Log size. See "Managing the Log" on page 168. Symantec Mail Security for Domino lets you create custom queries that you can run as needed or on a scheduled basis. You can choose what information to include in the query, such as what type of scan detected the incident, the name of the virus or content filtering rule that triggered the incident, and how Symantec Mail Security for Domino disposed of the document. See "Customizing queries" on page 174. [Page 165: Using the Symantec Mail Security for Domino Log / Understanding the Log views] Understanding the Log views: You can see the Log data in several views on the Lotus Notes or Web client. Symantec Mail Security for Domino lets you view virus, content filtering, and spam detection data separately. Table 10-1 lists the Symantec Mail Security for Domino Log views. Table 1
15. are activated by license. When a license expires, you must renew the license subscription. When no license is installed, limited functionality is available. For complete scanning functionality and product and virus definitions updates for Symantec Mail Security for Domino, you need the following licenses: Product license: A product license is required to activate Symantec Mail Security for Domino scanning operations, which include auto-protect, scheduled scans, and scan now. See "About scanning" on page 137. [Page 56: Activating your Symantec Mail Security for Domino licenses / Activating a license file] Content license: A content license is required to update Symantec corporate software with the latest associated content, such as new virus definitions, through LiveUpdate. A valid content license ensures that servers remain protected with the latest virus definitions. See "About LiveUpdate" on page 149. A license affects the relevant behavior only. For example, when a product license is missing or invalid, you can access the interface to view and modify settings and run reports, but you cannot perform any of the scanning functions. When a content license is missing or invalid, you cannot download virus definitions updates, which keep protection current. You must activate the product license to perform any of the scanning processes and the content license to perform LiveUpdates. To activate a license, you must obtain a license file f
16. extensions that are commonly at risk of infection. If your environment uses nonstandard file name extensions, you can add them to the list. Note: To enhance protection during virus outbreaks, you should scan all files. Specify what to scan: Symantec Mail Security for Domino lets you use exclusion and inclusion lists to customize scanning options. To exclude specific databases and directories from scanning: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Configuration tab, on the Inclusions/Exclusions tab, under Databases, check Exclude specified databases and directories from scans. 3. Under Databases and directories to exclude from scans, type the databases and directories that you want to exclude from scanning. Separate multiple entries with semicolons. Do not use wildcard characters. 4. On the Action bar, click Save. To scan only specific file extensions: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Configuration tab, on the Inclusions/Exclusions tab, under Attachments, check Scan attachments with specified file extensions. Scan all attachments regardless of extension is selected by default. This is the most secure setting. [Page 76: Setting global scanning options / Configuring global scanning options] 3. Under Specified file extensions, edit the inclusion list to add the file name extensions that you want to scan. Omit the period before the file name
17. [Screenshot: Quarantined Content Filtering Violation document, showing the Basics, Document details, and Scan details sections] To create a comment in the Quarantined Document: In the Quarantined Document, in the Comments field, type your comments. To modify attachments: In the Quarantined Document, on the Action bar, select one of the following: Save Attachments: For each attachment, you are prompted to save the file to a location that you select. Add Attachment: You are prompted to type the path of the file that you want to add. After adding the attachment, press F9 to refresh the document. Delete Attachments: For each attachment, you are prompted to confirm the action before it is deleted. After deleting the attachment, press F9 to refresh the document. Managing the Quarantine 197 Managing quarantined
18. portion of the path should correspond to the domain that is managed by the selected SESA Management Server. Under Agent Start Up Mode, select one of the following: Start SESA Agent Automatically (the SESA Agent starts automatically whenever the computer is restarted); Start SESA Agent Manually (you must manually restart the SESA Agent each time that the computer is restarted). Check Start the SESA Agent at installation completion to have the SESA Agent start immediately after the installation finishes. If you leave the box unchecked, you must manually start the SESA Agent after the installation is complete. The installer proceeds from this point with the installation. When the installation is complete, the Agent is installed and is listed as SESA AgentStart Service in the Services Control Panel. You must log off Symantec Mail Security for Domino before you install the SESA Agent. [Page 209: Integrating Symantec Mail Security for Domino with SESA / Configuring logging to SESA] Installing the SESA Agent manually by command line: As an alternative to using the SESA Agent Installer, you can install the SESA Agent by command line using the SESA installation CD. Install the SESA Agent manually by command line: To install the SESA Agent, you do the following: Prepare to install the SESA Agent; Install the SESA Agent by command line; Start the SESA AgentStart Service. To prepare to install the SESA Agent: 1. On the computer on which S
19. system administrator. Use tokens to customize the subject or body of the email message alert, as necessary. See "About tokens for customizing email message alerts" on page 80. 4. To include the action that was taken by Symantec Mail Security for Domino in the email message alert to the document author, click Report action taken by Symantec Mail Security for Domino. This option is enabled by default. 5. To include information about the violation from the Log in the email message, click Include violation information from the log. This option is enabled by default. 6. On the Action bar, click Save. To set alert statistics options: 1. In the Alert Notification document, on the Statistics tab, check Gather statistics for this alert. This option lets you gather statistics in the Lotus Domino Log Notes Alerts and Events page for the particular alert that you are configuring. If you enable this option, you must specify the name of the alert statistic and an alert threshold. 2. Under Statistic alert threshold, type the number of times that the alert statistic must be logged to the Lotus Domino Log before the administrator receives notification of the statistic. You set notification options in the Lotus Notes Statistics and Events database. For more information, see your Lotus Notes documentation. [Page 89] [Page 90: Setting global scanning options / Configuring global scanning options] 4. Under Alert statistic name, type the name of the alert statisti
20. 1. In the Group document, on the Content Filtering tab, on the Rules tab, double-click the rule that you want to delete. 2. In the Content Filtering Rule document, on the Action bar, click Delete. [Page 124: Filtering spam and unwanted content / Using a match list] 3. In the SMSDOM Settings dialog box, click Yes to confirm that you want to delete the content filtering rule. 4. On the Action bar, click Save. Using a match list: Match lists let you create a custom list of words and phrases that are standard for or particular to your company or industry, and for which you might want to filter content. After you develop a match list, you can create a content filtering rule that uses words and phrases in the match list. How a match list works: When you use a match list in a content filtering rule, you typically select a comparison value of either Contains or = (equals). These values operate differently on words in a match list. Use the = (equals) value to detect exact matches for words. Use the Contains value to detect words that contain the letters. Match list names are case sensitive. Words and phrases within the match list are not case sensitive. For example, if the word Free is included in the match list, a content filtering rule violation occurs only when the document contains an exact match of the word Free. However, if the word Free is in your match list and you select Contains as your comparison value, then a content filtering rule violation occurs whe
21. 10 displays the author's name in green, 18-point italic type, and then returns it to black, 10-point normal type. [Page 81: Setting global scanning options / Configuring global scanning options] Substitution tokens use different delimiters than formatting tokens. Offset substitution tokens with the percentage character. Offset format tokens with braces. Note: Tokens that contain the percentage character are used for the email message subject and body. Tokens that contain braces are only used for the email message body. You can use the tokens that are described in Table 5-1 to customize email message alerts. Table 5-1: Email message alerts tokens. DBName: Document's database name. DBTitle: Document's database title. DocumentUniqueID: Unique ID of the document (UNID). NoteID: NOTEID of the document. Author: Most recent author of the document. Created: Creation time and date of the document. Modified: Time and date of last modification to the document. Accessed: Time and date that the document was last accessed. InfectedAttachment: Name of the first infected attachment. Virus: Name of the first virus found. <fieldname>: Value of the <fieldname> in the document. When a document does not contain a specified field, leave the token blank. <servername>: Name of the Lotus Domino server. <font style>: Value of the fon
22. [Screenshot: Settings view, Copy Settings to New Group] 3. In the New Server Group name box, type a name for the new server group. 4. Under Servers In New Group, select the servers that you want to add to the group. 5. Under Create Copies of, check the settings that you want to copy to the new server group, and then click OK. 6. On the Servers tab, click Add Server(s) to Group. 7. Select one or more servers to add to the server group, and then click OK. 8. Under Servers In Group, select the servers to remove from the group, if any, and then click Remove Selected Server(s) from Group. 9. On the Action bar, click Save. Removing a server from a server group: If you remove a server from your system configuration, or you decide to move a server from one server group to another, you can delete the server from an existing server group. 72
23. [Contents] 56; Distributing license files to multiple Domino servers, 60; Renewing licenses, 60. Chapter 4: Administering Symantec Mail Security for Domino on multiple servers: About administering Symantec Mail Security for Domino on multiple servers, 63; Managing multiple servers, 64; About replicating Symantec Mail Security for Domino databases, 64; Creating replica databases on an additional server, 66; Customizing server groups, 69; Creating a server group, 69; Copying settings to create a new server group, 70; Removing a server from a server group, 71; Deleting a server group, 72. Chapter 5: Setting global scanning options: About global scanning options, 73; Configuring global scanning options, 74; Specifying what to scan, 74; Customizing the native MIME message, 76; Creating backup
24. A LiveUpdate connection can be made even when your organization uses a firewall. See "Using LiveUpdate with a firewall" on page 152. See "Updating virus protection" on page 153. You must have a valid content license to use LiveUpdate. A content license is a grant by Symantec Corporation for you to update Symantec corporate software with the latest associated content, such as new virus definitions. When you do not have a content license or your license expires, your product does not receive the most current virus definitions and your servers are vulnerable to threats. See "Checking the status of your content license" on page 158. If you intend to replicate virus definitions across multiple servers, you must create a Definitions database. When Symantec Mail Security for Domino performs a LiveUpdate, the most current virus definitions set is stored in the Definitions database. You can create your own virus definitions set, modify which definitions set to use for scanning, and manage the size of the Definitions database. See "Managing the Definitions database" on page 159. About shared virus definitions files: Symantec Mail Security for Domino can share virus definitions files when it runs on the same computer as any of the following Symantec antivirus products: Norton AntiVirus for Windows NT; Norton AntiVirus Corporate Edition; Symantec AntiVirus Corporate Edition; Symantec Client Security. When LiveUpdate is per
25. CD-ROM drive. The installation program launches automatically. If it does not, run cdstart.exe from the installation CD.
2. On the Symantec Mail Security for Domino installation screen, click Install Symantec Mail Security for Domino to begin the installation process.
3. Read the on-screen instructions, and then click Next to continue.
4. Indicate that you accept the terms of the Symantec software license agreement, and then click Next. You must accept the terms of the license agreement for the installation to continue.
5. If you have multiple Lotus Domino partitions on the same server, in the Select Servers dialog box, select the partitions on which to install Symantec Mail Security for Domino.
6. To optionally select additional partitions, click Add Additional Partitions, and then in the Select data directory dialog box, type the partition path or navigate directories to select a path, and then click OK.
7. When the installation program is complete, click Exit.
8. Restart the Lotus Domino server.

When the Lotus Domino server is restarted, the Symantec Mail Security for Domino databases are created from templates and are placed in the SAV subdirectory of your default Data directory. A ReadMe text file and a PDF version of the Symantec Mail Security for Domino Implementation Guide are also placed in this directory.

Upgrading Symantec Mail Se
26. IF phrase, any number of AND phrases, and any number of UNLESS phrases, but it cannot contain an OR phrase when it already has an AND phrase. Likewise, when you start with an OR phrase, you can add more OR phrases or UNLESS phrases, but not an AND phrase.

An expression phrase consists of the following elements:

Attribute: The part or characteristic of the email message or document that you want to scrutinize for violations. Attributes include Sender/Author, Subject, Body, Size (of entire email message or document, in bytes), Encryption Flag (true or false), Internet Domain, Domino Server, Domino Domain, Attachment name, Attachment extension, Attachment size (in bytes), and Content Score.

Comparison: The comparison that you want to make between the attribute and the value that, when matched to the attribute, constitutes a content filtering rule violation. Operators include Contains, Does not contain, = (equals), <> (does not equal), > (greater than), and < (less than). The availability of certain operators is limited by the attribute that is selected.

Value: The numeric value or alphanumeric text string that you type as the criteria to match. The attributes of Size, Attachment size, and Content Score are numeric values. The Encryption Flag attribute is a Boolean (True or False) value, while the rest are alphanumeric text strings. When you select Item
27. Lists tab, under Word/Phrase, double-click the word or phrase that you want to edit. In the Content Filtering Match List Word document, make revisions as necessary. On the Action bar, click Save.

To delete a word or phrase in a match list
1. In the Group document, on the Content Filtering tab, on the Match Lists tab, under Word/Phrase, double-click the word or phrase that you want to delete.
2. In the Content Filtering Match List Word document, on the Action bar, click Delete.
3. In the confirmation dialog box, click Yes.
4. On the Action bar, click Save.

Symantec Mail Security for Domino automatically deletes a match list when all of the words or phrases within the match list are deleted.

Creating a content filtering rule that uses a match list

After you have built your match list, you can create content filtering rules that use the match list.

To create a content filtering rule that uses a match list
1. In the Group document, on the Content Filtering tab, click the Rules tab.
2. On the Action bar, click New Rule.
3. In the Content Filtering Rule document, on the Basics tab, set the basic options. See "Setting the basic options for a content filtering rule" on page 110.
4. On the Rule tab, set the If attribute, and then select comparison options. See "Creating a content filtering rule" on page 109.
5. Under Value, check Item s
28. [Screenshot: Symantec Licensing and Registration Web page, Enter Serial Number form]

If you are using Microsoft Internet Explorer, you must be using 128-bit encryption to view the site.
2. In the Serial Number box, type the 11-digit serial number. When you are registering multiple types of licenses, use either of the serial numbers.
3. Click submit.
4. Follow the instructions on the Symantec Web site to register your license and receive your license file. Symantec will send you an email message that contains the license file in an attachment. If the email message does not arrive within two hours, an error might have occurred, such as an invalid email address entry. Try to obtai
29. SESA AgentStart Service
1. On the computer on which you installed the SESA Agent, on the Windows taskbar, click Start > Settings > Control Panel.
2. In the Control Panel window, double-click Administrative Tools.
3. In the Administrative Tools window, double-click Services.
4. In the Services dialog box, right-click SESA AgentStart Service.
5. Click Start.

Configuring Symantec Mail Security for Domino to log events to SESA

After you have installed the local SESA Agent to handle communications between Symantec Mail Security for Domino and SESA, you must configure Symantec Mail Security for Domino to communicate with the Agent by specifying the IP address and port number on which the Agent listens. You must also ensure that logging to SESA is activated. These settings are located on the Symantec Mail Security for Domino Settings database.

To configure Symantec Mail Security for Domino to log events to SESA
1. In the Settings view, double-click a server group.
2. On the Configuration tab, on the Logging tab, under Where to Log, check Enable SESA logging.
3. In the SESA agent IP address Port Number box, type the IP address and port on which the local SESA Agent listens. The default IP setting is 127.0.0.1 (the loopback interface), which restricts connections to the same computer. The port number that you type here must match the port number on which the local SESA Agent listens. The default port is 8086.
4. On the Action b
30. Symantec Mail Security for Domino lets you choose which databases and directories to scan. You can exclude specific databases or directories from scans that might not be at risk for virus infection or require content filtering. For example, you might have documentation or reference databases that are not at risk because they cannot be modified by users. Symantec Mail Security for Domino databases (sav.nsf, savlog.nsf, savquar.nsf, savhelp.nsf, and savdefs.nsf) are automatically excluded from scans.

By default, Symantec Mail Security for Domino scans all document attachments, regardless of extension. This is the most secure setting, but imposes the heaviest demand on resources.

You can limit which types of file attachments are scanned by using an inclusion list. You specify the file name extensions that you want to scan in the inclusion list. Only the file types that are listed in the inclusion list are scanned, which can optimize performance. However, this is the least secure configuration because there is an unlimited number of possible file name extensions that are not scanned.

If you configure Symantec Mail Security for Domino to scan attachments using an inclusion list, container files and the files within the container are scanned only if their file name extensions are listed in the inclusion list. Symantec Mail Security for Domino provides a default list of file name
31. an event management system that employs data collection services for events that are generated on computers that are managed by Symantec security products. The event categories and classes include antivirus, content filtering, network security, and systems management. The range of events varies depending on the Symantec applications that are installed and managed by SESA.

You can monitor and manage these security-related events through the SESA Console. The SESA Console is the common user interface that provides manageable integration of security technologies (Symantec or otherwise), Symantec Security Services, and Symantec Security Response. You can query, filter, and sort data to reduce the security-related events that you see through the SESA Console, which lets you focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status based on filtered views that you create.

SESA is purchased and installed separately. SESA must be installed and working properly before you can configure Symantec Mail Security for Domino to log events to SESA. For more information, see the SESA documentation.

Interpreting Symantec Mail Security for Domino events in SESA

SESA provides extensive event management capabi
32. and the metacharacters and. By using the Subject attribute, the operator, and the regular expression as the value, you can build a content filtering rule to catch any email message whose subject line ends with a trailing number, a probable sign that the message is spam. See "Metacharacters" on page 114.

As another example, you might want to filter email message attachments with certain file name extensions. To detect message attachments with the file name extensions exe, com, or zip, you could write three different expression phrases, each focusing on one of the extensions. A more practical and faster way to do it is to use the pipe metacharacter, which creates an OR expression, for example:

Attachment ext = com|exe|zip

This example matches any first-level extension names that equal com, exe, or zip.

Note: For content filtering only, first-level attachments refer to the outermost file attachment. The content filtering engine does not evaluate any file name extension inside the outer attachment, for example, the compressed files in a zip file.

Metacharacters

Table 7-2 lists the metacharacters that you can use in regular expressions to build content filtering rules. Some characters are not considered special unless you use them in combination with other characters.

Note: You can use metacharacters in regular expression
33. attachment icon. By default, it saves the deleted attachment as a backup document in the Quarantine.

When scan now scanning is enabled, if Symantec Mail Security for Domino detects a virus inside a container file, it deletes the container file and everything in it. When a container file is comprised of both infected and uninfected files, the entire container file and all the files inside it might be deleted.

If you choose to quarantine infected documents, you must open those documents in the Quarantine to process the infected documents. You must have the appropriate Role assignments to view quarantined documents. See "About releasing documents from the Quarantine" on page 189. See "Assigning Quarantine roles" on page 186.

Configuring scan now settings

You can change settings as necessary to run scan now scans. After you configure a scan now scan, you can run it at any time by clicking Start the Scan on the Action bar of the Scan Now tab.

Configure scan now settings

To configure scan now scans, set the following options:
- Basics: Defines which directories and subdirectories are included in the scan.
- What to Scan: Contains settings for which types of attachments to scan, whether to perform content filtering, whether to scan native MIME message bodies, and the dates and time to perform incremental scans.
- Actions: Specifies how to d
34. continues to own the Software. You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:

A. use the number of copies of the Software as have been licensed to You by Symantec under a License Module. If the Software is part of a suite containing multiple Software titles, the number of copies You may use may not exceed the aggregate number of copies indicated in the License Module, as calculated by any combination of licensed Software titles. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single computer;

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;

C. use the Software on a network, provided that You have a licensed copy of the Software for each computer that can ac
35. data
- Sending notifications when a threat or violation is detected
- Managing single and multiple Lotus Domino servers

Protecting against computer viruses

Symantec engineers track reported outbreaks of computer viruses to identify new viruses. After a virus is identified, information about the virus (a virus signature) is stored in a virus definitions file. This file contains the necessary information to detect and eliminate the virus. When Symantec Mail Security for Domino scans for viruses, it is searching for these virus signatures.

Symantec Mail Security for Domino also uses Symantec Bloodhound heuristics technology to scan for viruses for which no known definitions exist. Bloodhound heuristics technology scans for unusual behaviors, such as self-replication, to target potentially infected documents.

Symantec Mail Security for Domino scans document writes and email messages that are sent to mailboxes on Lotus Domino servers, including files in compressed and encoded formats, such as Zip. It also decomposes and scans file attachments for viruses.

You can configure Symantec Mail Security for Domino to scan the Domino server on a regular schedule, or you can manually start a scan at any time. The auto-protect feature detects viruses in real time as email messages are routed through the Lotus Domino server or as documents are
36. documents

To release a document from the Quarantine after viewing it
1. In the Quarantined Document, on the Action bar, click Unscanned Release.
2. In the confirmation dialog box, click Yes.
3. When you are prompted to save your changes, click Yes.

Released documents remain in the Quarantine until Symantec Mail Security for Domino purges them or you delete them.

To release a document from the Quarantine without viewing it
1. In the Quarantine view, in the left pane, under Quarantined Documents, click Content Filtering Violations.
2. In the right pane, select the document that you want to release.

[Screenshot: Symantec Mail Security for Domino Quarantine view in Lotus Notes]

3. On the Action bar, click Unscanned Release.
4. In the confirmation dialog box, click Yes.

Released documents remain in the Quarantine until Symantec Mail Secur
37. extension. Separate multiple entries with semicolons. You can use wildcard characters. The question mark that is used in several of the default file name extensions represents a single character. Reset to defaults restores the default Specified file name extensions list.
4. On the Action bar, click Save.

Customizing the native MIME message

You can configure Symantec Mail Security for Domino to scan for malicious HTML in MIME message bodies. If Symantec Mail Security for Domino detects malicious code in a MIME-encoded message, it deletes the entire message body and replaces it. Infected message bodies cannot be repaired. You can customize the replacement text message.

To customize the native MIME message
1. In the Settings view, double-click a server group.
2. In the Group document, on the Configuration tab, on the Native MIME tab, under Replace deleted MIME message bodies with the following text, type your customized message.
3. On the Action bar, click Save.

Creating backup documents

When you configure Symantec Mail Security for Domino to repair or delete infected attachments, you have the option to save backup copies of the infected documents to the Quarantine to protect data. In the Quarantine, click Backup documents to view the list and delete or restore backups. You must have the appropriate Role assignments to view quarantined documents. See "Managing backup documents" on page 198. See Assigning Quarantine roles
38. following directory on each Domino server: C:\Program Files\Common Files\Symantec Shared\Licenses

Distribute each license file using a distribution tool: You can configure your distribution tool to copy each license file to the following folder on each Domino server: C:\Program Files\Common Files\Symantec Shared\Licenses

Renewing licenses

When a server has an expired content license, or when the content license is missing or invalid for any reason, content updates are not applied to your product. Likewise, when a product license is invalid, Symantec Mail Security for Domino no longer scans documents, which renders your server vulnerable to virus attacks. When a license expires, you must renew your Maintenance Agreement to receive content updates and resume scanning functions.

Warning: License files are digitally signed. If you attempt to edit a license file, you will corrupt the file and render it invalid.

To renew a license

Do one of the following:
- If you have purchased Symantec Mail Security for Domino through the Symantec Value or Elite Enterprise Licensing programs, contact your administrator or reseller to see if your Maintenance Agreement has been renewed and if new content and product licenses are available. After your Maintenance Agreement is renewed, you receive new serial numbers that you can register to obtain your new content an
39. for Domino
- Components of Symantec Mail Security for Domino
- How Symantec Mail Security for Domino works
- What you can do with Symantec Mail Security for Domino
- Where to get more information about Symantec Mail Security for Domino

About Symantec Mail Security for Domino

Symantec Mail Security for Domino is a complete, customizable, and scalable antivirus, anti-spam, and content filtering solution. It protects your Lotus Domino server from viruses and destructive programs, and it filters unwanted and unsolicited content. Symantec Mail Security for Domino lets you specify the actions to take and notifications and alerts to issue when a threat or violation is detected. The criteria that are used to identify threats and violations are customizable.

Symantec Mail Security for Domino scans Notes database document writes and email messages that pass through the Lotus Domino server. Symantec Mail Security for Domino identifies spam messages and uses a white list to reduce the incidents of false positives. In addition, it lets you filter undesirable content, such as offensive language and confidential information.

You can create and save multiple sets of criteria for use by Symantec Mail Security for Domino. You can also manage one or more Domino servers with Symantec Mail Security for Domino. The Lotus Domino environment is only one
40. > Programs > Symantec Mail Security for Domino > LiveUpdate. In the LiveUpdate dialog box, click Configure. On the ISP tab, click Customized settings for LiveUpdate. Under Use this Dial-up Networking connection, do one of the following:
- In the drop-down list, select the appropriate connection.
- If the connection that you want to use is not found in the drop-down list, click Add, and then follow the Location Information Wizard instructions to add a connection.
Type your ISP user name and password. Click OK.

Using LiveUpdate with a firewall

When a firewall is in place, LiveUpdate might not be able to connect to the Internet because the system account does not have rights to the firewall.

Use LiveUpdate with a firewall

You can use LiveUpdate with a firewall regardless of whether the firewall supports user accounts. You can also use LiveUpdate when your organization uses an internal LiveUpdate server.

To use LiveUpdate with a firewall that supports user accounts

Configure a firewall rule to permit the LiveUpdate connection for the user account of the computer that runs LiveUpdate. If your firewall has validation rules that are independent of user accounts, LiveUpdate does not work directly.

To use LiveUpdate with a firewall that does not support user accounts

If the firewall requires a user name and password, create an FTP proxy server that requires the same
41. in the Lotus Domino Log. In addition, you can log virus and content filtering rule violation alerts to the Statistics view of the Symantec Mail Security for Domino Log. This gives you more information about the types of alerts that Symantec Mail Security for Domino generates.

The Symantec Mail Security for Domino and Lotus Domino Logs store an aggregate total of detected virus or content filtering rule violations. You can sort Symantec Mail Security for Domino alerts into finer classes and store individual statistics based on these classes, and you can set up administrator notifications based on these statistics.

Configure alert options

To create or modify an alert, configure the following options:
- Basics: Sets the basic options for the alert.
- Alert Condition: Sets the conditions for which Symantec Mail Security for Domino generates an alert.
- Alert Messages: Sets notification options for the administrator, document author, and document recipients.
- Statistics: Sets the options to gather alert statistics.

When you no longer need an alert, you can delete it from the list of alerts.

To create or modify an alert
1. In the Settings view, double-click a server group.
2. In the Group document, on the Configuration tab, on the Alerts tab, do one of the following:
- Double-click an existing alert to modify it.
- On the Action bar, click New Alert to create a new al
43. on page 186

To create backup documents
1. In the Settings view, double-click a server group.
2. In the Group document, on the Configuration tab, on the Backup tab, under Back up documents before repairing or deleting, check Yes. See "Upgrading Symantec Mail Security for Domino" on page 33.
3. On the Action bar, click Save.

Configuring disclaimer options

Some organizations are required to post disclaimers that indicate that an email message has been scanned. The text that you specify for the disclaimer displays in the header or footer of an email message. When this option is enabled, Symantec Mail Security for Domino inserts your specified disclaimer in every email message as it passes to its destination.

Disclaimers are only applied to email messages that are sent to or received from addresses that contain different base domains. For example, an email message sent from mailer1@domain.com to mailer2@domain.com would not receive a disclaimer. An email message sent from mailer1@domain.com to mailer3@company.com would receive a disclaimer.

The disclaimer is placed on all incoming and outgoing email messages, regardless of what type of scanning is performed (that is, virus, anti-spam, or content filtering). Symantec Mail Security for Domino uses a field called a disclaimer mark to tag email messages. Symantec Mail Security for Domino uses this tag to detect whether a dis
44. particular server in which Symantec Mail Security for Domino was able to repair a document when a virus was found. See "Configuring queries" on page 174.

After you create a custom query, you can run it on demand or on a scheduled basis. After you configure a scheduled query, you must enable it with the Scheduled Report agent. When you no longer need a query or completed report, you can delete it from the Reporting view. See "Working with queries" on page 180. See "Enabling the scheduled reports agent" on page 181.

Before you run a query, ensure that the following requirements are met:
- In the Access Control List for the Log database, the Anonymous account must have Read Public Documents and Write Public Documents rights.
- The Domino HTTP process must be running and set to TCP port 80.

Configuring queries

You can configure a query to run once during a time period that you specify, or you can run it repeatedly on a schedule that you create. You can also create and save queries to run on demand. After you run a query in Symantec Mail Security for Domino, the completed report appears in the Completed Reports view of the Log.

Configure queries

To configure a query, create a new query or modify an existing one, set basic options for the query, provide specific query information, and define the output criteria.

To create or edit a query
1. In the
45. s from Match List, one or more match lists display if you have created any. You then select a match list as the criteria to match. See "Creating a content filtering rule that uses a match list" on page 126.

The attribute that you select determines which operators you can use. Some attributes have more operators than others. For example, if you select Sender/Author as the attribute, then the available operators are Contains, Does not contain, and <>. However, if you choose Encryption Flag as the attribute, then only the operator is available.

Most attributes (Attachment name, Attachment ext, Body, Domino Domain, Domino Server, Internet Domain, Sender/Author, and Subject) take alphanumeric text strings as their values. This means that even if you type a number in the Value box, Symantec Mail Security for Domino considers it text, not a number.

Because they allow for regular expressions, text strings give you flexibility in extending your text searches to find more than just a direct match. Regular expressions include metacharacters, or wildcard characters, to help you broaden the search capabilities of a given rule. See "About Regular expressions" on page 113.

Selecting Content Score as the attribute instructs Symantec Mail Security for Domino to use Dynamic Document Review to analyze the content based on a score and one or more diction
46. the Definitions purge agent on page 161
- Scheduled reports agent: Runs scheduled queries in the Log database. By default, this agent runs scheduled queries once a day and posts the queries in the Completed Reports view. See "Enabling the scheduled reports agent" on page 181.

For a user to enable, disable, or modify an agent, the administrator must grant rights to run unrestricted agents in the Server Document for the Domino Directory (Public Address Book) that belongs to the server.

To grant rights to run unrestricted agents
1. On the Lotus Notes workspace, open Domino Administrator.
2. On the Configuration tab, in the left pane, double-click Server.
3. In the left pane, under Server, click All Server Documents.
4. In the right view pane, double-click the server on which Symantec Mail Security for Domino runs.
5. On the Action bar, click Edit server.
6. On the Security tab, do one of the following:
- If you are running Lotus Domino 6.x, under Programmability Restrictions, in the Run unrestricted methods and operations box, add the users to whom you want to grant rights to enable, disable, or modify agents.
- If you are running Lotus Domino 5.x, under Agent Restrictions, in the Run unrestricted LotusScript/Java agents box, add the users to whom you want to grant rights to enable, disable, or modify agents.
7. On the Action bar, click Save & Close.
47. the violation. You must have the CFContentViewer role to see the content that triggered the violation.

Unscanned Release (scan error violations and content filtering rule violations only): Releases scan error violation or content filtering rule violation documents, but flags them so that the scan engine does not process them again for violations. If the document is subsequently routed to another server or is modified, Symantec Mail Security for Domino scans it again as a new document. When you release a document, Symantec Mail Security for Domino changes the Restored field from No to Yes. You must have the CFReleaser role to release documents that contain content filtering violations only. You must have the VirusReleaser role to release documents that contain any scan error violations. See "About multiple violation types" on page 190.

About releasing documents from the Quarantine

One of the actions that you can perform in the Quarantine is to release a document to its destination. When you release a content filtering rule violation document, it is not rescanned before it goes to its destination.

You must delete infected attachments before you can release an infected document from the Quarantine. The document is rescanned before it reaches its destination to ensure it is free from viruses.

Documents that contain encrypted containers, exceed container limits, or are unscannable are treated as scan error violation
48. thresholds that are established through content filtering rules, match lists, and word categories. Documents that contain violations are disposed of according to the content filtering configuration settings.
About Symantec Mail Security for Domino databases
Table 1-3 lists the databases that comprise Symantec Mail Security for Domino.
Table 1-3 Symantec Mail Security for Domino databases
- Symantec Mail Security for Domino Settings database (sav.nsf): The Settings database contains the antivirus, anti-spam, content filtering, and logging configurations, in addition to LiveUpdate and licensing information for your Lotus Domino servers. The icon for this database is identified as SMSDOM Settings 4.0 on the Notes client.
- Symantec Mail Security for Domino Log database (savlog.nsf): The Log database contains server messages, product information, violation incidents, and log reports. The icon for this database is identified as SMSDOM Log 4.0 on the Notes client.
- Symantec Mail Security for Domino Quarantine database (savquar.nsf): The Quarantine database contains quarantined and backup documents. You can view detailed information about a quarantined or backup document, and you can release a document to its destination. Infected documents are only released when the infected
49. to scan all attachments on the next scheduled scan date. On the Action bar, click Save.
To configure scheduled scan action settings
1. In the Scheduled Scan document, on the Actions tab, under When a virus is detected, select one of the following:
   - Log only: Logs the detection but leaves the virus untreated.
   - Delete the infected attachment: Strips the infected attachment, making it unrecoverable.
   - Quarantine the document: Holds the infected document in the Quarantine for administrator review.
   - Repair the infected attachment: Automatically eliminates the virus and repairs any damage. When Symantec Mail Security for Domino cannot repair the document, the selected If unable to repair option applies. This option is enabled by default.
2. Under If unable to repair, select one of the following:
   - Log only
   - Delete the infected attachment
   - Quarantine the document (this option is enabled by default)
3. On the Action bar, click Save.
To delete a scheduled scan
1. In the Group document, on the Scan tab, on the Scheduled Scans tab, in the list of scheduled scans, double-click the scheduled scan that you want to delete.
2. In the Scheduled Scan document, on the Action bar, click Delete.
3. In the confirmation dialog box, click Yes.
4. On the Action bar, click Save.
Configuring LiveUpdate
This chapter includes the following topics
50. under If unable to connect to LiveUpdate server, specify the retry frequency when a connection cannot be made to a LiveUpdate server. The default setting is to make 3 attempts and to retry each attempt every 20 minutes. On the Action bar, click Save.
To set LiveUpdate notification options
1. In the Group document, on the LiveUpdate tab, on the Notifications tab, under When to notify, select any of the following:
   - When New Definitions Arrive: Symantec Mail Security for Domino has performed a LiveUpdate and new virus definitions were downloaded.
   - When Product Updates Arrive: Symantec Mail Security for Domino has performed a LiveUpdate and product updates were downloaded and installed.
   - When Errors Occur: A LiveUpdate was not performed. Possible reasons include a lost connection with the LiveUpdate server or errors in downloading virus definitions files or product updates.
   - When Up to Date: LiveUpdate has confirmed that virus definitions and product updates are all up to date.
   - When definitions are older than 14 days: The active virus definitions set is older than the number of days that are specified. The default setting is 14 days.
   - When license enters warning period or is expired notify me every 14 days: The content license and product license are in the warning period or have expired. The default setting is 14 days.
2. Under Specified users to notify, sele
51. without any interruption in protection. See "Configuring LiveUpdate" on page 149.
Establishing antivirus scanning policies
Customize your antivirus protection by configuring the following settings:
- Basics: Set the Bloodhound heuristic detection level, enable mass mailer clean up, enable HTML scanning, define the directory for temporary files, and set the memory limits for extracting attachments. See "Setting basic antivirus options" on page 94.
- Container Limits: Define the limits for which container files are extracted. See "Setting container limits" on page 96.
- Actions: Specify how Symantec Mail Security for Domino should handle infected documents, how to dispose of an infected document that cannot be repaired, whether to repair signed documents, and how to address documents that cannot be scanned. See "Defining antivirus action policies" on page 97.
- Outbreak Detection: Establish the criteria and actions for virus outbreaks. See "Managing outbreak detection" on page 99.
Setting basic antivirus options
Symantec Mail Security for Domino lets you customize your level of protection against viruses, from zero protection to a high level of protection. A high level of protection increases protection of your system; however, server performance might be affected. At lower levels of protection, the possibility that an unknown virus might escape detection increases, but the trade off between system performance decr
52. 0 1 Symantec Mail Security for Domino Log views
- Server Messages: Logs server-related events and displays them by date, type, and message. By default, the Server Messages view sorts by date, but you can sort data by other columns.
- Product Information: Logs the Symantec Mail Security for Domino product versions, the servers on which the product is installed, and the version of the most recent virus definitions.
- Scan Reports: Logs summaries of scheduled and scan now scans and displays them by date, type, infected documents, cleaned documents, and quarantined documents. By default, the Scan Reports view sorts by date, but you can sort data by other columns.
- Incidents: Logs virus detections, spam detections, scan error violations, and content filtering rule violations and displays them separately or together. Incidents are reported by document, not by database. Symantec Mail Security for Domino uses them to calculate statistics. By default, the Incidents view sorts by date, but you can sort data by other columns. The Incidents views are as follows:
   - All Incidents: Displays incidents that are logged by all scanning types. The violation column lists the names of viruses and content filtering rule violations and gives spam detection scores. It also includes incidents of scan error violati
53. 1. On the Lotus Notes client, open the Definitions database using a Notes ID that has the appropriate rights to disable or enable the Definitions purge agent.
2. On the Action bar, click Set Purge Options.
3. Type the number of most recent definitions sets to save, including the most current. The default setting is 5.
4. In the Purge Options dialog box, click Set Server to Execute Agent.
5. In the Choose Server To Run On dialog box, select the server on which the agent should run, and then click OK.
6. In the Purge Options dialog box, click Enable Purge Agent. If you receive an error message that indicates that you do not have execution access privileges, contact your administrator to grant you the appropriate purge agent rights. See "Granting rights to run unrestricted agents" on page 41.
7. Click OK.
Using the Symantec Mail Security for Domino Log
This chapter includes the following topics:
- About logging
- Understanding the Log views
- Managing the Log
- Customizing queries
About logging
The Symantec Mail Security for Domino Log stores server messages, product information, reports of virus incidents, content filtering rule violations, spam detections, scan summaries, predefined statistical reports, and custom queries. Server messages and incidents are reported with the following severities:
- Information (blue): No violation occurred with the event.
- S
55. Administrator account
IP Address of SESA Directory: The IP address of the computer on which the SESA Directory is installed (may be the same as the SESA Manager IP address if both are installed on the same computer). When you are using authenticated SSL instead of SESA default, anonymous SSL, you must type the host name of the SESA Directory computer. For example, mycomputer.com. For more information about SESA default, anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
SSL Port: The number of the SESA Directory secure port. The default port number is 636.
6. Follow the on-screen instructions to install the appropriate SESA Integration Package and complete the SESA Integration Wizard.
7. Repeat steps 1 through 6 on each SESA Manager computer to which you are forwarding Symantec Mail Security for Domino events.
Installing the local SESA Agent using the Agent Installer
The local SESA Agent handles the communications between Symantec Mail Security for Domino and SESA and is installed on the same computer that is running Symantec Mail Security for Domino. The local SESA Agent is provided as part of the software distribution package for Symantec Mail Security for Domino. A separate installation package for installing the Agent (sesa_agent_installer.exe) is located in the ADMTOOLS SE
56. Scan only certain file extensions: Symantec Mail Security for Domino is configured by default to scan all files, regardless of extension. Although this is the most secure setting, it also imposes the heaviest demand on resources. You can choose to scan the file name extensions that are commonly at risk of infection. See "Specifying what to scan" on page 74.
Do not scan items from a trusted server: Symantec Mail Security for Domino lets you increase Lotus Domino email delivery performance by reducing scanning redundancy through the use of trusted servers. A trusted server is typically one that you know to be safe from outside security breaches by means of a firewall or similar protection device or software, and that is already scanning email traffic for viruses and content filtering rule violations. See "Configuring trusted server options" on page 79.
Stop rules processing after the first content violation: You can configure Symantec Mail Security for Domino to stop the processing of other content filtering rules after the first content filtering rule violation is detected. This option optimizes performance by preventing unnecessary further processing of a document. See "Setting the action options for a content filtering rule" on page 122.
Ignore specific server processes from auto-protect scanning: Symantec Mail Security for Domino can be conf
58. For example, if a document contains a virus infection and a content filtering rule violation, it is quarantined by Symantec Mail Security for Domino as an infected document. See "About multiple violation types" on page 190.
You manage the Quarantine by performing specific tasks, such as viewing and adding comments to a Quarantine Document; adding, saving, or deleting attachments; releasing documents from the Quarantine; or deleting documents from the Quarantine view. See "Managing quarantined infected documents" on page 190.
About Quarantined Documents views
Most of the Quarantined Documents views show when the document was quarantined, which database was affected, who authored the document, and which virus or content filtering rule was involved. The views also show whether the document was released or restored to its original database.
Table 11-1 lists the Quarantined Documents views.
Table 11-1 Quarantined Documents views
- All Quarantined Documents: All quarantined documents.
- By Recipient: Email messages or documents sorted by recipient.
- By SMTPOriginator: Email messages that were received from the Internet, sorted by email message origin.
- Content Filtering Violations: Email messages or documents that contain at least one content filtering rule violation.
- Virus Infections: Email messages or documents that contain at least one virus infection.
Yo
59. Heuristic tab, check Enable the heuristic anti-spam detection engine.
To log anti-spam events, check Log heuristic anti-spam events.
Under Engine Sensitivity Level, in the drop-down list, select the sensitivity level of the anti-spam engine. The default level is 1 Low.
Under Spam mail subject, check Prepend text to subject line of detected spam mail to prepend the subject line text, and then type your customized text message. The default text is Spam. When no text is typed in the box, the subject line is not modified.
To add a new field in the header, under Spam mail header, check Add new header to the detected spam mail.
In the Header text field, type the header field name. The default header field name is X_Bulk.
On the Action bar, click Save.
Managing a white list
The white list helps you prevent false positive spam detections. You can add domains to the white list to ensure that standard business email communications are delivered without unnecessary delay. Email messages from domains that are contained in the white list bypass anti-spam scanning, but they are scanned for viruses and content filtering rule violations according to scanning policies that you configure.
The Internet domain names can be absolute domain names or base domain names. Mailer1.domain.com and mailer2.domain.com are examples of absolute domain names. When added to the white list, email mes
60. Log view, in the left pane, click Reporting.
2. Under Reporting, click Queries.
3. Do one of the following:
   - To create a new report, on the Action bar, click New.
   - To modify an existing query, select an existing query, and then on the Action bar, click Open.
To set basic options
1. In the Custom Query document, on the Basics tab, under Report Description, type a description or title for the query. This description appears in the Reporting Completed Reports and Queries views.
2. Under Report Type, select one of the following:
   - Manual: Specifies a one-time-only query to run in a time range that you specify under Manual Reporting Range. This option is enabled by default.
   - Schedul
61. NG OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.
5. U.S. Government Restricted Rights
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items", as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation", as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.
6. Export Regulation
62. S
Managing backup documents
Purging the Quarantine
Integrating Symantec Mail Security for Domino with SESA
About SESA
Interpreting Symantec Mail Security for Domino events in SESA
Application events that are sent to SESA
Security events that are sent to SESA
Configuring logging to SESA
Configuring SESA to recognize Symantec Mail Security for Domino
Installing the local SESA Agent using the Agent Installer
Installing the SESA Agent manually by command line
Configuring Symantec Mail Security for Domino to log events to SESA
Uninstalling SESA
Uninstalling the SESA Integration Package
Uninstalling the local SESA Agent
Introducing Symantec Mail Security for Domino
This chapter includes the following topics:
- About Symantec Mail Security for Domino
- What's new in Symantec Mail Security
63. SA _Agent_Installer directory on the distribution CD for Symantec Mail Security for Domino.
When you have more than one SESA-enabled product installed on a single computer, these products can share a local SESA Agent. However, each product must register with the Agent. Thus, even if an Agent has already been installed on the computer for another SESA-enabled security product, you must run the installer to register Symantec Mail Security for Domino.
The local SESA Agent is preconfigured to listen on IP address 127.0.0.1 and port number 8086. Symantec Mail Security for Domino uses this information to communicate with the Agent. If you must change the IP address or port number for the Agent, you must do so through the SESA Console. After an Agent is installed, it is controlled through the SESA Console, even though it is running on the same computer that is running the security product. You must also update, through the Symantec Mail Security for Domino Settings database, the information that Symantec Mail Security for Domino uses to contact the local SESA Agent. For more information, see the SESA documentation. See "Configuring Symantec Mail Security for Domino to log events to SESA" on page 210.
Before you install the SESA Agent, install the Java Runtime Environment (JRE) version 1.3.1_02 on the server on which the SESA Agent will be installed. Thi
64. [Screenshot: Content Filtering Match List Word document]
3. In the Content Filtering Match List Word document, in the List Name box, do one of the following:
   - If you are creating a new match list, type a name for the match list. Match list names are case sensitive.
   - If you have already created a list and want to assign the new word or phrase to the existing match list, in the drop-down list, select the match list name.
4. In the Word box, type a custom word or phrase to add to the match list. Words in the match list are not case sensitive.
5. Select one of the following:
   - All servers in this group: Applies the word or phrase to all servers in the server group. This option is enabled by default.
   - The following servers: Applies the word or phrase to specific servers. Select the servers from the drop-down list. Separate multiple entries with commas.
6. On the Action bar, click Save.
To edit a word or phrase in a match list
1. In the Group document, on the Content Filtering tab, on the Match
65. Size or Attachment size
- Author: Selects the alerts that are caused by violations in document authors. The violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified attribute is Sender.
- Virus: Selects the alerts that are caused by viruses that are found in documents or attachments.
- Scan Error: Selects the alerts that are caused by scan error violations that are found during antivirus scanning. Attachments that exceed any of the container limits or are encrypted container files are reported as scan error violations.
- Content: Selects the alerts that are caused by violations in the contents of documents or attachments. The violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified attribute is Body.
4. To specify the action that was taken when a violation was detected, under Action Taken, select any of the following: Ignored document, Copied document, Cleaned document, Removed attachment document, Quarantined document.
   - Ignored document: Selects the alerts that are generated from documents on which Symantec Mail Security for Domino only logs the event but does not act.
   - Copied document: Selects the alerts that are generated from documents that Symantec Mail Security for Domino copies to the Quarantine database a
66. Status, and then click Check Statistics. See "Checking server status" on page 46.
To receive notification when a license is about to expire
1. In the Settings database, double-click a server group.
2. In the Group document, on the LiveUpdate tab, on the Notifications tab, under When to notify, check When license enters warning period or is expired notify me every 14 days. The default setting is 14, but you can change the number of days.
3. In the Specified users to notify list, select whom to notify when the license is about to expire.
4. On the Action bar, click Save.
Distributing license files to multiple Domino servers
When you have more than one Domino server to license, you can use a distribution method to install multiple license files on multiple Domino servers.
To distribute license files, do any of the following:
- Send each license file by email as an attachment to an email account that can be accessed on the Domino servers. You or another user with the appropriate access rights can then download each license file and install it to the following directory: C:\Program Files\Common Files\Symantec Shared\Licenses
- Copy each license file to a network share to which the appropriate users have access. You or another user with the appropriate access rights can then download each license file and save it to the
67. [Screenshot: list of content filtering rules, showing rules such as Delete launchable attachments, Delete Visual Basic Script attachments, and Quarantine documents with questionable content]
In the Content Filtering Rule document, on the Basics tab, check Enable this rule.
On the Action bar, click Save.
Creating a content filtering rule
To create a content filtering rule, specify the basic settings and set up as many conditional expressions as you need to categorize the objectionable content that you are trying to block. You can then specify how to handle a document that violates the content filtering rule.
To create a content filtering rule
1. In the Group document, on the Content Filtering tab, on the Rules tab, on the Action bar, click New Rule.
2. In the Content Filtering Rule document, on the Basics tab, set the basic options. See "Setting the basic options for a content filtering rule" on page 110.
3. On the Rules tab, use expressions to define the content filtering rule. See "Understanding content filtering rule expressions" on page 111. See "Building expressions for a content filtering rule" on page 119.
4. On the Actions tab, set the action options. See "Setting the action options for a content filtering rule" on page 122.
5. On the Act
68. You can create custom word categories that include confidential terms and monitor messages for words in those categories. This helps ensure confidentiality and reduces possible legal liability.
How dictionary-based content filtering works
To evaluate content against your own custom words and categories, or against the vendor (Symantec) supplied words and categories, you build a content filtering rule using the Content Score attribute. In the rule, you assign one or more scores (thresholds) to one or more categories that you select. Symantec Mail Security for Domino then matches text in document writes and the subject lines and message bodies of email messages against words that belong to the set of selected categories. These words have predefined scores. The more strongly representative the word or phrase is of a particular category, the higher the score. Symantec Mail Security for Domino assigns each document a score based on the total number of target words found.
When a score exceeds your specified threshold for a particular expression in a rule, the content filtering engine considers that expression violated. The entire rule might be violated, depending on whether it contains OR expressions or AND expressions. When it contains OR expressions, a violation of any one expression violates the entire rule. When it contains AND expressions, all expressions in the rul
69. abase for changes. Any changes made to the Symantec Mail Security for Domino Settings database on any of the Domino servers are distributed to the other replicas when a manual or scheduled replication occurs. After replication, the new settings are automatically reloaded. All Settings database options are replicated among the Domino servers.
Note: You can avoid replication save conflicts by permitting only the Domino administrator in charge of antivirus policy to modify the Symantec Mail Security for Domino Settings database on each of the Domino servers.
Log database: Choose a computer to act as the hub for the Log. When you replicate the Log database, the hub receives violation incidents and reports from the other Domino servers that run Symantec Mail Security for Domino. See "Using the Symantec Mail Security for Domino Log" on page 163. To centralize logging of violation incidents and reports, initiate pull replication to the Symantec Mail Security for Domino Log hub server from the spoke servers. If you do not need to centralize logging, you may use push-pull replication.
Quarantine database: You can replicate the Quarantine database to create a central repository of quarantined documents, although you might find it unnecessary. The Quarantine database provides access to quarantined and backup documents. Symantec Mail Securit
70. access certain information. Only the tasks that you can perform or information that you can access will appear on the Web browser screen.
The following tasks and data are not available through the Web browser:
- Settings database: This database is inaccessible through a Web browser.
- Log database:
   - Export incidents to Microsoft Excel
   - Open links in the Server Messages or Incidents views
   - Open Virus, Spam Detection, or Content Filtering statistics in the Statistics view
   - Enable the purge agent
   - Enable the scheduled reports agent
   See "About logging" on page 163.
- Quarantine database:
   - Release infected documents or content filtering rule violation documents from the Quarantine
   - View the Quarantined Content Filtering Violation report
   - Enable the purge agent
   See "About the Quarantine" on page 183.
- Definitions database:
   - Set active definitions
   - Enable the purge agent
   See "Managing the Definitions database" on page 159.
- Help database: Context-sensitive Help for group options is unavailable through a Web browser.
To access Symantec Mail Security for Domino databases over the Internet, you must load HTTP on the Domino server. You can do so by typing LOAD HTTP at the Domino server command prompt. Alternatively, you can add HTTP to the entries in the ServerTasks line of the Notes.ini file. For more information, see your Lotus Notes documentation.
71. ail Security for Domino places the entire email message and any attachments in the Quarantine database, regardless of which part of the email message is infected or has offending content. It does not forward any part of the email message. Symantec Mail Security for Domino can also quarantine infected Lotus Notes database documents. See "Managing quarantined documents" on page 184. As a data safety precaution, administrators can configure Symantec Mail Security for Domino to store a backup copy of any document or email message that contains content filtering rule violations or infected attachments. See "Managing backup documents" on page 198. See "Creating backup documents" on page 76. To prevent the Quarantine database from growing too large, Symantec Mail Security for Domino can routinely purge documents from the Quarantine. See "Purging the Quarantine" on page 199. The separation of the Quarantine from the Log lets Symantec Mail Security for Domino replicate the Log database and gather statistical information for multiple servers without simultaneously having to handle the additional overhead and disk space that quarantined and backup documents require. Symantec Mail Security for Domino displays quarantined documents separately from backup documents. You can further sort these views by recipient, SMTP originator, content filtering rule violations, and
72. ail Security for Domino comes with a dictionary of commonly filtered words and phrases, which is organized into categories. You can use these word categories in content filtering rules, or you can create your own custom word category. A custom word category is a user-customized repository of inappropriate words and phrases. Each word and phrase is assigned a score, which is added to the overall content score. Custom word categories let you determine the relative weight that is assigned to a word or phrase when you use content scoring in a content filtering rule. See "Filtering content with word categories" on page 127. Working with content filtering rules: Table 7-1 lists the tasks that you can use to customize content filtering. Table 7-1, Content filtering rule tasks. View content filtering rules: Symantec Mail Security for Domino lets you view the status of all of the default content filtering rules as well as the rules that you have created. You can view whether the rule is enabled. You can also view a description of the content filtering rule and the type of scan to which the rule applies. See "Viewing content filtering rules status" on page 107. Enable the content filtering rule: To activate content filtering for any type of scanning process, you must enable the rules processing option. See "Enabling the content filtering process" on page 108. Enable default content filtering Select the pre configured content filteri
73. al SESA Agent and to log events to SESA. See "Configuring Symantec Mail Security for Domino to log events to SESA" on page 210. Configuring SESA to recognize Symantec Mail Security for Domino: To configure SESA to receive events from Symantec Mail Security for Domino, run the SESA Integration Wizard that is specific to Symantec Mail Security for Domino on each computer that is running the SESA Manager. The SESA Integration Wizard installs the appropriate integration components for identifying Symantec Mail Security for Domino to SESA. You must run the SESA Integration Wizard for each SESA Manager computer to which you are forwarding events from Symantec Mail Security for Domino. To configure SESA to recognize Symantec Mail Security for Domino: 1. On the computer on which the SESA Manager is installed, insert the Symantec Mail Security for Domino CD into the CD-ROM drive. 2. At the command prompt, change directories on the CD to ADMTOOLS SESA_SIPI_ FOR_SMSDOM. 3. At the command prompt, type java -jar setup.jar. The SESA Integration Wizard starts. 4. Click Next until you see the SESA Domain Administrator Information window. 5. In the SESA Domain Administrator Information window, type the specific information about the SESA Domain Administrator and the SESA Directory. SESA Domain Administrator Name: The name of the SESA Directory Domain Administrator account. SESA Domain Administrator Password: The password for the SESA Directory Domain
74. ar, click Save. Uninstalling SESA: When Symantec Mail Security for Domino is no longer forwarding messages to SESA, you can uninstall the SESA components. Uninstalling the SESA Integration Package: You can uninstall the SESA Integration Package from each computer that is running the SESA Manager. To uninstall the SESA Integration Package: 1. On the taskbar, click Start > Run. 2. At the command prompt, type java -jar setup.jar uninstall. Uninstalling the local SESA Agent: The local SESA Agent is automatically uninstalled when you uninstall Symantec Mail Security for Domino. When more than one product is using the Agent, the uninstall script removes only the Symantec Mail Security for Domino registration and leaves the Agent in place. When no other security products are using the Agent, the uninstall script uninstalls the Agent as well.
75. ary content categories that you specify for that rule. Symantec Mail Security for Domino considers any document with a score that exceeds your specified threshold value to be a content filtering rule violation, and it takes the action that you have specified for the rule. The threshold for a content filtering rule violation might be a single word, phrase, or name, which might appear in the subject line or body of a message, or it might be multiple occurrences as determined by the content score engine. See "Filtering content with word categories" on page 127. About regular expressions: A regular expression is a set of symbols and syntactic elements that is used to match patterns of text. Symantec Mail Security for Domino performs matching on a line-by-line basis. It does not evaluate the line feed (newline) character at the end of each input expression phrase. You can build regular expressions using a combination of normal alphanumeric characters and metacharacters (also called wildcard characters). Metacharacters let you perform pattern matching in text. For example, many spam messages contain a trailing number at the end of the subject line text, as in the following sample subject line: "Here's a hot stock pick 43234". An example of how to write a rule to detect email message subject lines that have trailing numbers using regular expressions is as follows: 0 9 This regular expression contains the normal alphanumeric characters 0 9
76. ases and directories on the Configuration > Inclusions/Exclusions tab. See "Specifying what to scan" on page 74. This option is enabled by default. Under Attachments, select one of the following. "Scan all attachments regardless of extension": Scans all attachments. This option provides the greatest protection against virus attacks and is enabled by default. "Scan attachments with specified file extensions": Scans only those attachments with file name extensions that are listed in the Specified file extensions option on the Configuration > Inclusions/Exclusions tab. To scan for content filtering rule violations, under Content Filtering, check Scan for Content Filtering rule violations. Scanning for content filtering violations is not safe for most databases. Only apply content filtering rules to databases that need to be scanned for a specific type of content filtering rule violation. To scan native MIME message bodies, under Native MIME message bodies, check Scan for malicious HTML in message bodies. When this option is enabled, the message body of the infected document is replaced with the text that is specified on the Configuration > Native MIME tab. See "Customizing the native MIME message" on page 76. To prevent rescanning of documents, under Incremental Scan, check Scan only documents modified since last scheduled scan <last scheduled scan date and time>. Click Reset incremental scan date to reset the date
77. ask is shutdown. DATA_SCAN_CANCEL (Informational, DATA_SCAN): Scheduled Scan sent to run for a set amount of time and does not finish before that time is over; OnDemand Scan stopped from console; Task is shutdown before OnDemand or Scheduled Scan can finish. DATA_SCAN END (Informational, DATA_SCAN): OnDemand or Scheduled Scan completes successfully; Task is shut down for Real-time scan. DATA_SCAN_PAUSE (Informational, DATA_SCAN): Before Updating Settings; Before Updating Definitions. DATA_SCAN_RESUME (Informational, DATA_SCAN): After Updating Settings; After Updating Definitions. DATA_SCAN START (Informational, DATA_SCAN): Initialize time for Real-time; An OnDemand or Scheduled Scan starts. VIRUS_DEFINITION_UPDATE (Informational, DEFUPDATE): Definitions are updated. Security events that are sent to SESA: Table 12-2 lists the security events that Symantec Mail Security for Domino can send to SESA. Table 12-2, Security events that are sent to SESA. GENERIC_CONTENT (Warning, DATA_INCIDENT): Content filtering rule name. SPAM_CONTENT (Warning, DATA_INCIDENT): Spam score. UNSCANNABLE VIOLATION (Warning, DATA_INCIDENT): Virus scan error. VIRUS Warning Deleted Repaired DATA_VIRUS_INCIDENT Detect viruses Minor Quarantined Massemailer Major Infected Log only cleanup Con
78. ate if a connection fails, and whom to notify when the license is about to expire or when new definitions arrive. During a virus outbreak, you might want to perform a LiveUpdate session immediately to receive the most current virus definitions. Symantec Mail Security for Domino lets you run LiveUpdate on demand from the Notes client or from the Domino server console. When you run LiveUpdate on demand, Symantec Mail Security for Domino uses the connection and download settings that you configured in the Settings database. Scheduling LiveUpdate: You can customize LiveUpdate by configuring the following options. Basics: Enable LiveUpdate, indicate whether to save virus definitions file to the Definitions database, indicate on which servers the virus definitions apply, and select the day and time to run LiveUpdate sessions. Connection: Specify how often to attempt to reconnect if the connection with LiveUpdate fails. Notifications: Specify whom to notify for LiveUpdate-related events. To set LiveUpdate basic options: 1. In the Settings view, double-click a server group. 2. In the Group document, on the LiveUpdate tab, on the Basics tab, check Enable LiveUpdate. This option is enabled by default. 3. To replicate the virus definitions database to other Domino servers, check Save downloaded virus definitions in the SMSDOM Definitions database. The Definitions database is only requir
79. ation http://securityresponse.symantec.com: Provides access to the Virus Encyclopedia, which contains information about all known viruses, information about virus hoaxes, and access to white papers about virus and virus threats in general. Installing Symantec Mail Security for Domino. This chapter includes the following topics: Before you install; System requirements; Installing Symantec Mail Security for Domino; Upgrading Symantec Mail Security for Domino; Post installation tasks; About the Symantec Mail Security for Domino user interface; Checking server status; Troubleshooting status errors; Initiating tasks from the Domino console; Uninstalling Symantec Mail Security for Domino. Before you install: Before you install Symantec Mail Security for Domino, become familiar with where the Symantec Mail Security for Domino setup program installs the Symantec Mail Security for Domino software. You should also ensure that your environment meets the system requirements. The Symantec Mail Security for Domino setup program reads the Windows registry to locate the Lotus Domino server and default data directories. In addition to Symantec Mail Security for Domino registry keys, the directories that are created by default, as necessary, are as follows: Lotus Domino Lotus Domino Data SAV Symantec Mail Security for Domino engine Symantec Mail Security for Do
80. attachment is removed. Documents that are quarantined are stored in the Quarantine until you delete them or until they are purged. The icon for this database is identified as SMSDOM Quarantine 4.0 on the Notes client. Symantec Mail Security for Domino Help database (savhelp.nsf): The Help database contains information about the product and the online Help for Symantec Mail Security for Domino. The icon for this database is identified as SMSDOM Help 4.0 on the Notes client. Symantec Mail Security for Domino Definitions database (savdefs.nsf): The Definitions database contains updated virus definitions. Create this database only if you plan to replicate virus definitions across multiple Domino servers. See "To create a replica Definitions database" on page 68. The icon for this database is identified as SMSDOM Definitions 4.0 on the Notes client. About zero-maintenance management: Symantec Mail Security for Domino is self-monitoring, which means that it has a heartbeat function that monitors scan threads to ensure that they are working. When problems occur, Symantec Mail Security for Domino posts the events to the Symantec Mail Security for Domino Log. You can also configure Symantec Mail Security for Domino to post events to Symantec Enterprise Security Architecture (SESA). SESA is an event management system that uses data collection services for events that Symantec and supported third-party products generate.
81. attachments regardless of extension: Scans all attachments. This option provides the greatest protection against virus attacks and is enabled by default. "Scan attachments with specified file extensions": Scans only those attachments with file name extensions that are listed in the Specified file extensions option on the Configuration > Inclusions/Exclusions tab. 8. To scan for content filtering rule violations, under Content Filtering, check Scan for Content Filtering rule violations. Scanning for content filtering violations is not safe for most databases. Only apply content filtering rules to databases that need to be scanned for a specific type of content filtering rule violation. To scan native MIME message bodies, under Native MIME message bodies, check Scan for malicious HTML in message bodies. To limit the scan to documents that are modified after the date that you select, under Incremental Scan, check Scan only documents modified since. Type the date and time for the incremental scan. Symantec Mail Security for Domino uses the current date format that is set on the system, regardless of what is typed. On the Action bar, click Save. To configure scan now actions settings: 1. In the Group document, on the Scan tab, on the Actions tab, under When a virus is detected, select one of the following. Log only: Logs the detection b
82. attribute and the value. Available comparison options change depending on the attribute that you select. For example, if you select Size as the attribute, the available comparison options are > (greater than), < (less than), equal to, and <> (not equal to). Other attributes might yield different sets of options. When you select the Body attribute, along with the comparison options, you also see an option to ignore the case, which lets you specify a value in any combination of uppercase or lowercase letters. Table 7-5, Content filtering expression options. Value: Specifies the word, phrase, or numerical quantity that limits the attribute of the rule in one way or the other, as defined by the selected comparison relationship. The type of attribute that is selected dictates the type of value that you enter. For example, if you select the Size attribute, you must type a number as the value. When you type file name extensions, omit the dot before the extension. Values can include single-byte or multi-byte characters. When you select Content Score as the Attribute, in the value box, Symantec Mail Security for Domino provides the list of word categories from which you can select. You must also type the numerical value for the comparison with the Content Score. See "Creating a content filtering rule that uses word categories" on page 134.
83. ave the latest virus definitions 0115 2004 05 28 PM Warning SMSDOM detected the spam violation Spam score 99 in database DOCS Scan Reports Mailbox document NTO000093A author notes admin info component Message Incidents body The document is identified as spam mail Statistics 01 15 2004 05 27 PM Warning SMSDOM detected the spam violation Spam score 99 in database DOCS Mailbox document NTO0000936 author notes admin into component Message body Reporting The document is identified as spam mail 01 15 2004 04 36 PM Server Warning SMSDOM Your content license has EXPIRED the grace period ends in 12 day s 01 15 2004 04 36 PM Server Warning SMSDOM Your product license has EXPIRED the grace period ends in 12 day s 01 15 2004 02 52 PM Warning SMSDOM detected the content fitering rule violation Confidental information in database d docs document NT0000091 A author notes adminjinfo components The document was QUARANTINED 0115 2004 12 22 PM Critical SMSDOM detected the viruses Another World 707 Jeru 1808 Gergana 182 W95 Horn 1862 Hydra 1 Jeru 1808 Frere Jac in database c docs document NT00000916 author notes admin nfo components world707 amg jeru amg 7 gergana amg horn1862 amg hydra amg frere amg The document was Information No Violation QUARANTINED Server Waming Violation eno ye a 011512004 12 22 PM Critical SMSDOM detected the viruses Another World 707 Jeru 1808 Gergana 182 Waming Viola
84. avenue in which a virus can penetrate your site. For complete virus protection, ensure that every computer and workstation at your site is protected by a desktop antivirus solution. What's new in Symantec Mail Security for Domino: Table 1-1 lists the new product features in Symantec Mail Security for Domino. Table 1-1, New features. Spam detection: Symantec Mail Security for Domino scans incoming email messages to determine whether they are spam, based on the contents of the messages compared to known spam characteristics. Symantec Mail Security for Domino uses a heuristic anti-spam engine to detect unwanted email messages and a white list to eliminate the incidents of false positives. See "Filtering spam" on page 102. Lotus Notes and Domino 6.5 support: Symantec Mail Security for Domino fully supports installation and operation on Lotus Domino 6.5 servers and clients. See "System requirements" on page 30. Mass mailer cleanup: This feature enhances virus outbreak management by automatically deleting infected mass mailer messages and their attachments during a mass mailer outbreak. No anti-spam or content filtering scans are performed on mass mailer infected messages, which frees critical system resources that are needed during an outbreak. See "Setting basic antivirus options" on page 94. Encrypted container file disposition: You can specify how to dispose of a container file that cannot be scanned because it is encr
85. c Symantec Mail Security for Domino prepends the SAV Alerts prefix to the name that you specify. On the Action bar, click Save. To delete an alert: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Configuration tab, on the Alerts tab, double-click the alert that you want to delete. 3. On the Action bar, click Delete. 4. In the confirmation dialog box, click Yes. Establishing antivirus protection. This chapter includes the following topics: About antivirus protection; Establishing antivirus scanning policies. About antivirus protection: Symantec Mail Security for Domino detects viruses, worms, and Trojan horses in all major file types (for example, Windows files, DOS files, Microsoft Word and Excel files). The outbreak detection feature automatically detects virus outbreaks and sends an alert notification to whomever you designate. Symantec Mail Security for Domino also includes a decomposer that handles most container compressed and archive file formats and nested levels of files, including Zip and RAR. To enhance scanning performance, Symantec Mail Security for Domino contains default settings that limit the depth to which container or compressed files are scanned, but you can modify these settings. You can also limit scanning to certain file types based on file name extension. See "Specifying what to scan" on page 74. Symantec Mail Security for Domino uses the following te
86. cess the Software over that network; D. use the Software in accordance with any written agreement between You and Symantec; and E. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees in writing to the terms of this license. You may not: A. copy the printed documentation that accompanies the Software; B. sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; C. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement; D. use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed; E. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; F. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; nor G. use the Software in any manner not author
87. checked by default. When the installation is complete, click Exit. Restart the Lotus Domino server. When the Lotus Domino server is restarted, the databases that you choose to keep during the installation process will be upgraded. You can verify that the previous databases were properly upgraded by viewing the server console messages. Any new databases are created from templates and placed in the SAV subdirectory of your default Data directory. A ReadMe text file and a PDF version of the Symantec Mail Security for Domino Implementation Guide are also placed in this directory. Post-installation tasks: After you install or upgrade to Symantec Mail Security for Domino, you should perform the post-installation tasks that are described in Figure 2-1. Table 2-1, Post-installation tasks. Sign the Symantec Mail Security for Domino databases: Before you open the databases for the first time, sign the Symantec Mail Security for Domino databases with a trusted Notes ID file using the Domino Administrator client. See "Signing Symantec Mail Security for Domino databases" on page 37. Set access control: The access control settings establish who can access the Symantec Mail Security for Domino databases. See "Setting access control for Symantec Mail Security for Domino databases" on page 38. Place Symantec Mail Security for Domino database
88. chment where the cumulative size of all extracted files exceeds 200 MBs; Attachment where the number of files extracted exceeds 5000. 3. On the Action bar, click Save. Defining antivirus action policies: Action policies define what action Symantec Mail Security for Domino takes when a virus is detected or when a document is unable to be scanned. Unscannable documents might include encrypted container files or files that result in a scan error for any reason. If you choose the option to Delete the infected attachment, Symantec Mail Security for Domino saves the deleted attachment as a backup document in the Quarantine by default. When Symantec Mail Security for Domino detects a virus inside a container file, it deletes the container file and everything in it. When a container file is comprised of both infected and uninfected files, the entire container file and all the files inside it might be deleted. Symantec Mail Security for Domino scans ID-signed documents for viruses, but it must break the signature to repair an infected document. When the Repair signed documents option is enabled, Symantec Mail Security for Domino breaks the signature and attempts to repair the document. When the Repair signed document option is not enabled and Symantec Mail Security for Domino detects a virus in an ID-signed document, it treats the document as unrepairable. If this op
89. chnologies to protect your system from viruses. Bloodhound: Provides heuristic detection of new or unknown viruses. NAVEX: Provides protection from new classes of viruses automatically through LiveUpdate. Striker: Detects polymorphic viruses. When a new virus is identified, information about the virus (a virus signature) is stored in a virus definitions file. The virus definitions file is updated automatically through LiveUpdate. When Symantec Mail Security for Domino scans for viruses, it searches for these virus signatures. To supplement the detection of virus infections by virus signature, Symantec Mail Security for Domino uses Bloodhound technology. Bloodhound technology uses heuristics to detect new or unknown viruses based on the general characteristics that are exhibited by known viruses. About Bloodhound heuristic technology: Symantec engineers have developed two types of heuristics for the detection of unknown viruses. The first, Bloodhound, is capable of detecting over 80 percent of new and unknown executable file viruses. The second, Bloodhound Macro, detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound requires minimal overhead because it examines only programs and documents that meet stringent prerequisites. If Symantec Bloodhound technology identifies suspicious behavior in an executable file, it copies the file into its
90. ck the appropriate server group. On the LiveUpdate tab, on the Basics tab, click Enable LiveUpdate. This option is enabled by default. Check Save downloaded virus definitions in the SMSDOM Definitions database. Click All servers in this group. You must select this option to avoid replication save conflicts. On the Action bar, click Create SMSDOM Definitions Database to create the Definitions database. Ensure that you (the administrator) and LocalDomainServers are in the Access Control List of savdefs.nsf with Manager access and that Delete Documents is enabled. The LocalDomainServers group contains all of the servers to which you plan to replicate. See "Setting access control for Symantec Mail Security for Domino databases" on page 38. Create replicas of the hub for the Definitions database on the other Domino servers that run Symantec Mail Security for Domino. The savdefs.nsf database must reside in the <Domino server data directory>\SAV directory on the other Domino servers and must be named savdefs.nsf. The next time that a scheduled LiveUpdate runs, updated virus definitions are downloaded to the Definitions database. The new virus definitions set is marked as active. The updated definitions are distributed to the other replicas when a manual or scheduled replication occurs. Customizing server groups: When setting u
91. claimer message has already been added to the email message. This prevents servers that use the same disclaimer mark from adding the same header or footer message multiple times as an email message passes through routing servers. The first time that Symantec Mail Security for Domino adds your specified disclaimer header or footer text to the email message, it also adds your custom disclaimer mark. Choose a unique string that another organization is unlikely to use, for example, your organization's name. You can use one disclaimer mark across all server groups in your organization, or you can use different disclaimer marks for each server group. To configure disclaimer options: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Configuration tab, on the Disclaimers tab, in the Disclaimer mark box, type the appropriate disclaimer mark. 3. To enable disclaimers, do one of the following: under Disclaimer headers, check Enable disclaimer headers, and then type the text that you want to appear in the disclaimer header; under Disclaimer footers, check Enable disclaimer footers, and then type the text that you want to appear in the disclaimer footer. 4. On the Action bar, click Save. Configuring logging options: You can select which events are logged and to which logging destinations. Symantec Mail Security for Domino automatica
92. criteria consist of the detection method to use (basic or advanced) and the number of times that suspicious incidents must occur over a specified time to qualify as an outbreak. The basic detection method tallies all of the viruses that are detected. The advanced detection method only tallies viruses that have the same characteristics. For example, given a threshold of 10 viruses in 10 minutes, a count of nine KakWorm infections and nine Nimda infections would cause the basic option to trigger an outbreak, but not the advanced option. However, a count of 10 KakWorm and two Nimda infections would cause both the basic and advanced options to trigger an outbreak. Define who to notify when the criteria for a virus outbreak are met. The outbreak management settings in Symantec Mail Security for Domino are enabled by default. Symantec Mail Security for Domino is configured to report an outbreak incident in the Symantec Mail Security for Domino Log when it detects more than 30 viruses of any type within 10 minutes. You must specify who to alert when an outbreak occurs. You can change the number of virus detections that are necessary to trigger an outbreak notification and the time span in which the possible infections are detected. There are no set guidelines to use when specifying frequencies, so take into account the threat potential of the type of documents that are be
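The basic and advanced tallies described in item 92, replayed over the manual's own 10-in-10-minutes figures. This is an added example, not code from the manual or from Symantec: the class and function names, the sample detections and the rule that a tally reaching the threshold counts as an outbreak (which matches the worked example above) are assumptions.

```python
"""Sliding-window outbreak detection: basic vs. advanced tallying (added example)."""
from collections import Counter, deque
from datetime import datetime, timedelta


class OutbreakDetector:
    """Counts detections inside a sliding time window.

    mode="basic"    tallies every detection, whatever the virus name.
    mode="advanced" tallies each virus name separately.
    Assumption: an outbreak is declared when a tally reaches the threshold,
    which is how the 10-in-10-minutes example in the text behaves.
    """

    def __init__(self, threshold, window, mode="basic"):
        if mode not in ("basic", "advanced"):
            raise ValueError("mode must be 'basic' or 'advanced'")
        self.threshold = threshold
        self.window = window
        self.mode = mode
        self._events = deque()      # (timestamp, virus_name), oldest first
        self._per_name = Counter()  # live tally per virus name

    def _evict(self, now):
        # Drop detections that have aged out of the window.
        while self._events and now - self._events[0][0] >= self.window:
            _, name = self._events.popleft()
            self._per_name[name] -= 1
            if self._per_name[name] == 0:
                del self._per_name[name]

    def record(self, when, virus_name):
        """Add one detection; return True if the window now qualifies."""
        self._evict(when)
        self._events.append((when, virus_name))
        self._per_name[virus_name] += 1
        if self.mode == "basic":
            tally = len(self._events)
        else:
            tally = max(self._per_name.values())
        return tally >= self.threshold


def first_outbreak(detections, threshold, window, mode):
    """Replay (timestamp, name) pairs in time order.

    Returns the timestamp of the first detection that triggers, or None.
    """
    detector = OutbreakDetector(threshold, window, mode)
    for when, name in sorted(detections):
        if detector.record(when, name):
            return when
    return None


def burst(start, names, spacing):
    """Constructed sample data: one detection per name, `spacing` apart."""
    return [(start + i * spacing, n) for i, n in enumerate(names)]


T0 = datetime(2004, 1, 15, 12, 0)   # constructed timestamp
WINDOW = timedelta(minutes=10)
THRESHOLD = 10

# Nine KakWorm and nine Nimda detections, interleaved, 30 seconds apart.
MIXED = burst(T0, ["KakWorm", "Nimda"] * 9, timedelta(seconds=30))
# Ten KakWorm and two Nimda detections, 30 seconds apart.
SINGLE = burst(T0, ["KakWorm"] * 10 + ["Nimda"] * 2, timedelta(seconds=30))
# Ten KakWorm detections two minutes apart: never ten inside one window.
SLOW = burst(T0, ["KakWorm"] * 10, timedelta(minutes=2))

if __name__ == "__main__":
    for label, data in (("mixed", MIXED), ("single", SINGLE), ("slow", SLOW)):
        for mode in ("basic", "advanced"):
            print(label, mode, first_outbreak(data, THRESHOLD, WINDOW, mode))
```

The slow case shows why the time span matters as much as the count: the same ten detections spread over 18 minutes never qualify under either method.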
93. ct the server on which the agent is to run, and then click OK. In the Purge Options dialog box, click Enable Purge Agent to enable the agent. If you receive an error message that indicates that you do not have execution access privileges, contact your administrator to grant you the appropriate purge agent rights. See "Granting rights to run unrestricted agents" on page 41. Click OK. Integrating Symantec Mail Security for Domino with SESA. This chapter includes the following topics: About SESA; Interpreting Symantec Mail Security for Domino events in SESA; Configuring logging to SESA; Uninstalling SESA. About SESA: In addition to using the Symantec Mail Security for Domino Log, you can also log events to the Symantec Enterprise Security Architecture (SESA). SESA is an underlying software infrastructure and a common user interface framework. It integrates multiple Symantec Enterprise Security products and third-party products to provide a central point of control of security within an organization. It provides a common management framework for SESA-enabled security products, such as Symantec Mail Security for Domino, that protect your IT infrastructure from malicious code, intrusions, and blended threats. SESA increases your organization's security posture by simplifying the task of monitoring and managing the multitude of security-related events and products that exist in today's corporate environments. SESA includes
94. ct who should receive the email notifications. 3. On the Action bar, click Save. Performing LiveUpdate on demand. You can immediately update virus definitions using the Lotus Notes client or the Domino server. To perform LiveUpdate on demand using the Lotus Notes client: 1. In the Settings view, double-click a server group. 2. In the Group options, on the LiveUpdate tab, on the Action bar, click Run LiveUpdate Now. 3. In the LiveUpdate Status document, on the Action bar, click Check LiveUpdate Status. A status message appears when LiveUpdate completes the updates. See "LiveUpdate status errors" on page 49. To perform LiveUpdate on demand using the Domino server: 1. On the Domino server, on the Windows taskbar, click Start > Programs > Symantec Mail Security for Domino > LiveUpdate. 2. Follow the on-screen instructions to update virus definitions. Updating virus protection without LiveUpdate. Symantec provides the latest virus definitions files for download on the Symantec Web site (http://www.symantec.com) through Intelligent Updater. The name of the Intelligent Updater file, which changes with each update, uses the following format: yyyymmdd-vvv-Pbb.exe, where yyyy = Year, mm = Month, dd = Day, vvv = Version, P = Processor (I = Intel, A = Alpha), and bb = Platform (16 = 16-bit, 32 = 32-bit). For example, 20040204-003-I32.exe is the February 4 build, version three, Intel, 32-bit update for Win
95. curity for Domino. Symantec Mail Security for Domino supports upgrades from Symantec AntiVirus Filtering for Domino version 3.0.x or later to version 4.0. You must have a valid content license and product license to receive updated virus definitions files through LiveUpdate and to operate any of the Symantec Mail Security for Domino scanning functions. For more information about how to obtain and install your license file after you complete the upgrade to Symantec Mail Security for Domino, open the Settings database and select the Licensing tab. See "About licensing" on page 55. If you have multiple Lotus Domino partitions on the same server, you must have a separate Symantec Mail Security for Domino database for each partition. The installation program detects multiple partitions and lets you specify the partitions on which to install Symantec Mail Security for Domino. To facilitate enterprise-wide management of Symantec Mail Security for Domino, you can replicate the Symantec Mail Security for Domino databases to other servers that run Symantec Mail Security for Domino. With replication, you can configure Symantec Mail Security for Domino settings from a single server, report virus incidents and statistics for all servers, and use a single virus definitions update to maintain current protection for all servers. See "About administering Symantec Mail Security for Domino on multiple servers" on page 63. When you upgrade to Sy
96. d; Total documents clean; Total documents quarantined; Total documents deleted; Total documents ignored; Time to complete the scan. Table 10-2: Message and incident document information. All Incidents, Virus Incidents, Spam Detection Incidents, Content Filtering Incidents: The Incident document contains the following information: Server: Server on which the incident occurred; Scanned: Date and time that the incident was detected; Findings: Name of the viruses or content filtering rules that triggered the violation; Action: Final disposition of the document; Author: Email message author; Subject: Email message subject line; Created: Date and time that the document was created; Modified: Date and time that the document was last modified; Accessed: Date that the document was last accessed; Updated by: Server on which the document was updated; Recipients: Intended recipients of the email message; Database: Database on which the message was created; Scan type: Type of scan that detected the incident; Definitions date (virus infections only): Date of the active definitions set (see "Managing the Definitions database" on page 159); Scan actions: Action tab settings in the Settings database for that particular scan (auto-protect scans, scheduled scans, scan now, and content filtering scans). See "Defining antivirus action policies" on
97. d product license files. If you purchased Symantec Mail Security for Domino Small Business Edition, for details about how to renew the content and product licenses for your product, visit the following Web site: http://www.symantecstore.com/renew. Administering Symantec Mail Security for Domino on multiple servers. This chapter includes the following topics: About administering Symantec Mail Security for Domino on multiple servers; Managing multiple servers; Customizing server groups. About administering Symantec Mail Security for Domino on multiple servers. You can simplify the creation and management of Symantec Mail Security for Domino databases across multiple Lotus Domino servers. Choose a single server on which to manage Symantec Mail Security for Domino and receive updated virus definitions. Use Lotus Domino replication technology to synchronize the Symantec Mail Security for Domino databases on the managed server with other servers. You can also use the replication process to send statistics and reports on incidents for all of the servers to the managed server. See "Managing multiple servers" on page 64. For more information about database replication, see your Lotus Domino documentation. Managing multiple servers. Use server groups to simplify the manage
98. days of the week that you want the scheduled scan to run. All of the days are selected by default. Under Times and/or time ranges, type a single time for the scan to start, or time ranges for the scan to start and stop. The default settings are 4:00 A.M. - 6:00 A.M. To immediately perform a scan after virus definitions files are updated, check Also run this scan after a successful LiveUpdate. On the Action bar, click Save. To configure What to scan settings for scheduled scans: 1. In the Scheduled Scan document, on the What to scan tab, under Databases, select one of the following: All databases in the default directory: Scans every database in the Domino Data directory (default location) for each server in the server group. This option is enabled by default. The following databases and directories: Scans only the databases and directories that you specify. Type the databases and directories to scan. Separate multiple entries with semicolons. To scan subdirectories, check Include subdirectories. Enabling this option scans the descending subdirectories of the default data directory or the directories that you specified. This option is enabled by default. To exclude specific databases or directories from the scan, under Databases, check Exclude specified databases and directories from scan. You must first select these datab
99. document details and scan details. If you are assigned the CFContentViewer role, you can view the body of the document that contains the violation. Create a comment in the Quarantined Document: Add your customized comments in the Quarantined Document. Modify, save, delete, or add attachments: Save attachments to a specified location, delete attachments, or add your own attachment to the file before you release the document. Release a document from the Quarantine: Release a document from Quarantine. Content filtering rule violation documents are not rescanned when they are released from the Quarantine. Delete a content filtering rule violation document from the database: Delete the quarantined document and all of its attachments from the Quarantine database. To view the Quarantined Document: 1. In the Quarantine, in the left pane, under Quarantined Documents, select one of the following views: All Quarantined Documents; By Recipient; By SMTPOriginator; Content Filtering Violations. 2. In the right pane, double-click a document to view the Quarantined Document. 3. On the Action bar, click View Content Violations.
100. documents 76; Configuring disclaimer options 77; Configuring logging options 78; Configuring trusted server options 79; Configuring alerts 80. Establishing antivirus protection: About antivirus protection 91; Establishing antivirus scanning policies 94; Setting basic antivirus options; Setting container limits; Defining antivirus action policies; Managing outbreak detection. Filtering spam and unwanted content: About [...] 101; Filtering spam 102; Configuring anti-spam settings 103; Managing a white list 104; Filtering unwanted content 105; Working with content filtering rules
101. dows 9x/NT/2000. Note: Use the Windows NT version of Intelligent Updater for Symantec Mail Security for Domino. To update virus protection without LiveUpdate: 1. In a Web browser, type the following address: www.symantec.com. On the Symantec home page, click the Downloads link. On the downloads Web page, click the Virus Definitions Updates link. On the Security Response Web page, click the Download Virus Definitions (Intelligent Updater Only) link. In the list of Symantec products, click Norton AntiVirus for Lotus Notes. The program file supports multiple versions of Symantec antivirus software, including Symantec Mail Security for Domino. Click Download Updates. Click the program file to begin the download. Save the definitions update program to any directory on the server. Run the definitions update program. The update program reads the Windows NT registry and installs the necessary files in the proper locations. When the update is complete, delete the definitions update program. Checking the status of your content license. A content license is required to update Symantec corporate software with the latest associated content, such as new virus definitions, through LiveUpdate. A valid content license ensures that servers remain protected with the latest virus definitions. A license affects the relevant behavior only. When a content license is
102. e DDR is a multilingual, context-sensitive content analysis technology that evaluates documents against scoring thresholds that you define. When documents exceed the scores, Symantec Mail Security for Domino handles the document according to the settings that you configure. Symantec Mail Security for Domino lets you create content filtering rules to apply to Notes document writes and incoming email messages. The rules provide a front-end defense against unwanted content for a server group. These rules expand the control that administrators have to block objectionable email messages and other documents that are created in Lotus Notes databases. You can set up, edit, or delete as many content filtering rules as you need. Each rule specifies the category to search (subject line, sender, or file size, for example) and defines the condition that triggers a content filtering rule violation. You can enable or disable the content filtering process or individual rules. See "Creating a content filtering rule" on page 109. You can create match lists and custom word categories and then use them in content filtering rules. Match lists let you create a list of words and phrases that are tailored to your company or industry. You can then create a content filtering rule to evaluate content for words in your match list. See "Using a match list" on page 124. Symantec M
103. e SESA Agent is already installed on the same computer, this option does not display. In the Primary SESA Manager IP address or host name box, type the IP address or host name of the computer on which the primary SESA Manager is running. If SESA is configured to use anonymous SSL (the default setting), type the IP address of the primary SESA Manager. If SESA is configured to use authenticated SSL, type the host name of the primary SESA Manager (for example, computer.company.com). In the Primary SESA Manager port number box, type the port number on which the SESA Manager listens. The default port number is 443. If you are running a Secondary SESA Manager that is to receive events from Symantec Mail Security for Domino, do the following: In the Secondary SESA Manager IP address or host name box, type the IP address or host name of the computer on which the Secondary SESA Manager is running. In the Secondary SESA Manager port number box, type the port number on which the Secondary SESA Manager listens. The default port number is 443. In the Organizational Unit Domain name box, type the organizational unit distinguished name to which the Agent will belong. If the organizational unit is unknown or not yet configured, this setting can be left blank. Use the following format: ou=Europe,ou=Locations,dc=SES,o=symc_ses. The domain's dc
104. e Software You have licensed is a specified Symantec AntiVirus(tm) for a corresponding third party product or platform, You may only use that specified Software with the corresponding product or platform. You may not allow any computer to access the Software other than a computer using the specified product or platform. In the event that You wish to use the Software with a certain product or platform for which there is no specified Software, You may use Symantec AntiVirus Scan Engine. B. If the Software you have licensed is Symantec AntiVirus utilizing Web Server optional licensing as set forth in the License Module, the following additional use(s) and restriction(s) apply: (i) You may use the Software only with files that are received from third parties through a web server; (ii) You may use the Software only with files received from less than 10,000 unique third parties per month; and (iii) You may not charge or assess a fee for use of the Software for Your internal business. C. If the Software You have licensed is Symantec AntiVirus Corporate Edition, You may not use the Software on or with devices on Your network running embedded operating systems specifically supporting network attached storage functionality without separately licensing a version of such Software specifically licensed for a specific type of network attached storage device under a License Module. D. If the Software You have licensed is Symantec Mail Security for a corres
105. e body of the email message for the alert. The default text is: Please contact your system administrator. Use tokens to customize the subject or body of the email message alert, as necessary. See "About tokens for customizing email message alerts" on page 80. To include the action that was taken by Symantec Mail Security for Domino in the email message alert to the document author, click Report action taken by Symantec Mail Security for Domino. This option is enabled by default. To include information about the violation from the Log in the email message, click Include violation information from the log. This option is enabled by default. On the Action bar, click Save. To set alert message options for the document recipient: 1. In the Alert Notification document, on the Alert Messages tab, on the Document Recipient tab, check Send following alert to intended recipients. 2. Under Custom text to document recipients, in the Subject field, type the subject line of the email message for the alert. The default text is: SMSDOM detected a violation in a document sent to you. Use tokens to customize the subject or body of the email message alert, as necessary. See "About tokens for customizing email message alerts" on page 80. 3. In the Body field, type the body of the email message for the alert. The default text is: SMSDOM has detected a violation Please contact your
106. e must be violated before Symantec Mail Security for Domino flags the document as violating the entire rule. When an entire rule is violated, Symantec Mail Security for Domino takes action based on the action settings for the content filtering rule. Content dictionaries and categories. Symantec Mail Security for Domino includes a dictionary, or repository, of commonly filtered words and phrases. These words and phrases are organized into categories against which you can run content filtering rules. The contents of the vendor-supplied word categories are proprietary and cannot be viewed or modified. You can also create your own custom word categories and words against which to filter. When you add a word or phrase to a custom word category that already exists in a vendor-supplied category, your custom entry supersedes the vendor-supplied entry. Custom words and categories are stored in sav.nsf, apart from the vendor-supplied database. Whether you use the vendor-supplied categories of words or your own words and categories, you can select which categories of words to turn on or off for scoring in a content filtering rule. When Symantec Mail Security for Domino finds a word in a category that is turned off, it ignores it for the purposes of scoring. Note: You can only create custom word categories in single-byte ASCII characters. You can add words to that category in single-byte or multi-byte characters, but the words must be in the default lang
107. e same manner as any Lotus Domino add-in software. Symantec Mail Security for Domino includes a setup option that lets you retain existing Symantec Mail Security for Domino databases. To uninstall Symantec Mail Security for Domino: 1. Turn off the Lotus Domino server. 2. If a Notes client is running on the server, exit the client. As a best practice, always run the Lotus Notes or Web client on a computer other than the Lotus Domino server. On the Domino server on which Symantec Mail Security for Domino is installed, on the Windows taskbar, click Start > Programs > Symantec Mail Security for Domino > Uninstall Symantec Mail Security for Domino. In the confirmation window, click Yes. When prompted to keep existing Symantec Mail Security for Domino databases and statistics, select the databases and statistics descriptions that you want to keep. When the uninstallation is complete, in the Remove Programs From Your Computer dialog box, click OK. You can also uninstall Symantec Mail Security for Domino from the Control Panel by using the Add/Remove Programs option. Activating your Symantec Mail Security for Domino licenses. This chapter includes the following topics: About licensing; Activating a license file; Distributing license files to multiple Domino servers; Renewing licenses. About licensing. Key features for Symantec Mail Security for Domino, which include scanning functionality and virus definitions updates
108. e violation. To view content filtering rules status: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Content Filtering tab, click the Rules tab to display the list of content filtering rules and their statuses. Enabling the content filtering process. To configure Symantec Mail Security for Domino to perform content filtering, you must enable the content filtering rules processing. Symantec Mail Security for Domino applies only the content filtering rules that are enabled during a content filtering scan. You must also enable the individual content filtering rules that you want to use during the scanning process. See "Setting the basic options for a content filtering rule" on page 110. To enable the content filtering process: 1. In the Group document, on the Content Filtering tab, on the Basics tab, check Enable rules processing. 2. On the Action bar, click Save. Enabling default content filtering rules. Symantec Mail Security for Domino has several default content filtering rules that are preconfigured for you. Default content filtering rules are part of the Unassigned Servers settings. To use any of these rules, you must copy the Unassigned Server settings to a new server group, which you must create. You can disable or delete any rules that are no longer needed. See Copying settings to create a new Se
109. eases. The Bloodhound heuristic virus technology is an advanced heuristic technology that detects a high percentage of new or unknown viruses that have not yet been analyzed by antivirus researchers. Symantec Mail Security for Domino lets you set the resource demand level. In most cases, the default Med (medium) setting is appropriate. When the mass mailer cleanup feature is not enabled, an infected mass mailer email message is treated the same as a virus-infected message. When it is enabled, when Symantec Mail Security for Domino detects that an email message is a mass mailer worm or virus, it automatically deletes the infected email message and all of its attachments. To reserve system resources, no anti-spam or content filtering scan is performed on mass mailer email messages. Symantec Mail Security for Domino also will not create a backup copy before it deletes the email message or its attachments, even if you have selected this option on the Configuration > Backup tab. Mass mailer detection is logged to the specified logging destinations. You can view the Server Status document to determine whether the mass mailer cleanup feature is enabled, and you can see a count of how many mass mailer email messages were deleted. The line items in the Server Status document for Files Infected and Files Deleted include mass mailer email messages along with regular type
110. ecurity for Domino can perform the following types of scans: Auto-protect: Detects viruses in real time as email messages and documents are routed through the Lotus Domino server. See "About auto-protect scanning" on page 138. Scan now: Lets you perform a scan on demand. See "About scan now scanning" on page 139. Scheduled scan: Lets you configure Symantec Mail Security for Domino to scan the Domino server on a regular schedule. See "About scheduled scanning" on page 143. About auto-protect scanning. Auto-protect provides continuous protection against viruses, spam, and content filtering rule violations. When you enable auto-protect scanning, Symantec Mail Security for Domino scans email messages as they pass through the Domino server and scans documents as they are written. Infected documents, spam messages, and content filtering rule violations are detected on a real-time basis. If you turn off the auto-protect scanning feature, viruses, spam, and content filtering rule violations can only be detected by performing scheduled scan or scan now. The auto-protect feature for email routing and document writes is enabled by default to provide you with the most secure settings upon installation. Warning: Turning off the auto-protect feature leaves your server vulnerable to attacks. You should keep this feature enabled. Con
111. ed: Specifies that the query be run on a schedule that you specify under Scheduling. 3. To specify the period of time that the query is to gather information, under Manual Reporting Range, do the following: Type a beginning and end date, or click the calendar to select a date. Type a beginning and end time, or select a time in quarter-hour increments from the list. Use the DOWN ARROW to scroll, and click the check mark to close the view and insert your selection. 4. To specify the interval in which to run the query, under Scheduling, check Enable Scheduled Report, and then select one of the following: Daily: This option runs the query every day at 3:00 A.M. Weekly: After you set and save the Run Interval to Weekly, the query runs at 3:00 A.M. It runs every 7 days thereafter at 3:00 A.M. For example, if you set the configuration on Monday at 10:00 A.M., the query will run the next morning at 3:00 A.M. The query will run again the following Tuesday morning at 3:00 A.M., and each Tuesday morning at 3:00 A.M. thereafter until the configuration is changed or the agent is disabled. Monthly: After you set and save the Run Interval to Monthly, the query runs at 3:00 A.M. It runs every 30 days thereafter at 3:00 A.M. For example, if you set the configuration on Monday at 10:00 A.M., the query will run the next morning at 3:00 A.M. The query will run again in another 30 days at 3:00 A.M., and every 30 days at 3:00 A.M. thereafter until the conf
112. ed if you plan to replicate virus definitions to other servers. When you select this option, Symantec Mail Security for Domino automatically creates a Definitions database if one does not exist. Leave this option unchecked when you have Symantec Mail Security for Domino installed on a single Domino server or you do not plan to replicate the Definitions database. Select one of the following: All servers in this group: LiveUpdate downloads virus definitions files to all of the servers in the selected server group. This option is enabled by default. The following server: If you choose to replicate virus definitions, then you must select an individual server to run LiveUpdate; otherwise, you may experience save conflicts. Select the appropriate server. Ensure that Save downloaded virus definitions in the SMSDOM Definitions database is checked. Under Time of day to run, type the time of day or a range in which to run LiveUpdate. If you are configuring LiveUpdate on a high-traffic network, select an off-peak time. The default setting is 3:00 A.M. Under Run LiveUpdate, select the frequency in which to run LiveUpdate. Generally, weekly updates are sufficient. In a critical installation, run LiveUpdate daily. The default setting is daily. On the Action bar, click Save. To set LiveUpdate connection options: 1. In the Group document, on the LiveUpdate tab, on the Connection tab
113. Accessing Symantec Mail Security for Domino 39; Granting rights to run unrestricted agents 41; Modifying the number of processing threads 43; Optimizing Symantec Mail Security for Domino performance 43; About the Symantec Mail Security for Domino user interface 44; Checking server status 46; Troubleshooting status errors 47; Server status errors 47; License installation status errors 48; Scan status errors 49; LiveUpdate status errors 49; Initiating tasks from the Domino console 50; Performing tasks from the Domino console 50; Performing on demand scanning from the Domino server console 52; Uninstalling Symantec Mail Security for Domino 54. Chapter 3, Activating your Symantec Mail Security for Domino licenses: About licensing 55; Activating a license file
114. eleted attachment as a backup document in the Quarantine. When scheduled scanning is enabled, if Symantec Mail Security for Domino detects a virus inside a container file, it deletes the container file and everything in it. When a container file is comprised of both infected and uninfected files, the entire container file and all the files inside it might be deleted. If you choose to quarantine infected documents, you must open those documents in the Quarantine to process the infected documents. You must have the appropriate Role assignments to view quarantined documents. See "About releasing documents from the Quarantine" on page 189. See "Assigning Quarantine roles" on page 186. Configuring scheduled scans. You can create new scheduled scans or modify existing ones. When you no longer need a scheduled scan, you can delete it from the scheduled scan list. Configure scheduled scans. After you create a scheduled scan, you must configure the following scan settings: Basics: Provides a description of the scan, the option to enable the scan, and a list of servers that are included in the scan. Schedule: Contains the scheduled date and time for the scheduled scan. What to Scan: Contains settings for which databases and directories to scan, which types of attachments to scan, whether to perform content filtering when scanning, whether to
115. ent filtering rules as you need. Each rule specifies the category to search and defines the condition that triggers a content filtering rule violation. See "Filtering unwanted content" on page 105. Filtering spam. Symantec Mail Security for Domino uses a pattern-matching engine to compare the content of incoming email messages to a list of spam characteristics. A message that contains many spam characteristics is more likely to be spam than a message that contains few spam characteristics. Based on this analysis, Symantec Mail Security for Domino estimates the likelihood that the message is spam. Symantec Mail Security for Domino lets you configure the threshold for marking an email message as spam. When the anti-spam detection level is set to Low, messages must contain many spam characteristics before they are flagged as spam. When the level is set to High, messages that contain only a few spam characteristics are flagged. See "Configuring anti-spam settings" on page 103. To reduce the incidents of false positives and to enhance scanning performance, use the white list to identify which email messages can bypass anti-spam scanning. When Symantec Mail Security for Domino encounters a message that contains an address in the white list, it lets the message bypass anti-spam scanning. This ensures that messages from trusted senders do not get marked as spam. See "Managing a white list" on page 104. Symantec Mail Security for Domi
116. In the right pane, select the documents that you want to release from the Quarantine. On the Action bar, click Release from Quarantine. Documents will be rescanned and then delivered to their destinations. In the confirmation dialog box, click Yes. Released documents remain in the Quarantine until Symantec Mail Security for Domino purges them or you delete them. To delete a quarantined document from the database: 1. In the Quarantine, in the left pane, under Quarantined Documents, select one of the following views: All Quarantined Documents; By Recipient; By SMTPOriginator; Virus Infections. 2. In the right pane, select the document that you want to delete. 3. On the Action bar, click Delete. A black X appears to the lef
117. er expression on either side of the pipe. For example, exe|com|zip matches exe, com, or zip. [string] Brackets: Inside the brackets, matches a single character or collating element, as in a list. The string inside the brackets is evaluated literally, as if an escape character were placed before each character in the string. If the initial character in the brackets is a circumflex, then the expression matches any character or collating element except those inside the bracket expression. Specify character ranges with a dash between two characters or collating sequences to indicate the range of all characters or collating sequences between the explicit ones on either side of the dash. The range does not refer to the native character set. For example, in the POSIX locale, [a-z] means all lowercase letters, even when they do not agree with the binary machine ordering. However, because many other locales do not collate in this manner, avoid ranges in strictly conforming POSIX.2 applications. A collating sequence might explicitly be an endpoint of a range. For example ch 11 is valid; however, equivalence or character classes might not be valid. For example a z is illegal. If the first character after any potential circumflex is a dash or a closing bracket, then that character matches only a literal dash or closing bracket.
119. ering and how Symantec Mail Security for Domino evaluates messages against the threshold values and categories that you specify in a content score rule. See "Filtering content with word categories" on page 127. To create a content filtering rule that uses word categories: 1. In the Group document, on the Content Filtering tab, click the Rules tab. 2. On the Action bar, click New Rule. 3. In the Content Filtering Rule document, on the Basics tab, set the basic options. See "Setting the basic options for a content filtering rule" on page 110. On the Rule tab, in the Attribute drop-down list, click Content Score. In the Comparison drop-down list, select > (greater than) or < (less than). If you select >, messages
120. ert To set the basics alert options: 1. In the Alert Notification document, on the Basics tab, click Enable this alert to enable the alert that you are configuring. This option is enabled by default. Under Description, type a unique description so that you can identify it in the Alerts view. Under Servers This alert is valid for, select one of the following: All servers in this group: Generates alerts for every server in the selected server group. This option is enabled by default. The following servers: Generates alerts for only the servers that you select in the drop-down list. Separate multiple entries with commas. Under Email address from which the alerts are sent, in the drop-down list, select the return address of an administrator who can act on response messages. On the Action bar, click Save. To set alert condition options: 1. In the Alert Notification document, on the Alert Condition tab, under Scan Type, select any of the following: On Demand: Selects the alerts that are generated by violations that are found during scan now (on demand) scans. Scheduled: Selects the alerts that are generated by violations that are found during scheduled scans. Real Time Mail: Selects the alerts that are generated by violations that are found during auto-protect email message scans. Real Time Writes: Selects the alerts that are generated b
121. erver Warning (purple): No violation occurred with the event, but the server might be experiencing other problems, such as a possible virus outbreak or a disabled or disconnected SESA Agent. Warning (green): A violation occurred with the event, but the violation is not deemed critical. Critical (red): A violation occurred with the event and it remains. Note: When Symantec Mail Security for Domino detects a virus in an email message that originated from the iNotes Web Access mail client, it logs the virus incident twice in the Symantec Mail Security for Domino Log database. It processes the virus detection as two separate incidents because, when a user sends an email message using iNotes Web Access, the Lotus Domino Web server task writes the message to both the user's mail database and the Mail box. Consequently, Symantec Mail Security for Domino detects a virus in both databases. The Lotus Domino Web server task writes the iNotes Web Access email message to both databases even if the user has set Lotus Notes Preferences not to save sent email messages in the user's mail database. You can access the Log database through the Lotus Notes client or through a Web client. See "Accessing Symantec Mail Security for Domino" on page 39. The incident and information messages that are sent to the Symantec Mail Security for Domino Log are accessed through views
122. ervers in the server group. This option is enabled by default. The following servers: Applies the word to specific servers. Select the servers from the drop-down list. Separate multiple entries with commas. On the Action bar, click Save. To edit a custom word, phrase, or word category name: 1. In the Group document, on the Content Filtering tab, click Word Categories. 2. Under Word Phrase, double-click the word or phrase that you want to edit. 3. In the Content Filtering Word document, make your revisions. 4. On the Action bar, click Save. To delete a custom word or phrase: 1. In the Group document, on the Content Filtering tab, click Word Categories. 2. Under Word Phrase, double-click the word or phrase that you want to delete. 3. In the Content Filtering Word document, on the Action bar, click Delete. 4. In the confirmation dialog box, click Yes. 5. On the Action bar, click Save. Symantec Mail Security for Domino automatically deletes the custom word category when all of the words or phrases within the category are deleted. Vendor-supplied word categories cannot be deleted. Creating a content filtering rule that uses word categories: You create a content filtering rule that works with scored content by using the Content Score attribute to define the rule. Before you define a content score rule, ensure that you understand dictionary-based content filt
123. es General product information features language availability local dealers Latest information about product updates and upgrades Information about upgrade insurance and maintenance contracts Information about Symantec Value License Program Advice on Symantec s technical support options Nontechnical presales questions Missing or defective CD ROMs or manuals Symantec Software License Agreement SYMANTEC CORPORATION AND OR ITS SUBSIDIARIES SYMANTEC IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE REFERENCED BELOW AS YOU OR YOUR ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND SYMANTEC BY OPENING THIS PACKAGE BREAKING THE SEAL CLICKING THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY OR LOADING THE SOFTWARE YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS CLICK THE I DO NOT AGREE OR NO BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE 1 License The software and documentation that accompanies this license collectively the Software is the proprietary property of Symantec or its licensors and is protected by copyright law While Symantec
124. es heuristic detection of new or unknown viruses; NAVEX, which provides protection from new classes of viruses automatically through LiveUpdate; and Striker, which detects polymorphic viruses. When Symantec Mail Security for Domino finds a match, the file is considered infected and the document is disposed (repaired, deleted, quarantined, or logged and delivered) according to the configuration settings. When Symantec Mail Security for Domino receives an email message with an attachment from an Internet source, it decodes and decompresses the attachment and then scans it. After scanning for viruses, Symantec Mail Security for Domino checks the domain addresses of incoming email messages against a white list, if the white list feature is enabled. Messages sent from white-listed domains automatically bypass the heuristic anti-spam engine and are scanned for content filtering rule violations. All other messages are scanned by the anti-spam engine and are scored based on their probability of being spam. You can adjust the anti-spam engine sensitivity level. When antivirus and anti-spam scanning are complete, documents are then scanned for content filtering rule violations, if content filtering rules processing is enabled. Symantec Mail Security for Domino uses Dynamic Document Review (DDR) technology to analyze the content. Documents are scored against
125. es the configurations that you defined in the Settings database on the Scan Now tab. However, you can use scan commands to modify how Symantec Mail Security for Domino disposes of documents that contain violations. Perform on-demand scanning from the Domino server console: The scan commands that you type at the console differ depending on how you want to dispose of a document that contains a scanning violation. Table 2-3 lists the scan commands that you can use to dispose of documents that contain violations. Table 2-3 Document violation scan commands: A (Action): Perform an action. D (Delete): Delete documents that contain a violation. N (Ignore): Log the violation but do nothing with the document. Q (Quarantine): Quarantine documents that contain violations. R (Repair): Repair documents that contain violations. U (Unrepairable): Dispose of unrepairable documents. You must specify how to dispose of unrepairable documents. When you configure Symantec Mail Security for Domino to attempt to repair an infected document, you must also specify what action to take when the document cannot be repaired. Table 2-4 lists the scan commands that you can use to dispose of unrepairable documents. Table 2-4 Unrepairable document scan commands: D (Delete): Delete documents that contain a violation. N (Ignore): Log the violation but do nothing with t
126. Contents: Viewing content filtering rules status; Enabling the content filtering process; Enabling default content filtering rules; Creating a content filtering rule; Deleting a content filtering rule; Using a match list; How a match list works; Building a match list; Creating a content filtering rule that uses a match list; Filtering content with word categories; How dictionary based content filtering works; Building a custom Word Category; Creating a content filtering rule that uses word categories. Chapter 8 Chapter 9 Chapter 10 Scanning for viruses spam and content filtering rule violations: About scanning; About auto protect scanning; Configuring auto protect settings; About scan now scanning; Configuring scan now settings; About
127. essages, product information, scan reports, and violation incidents. See "Viewing message and incident documents" on page 168. Export incidents to Microsoft Excel: Export items from the Incidents view to a Microsoft Excel spreadsheet. See "Exporting incidents to Microsoft Excel" on page 171. Delete items from the database: Delete messages and incidents from the Log database on demand. See "Deleting items from the Log" on page 172. Purge items from the Log: Enable the purge agent to regularly purge items from the Log database. See "Enabling the Log purge agent" on page 172. Viewing message and incident documents: When an incident or a message is logged, a document that contains details about the incident or message is created in the appropriate Log view. The Statistics and Reporting views do not contain incident or message documents. The information that is contained in the document varies depending on whether the item is a server message, product information, a scan report, or an incident. Table 10-2 lists the information that is contained within a document by view type. Table 10-2 Message and incident document information. Server Messages: The Server Message document contains the following information: Server: Server on which the incident occurred. Date: Date and time that the incident occurred or the message was logged. Type: Type of server message: information, server warning, warning, critical
128. est way to register your service is to access the Symantec licensing and registration site at www symantec com certificate Alternatively you may go to www symantec com techsupp ent enterprise html select the product that you wish to register and from the Product Home Page select the Licensing and Registration link 4 Technical support Contacting Technical Support Customers with a current support agreement may contact the Technical Support group by phone or online at www symantec com techsupp Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www secure symantec com platinum When contacting the Technical Support group please have the following Customer Service Product release level Hardware information Available memory disk space NIC information Operating system Version and patch level Network topology Router gateway and IP address information Problem description m Error messages log files m Troubleshooting performed prior to contacting Symantec m Recent software configuration changes and or network changes To contact Enterprise Customer Service online go to www symantec com select the appropriate Global Site for your country then select Service and Support Customer Service is available to assist with the following types of issues Questions regarding product licensing or serialization Product registration updates such as address or name chang
129. ext. For example, if the word cancer succeeds breast in a word chain, it is likely that the message is about a medical condition and is appropriate. By creating and evaluating word chain structures, the content filtering engine is able to catch these differences in meaning and adjust scoring accordingly. Each word that follows the matched word is added to a chain until the following occurs: Two successive nondictionary words are found. At that point, the comparison process continues with the next word in the text block. The end of the block is reached. At that point, the processing of the next text block begins. Calculating base and bonus scores: After Symantec Mail Security for Domino processes the document text, it calculates the total score for the message. This total score is cumulative across all enabled word categories. Symantec Mail Security for Domino does not produce scores for each word category separately. Symantec Mail Security for Domino uses the following categories of scores when assigning values: Base score: The primary value that is assigned to a word or phrase. Base scores can be positive or negative integers. The severity of a word's base score is relative to the scores of the other words in the category. Bonus score: A secondary value that is assigned to a word or phrase. A bonus score can be positive or negative integers. Bonu
130. f California United States of America Otherwise this Agreement will be governed by the laws of England and Wales This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and i supersedes all prior or contemporaneous oral or written communications proposals and representations with respect to its subject matter and ii prevails over any conflicting or additional terms of any quote order acknowledgment or similar communications between the parties This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software The disclaimers of warranties and damages and limitations on liability shall survive termination Software and documentation is delivered Ex Works California U S A or Dublin Ireland respectively ICC INCOTERMS 2000 This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec Should You have any questions concerning this Agreement or if You desire to contact Symantec for any reason please write to i Symantec Customer Service 555 International Way Springfield OR 97477 U S A ii Symantec Enterprise Customer Service PO BOX 5689 Dublin 15 Ireland or iii Symantec Customer Service 1 Julius Ave North Ryde NSW 2113 Australia 8 Additional Uses and Restrictions A If th
131. f desired, savquar.nsf databases in the <Domino server data directory> SAV directory on the other Domino servers. The Lotus Domino server default data directory is <drive> Lotus Domino Data SAV. 6. Install Symantec Mail Security for Domino on the other servers, but keep the already replicated sav.nsf, savlog.nsf, and savquar.nsf databases. The option to keep existing databases is part of the Symantec Mail Security for Domino installation program. To create replica databases when Symantec Mail Security for Domino is installed on the additional server: 1. On each additional server, in the Domino server console, type the following: TELL SAV QUIT 2. Replicate the Symantec Mail Security for Domino Settings, Log, and, if desired, Quarantine databases from the hub Domino server to the additional Domino servers in the <data directory> SAV directory. 3. When you are prompted to overwrite the existing sav.nsf, savlog.nsf, or savquar.nsf databases, click Yes. This overwrites the existing databases with the new replicas. 4. At each additional server, in the Domino server console, restart Symantec Mail Security for Domino by typing the following: LOAD NNTASK To create a replica Definitions database: 1. Select a Domino server in your organization to use for downloading updated virus definitions. In the Settings view, double cli
132. f your Symantec Serial Number Certificate does not arrive within three to five business days of receiving your software, contact Symantec Customer Service at 800 721 3934 or your reseller to check the status of your order. If you have lost your Symantec Serial Number Certificate, contact License Support. See "Where to get more information about Symantec Mail Security for Domino" on page 28. If you are upgrading to Symantec Mail Security for Domino from a previous version of Symantec Antivirus Filtering for Domino, you must install the product and content licenses for the product to be fully functional. You must install the license files on each server on which Symantec Mail Security for Domino is installed, regardless of whether the computer is partitioned or is a cluster member. For example, if the physical computer has multiple partitioned Domino servers, you only need to install one content license file and one product license file on the computer. Likewise, you must install one content license file and one product license file on each member of a Domino cluster. A license file cannot be replicated. When you have more than one license file to install on multiple Domino servers, you can use your preferred distribution method. See "Distributing license files to multiple Domino servers" on page 60. Activate a license file: You must complete the following steps to activate a license: Obtain the license file from Symantec by comple
133. figuring auto protect settings: With auto-protect continuous scanning, you can monitor email routing and document writes. You can also identify which server processes to ignore. You should not remove the default processes from the list of processes to ignore. To configure auto protect settings: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Configuration tab, on the Auto Protect tab, under Enable Scanning for, select any of the following: Email routing; Document writes. Both options are enabled by default. 3. To modify the default list of processes to ignore, under Ignore the following server processes, do any of the following: Type the process that you want to add to the list. Delete the process that you want to remove from the list. By default, Symantec Mail Security for Domino excludes compact, fixup, updall, and update. It automatically excludes Symantec Mail Security for Domino processes. Reset to defaults returns the server processes to the default settings. 4. On the Action bar, click Save. About scan now scanning: In addition to auto-protect and scheduled scanning, you can perform a server scan on demand. Scan now scans let you scan all of the databases in the default data directory or specific directories that you select. You specify which exclusions to apply, how to handle attachments, whether to scan native MIME message bodies, whether to scan for content filtering rule violations, whether t
134. figuring logging to SESA: The logging of events to SESA is in addition to logging events in the Symantec Mail Security for Domino Log database. Logging to SESA is activated independently of the Symantec Mail Security for Domino Log. If you have purchased SESA, you can send a subset of the events that are logged by Symantec Mail Security for Domino to SESA. To configure logging to SESA, you must complete the following steps: Configure SESA to recognize Symantec Mail Security for Domino. In order for SESA to receive events from Symantec Mail Security for Domino, you must run the SESA Integration Wizard that is specific to Symantec Mail Security for Domino on each computer that is running the SESA Manager. The SESA Integration Wizard installs the appropriate integration components for identifying the individual security product (in this case, Symantec Mail Security for Domino) to SESA. See "Configuring SESA to recognize Symantec Mail Security for Domino" on page 205. Install a local SESA Agent on the computer that is running Symantec Mail Security for Domino. The local SESA Agent handles the communications between Symantec Mail Security for Domino and SESA. See "Installing the local SESA Agent using the Agent Installer" on page 206. Configure Symantec Mail Security for Domino through the administrative interface to communicate with the loc
135. followed by any character followed by the letter c Matches any line that contains exactly one character The newline character is not counted a b c d Matches any string that begins with the letter a followed by either zero or more instances of the letter b or zero or more instances of the letter c followed by the letter d a z Matches any line that contains a word that consists of lowercase alphabetic characters delimited by at least one space on each side 118 Filtering spam and unwanted content Working with content filtering rules Table 7 4 Examples of regular expressions that filter email messages text 1 Both expressions match lines that contain at text text least two occurrences of the string text space alnum Matches any character that is either a whitespace character or alphanumeric SBN ese Neese Matches any file name that has two three letter extensions for example Filename gif exe This regular expression is helpful in blocking email message attachments with double extensions For example If Attachment Name Part Matches a sentence such as Number L upper 1 number included is a description of Part Number ZZ487584 and we have it in stock Note that the first two characters of the part number are uppercase and are the same character 0 9a zA Z lt gt 0 9a zA Z Matches an embedded comment in t
136. following: Ignored document: This option queries for only those documents for which Symantec Mail Security for Domino does not act. Copied document: This option queries for only those documents for which Symantec Mail Security for Domino creates a backup copy after it detects a violation. Cleaned document: This option queries for only those documents that Symantec Mail Security for Domino repairs. Removed attachment document: This option queries for only those documents or attachments that Symantec Mail Security for Domino deletes. Quarantined document: This option queries for only those documents or attachments that Symantec Mail Security for Domino quarantines. All options are enabled by default. 6. To select all of the options under Scan Type, Violation Type, and Action Taken, click Select All. 7. On the Action bar, click Save. Note: Symantec Mail Security for Domino cannot query for scan error violations. To set output options: 1. To select the level of detail for the query, in the Custom Query document, on the Output tab, under Report Type, select one of the following: Summary Totals Only Shows the total numbers of incidents For each incident shows the date and time that the violation was detected, the document author, the server on which the violation occurred, the action Symantec Mail Security for Domino took with the docu
137. formed from one of these programs, it automatically updates the virus definitions files that are used by all of the installed Symantec products. If you intend to replicate virus definitions files using the Symantec Mail Security for Domino Definitions database (savdefs.nsf), you must perform LiveUpdate using Symantec Mail Security for Domino. When other Symantec antivirus products are installed on the same computer as Symantec Mail Security for Domino, you must log on to the other products before Symantec Mail Security for Domino. You might also need to modify some scanning configurations for some of the products. See "Integrating with other Symantec products" on page 22. Configuring LiveUpdate on a proxy server: Some organizations use proxy servers to control connections to the Internet. To use LiveUpdate, you might need to specify the address and port of the proxy server, as well as a user name and password. LiveUpdate can use an HTTP, FTP, or ISP proxy server. Configure LiveUpdate on a proxy server: When Internet Explorer is running on the Lotus Domino server and is already configured to use a proxy server, no further configuration is necessary. If needed, you can modify the proxy server configuration settings through LiveUpdate. To configure FTP settings for LiveUpdate: 1. On the Lotus Domino server, on the Windows taskbar, click Start > Programs > Sy
138. from Match List. 6. Under Match Lists, in the drop-down list, select the match list that contains the words and phrases that you want to filter, and then click Add. 7. On the Action tab, set the action options. See "Setting the action options for a content filtering rule" on page 122. 8. On the Action bar, click Save. When you are ready to process the rule, ensure that it is enabled on the Basics tab. In addition, ensure that rules processing is enabled on the Content Filtering > Rules tab. See "Enabling the content filtering process" on page 108. Filtering content with word categories: Content filtering is typically used to monitor the mail system and block messages that contain specific types of content. Dictionary-based content filtering lets you filter the subject lines and bodies of messages by comparing their content against words in dictionary categories. Symantec Mail Security for Domino supplies categories and words, but you can also create your own. For example, in most organizations, sending messages with explicit sexual or violent content is not considered an appropriate use of the mail system and violates corporate conduct guidelines. Dictionary categories such as Violence and Sex Acts are designed to flag these types of messages by matching words in the message against words in the dictionary. In addition, an organization might want to prevent the spread of confidential legal information outside of the organization
139. from defects for a period of sixty 60 days from the date of delivery of the Software to You Your sole remedy in the event of a breach of this warranty will be that Symantec will at its option replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error free TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES WHETHER EXPRESS OR IMPLIED INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY 4 Disclaimer of Damages SOME STATES AND COUNTRIES INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL CONSEQUENTIAL INDIRECT OR SIMILAR DAMAGES INCLUDING ANY LOST PROFITS OR LOST DATA ARISI
140. fter it detects a violation. You must select the Copy the document option on the Content Filtering > Action tab when you configure the content filtering rule for the violation. Selects the alerts that are generated from documents that Symantec Mail Security for Domino repairs. The alerts are generated by scans that are configured to repair the infected attachments. You configure this option on the Antivirus > Actions tab. Selects the alerts that are generated from documents or attachments that Symantec Mail Security for Domino deletes. The alerts are generated by scans that are configured to delete infected attachments. You configure this option on the Antivirus > Actions tab. Alerts might also be generated by content filtering rule violations for which any delete option is specified on the Content Filtering > Action tab. Selects the alerts that are generated from documents or attachments that Symantec Mail Security for Domino quarantines. The alerts are generated by scans that are configured to quarantine infected documents. You configure this option on the Antivirus > Actions tab. Alerts might also be generated by content filtering rule violations for which the Quarantine the document option is selected on the Content Filtering > Action tab. 5. Under Document Origin, select any of the following: Internet: Selects the alerts that are genera
141. g database regardless of the Output Format that you choose. This option is enabled by default. Write Report to File: This option writes the query to a file, which is saved to the location that you select. Click the button next to the file name box to select the file. The format of the file is determined by the Output Format. This option is enabled by default. Send Report In Email: Sends the query through email to the person that you select. To: Click the drop-down list to open the Lotus Notes Select Addresses dialog box. 4. On the Action bar, click Save. 5. To return to the Queries view, on the Action bar, click Close. Working with queries: You can create manual queries to run on demand, or you can schedule queries to run at the times that you specify. For easier identification in the Queries view, you can specify in the description that the query is scheduled or manual. When you create a scheduled query and enable it, a check mark appears next to it in the Queries view. However, before the query can run, you must also enable the schedule reports agent, which enables all of the scheduled queries to run. See "Enabling the scheduled reports agent" on page 181. Manual queries are always turned off because you run them on demand only. Manual queries do not have a check mark under the Enabled column in the Queries view to distinguish them from the scheduled que
142. he document. Q Quarantine: Quarantine documents that contain violations. If you do not specify an unrepairable document scan command, Symantec Mail Security for Domino uses the settings that are defined on the Scan Now > What to Scan tab. When Symantec Mail Security for Domino detects a virus inside of a container file, it deletes the container file and everything in it. When a container file is comprised of both infected and uninfected files, the entire container file and all of the files inside it might be deleted. To scan documents using Scan Now tab settings: At the command prompt, type TELL SAV SCAN <database>. To scan documents without attempting to repair infected documents: At the command prompt, type TELL SAV SCAN A <scan command> <database>. For example, to scan the InfoDocs database and quarantine any violations, at the command prompt, type TELL SAV SCAN AQ INFODOCS. To scan documents and attempt to repair infected documents: At the command prompt, type TELL SAV SCAN AR U <scan command> <database>. For example, to scan the InfoDocs database, attempt to repair infected documents, but delete files that cannot be repaired, at the command prompt, type TELL SAV SCAN AQ UD INFODOCS. Uninstalling Symantec Mail Security for Domino: You can uninstall Symantec Mail Security for Domino in th
143. he middle of meaningful HTML text. Embedding comments within HTML text is a trick that spam senders use to bypass most pattern matching software. 0 9 Matches a subject in an email message that might look like the following: Earn big money today 434323. Note that the metacharacters and mark the beginning and end of the line. These characters are optional, depending on whether you use the comparison Contains or equals. When you create your content filtering rule using the content filtering engine automatically surrounds the regular expression with these two metacharacters to find an exact match. When you use Contains, the two metacharacters are not included. Building expressions for a content filtering rule: Table 7-5 lists the expression options for a content filtering rule. Table 7-5: Content filtering expression options. If: Sets up the expression to be a condition of the content filtering rule. The first expression that you create must consist of an IF expression. Unless: Sets up the expression to be an exception to all conditional IF expressions. Attribute: Selects the basis for the rule. For example, if you select Sender as the attribute, the content filtering rule only applies to documents or email messages that are created by the sender that you specify. Comparison: Selects the relationship between the
144. iaries Java and all Java based trademarks Sun Sun Microsystems the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems Inc Microsoft Windows Windows NT MS DOS and the Windows logo are registered trademarks or trademarks of Microsoft Corporation in the United States and other countries Lotus and Domino are registered trademarks of IBM in the United States and other countries NetScape Navigator is a registered trademark of Netscape Communications Corporation in the United States and other countries Intel and Pentium are registered trademarks of Intel Corporation Adobe Acrobat and Reader are registered trademarks of Adobe Systems Incorporated in the United States and other countries THIS PRODUCT IS NOT ENDORSED OR SPONSORED BY ADOBE SYSTEMS INCORPORATED PUBLISHERS OF ADOBE ACROBAT Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged Printed in the United States of America 10 9 8 7 6 5432 1 Technical support 3 Technical support As part of Symantec Security Response the Symantec global Technical Support group maintains support centers throughout the world The Technical Support group s primary role is to respond to specific questions on product feature function installation and configuration as well as to author content for our Web accessible Knowledge Base The Technical Support group wor
145. icons on Workspace: To more easily access the Symantec Mail Security for Domino databases, you can add the database icons to your Lotus Notes workspace. See "Placing Symantec Mail Security for Domino database icons on your Lotus Notes workspace" on page 39. Access the Symantec Mail Security for Domino databases: Symantec Mail Security for Domino can be accessed from the Lotus Notes client or a Web browser client. See "Accessing Symantec Mail Security for Domino" on page 39. Grant rights to run unrestricted agents: This option gives a user the rights to enable, disable, or modify unrestricted agents. See "Granting rights to run unrestricted agents" on page 41. Modify the number of processing threads: Symantec Mail Security for Domino automatically configures the optimum number of scanning threads, but you can modify the number of scanning processing threads if necessary. See "Modifying the number of processing threads" on page 43. Maximize product performance: Configure Symantec Mail Security for Domino to maximize performance. See "Optimizing Symantec Mail Security for Domino performance" on page 43. Signing Symantec Mail Security for Domino databases: The first time that you restart the Lotus Domino server after installation, Symantec Mail Security for Domino attempts to digitally sign portions
146. ident data, select one or more incidents to export. A black check mark appears next to the selected items. To unselect an item, click in the column again. On the Action bar, click Export to Excel. 4. In the Export to Excel dialog box, type the path and file name of the new Microsoft Excel file. 5. Click OK. This creates a Microsoft Excel spreadsheet that contains the incidents that you selected. The spreadsheet is organized by the columns in the selected Incidents view. Deleting items from the Log: You can enable the Log purge agent to regularly delete items from the Log. You can also delete an item on demand to clear the Log view. See "Enabling the Log purge agent" on page 172. To delete items from the Log: 1. In the Log, in the left pane, select the view that contains the information that you want to delete. 2. In the right pane, click in the column to the left of the incident or message that you want to delete. A black check mark appears next to the selected items. To unselect an item, click in the column again. 3. On the Action bar, click Delete. A black X appears to the left of the item, which indicates that it is selected for deletion. To unselect the document, click it, and then on the Action bar, click Delete. 4. Press F9 to refresh the view. 5. In the confirmation dialog box, click Yes. Enabling the Log purge agent: To prevent the Log databa
147. iew, in the right pane, click in the column to the left of the completed reports that you want to delete. A black check mark appears next to the selected items. To unselect an item for deletion, click in the column again. 2. On the Action bar, click Delete. A black X appears to the left of the item, which indicates that it is selected for deletion. To unselect an item, click it, and then on the Action bar, click Delete. 3. Press F9 to refresh the view. 4. In the confirmation dialog box, click Yes. Enabling the scheduled reports agent: You must enable the scheduled reports agent to run scheduled queries. This agent runs all of the scheduled queries that are enabled (signified by a check mark under the Enabled column in the Queries view) once a day. Query results are posted in the Completed Reports view. You must individually enable each scheduled query that you want to run. See "Working with queries" on page 180. Manual queries do not need to be individually enabled or disabled. The first time that you enable the scheduled reports agent, Symantec Mail Security for Domino prompts you for the server on which to run the agent. Symantec Mail Security for Domino replicates the scheduled reports agent. To enable the scheduled reports agent, you must have rights to run unrestricted agents in the Server Document for the Domino Directory (Public Address Book) that be
148. iguration is changed or the agent is disabled. This option is enabled by default. Quarterly: After you set and save the Run Interval to Quarterly, the query runs at 3:00 A.M. It runs every 120 days thereafter at 3:00 A.M. For example, if you set the configuration on Monday at 10:00 A.M., the query will run the next morning at 3:00 A.M. The query will run again in another 120 days at 3:00 A.M., and every 120 days at 3:00 A.M. thereafter, until the configuration is changed or the agent is disabled. 5. On the Action bar, click Save. To set query information options: 1. In the Custom Query document, on the Query Information tab, under Author, select the author source of the violation. The selections are populated from Symantec Mail Security for Domino incidents reports. The default setting is Any Author. 2. Under Server, select the server from which the violation originated. The selections are populated from the Domino Directory. 3. To specify the type of scan to query for, under Scan Type, select any of the following: On Demand: Queries for violations found in scan now scans. Scheduled: Queries for violations found in scheduled scans. Real Time Mail: Queries for violations found in auto-protect email scans. Real Time Writes: Queries for violations found in auto-protect database writes scans. All options are enabled by default. 4. To specify the type of violation t
149. igured to bypass specific server processes from auto-protect scanning. Symantec Mail Security for Domino provides a default list of server processes that can be ignored. See "About auto protect scanning" on page 138. About the Symantec Mail Security for Domino user interface: When you open any of the Symantec Mail Security for Domino databases, you see the database view. When you double-click any item in the right pane, you open a Notes document. The document title appears below the Action bar. A view can easily be distinguished from a document because a view contains a navigation pane on the left. From the Settings navigation pane, you can open the Log, Quarantine, and Help databases. The ability to open the Symantec Mail Security for Domino databases from the navigation pane is only available in the Settings database. Figure 2-1 shows the Settings database view. Figure 2-1: Symantec Mail Security for Domino Settings view.
150. ile menu, click Database > Open. 2. In the Open Database dialog box, under Server, select the server on which you installed Symantec Mail Security for Domino. 3. Under Database, in the SAV directory, double-click SMSDOM Settings 4.0 (the Settings database). This opens the Settings database and places the Settings database icon on your Lotus Notes workspace. 4. Follow steps 1-3 to place the Help, Log, and Quarantine database icons on your Notes workspace. Accessing Symantec Mail Security for Domino: Symantec Mail Security for Domino runs as a Domino server task. Every time that you start the server, Symantec Mail Security for Domino protection begins. You access management and configuration tasks through the Lotus Notes client or a Web client. Accessing Symantec Mail Security for Domino from Lotus Notes: To access Symantec Mail Security for Domino from Lotus Notes, on the workspace, double-click the database icon that you want to open. Accessing Symantec Mail Security for Domino remotely from a Web browser: In addition to accessing Symantec Mail Security for Domino from the Lotus Notes client, you can access the Log, Quarantine, Definitions, and Help databases remotely over the Internet using Internet Explorer 6.0 SP1 or later. When you access Symantec Mail Security for Domino remotely from a Web browser, you will only be able to perform specific tasks or
151. iltering rule violation. When you create one or more rules that use the same group of categories more than once, Symantec Mail Security for Domino evaluates that group of categories against the email message only once. This optimizes performance. When you create a rule with a combination of categories, for example, If Content Score > 50 using categories sex, drugs, alcoholism OR Content Score > 90 using categories sex, then Symantec Mail Security for Domino evaluates the sex category twice. Whenever rules contain duplicate combinations of categories across multiple rules or in the same rule, Symantec Mail Security for Domino filters content only once for any email message or document. Given all of the variables that can potentially affect document content scoring, you should test the content filtering rule before you put it into operation. Use the following guidelines to test your content filtering rules: • Use different threshold values and observe the number of violations that are triggered. • Use messages that contain known content violations that use different threshold settings and observe whether the specific messages trigger rule violations. Assigning scores to custom word categories: Part of the process of building custom word categories involves assigning scores to words. When you use custom word categories, you must do the followi
152. includes document details, message header information, and scan details. Create a comment in the Quarantined Document: Add your customized comments in the Quarantined Document. Modify, save, delete, or add attachments: Save attachments to a specified location, delete infected attachments, or add your own attachments to a document before you release it. Release the document from the Quarantine: Release a document from Quarantine after the infection is deleted. Delete an infected document from the database: Delete the quarantined document and all of its attachments from the Quarantine database. To view a Quarantined Document: 1. On the Lotus Notes client, open the Quarantine database. 2. In the left pane, under Quarantined Documents, select one of the following views: • All Quarantined Documents • By Recipient • By SMTPOriginator • Virus Infections. In the right pane, double-click a document. [Screenshot: Quarantined Document in Lotus Notes]
153. ing monitored, the size of your email system, the amount of mail that is typically processed, and the stringency with which you want to define an outbreak. As your outbreak settings are tested, you can fine-tune the values that you use. Symantec Mail Security for Domino logs virus detections and possibly sends alerts when it detects an outbreak, so your goal is to strike a balance between catching outbreaks and issuing too many unnecessary notifications. To manage outbreak detection: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Antivirus tab, on the Outbreak Detection tab, check Enable virus outbreak detection. This option is enabled by default. 3. Under Detection Type, select one of the following: • Basic: Add all viruses to virus count. This option is enabled by default. • Advanced: Add only viruses with similarities to virus count. 4. Under Threshold and Notification, do any of the following: • Type the number of viruses to be detected within the specified time frame. The default setting is 30. • Type the specified time frame, in minutes, in which the number of detected viruses is considered an outbreak. The default setting is 10. • In the drop-down list, select the names of those to whom email notifications should be sent. 5. On the Action bar, click Save. Filtering spam and unwanted content: This chapter includes the following topics: • About filtering • Filtering spam • Filteri
154. ing the Quarantine on page 183. Keeping virus protection definitions up to date: Symantec Mail Security for Domino relies on up-to-date information to detect and eliminate viruses. One of the most common reasons computers are vulnerable to virus attacks is that virus definitions files are not updated regularly. Symantec regularly supplies updated virus definitions files. Using LiveUpdate, Symantec Mail Security for Domino connects to a Symantec server over the Internet and automatically determines if virus definitions need to be updated. If they do, the virus definitions files are downloaded to the proper location and installed. Note: To receive new virus definitions through LiveUpdate, you must have a valid content license. See "Activating your Symantec Mail Security for Domino licenses" on page 55. See "Configuring LiveUpdate" on page 149. Symantec Mail Security for Domino gathers and stores the following information in the Log database: • Server messages: Server-related events • Product information: Product version, servers on which the product is installed, and virus definitions versions • Scan reports: Summaries of scheduled and manual scans • Incidents: Virus scan errors spam and content filtering rule violations • Statistics: Predefined statistical reports of Log data • Reporting: Custom reports or queries that you create. See "Using the Symantec Mail Security for Domino Log" on page 163. Introduci
155. initions files that are used by all of the installed Symantec products. See "About shared virus definitions files" on page 150. Note: If you intend to replicate virus definitions using the Symantec Mail Security for Domino Definitions database (savdefs.nsf), you must run LiveUpdate from Symantec Mail Security for Domino. See "About replicating Symantec Mail Security for Domino databases" on page 64. By default, Symantec Mail Security for Domino uses the Windows TEMP directory when it processes scans, but you can change this directory. See "Setting basic antivirus options" on page 94. In some cases, you might have to modify the configurations of the following Symantec antivirus products to prevent their scanning of this directory: • The auto-protect feature of Norton AntiVirus for Windows NT • The file system realtime protection feature of Norton AntiVirus Corporate Edition or Symantec Client Security. What you can do with Symantec Mail Security for Domino: Symantec Mail Security for Domino provides the following features to protect and enhance your Lotus Domino server: • Protecting against computer viruses • Identifying unwanted email messages • Filtering undesirable message content • Managing virus outbreaks • Isolating infected attachments • Keeping virus protection definitions up to date • Analyzing
156. ion, Symantec Mail Security for Domino evaluates certain metacharacters before others. Table 7-3 lists the order in which Symantec Mail Security for Domino evaluates metacharacters, from highest to lowest precedence. Table 7-3: Metacharacter order. 0 Precedence override, OR, List, Escape, Start with. Examples of regular expressions that filter email messages: You can link several regular expressions to form a larger one to match certain content in email messages. Table 7-4 provides examples of regular expressions that show how pattern matching is accomplished through the use of metacharacters and alphanumeric characters. Table 7-4: Examples of regular expressions that filter email messages. abc: Matches any line of text that contains the three letters abc in that order. Your results might differ depending on the comparison operator that you use to create the content filtering rule. For example, if you build a rule to match the word free and use the Contains comparison, then the content filtering engine detects all words that contain the word free instead of an exact match, for example, Freedom. However, if you use the equal comparison, then the content filtering engine detects only exact matches of the word Free. Matches any string that begins with the letter a
157. ion bar, click Save. On the Action bar, click Close to return to the Content Filtering tab. When you are ready to process the rule, ensure that it is enabled on the Basics tab. In addition, ensure that rules processing is enabled on the Content Filtering > Rules tab. See "Enabling the content filtering process" on page 108. Setting the basic options for a content filtering rule: When setting up a content filtering rule, you must enable the rule and set up the basic options. Warning: Applying most content filtering rules to Domino databases will cause severe data loss and may destabilize servers. To set the basic options for a content filtering rule: 1. In the Content Filtering Rule document, on the Basics tab, check Enable this Rule. This option is enabled by default. Under Description, type a description for the content filtering rule. Provide a meaningful name for the content filtering rule so that you can identify it in the content filtering rules status and in the Symantec Mail Security for Domino Log. Under This rule is for, select any of the following: Email routing: Applies the content filtering rule to email messages. This option is enabled by default. Document writes: Applies the content filtering rule to documents that are saved to the Lotus Domino databases (not recommended). Scheduled Scans: Applies the content filtering rule to scheduled scans. You must also enable the option to scan for content fil
158. ions dialog box, do any of the following: • Under Server Messages, type the number of days to wait to purge server messages. The default setting is 30. • Under Incidents, type the number of days to wait to purge all virus incidents. The default setting is 365. • Under Scan Reports, type the number of days to wait to purge all scan reports. The default setting is 30. After Symantec Mail Security for Domino purges the items, it waits again for the specified number of days before it purges the next batch of items. 4. Click Set Server to Execute Agent. 5. In the Choose Server To Run On dialog box, select the server, and then click OK. 6. In the Purge Options dialog box, click Enable Purge Agent. If you receive an error message that indicates that you do not have execution access privileges, contact your administrator to grant you the appropriate purge agent rights. See "Granting rights to run unrestricted agents" on page 41. 7. To exit the dialog box, click OK. Customizing queries: Symantec Mail Security for Domino lets you create custom queries to run on demand or by schedule. You can design report queries with as much detail and control as needed. To design a query, you specify the conditions of the scan, anti-spam filtering, or content filtering rule. For example, you can create a query to collect information about scheduled scans that were performed on a
159. [Screenshot text: Quarantined Document with findings, document details, and scan details] This document contains the Action bar icons that a user with the VirusReleaser role would see. To create a comment in the Quarantined Document: In the Quarantined Document, in the Comments field, type your comments. To modify attachments: In the Quarantined Document, on the Action bar, select one of the following: • Save Attachments: For each attachment, you are prompted to save the file to a location that you select. • Add At
160. ispose of infected documents that are found during the scan. To configure scan now basic settings: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Scan tab, on the Scan Now tab, on the Basics tab, under What to scan on <server name>, select one of the following: • All databases in the default data directory: Scans every database in the Domino Data directory default location for each server in the server group. This option is enabled by default. • The following databases and directories: Scans only the databases and directories that you specify. Type the database and directories to scan. Separate multiple entries with semicolons. To scan subdirectories, check Include subdirectories. Enabling this option scans the descending subdirectories of the default data directory or the directories that you specified. This option is enabled by default. 4. On the Action bar, click Save. To configure scan now what to scan settings: 1. In the Group document, on the Scan tab, click the What to Scan tab. 2. To exclude specific databases or directories from the scan, under Databases, check Exclude specified databases and directories from scan. You must first select these databases and directories on the Configuration > Inclusions Exclusions tab. See "Specifying what to scan" on page 74. This option is enabled by default. Under Attachments, select one of the following: • Scan all
161. ity for Domino purges them or you delete them. To delete a content filtering rule violation document from the database: 1. In the Quarantine, in the left pane, under Quarantined Documents, select one of the following views: • All Quarantined Documents • By Recipient • By SMTPOriginator • Content Filtering Violations. In the right pane, select the document that you want to delete. On the Action bar, click Delete. A black X appears to the left of the document, which indicates that it is selected for deletion. To unselect the document, click it, and then on the Action bar, click Delete. Press F9 to refresh the view. In the confirmation dialog box, click Yes. Managing backup documents: You can configure Symantec Mail Security for Domino to make a backup copy of infected documents before it attempts to repair or delete them. See "Creating backup documents" on page 76. You can manage backup documents in one of the several views: All Backup Documents: All backup documents. By Recipient: Backup email messages or documents sorted by recipient. By SMTPOriginator: Backup email messages or documents that were received over the Internet with violations, sorted by email origin. Virus Infections: Backup email messages or documents with virus infections. Content Filtering Violations: Backup email messages or documents with content filtering rule violations. Manage backup doc
162. ized by this license 2 Content Updates Certain Software utilize content that is updated from time to time including but not limited to the following Software antivirus software utilize updated virus definitions content filtering software utilize updated URL lists some firewall software utilize updated firewall rules and vulnerability assessment products utilize updated vulnerability data these updates are collectively referred to as Content Updates You shall have the right to obtain Content Updates for any period for which You have purchased maintenance except for those Content Updates that Symantec elects to make available by separate paid subscription or for any period for which You have otherwise separately acquired the right to obtain Content Updates Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You provided however that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase This License does not otherwise permit the licensee to obtain and use Content Updates 3 Limited Warranty Symantec warrants that the media on which the Software is distributed will be free
163. ks To access Symantec Mail Security for Domino remotely from a Web browser: 1. Open Internet Explorer 6.0 SP1 or later. 2. In the address field of the browser, type the IP address of the Domino server on which Symantec Mail Security for Domino is installed, followed by the path name of the Symantec Mail Security for Domino database that you want to access. For example: http://192.168.156.99/SAV/savlog.nsf 3. Type your server login user name and password. [Screenshot: the Symantec Mail Security for Domino Log, Server Messages view, open in Microsoft Internet Explorer]
164. ks collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include: A range of support options that give you the flexibility to select the right amount of service for any size organization. Telephone and Web support components that provide rapid response and up-to-the-minute information. Upgrade insurance that delivers automatic software upgrade protection. Content Updates for virus definitions and security signatures that ensure the highest level of protection. Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program. Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support. Please visit our Web site for current information about Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using. Licensing and registration: If the product that you are implementing requires registration and/or a license key, the fastest and easi
165. l messages and document writes from all servers in the server group. This option is enabled by default. Trust the following servers: Forgoes scanning of email messages that are received from the servers that you specify. If you choose Trust the following servers, do one of the following: In the server list, select the servers to bypass scanning, and then click OK. Or type the server name in abbreviated or canonical format, for example, MAILHUB1/IT/MYCO or CN=MAILHUB1/OU=IT/O=MYCO. Separate entries with commas. On the Action bar, click Save. Configuring alerts: You can configure Symantec Mail Security for Domino to automatically notify administrators when certain violations occur. You can specify exactly what event must occur to trigger the notification, whom to notify, and what statistics to gather. Symantec Mail Security for Domino lets you notify document recipients and document authors that a violation occurred and how it was handled. You can customize your own notification messages to provide further information or instructions by using tokens. For example, if your policy is to quarantine infected documents, your customized message can inform the intended recipients about who to contact to release the document. About tokens for customizing email message alerts: To create email message alerts more efficiently, you can substitute tokens to represent custom text. For example green 18 italicl courier Author black normal
166. lities such as common logging of normalized event data for SESA-enabled security products like Symantec Mail Security for Domino. The event categories and classes include antivirus, content filtering, network security, and systems management. SESA also provides centralized reporting capabilities, including graphical reports. The events that are forwarded to SESA by Symantec Mail Security for Domino take advantage of the existing SESA infrastructure for events. You can create alert notifications for certain events. Notifications include pagers, SNMP traps, email messages, and operating system Event Logs. You can define the notification recipients, day and time ranges when specific recipients are notified, and custom data to accompany the notification messages. For more information about interpreting events in SESA and on the event management capabilities of SESA, see the SESA documentation. Symantec Mail Security for Domino can send the following types of events to SESA: Application events, Security events. Application events that are sent to SESA: Table 12-1 lists the application events that Symantec Mail Security for Domino can send to SESA. Table 12-1, Application events that are sent to SESA: APPLICATION_START, Informational, BASE, Task Initializes; APPLICATION_STOP, Informational, BASE, T
167. llation status errors: At the end of the license installation process, you receive a License Installation Status document, which lets you verify that your license is properly installed. See "Activating a license file" on page 56. When a license installation status cannot be determined because of an unresponsive server, you receive the following error message: Waiting for response from server. Click Check License Installation Status again. When no response occurs after 5 minutes, a communication error with NNTASK might have occurred. See documentation for more information. When you receive this message, one of the following events might have occurred: NNTASK might be under a heavy load and unable to immediately respond to the user's status request. NNTASK might not be running on the server. The network might be slow. After you resolve the issue, click Check License Installation Status, or close the License Installation Status document and install the license file again. If Symantec Mail Security for Domino can confirm that the connection with NNTASK has failed, you receive the following error message: Error communicating with NNTASK. Click Close and try again. After you resolve the issue, click Check License Installation Status, or close the License Installation Status document and install the license file again. Scan status err
168. lly logs the events that you designate to the Domino console and the Domino server log. You can also log events to any of the following locations. Symantec Mail Security for Domino Log: Saves information to the Server Messages view of the Symantec Mail Security for Domino Log. See "Using the Symantec Mail Security for Domino Log" on page 163. Operating System Event Log: Saves information to the Windows Event Log. SESA log: Saves information to the SESA DataStore for viewing from the SESA Console. See "Application events that are sent to SESA" on page 203. To configure logging options: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Configuration tab, on the Logging tab, under What to log, select one of the following: General messages; General messages and viruses that couldn't be eliminated; General messages and all virus events (this option is enabled by default). 3. Under Where to log, select all of the logging destinations that apply: SMSDOM Log (this option is enabled by default); Operating System Event Log; Enable SESA Logging. The SESA Agent IP Address Port Number is configured upon software installation. The default IP address and port is 127.0.0.1. This logging destination is in addition to the console window and Domino server log. 4. On the Action bar, click Save. Configuring tru
169. longs to the server. If you do not have the appropriate rights when you click Enable Scheduled Reports Agent in the Scheduled Reports Options dialog box, the following error message appears: You do not have execution access privileges for this agent on <Server>; agent will not run. Contact your system administrator to set the appropriate rights. See "Granting rights to run unrestricted agents" on page 41. To enable the scheduled reports agent: 1. In the Queries view, on the Action bar, click Scheduled Reports Options. 2. In the Scheduled Reports Agent dialog box, click Enable Scheduled Reports Agent. 3. Select the server on which to run the agent. 4. Click OK. If you receive an error message that indicates that you do not have execution access privileges, contact your system administrator to grant you the appropriate agent rights. See "Granting rights to run unrestricted agents" on page 41. Managing the Quarantine: This chapter includes the following topics: About the Quarantine; Managing quarantined documents; Managing backup documents; Purging the Quarantine. About the Quarantine: Symantec Mail Security for Domino can isolate scanned documents that have triggered violations. It can also back up infected documents before you delete or attempt to repair them. Quarantined and backup documents are stored in the Symantec Mail Security for Domino Quarantine database. When an email message is quarantined, Symantec M
170. main to the white list, click Add anti-spam white list domain(s). 4. In the Add anti-spam white list domain(s) dialog box, type the Internet domain addresses that you want to exclude from anti-spam scanning. Separate entries with a comma, semicolon, or by creating a new line. 5. Click OK when you are finished. The domain addresses appear in the Exclude the following white list domains box. 6. On the Action bar, click Save. To delete an address from the white list: 1. In the Exclude the following white list domains box, click the domains that you want to delete from the white list. A check mark appears to the left of the domains that you select. 2. Click Remove selected anti-spam white list domain(s). 3. On the Action bar, click Save. Filtering unwanted content: Content filtering is typically used to monitor the mail system and block messages that contain specific types of content. For example, in most organizations, sending messages with explicit sexual or violent content is not an appropriate use of the company mail system and violates corporate conduct guidelines. In other cases, an organization might want to prevent the spread of confidential information outside of the organization or block messages that could have adverse legal consequences for the organization. Symantec Mail Security for Domino filters for unwanted content by using a Dynamic Document Review (DDR) Th
171. mantec Mail Security for Domino > LiveUpdate. 2. In the LiveUpdate dialog box, click Configure. 3. On the FTP tab, click I want to customize my FTP settings for LiveUpdate. When this setting is checked, the Use a proxy server for FTP connections option appears and is checked by default. 4. In the Address box, type the IP address of the FTP proxy server. 5. In the port box, type the port number. Typically, the port number for FTP is 21. 6. Click OK. To configure HTTP settings for LiveUpdate: 1. On the Lotus Domino server, on the Windows taskbar, click Start > Programs > Symantec Mail Security for Domino > LiveUpdate. 2. In the LiveUpdate dialog box, click Configure. 3. On the HTTP tab, click I want to customize my HTTP settings for LiveUpdate. When this setting is checked, the Use a proxy server for HTTP connections option appears and is checked by default. 4. In the Address box, type the IP address of the FTP proxy server. 5. In the port box, type the port number. Typically, the port number for HTTP is 80. 6. When a user name and password are required to access the HTTP proxy server, under HTTP Authentication, click I need authorization to connect through my firewall or proxy server, and then type the user name and password. 7. Click OK. To use an ISP dial-up connection for LiveUpdate: 1. On the Lotus Domino server, on the Windows taskbar, click Start
172. mantec Mail Security for Domino, you have the option to upgrade your previous databases. Review the following information before you upgrade your databases. The editable text areas are copied into Symantec Mail Security for Domino exactly as they appear in Symantec AntiVirus Filtering for Domino 3.0.x. For example, if your native MIME header text was configured to read "The body of this message was deleted by Symantec AntiVirus Filtering because it was infected", it will read exactly the same after you upgrade to Symantec Mail Security for Domino. The former product name is not automatically modified to read Symantec Mail Security for Domino. Symantec AntiVirus Filtering for Domino 3.0.x had separate backup options for repairing and deleting attachments. Symantec Mail Security for Domino combines these options. If both options in Symantec AntiVirus Filtering for Domino 3.0.x were the same (that is, both are Yes or both are No), when you upgrade to Symantec Mail Security for Domino, that setting is the default setting. If both options in Symantec AntiVirus Filtering for Domino 3.0.x were different (that is, one is No and the other is Yes), the default setting in Symantec Mail Security for Domino is Yes. See "Creating backup documents" on page 76. If you enabled any of the purge agents in Symantec AntiVirus Filtering for Domino, you must e
173. ment and the violation name (for example, virus name or content filtering rule). Detailed Report: For each incident, shows the date and time that the violation was detected, the document author, the server on which the violation occurred, the action Symantec Mail Security for Domino took with the document, and the violation name (for example, virus name or content filtering rule). Detailed Report with Summary Totals: Shows the total numbers of incidents. For each incident, shows the date and time that the violation was detected, the document author, the server on which the violation occurred, the action Symantec Mail Security for Domino took with the document, and the violation name (for example, virus name or content filtering rule). This option is enabled by default. Under Output Format, select one of the following. Plain Text (CSV format): When the selected Output Destination is the Log Report, this option writes the query to a rich text field in the Log database. When the destination is a file, this option writes the query to a comma-delimited file (.csv file). This format can be imported into Microsoft Excel. This option is enabled by default. XML: This option writes the query to an XML file. You can use this format with many other programs. HTML: This option writes the query to an HTML file. Under Output Destination, select any of the following. Log Report: This option writes the query to the Symantec Mail Security for Domino Lo
174. ment of your servers. Create server groups that have a common purpose and therefore require the same protection, for example, email servers. By grouping servers, you apply a common set of protection settings once, rather than repeatedly to each server. In a large network with multiple servers that perform similar roles, the reduction in configuration time and maintenance costs can be considerable. See "Customizing server groups" on page 69. Managing multiple servers: You can simplify the management of multiple Lotus Domino servers when you replicate the Symantec Mail Security for Domino databases. The benefits of database replication are as follows: Configure and manage the product from one location. Ensure that all servers are configured exactly the same. Update virus definitions from one server. Collect and view reports and statistics for all servers in the managed server's Log. See "About replicating Symantec Mail Security for Domino databases" on page 64. You can create replica databases on your additional servers using one of the following methods: Create the database replicas on additional servers before you install Symantec Mail Security for Domino. Create database replicas on additional servers after you install Symantec Mail Security for Domino. If you intend to replicate the Definitions database, you must configure Settings database options first. See "Creating replica databases on an additio
175. ments 168; Exporting incidents to Microsoft Excel 171; Deleting items from the Log 172; Enabling the Log purge agent 172; Customizing Queries 174; Configuring Queries 174; Working with Queries 180; Enabling the scheduled reports agent 181. Chapter 11, Managing the Quarantine: About the Quarantine 183; Managing quarantined documents 184; About Quarantined Documents views 185; Assigning Quarantine roles 186; Actions to manage quarantined documents 188; About releasing documents from the Quarantine 189; About multiple violation types 190; Managing quarantined infected documents 190; Managing quarantined content filtering rule violation documents
176. mino databases sav.nsf, savlog.nsf, savquar.nsf, and savhelp.nsf. If you are going to replicate virus definitions to other Domino servers that are running Symantec Mail Security for Domino, savdefs.nsf is created here after installation. See "About replicating Symantec Mail Security for Domino databases" on page 64. Program Files\Common Files\Symantec Shared: Virus definitions files used for all Symantec products. Program Files\Symantec\LiveUpdate: Technology to download virus definitions files and program updates used for all Symantec products. System requirements: You must have administrator-level privileges to both Windows and the Lotus Domino server to install Symantec Mail Security for Domino. Your environment must also meet the following minimum requirements. Operating system: Windows 2000 Server SP3 and SP4; Windows 2000 Advanced Server SP3 and SP4; Windows Server 2003; Windows 2003 Enterprise Edition; 32-bit only. Lotus Domino: Domino Server 6.5; Domino Server 6.0.2 CF1, 6.0.2 CF2, 6.0.3; Domino Server 5.0.11, 5.0.12, 5.0.13. Lotus Notes: Lotus Notes Client 6.0 or later; Lotus Notes Client 5.0.8 or later. Note: Lotus Notes does not need to be installed on the same computer as the Domino server. Processor: 1 GHz Pentium or higher. Memory: 128 MB minimum, 256 MB recommended. Performance is dependent on ser
177. missing or invalid, you cannot download virus definitions updates, which keep protection current. To check the status of your content license, do one of the following: In the Log database, in the left pane, click Server Messages. In the Group document, on the Action bar, click Show Server Status. Open the Domino console, and at the command prompt, type the following: TELL SAV INFO [Screenshot: Lotus Domino server console showing the output of TELL SAV INFO] The status that is displayed either states that the content license is valid or that it has expired. Managi
178. mits or it is unscannable for any reason, it considers the document a scan error violation. By default, Symantec Mail Security for Domino logs the detection of encrypted container files. However, it quarantines all other types of scan error violation documents. You can change how Symantec Mail Security for Domino disposes of these types of scan error violations. See "Setting basic antivirus options" on page 94. When scan error violations are logged in the Log, they appear in the All Incidents view and are assigned a severity indicator. See "Understanding the Log views" on page 165. Because a scan error violation is unscannable, when you release a scan error violation document from the Quarantine, the document is not rescanned before it is sent to its destination. Documents that contain scan error violations and virus infections are treated as infected documents in the Quarantine and are rescanned when they are released from the Quarantine. See "About releasing documents from the Quarantine" on page 189. Scanning processes: Symantec Mail Security for Domino uses several antivirus technologies to scan documents for viruses. It looks for known viruses by comparing segments of your documents to the sample code inside of a virus definitions file. The virus definitions file contains nonmalicious bits of code, or virus definitions, for thousands of viruses. Symantec Mail Security for Domino uses Bloodhound technology, which provid
179. multiple Lotus Domino servers. Server groups let you group servers that have a common purpose and therefore require the same protection. By grouping servers, you only have to apply a common set of protection settings once, rather than repeatedly to each server. See "Creating a server group" on page 69. Where to get more information about Symantec Mail Security for Domino: Symantec Mail Security for Domino provides an extensive system of Help topics that you can access through the Help table of contents, troubleshooting topics, and index. Context-sensitive Help is available on each tab. When you use the Lotus Notes client to view the Symantec Mail Security for Domino databases, you can also access context-sensitive Help for each group of options on that tab. If you are connected to the Internet, you can visit the Symantec Web site for more information about your product. The following online resources are available to you. http://www.symantec.com/techsupp/ent/enterprise.html: Provides access to the technical support Knowledge Base, newsgroups, contact information, downloads, and mailing list subscriptions. http://www.symantec.com/licensing/els/help/en/help.html: Provides information about registration, frequently asked questions, how to respond to error messages, and how to contact Symantec License Administr
180. n the license file through the Symantec Web site again. Warning: License files are digitally signed. If you attempt to edit a license file, you will corrupt the file and render it invalid. To install the license file: 1. When you receive the email message from Symantec that contains the license file, save the license file to a location that is easily accessible. 2. In the Settings view, double-click the server group on which you want to install the license. 3. On the Licensing tab, on the Action bar, click Install or Upgrade License. 4. In the Select the license file dialog box, select the license file, and then click Open. 5. If a security dialog box prompts you to select security settings, select the appropriate settings, and then click OK to install the license file to the server. 6. On the License Installation Status document, on the Action bar, click Check License Installation Status. 7. On the Action bar, click Close when the License Installation Status reports that the license file is successfully installed. See "License installation status errors" on page 48. To check the license status, do one of the following: In the Log database, in the left pane, click Server Messages. On the Domino server console, at the command prompt, type TELL SAV INFO. In the Settings database, in the Group document, on the Action bar, click Show Server
181. n the Action tab, under When a violation is detected, select one of the following. Log only: Logs the violation only, but it does nothing with the document. This option is enabled by default. Delete the attachment(s) which meet the criteria: Deletes just the attachment that has a name, extension, content, or size that has violated the content filtering rule. Delete all attachments: Deletes all of the attachments, even if the violation is detected only in the email message text. Quarantine the document: Holds the document in the Quarantine database for administrator review. To view or take action on quarantined documents, you must have the appropriate role privileges. See "Managing quarantined documents" on page 184. Copy the document to the Quarantine database: Creates a backup copy of the document that contains the content filtering rule violation and places it in the Backup Documents view of the Symantec Mail Security for Domino Log. Delete the document: Deletes the document that triggered the content filtering rule violation. 2. To stop the content filtering engine from evaluating the document for additional content filtering rule violations after the first violation is detected, click Stop processing more rules. 3. On the Action bar, click Save. Deleting a content filtering rule: When you no longer need a content filtering rule, you can delete it from the content filtering rules list. To delete a content filtering rule
182. nable them again after you upgrade to Symantec Mail Security for Domino. For a user to enable, disable, or modify a purge agent, the administrator must grant rights to run unrestricted agents in the Server Document for the Domino Directory (Public Address Book) that belongs to the server. See "Enabling the Log purge agent" on page 172. See "Purging the Quarantine" on page 199. See "Enabling the Definitions purge agent" on page 161. See "Granting rights to run unrestricted agents" on page 41. If you enabled the scheduled reports agent in Symantec AntiVirus Filtering for Domino, you must enable it again after you upgrade to Symantec Mail Security for Domino. For a user to enable, disable, or modify the scheduled reports agent, the administrator must grant rights to run unrestricted agents in the Server Document for the Domino Directory (Public Address Book) that belongs to the server. See "Enabling the scheduled reports agent" on page 181. See "Granting rights to run unrestricted agents" on page 41. When you finish installing Symantec Mail Security for Domino, you should perform the post-installation tasks. See "Post installation tasks" on page 36. Before you upgrade to Symantec Mail Security for Domino, turn off the Lotus Domino server and the Lotus Notes client or Web client, if either is on the same computer as the server.
183. nal server" on page 66. About replicating Symantec Mail Security for Domino databases: To replicate Symantec Mail Security for Domino databases across multiple servers, you must first select a specific computer to host the hub for the databases. Then you must create replicas of the databases on your additional servers. The replicas must have the same names as the hub databases. With Lotus Domino push/pull replication technology, data on the hub is copied to the corresponding databases on the additional servers. For more information about replication procedures, see the appropriate Lotus Domino documentation. Ensure that you replicate Symantec Mail Security for Domino databases only to other servers that are running the same version of Symantec Mail Security for Domino and that are on the same operating system. Undesirable results are likely to occur when you replicate databases that are installed on different product versions or operating systems, and Symantec cannot provide support for this configuration. You can replicate the following Symantec Mail Security for Domino databases: Settings database (sav.nsf); Log database (savlog.nsf); Quarantine database (savquar.nsf); Definitions database (savdef.nsf). Settings database: Through replication, the Symantec Mail Security for Domino server task (NNtask) monitors the Settings dat
184. nd sending alert email notifications when an outbreak is detected. When your Domino server is attacked by a mass mailer worm or virus, the mass mailer cleanup feature automatically deletes mass mailer infected email messages and their attachments. See "Managing outbreak detection" on page 99. Isolating infected attachments: Symantec Mail Security for Domino includes a Quarantine that stores documents or email messages that trigger violations during a scan. Documents and email messages are placed in the Quarantine under the following circumstances: Content filtering is configured to quarantine or copy documents when a content filtering rule violation occurs in a document write, email message, or attachment, as specified by the content filtering rule. Any of the auto-protect, scan now, or scheduled scans are configured to quarantine documents after a virus is detected. Any of the auto-protect, scan now, or scheduled scans are configured to repair infected attachments but quarantine any documents that have attachments that cannot be repaired. Antivirus scanning is configured to quarantine any documents that contain scan error violations. You have several options for disposing of a document in the Quarantine, such as saving the document to another location or releasing the document. See "Manag
185. never the content filtering rule finds the letters Free, for example, as in Freedom. Building a match list: When you create a match list, give it a name that best describes the category of words and phrases that you intend to include in the list. You can create as many match lists as you need. After you create a match list, you can create a content filtering rule that uses the match list. The criteria for the content filtering rule applies to any word or phrase that is in the match list. Build a match list: A match list contains the words and phrases that you assign to it. You can add, edit, or delete words or phrases in a match list. A match list must contain at least one word or phrase. You can compose words in English or in single-byte or multi-byte international characters. The content filtering engine treats the word or phrase that you type as a regular expression. This means that you must use the escape character to turn off the special meaning of any metacharacters that you include in the word or phrase. See "Metacharacters" on page 114. To add a word or phrase to a match list: 1. In the Group document, on the Content Filtering tab, click the Match List tab. 2. On the Action bar, click New Word in Match List. [Screenshot: Content Filtering Named List Word document in Lotus Notes]
186. ng
   - Assign scores that accurately reflect the extent to which the word is representative of the category. A negative score can be used to offset the value of a prohibited word that is used in an appropriate context. For example, a negative score for the word cancer can offset the positive score of the word breast.
   - Ensure that the threshold value for the content rule is set appropriately.
   Use the following guidelines in choosing scores for custom words:
   - Consider assigning a score of 25 to 50 when you are certain that the results will be found in the expected category, in which 50 represents absolute certainty. Assign a score of 0 to 25 based on the likelihood that a word will appear in the correct context.
   - Test the words and categories against different threshold values in the content filtering rule, and adjust the word score or threshold values accordingly. If the default value of 50 is never attained and you are aware of several content filtering rule violations in a message that was passed over, consider lowering the threshold until the message is triggered, adding or rescoring the custom words, or removing existing words. Then investigate which words trigger the content rule and their scores. Use this investigative work to fine-tune the content filtering rule settings so that the rule is reliably triggered.
   Building a custom word category
   Symantec Mail Security for Domino lets you build custom word categories to supplement the
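The tuning loop described above can be rehearsed offline before changing a production rule. The following added example (not the product's code) scores constructed test messages against a constructed word category and sweeps the threshold; it assumes each distinct category word counts once, that scores are summed, and that a rule triggers when the total reaches the threshold, none of which is confirmed by this page.

```python
import re

# Constructed custom word category (word -> score); not the product's built-in lists.
# Positive scores follow the 25-50 guideline; negatives offset benign contexts.
CATEGORY = {"explicit": 40, "nude": 45, "breast": 30, "cancer": -30, "screening": -15}

# Constructed test messages, each labelled with whether the rule SHOULD trigger.
CORPUS = [
    ("Breast cancer screening reminder for staff", False),
    ("Explicit nude photos inside", True),
    ("Nude beach photos", True),
    ("Explicit content warning policy update", False),
    ("Breast pump recall notice", False),
]


def score_message(text, category):
    """Return (total, hits): summed score and the words that contributed.

    Assumption: each distinct word counts once, regardless of repetitions.
    """
    words = set(re.findall(r"[a-z]+", text.lower()))
    hits = {w: s for w, s in category.items() if w in words}
    return sum(hits.values()), hits


def evaluate(corpus, category, threshold):
    """Return (false_positives, false_negatives) with scores and contributing words."""
    false_pos, false_neg = [], []
    for text, should_trigger in corpus:
        total, hits = score_message(text, category)
        triggered = total >= threshold  # assumption: trigger at or above threshold
        if triggered and not should_trigger:
            false_pos.append((text, total, hits))
        elif should_trigger and not triggered:
            false_neg.append((text, total, hits))
    return false_pos, false_neg


def sweep(corpus, category, thresholds):
    """Map each threshold to (false positive count, false negative count)."""
    result = {}
    for t in thresholds:
        fp, fn = evaluate(corpus, category, t)
        result[t] = (len(fp), len(fn))
    return result


if __name__ == "__main__":
    for t, (fp, fn) in sweep(CORPUS, CATEGORY, [40, 45, 50]).items():
        print(f"threshold {t}: {fp} false positive(s), {fn} missed message(s)")
    # Show which words and scores explain a miss at the default threshold of 50.
    for text, total, hits in evaluate(CORPUS, CATEGORY, 50)[1]:
        print(f"missed at 50: {text!r} scored {total} from {hits}")
```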
187. Sending notifications when a threat or violation is detected
   Symantec Mail Security for Domino provides several options for notifying document authors, document recipients, and administrators of threats and violations. You define the conditions in which to send an alert and determine how to dispense with the document that contains the violation. You can also customize the alert message text for each alert condition that you define. See "Configuring alerts" on page 80.
   Managing single and multiple Lotus Domino servers
   Symantec Mail Security for Domino can provide protection for one or more Lotus Domino servers. You can simplify the creation and management of Domino databases across multiple Lotus Domino servers. Choose a single server on which to manage Symantec Mail Security for Domino and receive updated virus definitions. Use Lotus Domino replication technology to synchronize the Symantec Mail Security for Domino databases on the managed server with other servers. You can also use the replication process to send reports on statistics and incidents for all of the servers to the managed server. For more information about database replication, see your Lotus Domino documentation. See "Managing multiple servers" on page 64. See "Updating virus protection" on page 153. You can also set up server groups to simplify management of
188. ng rules that rules you want to use. See "Enabling default content filtering rules" on page 108.
   Table 7-1 Content filtering rule tasks
   - Create a new content filtering rule: Create your own content filtering rule to block sensitive or objectionable content. See "Creating a content filtering rule" on page 109.
   - Delete a content filtering rule: Delete a content filtering rule that you no longer need. See "Deleting a content filtering rule" on page 123.
   Viewing content filtering rules status
   Symantec Mail Security for Domino displays the status of default content filtering rules and any new rules that you have created on the Content Filtering > Rules tab. The list of rules shows whether the rule is enabled and the type of content or scan for which the rule is configured. A green check mark indicates that the option is enabled for the rule. A red X indicates that the option is not enabled. The types of content or scans to which a content filtering rule can be applied are as follows:
   - Email messages
   - Writes (documents saved to the server)
   - Scheduled scans
   - Scan now scans
   In addition, the content filtering rules status displays whether the Stop option is enabled for each rule. The Stop option stops the content filtering rule processing after Symantec Mail Security for Domino detects the first content filtering rul
189. ng the Definitions database
   The Definitions database stores LiveUpdate downloads, which consist of virus definitions files. Because the database can be replicated to other Domino servers that run Symantec Mail Security for Domino, only a single LiveUpdate is needed to maintain current protection on all servers. See "Managing multiple servers" on page 64. If you do not intend to replicate the Definitions database, this database is not necessary for Symantec Mail Security for Domino operations. The Definitions database hub stores the active definitions set in addition to the most recent definitions sets. A definitions set consists of one or more virus definitions files.
   If you choose to replicate virus definitions and you have created a virus Definitions database, you can manage this database as follows:
   - Create a new virus definitions set.
   - Select the definitions set to use for scanning.
   - Enable the Definitions purge agent to delete older definitions sets.
   You can access the Definitions database through the Lotus Notes client or through a Web client. See "Accessing Symantec Mail Security for Domino" on page 39.
   Creating a new virus definitions set
   LiveUpdate automatically places virus definitions files in the Program Files\Common Files\Symantec Shared\VirusDefs directory, which is used by all Symantec products. However, you can create your own virus defi
190. ng unwanted content
   - Working with content filtering rules
   - Using a match list
   - Filtering content with word categories
   About filtering
   Symantec Mail Security for Domino protects your servers from unwanted email messages (for example, spam) and content. Spam messages are unsolicited bulk email messages that typically contain advertising. Symantec Mail Security for Domino scans the contents of incoming email messages to determine the likelihood that they are spam, based on known spam characteristics. You can select the sensitivity level of the anti-spam scanning and configure the notification options. The white list feature lets you specify domains that are permitted to bypass the anti-spam scan, which reduces the incidents of false positives. See "Filtering spam" on page 102.
   Symantec Mail Security for Domino enhances mail security protection by blocking email messages and documents based on content. You can search the subject lines or contents of email messages and their attachments for offensive language, confidential information, and content with potential legal consequences. To search for unwanted content, you create content filtering rules. When the content or some attribute of a document or email message violates a rule, Symantec Mail Security for Domino disposes of the document based on the settings that you configure for that rule. You can set up as many cont
192. nitions set that consists of the virus definitions files that you select.
   To create a new virus definitions set
   1. On the Lotus Notes client, open the Definitions database.
   2. In the Definitions view, on the Action bar, click New.
   3. In the Definitions document, in the Virus Definitions Date field, modify the date for the new virus definitions set. The default setting is the current date.
   4. Place your cursor in the Virus Definitions field.
   5. On the Lotus Notes file menu, click File > Attach.
   6. In the Create Attachment(s) dialog box, select the virus definitions files that you want to add to your new definitions set, and then click Create. Virus definitions files are typically stored in the following location: Program Files\Common Files\Symantec Shared\VirusDefs\<numbered_folder>
   7. On the Action bar, click Save. Symantec Mail Security for Domino automatically calculates the Size of definition set field.
   Selecting the active definitions set
   Each time Symantec Mail Security for Domino performs a LiveUpdate, the virus definitions set that is downloaded is added to the Virus Definitions view and is automatically selected as the active definitions set. However, you can select another definitions set for scanning. The definitions set that you choose remains active until the next LiveUpdate runs. The next definitions set that is downloaded by LiveUpdate becomes the acti
193. no only scans incoming email messages from Internet domains for spam detection. System resources are conserved by letting internal email messages bypass anti-spam scanning.
   Configuring anti-spam settings
   Symantec Mail Security for Domino performs an analysis of the entire incoming email message for key characteristics of spam. It weighs its findings against key characteristics of legitimate email messages and assigns an accuracy rating (for example, 98) about the certainty that the message is spam. The rating, in conjunction with the engine sensitivity level, determines whether a message is considered spam. The sensitivity of the anti-spam engine can be adjusted to maximize detections and minimize false positives. The sensitivity threshold can be set from 1 (low) to 5 (high), where 1 minimizes false positives and detections and 5 maximizes detections and false positives. The default sensitivity level for the anti-spam engine is 1 (Low). When you increase the sensitivity level, more false positives are likely to occur. You can prepend the email message subject line to notify the recipient that the email message is identified as spam. You can also add a new field to the email message that provides the spam detection accuracy percentage.
   To configure anti-spam settings
   1. In the Settings view, double-click a server group.
   2. In the Group document, on the Anti-spam tab, on the
194. ntec Mail Security for Domino. See "Upgrading Symantec Mail Security for Domino" on page 33. If you have multiple Lotus Domino partitions on the same server, the installation program detects each one and lets you specify the partitions on which to install Symantec Mail Security for Domino.
   To facilitate enterprise-wide management of Symantec Mail Security for Domino, you can replicate the Symantec Mail Security for Domino databases to other servers that run Symantec Mail Security for Domino. With replication, you can configure Symantec Mail Security for Domino settings from a single server, report virus incidents and statistics for all servers, and use a single virus definitions update to maintain current protection for all servers. See "About administering Symantec Mail Security for Domino on multiple servers" on page 63.
   When you are finished installing Symantec Mail Security for Domino, you should perform the post-installation tasks. See "Post installation tasks" on page 36.
   Before you install Symantec Mail Security for Domino, turn off the Lotus Domino server and the Lotus Notes client or Web client if either is on the same computer as the server. Restart these applications when the installation is complete.
   To install Symantec Mail Security for Domino
   1. Insert the Symantec Mail Security for Domino installation CD into your
195. ntined again, but this time as a content filtering rule violation. When a document contains a scan error violation and one or more content filtering rule violations, it is quarantined as an infected document. However, when you release the document from the Quarantine, it is not rescanned. Because the document is not rescanned, even when Symantec Mail Security for Domino is configured to quarantine content filtering rule violations, the document is not returned to the Quarantine as a content filtering rule violation.
   Managing quarantined infected documents
   You manage infected documents from the All Quarantined Documents, By Recipient, By SMTPOriginator, or Virus Infections views. Ensure that you have at least VirusViewer roles before you open the Quarantine, or you will not see any quarantined documents. See "Assigning Quarantine roles" on page 186.
   Before you can release an infected document from the Quarantine database, you must ensure that it no longer contains infected attachments. You can make an infected attachment safe by deleting it, replacing it, or repairing it. You can release documents only when you are assigned the VirusReleaser role.
   Manage quarantined infected documents
   You can manage quarantined infected documents in any of the following ways:
   View a Quarantined Document: The Quarantined Document contains basic information about a specific violation which
196. o
   2. In the Lotus Notes workspace, right-click the Quarantine database, and then click Database > Access Control.
   3. In the Access Control List dialog box, ensure that the appropriate persons or groups to manage the Quarantine are added to the Access Control List as Managers with Delete Documents rights.
   4. In the Roles box, select one or more roles for each person or group to manage the Quarantine. See "Assigning Quarantine roles" on page 186.
   5. On the Access Control List dialog box, click OK.
   Actions to manage quarantined documents
   Table 11-3 lists the actions that you can take to manage quarantined documents. These items appear as icons on the Action bar in the Quarantine Document. Only those actions that are appropriate to your role appear on the Action bar.
   Table 11-3 Quarantined Document actions
   Save Attachments: Saves a copy of the attachment or attachments in a location that you choose. After you save a copy, you should run another scan to repair it (perhaps using updated virus definitions) or forward it to Symantec Security Response (formerly known as SARC) for repair. After it is repaired, you can add the attachment to the quarantined document again and release it to its recipient. If the attachment contains a content filtering rule violation, you can save it in a location where someone can review it before deciding what further action to take. You mu
197. o scan all documents or only those that were modified since a specified date, and how to respond when a virus is detected. You can perform a scan now scan through the user interface or from the Domino console. See "Initiating tasks from the Domino console" on page 50. See "Configuring scan now settings" on page 140.
   To scan for content filtering rule violations, you must first specify that the content filtering rule applies to Manual Scans (scan now) on the Content Filtering > Basics tab when you create or modify a rule. See "Setting the basic options for a content filtering rule" on page 110.
   Warning: Scanning for content filtering violations is not safe for most databases. Only apply content filtering rules to databases that need to be scanned for a specific type of content filtering rule violation.
   For incremental scans, Symantec Mail Security for Domino uses the current date format that is set on the system, regardless of what is typed. For example, if you type 5/3/04 12 A.M. and the date format on your computer is set for MM/DD/YY HH:MM AM/PM, Symantec Mail Security for Domino reflects the date as 05/03/04 12:00 A.M.
   You can also configure Symantec Mail Security for Domino to dispose of documents that contain violations. When Symantec Mail Security for Domino deletes an attachment, it adds explanatory text to the
198. o query for. Under Violation Type, select any of the following:
   - Virus: This option queries for viruses found in Notes documents or email message attachments. Available selections are populated from the cumulative total in the Incidents view. After you select the Virus option, in the box below Violation Type, select the virus infection type that you want to query for, or leave it at Any. The list is populated with virus infection types that the Log has captured.
   - Spam: This option queries for email messages that are identified by the heuristic anti-spam engine as spam email.
   - Content: This option queries for violations in document contents. The violation must match the conditions that are specified on the Content Filtering > Rule tab, where the specified attribute is Body.
   All options are enabled by default.
   5. To specify documents that Symantec Mail Security for Domino handled in a specific way when it detected a violation: Under Action Taken, select any of the
199. of the Settings, Log, and Quarantine databases. This is required for minimal operation of the software. To minimize the impact on performance, Symantec Mail Security for Domino does not attempt to sign every design element. The first time that you attempt to open an unsigned database, you are prompted whether to trust unsigned code. Trusting unsigned code is a security risk because it violates the integrity of the workstation. Before you open the databases for the first time, sign the databases with a trusted Notes ID file using the Domino Administrator client.
   To properly sign the Symantec Mail Security for Domino databases, there are several options that you must configure. In the Domino Administration client, in the Sign Database dialog box, ensure that the following settings are configured:
   - Under What do you want to sign, select All design documents.
   - Ensure that Update existing signatures only (faster) is unchecked.
   - If you are using Domino 6.x, repeat the database signing steps and, under What do you want to sign, select All data documents.
   Configure the ID as follows:
   - The ID should sign all design documents (and all data documents if you are using the Domino 6.x Administration Client), not just those with existing signatures.
   - It should be a trusted administrator's ID or server ID.
   - The ID should have the right to run unrestricted LotusScript/Java agents (Domino 5) or run unrestricted Methods and Operations (Domino 6
200. one of the following options for disposing of unrepairable infected documents:
   - Log only
   - Delete the infected attachment
   - Quarantine the document. This option is enabled by default.
   To eliminate viruses from ID-signed documents, under Repair signed documents, click Yes. This option is enabled by default.
   To dispose of an encrypted container file that cannot be scanned, under When messages are unable to be scanned, Due to encrypted containers, select one of the following:
   - Log only. This option is enabled by default.
   - Delete the infected attachment
   - Quarantine the document
   To dispose of the scan error file, under Due to scan errors, select one of the following:
   - Log only
   - Delete the infected attachment
   - Quarantine the document. This option is enabled by default.
   On the Action bar, click Save.
   Managing outbreak detection
   A virus outbreak is suspected when Symantec Mail Security for Domino detects an excessive number of viruses or events that exhibit virus-like behavior on Domino servers. When Symantec Mail Security for Domino suspects a virus outbreak, prompt action is necessary. The outbreak management feature lets you protect systems during an outbreak even before you have received the latest virus definitions. Symantec Mail Security for Domino helps you manage virus outbreaks as follows:
   Specify the criteria for an outbreak: These
201. ons
   - Virus Incidents: Lists incidents that are logged because of virus detections. The virus column lists the name of the detected virus.
   - Spam Detection Incidents: Displays incidents that are detected by the anti-spam engine. The spam score column lists the spam percentage score.
   - Content Filtering Incidents: Displays incidents that are logged because of content filtering rule violations. The violation column lists the names of content filtering rule violations.
   You can export selected incidents to a Microsoft Excel spreadsheet. See "Exporting incidents to Microsoft Excel" on page 171.
   Table 10-1 Symantec Mail Security for Domino Log views
   Statistics: Displays predefined statistical reports of Log data. When you select Virus, Spam Detection, or Content Filtering within the Statistics view, you view data as follows:
   - Organizational Author: Displays cumulative incidents sorted by the organization & author column in the Log. The All view shows the names and total counts of detections. It shows quarantined and cleaned documents and violations that were only logged. It also shows the name of the virus and content filtering rule violation and the spam score.
   - Organization Server: Displays cumulative data from incidents sorted by the organization & server database column in the Log. The All view shows the names and total coun
202. ons. AND and OR conjunctions cannot be used in the same rule.
   2. Under Expression, select one of the following:
      - If
      - Unless
   3. Under Attribute, in the drop-down list, select the appropriate attribute.
   4. Under Comparison, in the drop-down list, select the appropriate comparison option. Comparison options change depending on the attribute that you select.
   5. Under Value, type the threshold value. Value options change depending on the attribute that you select.
   6. Click Add.
   7. On the Action bar, click Save.
   To edit an expression
   1. Under List of Expressions, select the expression that you want to edit.
   2. Click Edit.
   3. Modify any of the expression options.
   4. To the right of the Value box, click Save.
   5. On the Action bar, click Save.
   To delete an expression
   1. Under List of Expressions, select the expression that you want to delete.
   2. Click Delete.
   3. On the Action bar, click Save.
   Setting the action options for a content filtering rule
   You must configure how to dispose of documents that contain content filtering rule violations. You can configure Symantec Mail Security for Domino to stop evaluating the document for additional content filtering rule violations after the first content filtering rule violation is found. This helps optimize performance.
   To set the action options for a content filtering rule
   1. In the Content Filtering Rule Document o
204. oose when you want the scan to begin and end. When you enter a time range (for example, 04:00-06:00 A.M.), the scan starts at 04:00 A.M. and ends at 06:00 A.M., even if it is not finished scanning all of the databases that it is configured to scan. When a scan has remaining databases to examine at its stop time, it continues where it left off at the next schedule time. When you enter a single time (for example, 9:00 A.M.), the scan always continues until it is completed, regardless of the time required to do so.
   For incremental scans, Symantec Mail Security for Domino uses the current date format that is set on the system, regardless of what is typed. For example, if you type 5/3/04 12 A.M. and the date format on your computer is set for MM/DD/YY HH:MM AM/PM, Symantec Mail Security for Domino reflects the date as 05/03/04 12:00 A.M.
   Note: For domains with multiple servers, Symantec Mail Security for Domino lets you schedule the same scan to run on one or more servers. You can schedule the scan itself from any server in the domain. For server-specific changes to scheduled scans, the Settings database (sav.nsf) must be replicated to the appropriate servers. See "Managing multiple servers" on page 64.
   You can also configure Symantec Mail Security for Domino to dispose of documents that contain violations. When Symantec Mail Security for Domino deletes an attachment, it adds explanatory text to the attachment icon. By default, it saves the d
205. ors
   When you perform a scan now (on-demand) scan from the Lotus Notes client, you can check the status of the scan. See "Configuring scan now settings" on page 140.
   When a scan status cannot be determined because of an unresponsive server, you receive the following error message: "Waiting for response from server. Click Check Scan Status again. When no response occurs after 5 minutes, a communication error with NNTASK might have occurred. See documentation for more information." When you receive this message, one of the following events might have occurred:
   - NNTASK might be under a heavy load and unable to immediately respond to the user's status request.
   - NNTASK might not be running on the server.
   - The network might be slow.
   After you resolve the issue, close the Scan Status document and perform scan now again.
   If Symantec Mail Security for Domino can confirm that the connection with NNTASK has failed, you receive the following error message: "Error communicating with NNTASK. Click Close and try again." Close the Scan Status document and perform scan now again.
   LiveUpdate status errors
   When you perform an on-demand LiveUpdate, you can check the status of the LiveUpdate to ensure that the most current virus definitions were installed. See "Updating virus protection with LiveUpdate" on page 153.
   When a LiveUpdate status cannot be determined because of an unresponsive server, you receive the following er
206. ound Macro monitors the macros as they run to see if they copy themselves from the host document to another virtual document. Bloodhound Macro also runs the copied macros and verifies whether they can further propagate.
   About NAVEX technology
   NAVEX is a technology that lets you automatically update the antivirus scanning component of Symantec Mail Security for Domino during routine virus definitions updates. This ensures that your antivirus protection stays current, regardless of platform, against new virus threats without the need for inline revisions or time-consuming upgrades.
   The antivirus scanning component is comprised of dozens of complex search algorithms, CPU emulators, and other program logic. The scanning component examines a file to determine if it contains viruses. The scanning component scans files and disks for virus fingerprints (unique sequences of bytes that are known to be contained in viruses). These fingerprints are stored in the virus definitions files that are downloaded at least once a week. The scanning component also repairs infected documents.
   Occasionally, a new virus or class of virus emerges that cannot be detected by existing scanning components. These viruses require new algorithms for detection and, consequently, a new scanning component. NAVEX technology lets you quickly and efficiently upgrade the Symantec Mail Security for Domino scanning components.
   About Striker technology
   Striker technology identifies
207. ow Symantec Mail Security disposes of infected documents or documents that contain violations.
   Performing tasks from the Domino console
   You can manage several Symantec Mail Security for Domino operations and perform scanning functions from the Domino server console, as shown in Figure 2-3.
   Figure 2-3 Domino console [screenshot: Lotus Domino server console showing the output of tell sav, which lists the valid SMSDOM commands]
   - INFO: Show summary information
   - STAT RESET: Reset all SMSDOM statistics
   - JOBS: Show upcoming scheduled scans
   - SCAN <names>: Start a database scan
   - STOP <n>: Stop the scan with ID number <n>
   - QUIT: End task. Use load NTASK to reload
   To perform tasks from the Domino console
   At the command promp
208. own virtual computer. It then runs the file and probes for and assesses suspicious behavior, such as whether the file has replicated itself a number of times in a specified period of time. Because the problem file runs within a separate virtual computer that replicates the operating system environment, the potentially infected document cannot harm other documents on the computer. In most cases, Bloodhound can determine in milliseconds whether a file or document is likely to be infected by a virus. When it determines that a file is not infected, it moves to the next file.
   Bloodhound and executable viruses
   Bloodhound uses artificial intelligence (AI) technology to isolate and locate the various logical regions of each application that it is configured to scan. It analyzes the program logic in each of these regions for virus-like behavior and simulates this behavior to determine whether the program is a virus.
   Bloodhound and macro viruses
   Symantec Bloodhound Macro technology uses a hybrid heuristic scheme to detect and repair more than 90 percent of all new and unknown macro viruses. For example, every time that Symantec Mail Security for Domino scans a Microsoft Word document, Bloodhound Macro sets up a complete virtual environment into which it loads the document. The macros that are contained in the document are run as they would be in the word processing application. Bloodh
209. p a server group, you decide which servers belong together and which set of protections to apply to them. For example, you can create a group of servers that are not used for mail routing and turn off email scanning for that group. See "Creating a server group" on page 69.
   An Unassigned Servers server group always exists and contains any servers that are not assigned to a server group. The Unassigned Servers server group cannot be deleted.
   After you create a server group, you can copy the settings to create new server groups. See "Copying settings to create a new server group" on page 70.
   If you remove a server from your system or decide to move the server to a different server group, you can remove it from the server group listing. Servers that are listed in the Unassigned Servers server group cannot be deleted. See "Removing a server from a server group" on page 71.
   You can delete an entire server group; however, all of the configuration settings for that group, such as content filtering rules and anti-spam settings, are also deleted and cannot be restored. The Unassigned Servers server group cannot be deleted. See "Deleting a server group" on page 72.
   Creating a server group
   You can create as many server groups in the Settings database as needed. A server group called Unassigned Servers always exists and contains any servers that are not assigned to another server group. A server can only reside in one server grou
210. p at a time, and the Unassigned Servers Group cannot be deleted. To create a server group: 1. On the Lotus Notes client, open the Settings database. 2. In the Settings view, on the Action bar, click New Server Group. 3. On the Configuration tab, on the Servers tab, beside Server Group, type a name for the server group. 4. Click Add Server(s) to Group. 5. In the Add Server to Group dialog box, select one or more servers, and then click OK. 6. On the Action bar, click Save. Copying settings to create a new server group: To save time, you can copy the settings that you have configured for one server group to a new server group. To copy settings to create a new server group: 1. In the Settings view, select the server group that you want to copy. 2. On the Action bar, click Copy Settings to New Group.
211. page 97 See Configuring scheduled scans on page 145 See Configuring scan now settings on page 140 See Creating a content filtering rule on page 109 m Link Link to the document in the Quarantine when applicable You must have the proper roles to view or take action on a quarantined document See Assigning Quarantine roles on page 186 Using the Symantec Mail Security for Domino Log 171 Managing the Log To view message and incident documents 1 2 On the Lotus Notes client open the Log database In the Log view on the left pane select one of the following views Server Messages Product Information Scan Reports All Incidents Virus Incidents Spam Detection Incidents Content Filtering Incidents In the right pane select the item for which you want to view a detailed report To open the document do one of the following m Double click the item m On the Action bar click Open Exporting incidents to Microsoft Excel Symantec Mail Security for Domino lets you export incidents that are stored in the Log to a Microsoft Excel spreadsheet You can select one or more incidents to export The option to export incidents to Microsoft Excel is available only in the Lotus Notes client To export incidents to Microsoft Excel 1 In the Log in the left pane select the Incidents view that contains the incidents that you want to export In the right pane to the left of the inc
212. polymorphic computer viruses which are the most complex and difficult viruses to detect Like an encrypted virus a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer and then decrypts the virus body A polymorphic virus also adds a mutation engine that generates randomized decryption routines that change each time that a virus infects a new program As a result no two polymorphic viruses look alike Each time that Striker scans a new program file it loads the file into a self contained virtual computer The program runs in this virtual computer as if it were running on a real computer The polymorphic virus runs and decrypts itself Striker then scans detects and repairs the virus 94 Establishing antivirus protection Establishing antivirus scanning policies About LiveUpdate LiveUpdate ensures that your network is not at risk of infection from newly discovered viruses Updated virus definitions files contain the necessary information to detect and eliminate viruses They are supplied from Symantec at least every week and whenever a new virus threat is discovered Symantec Mail Security for Domino can be configured to poll the Symantec LiveUpdate servers to determine if updated virus definitions were posted When new virus definitions are available Symantec Mail Security for Domino downloads the files and installs them in the proper location Virus protection stays current
213. ponding third party product or platform. You may only use that Software for the corresponding product or platform. You may only use the Software for the number of units (e.g., desktops, mailboxes, nodes, servers, etc.) specified in the License Module. E. If the Software You have licensed is Symantec Client Security, this Software utilizes the Standard Template Library, a C++ library of container classes, algorithms, and iterators. Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc. Copyright (c) 1994 Hewlett-Packard Company. Contents: Technical support; Chapter 1; Chapter 2; Introducing Symantec Mail Security for Domino; About Symantec Mail Security for Domino; What's new in Symantec Mail Security for Domino; Components of Symantec Mail Security for Domino; How Symantec Mail Security for Domino works; About scan error violations; Scanning processes; About Symantec Mail Security for Domino databases; About zero maintenance management; Integrating with other Symantec products; What you can do with Symantec Mail Security for Domino; Protecting again
214. r numerous known viruses When Symantec Mail Security for Domino finds a match the document is considered infected and the document is disposed repaired deleted quarantined or logged and delivered according to your configuration settings When Symantec Mail Security for Domino receives an email message with an attachment from an Internet source it decodes and decompresses the attachment and then scans it for viruses Symantec Mail Security for Domino also uses Symantec Bloodhound heuristics technology to scan for viruses for which no known definitions exist Bloodhound heuristics technology scans for unusual behaviors such as self replication to target potentially infected documents 138 Scanning for viruses spam and content filtering rule violations About auto protect scanning Symantec Mail Security for Domino lets you filter undesirable message content by using dictionary based content filtering and content filtering rules that you create Symantec Mail Security for Domino uses a heuristic anti spam engine to scan messages for characteristics that are known to be spam and uses white lists to reduce the incidents of false positives Symantec Mail Security for Domino scans first for viruses then for spam detection and then for content filtering rules To perform any of the Symantec Mail Security for Domino scanning functions you must have a valid product license installed See About licensing on page 55 Symantec Mail S
215. riate level of detection. The default setting is Med (medium). 3. To automatically delete infected mass mailer email messages and their attachments, under Mass Mailer Cleanup, click On. This option is enabled by default. 4. To scan native MIME message bodies, under Native MIME message bodies, check Scan for malicious HTML in message bodies. 5. If you want to use a directory other than the Windows TEMP directory, under Directory for temporary files, type the new directory location. If you are using a third-party antivirus product, configure the third-party product not to scan this directory. This prevents conflicts with Symantec Mail Security for Domino operations. 6. To limit the RAM used to examine files in memory, under Maximum memory to use per thread for extracting attachments, type the appropriate number of kilobytes. The default setting is 20000. 7. On the Action bar, click Save. Setting container limits: Symantec Mail Security for Domino contains a decomposer that extracts container files so that they can be scanned for viruses. The decomposer continues to extract container files until it reaches the base file. Symantec Mail Security for Domino imposes limits on file extraction. These limits protect against denial-of-service attacks that are associated with overly large or complex container files that take a long time to decompose. These limits also enhance scanning performance. When a container file reaches any one of the set limi
216. ries Work with queries Symantec Mail Security for Domino lets you run manual queries on demand and view the query results in the Completed Reports view When you no longer need a manual or scheduled query or any of the completed query reports you can delete it from the Query or Completed Reports view To run a manual query and view it 1 Inthe Log view in the left pane click Reporting 2 Under Reporting click Queries 3 Inthe Queries view in the right pane double click the manual query to open it 4 Inthe Custom Query document on the Action bar click Run Report Now 5 To return to the Queries view on the Action bar click Close Using the Symantec Mail Security for Domino Log 181 Customizing queries 6 Inthe left pane under Reporting click Completed Reports 7 Double click the report to view it To delete queries in the Queries view 1 Inthe Queries view in the right pane click in the column to the left of the queries that you want to delete A black check mark appears next to the selected items To unselect an item for deletion click in the column again 2 On the Action bar click Delete A black X appears to the left of the item which indicates that it is selected for deletion To unselect an item click it and then on the Action bar click Delete 3 Press F9 to refresh the view 4 Inthe confirmation dialog box click Yes To delete reports in the Completed Reports view 1 Inthe Completed Reports v
217. ring rules Table 7 2 Metacharacters for in regular expressions char n A single character char followed by a number n in braces char n Matches the number of repetitions of the character For example X 3 matches XXX char min A single character char followed by a number min and a char min comma in braces Matches the minimum number of repetitions of the character For example X 3 matches at least three repetitions of X char min max A single character char followed by a pair of numbers in braces char min max Matches the minimum number of repetitions of the character but no more than the maximum number of repetitions For example X 3 7 matches from three to seven repetitions of X string Parentheses Groups parts of regular expressions giving the Gtring string inside the parentheses precedence over the rest lt Backslash followed by a less than sign Matches the beginning of an identifier defined as the boundary between nonalphanumeric and alphanumeric characters including the underscore character _ This expression matches no characters only the context gt Backslash followed by a greater than sign Matches the end of an identifier defined as the boundary between nonalphanumeric and alphanumeric characters including the underscore character _ This expression matches no characters only the context When multiple metacharacters are used in an express
218. rom Symantec and then install it When you have multiple servers you must distribute the license files to all of the servers on which Symantec Mail Security for Domino is installed See Activating a license file on page 56 See Distributing license files to multiple Domino servers on page 60 Virus definitions updates and scanning operations are limited to the period of time that is specified by the respective license When a license approaches its expiration date it enters the warning period During the warning period the product sends messages that remind you that your license needs renewing See Renewing licenses on page 60 Note The license period begins the day that you register the license with Symantec on the Symantec Web site Activating a license file To activate a license you must have the serial number that is required for activation Each license has a separate serial number The serial number is used to request a license file and to register for support The format of a serial number is a letter followed by 10 digits for example F2430482013 The serial number is printed on the Symantec Serial Number Certificate The Symantec Serial Number Certificate is not part of the Symantec Mail Security for Domino software distribution It is mailed separately and arrives in the same time frame as your software Activating your Symantec Mail Security for Domino licenses 57 Activating a license file I
219. ror message Waiting for response from server Click Check LiveUpdate Status again When no response occurs after 5 minutes a communication error with NNTASK might have occurred See documentation for more information When you receive this message one of the following events might have occurred m NNTASK might be under a heavy load and unable to immediately respond to the user s status request 50 Installing Symantec Mail Security for Domino Initiating tasks from the Domino console m NNTASK might not be running on the server m The network might be slow m Multiple LiveUpdate sessions might have been triggered on the same server LiveUpdate might take several minutes to complete LiveUpdate takes longer when multiple sessions are running on the same server After you resolve the issue close the LiveUpdate Status document and run LiveUpdate again If Symantec Mail Security for Domino can confirm that the connection with NNTASK has failed you receive the following error message Error communicating with NNTASK Click Close and try again When you receive this message close the LiveUpdate Status document and run LiveUpdate again Initiating tasks from the Domino console Symantec Mail Security for Domino lets you view manage and perform various functions directly from the Domino console From the console you can perform on demand scans that use your Settings database configurations You can also modify h
220. rver group on page 70. As an alternative, you can view the default content filtering rule settings and then recreate the rule for another server group. The following default rules display in the content filtering rule status, along with any other rules that you create: Delete attachments greater than 5megs in size; Delete launchable attachments; Delete Visual Basic Script attachments; Quarantine documents with questionable content. Content filtering is turned off by default. To scan for content filtering rule violations, you must enable rules processing in addition to enabling each rule that you want to use. See Enabling the content filtering process on page 108. To enable default content filtering rules: 1. In the Group document, on the Content Filtering tab, on the Rules tab, double-click the rule that you want to enable.
221. rver status You can check the status of the server on which the Settings database is installed Checking server status helps you determine if SESA logging is enabled disabled or disconnected or if mass mailer cleanup spam detection content filtering and outbreak detection are activated You can also check product license and content license expiration dates To check server status 1 Inthe Settings view double click a server group 2 Onthe Action bar click Show Server Status 3 On the Action bar click Check Statistics See Server status errors on page 47 4 If necessary click Reset Statistics to restart the status counter and prepare for the next status inquiry 5 Click Close to close the Server Status document Installing Symantec Mail Security for Domino 47 Troubleshooting status errors Troubleshooting status errors Symantec Mail Security for Domino relies on connections with the server and particularly on connections with the NNTASK process to provide server status If the server is unresponsive or if the connection with NNTASK has failed then Symantec Mail Security for Domino is unable to provide the current status You may receive status error messages in the following situations m Checking the server status See Server status errors on page 47 m Installing a license file See License installation status errors on page 48 m Checking a scan status See Scan status errors on page 49
222. s Because a scan error violation is unscannable when you release it from the Quarantine the document is not 190 Managing the Quarantine Managing quarantined documents rescanned before it is sent to its destination Use caution when you release scan error violation documents from the Quarantine because they may still be a threat for malicious attacks As a best practice ensure that the client is adequately protected For example an email message is quarantined because it contains an encrypted container file It is released from the Quarantine by the administrator and sent to its destination The recipient of the email message uses a valid password to open the encrypted file If the encrypted file contains a virus the client is now vulnerable to the virus infection if the client does not have adequate virus protection About multiple violation types When documents are scanned they might trigger more than one type of violation For example a document might be infected with a virus and it might contain a content filtering rule violation When a document is infected and contains one or more content filtering rule violations the document is quarantined as an infected document When you delete the infected attachment and release the document from the Quarantine the document is scanned again After it is rescanned if Symantec Mail Security for Domino is configured to quarantine content filtering rule violations the document is quara
223. s necessary See About tokens for customizing email message alerts on page 80 4 Inthe Body field type the body of the email message for the alert The default text is Please check the SMSDOM Log for more information Use tokens to customize the subject or body of the email message alert as necessary See About tokens for customizing email message alerts on page 80 88 Setting global scanning options Configuring global scanning options To include the action that was taken by Symantec Mail Security for Domino in the email message alert to the administrator click Report action taken by Symantec Mail Security for Domino This option is enabled by default To include information about the violation from the Log in the email message click Include violation information from the log This option is enabled by default On the Action bar click Save To set alert message options for the document author 1 In the Alert Notification document on the Alert Messages tab on the Document Author tab check Send following alert to document author Under Custom text to document author in the Subject field type the subject line of the email message for the alert The default text is SMSDOM detected a violation in a document you authored Use tokens to customize the subject or body of the email message alert as necessary See About tokens for customizing email message alerts on page 80 In the Body field type th
224. s program is provided on the Symantec Mail Security for Domino installation CD in the following folder ADMTOOLS JRE j2re 1_3_1_02 win exe To install the SESA Agent using the SESA Agent Installer that Symantec Mail Security for Domino provides run the Installer on all computers on which Symantec Mail Security for Domino is installed To install the local SESA Agent using the Agent Installer 1 On the computer on which you have installed Symantec Mail Security for Domino insert the Symantec Mail Security for Domino installation CD into the CD ROM drive The installation program launches automatically If it does not run cdstart exe from the installation CD 2 Inthe Installation window click Install SESA Agent to begin the installation process Progress through the Installation wizard by clicking Next at the bottom of each screen when you are ready to proceed 3 Indicate that you accept the terms of the Symantec license agreement You must accept the terms of the license agreement for the installation to continue 4 From the list of products to register with SESA choose Symantec Mail Security for Domino You can register only one product at a time If you are installing the SESA Agent to work with more than one Symantec product you must run the installer again for each product 5 Under Choose Destination Location select the location in which to install the local Agent The default location is C Program Files Symantec SESA If th
225. s from the Quarantine. See Managing quarantined documents on page 184. To set access control for Symantec Mail Security for Domino databases: 1. Log on to the account that you plan to use to administer Symantec Mail Security for Domino. 2. In the Lotus Notes workspace, right-click the Settings database icon, and then click Database > Access Control. 3. In the Access Control List window, add yourself, a group, or other users as necessary to the Access Control List as Managers with Delete Documents rights. 4. In the Access Control List window, click Default. 5. In the Access list, click No Access. 6. Click OK. 7. Repeat steps 1-6 for the rest of the Symantec Mail Security for Domino databases. When you set access control for the Quarantine database, you must assign roles to those groups and users who use the Quarantine. See Assigning Quarantine roles on page 186. Placing Symantec Mail Security for Domino database icons on your Lotus Notes workspace: Symantec Mail Security for Domino is fully integrated with the Lotus Notes environment and can be accessed like any other database. For easy access to the Symantec Mail Security for Domino databases, you can install the database icons on your Lotus Notes workspace. To place the Symantec Mail Security for Domino database icons on your Lotus Notes workspace: 1. On the Lotus Notes workspace, on the F
226. s of viruses Due to the potential volume of email messages during a mass mailer outbreak there is no alerting function for this type of virus detection See Configuring logging options on page 78 See Checking server status on page 46 Multipurpose Internet Mail Extensions MIME is the official Internet standard for encoding data that cannot be transmitted through email Symantec Mail Security for Domino lets you scan email messages for malicious code in native MIME message bodies Symantec Mail Security for Domino uses the default Windows TEMP directory to process files during scans If necessary you can specify a directory on another drive that has more space available You must have at least 100 MB of free space on the drive that contains this directory If you type a directory that is not valid Symantec Mail Security for Domino uses the Windows TEMP directory If you are using a third party antivirus product not a Symantec product with Symantec Mail Security for Domino you should configure the third party product not to scan this directory This prevents potential conflicts with Symantec Mail Security for Domino operation 96 Establishing antivirus protection Establishing antivirus scanning policies To set basic antivirus options 1 Inthe Settings view double click a server group 2 Inthe Group document on the Antivirus tab on the Basic tab under Bloodhound heuristic virus detection technology select the approp
227. s scoring is used for word context and for adjustments to the total score Only vendor supplied words and phrases use bonus scores When you add a custom word or phrase to a custom word category Symantec Mail Security for Domino requires that you assign a base score to the entry It does not require a bonus score for custom entries Assigning the threshold values for scoring Symantec Mail Security for Domino does not provide a default threshold value You must choose a value for the content score rule given the category or categories that you have configured for that rule For example you might choose a value of 50 for the threshold value and choose the Comparison gt greater than This means that Symantec Mail Security for Domino must evaluate an email message as having a score of 51 or greater to trigger a rule violation If you choose a threshold value of 20 for example and a lt less than Comparison then a message score of 19 or less is necessary to trigger a violation The meaningfulness of the threshold value can vary widely The content filtering engine correlates the total score with the total number of word matches in a document Therefore factors such as the number of word categories that you select for filtering and the file size affect the significance of the threshold value The more word categories that you select and the larger the file size the easier it is for a score to reach the threshold and trigger a content f
228. s to search for both single byte and multi byte character patterns Table 7 2 Metacharacters for in regular expressions Period Matches any single character of the input sequence Circumflex Represents the beginning of the input line For example A is a regular expression that matches the letter A at the beginning of a line The character is only special at the beginning of a regular expression or after the or characters Dollar sign Represents the end of the input line For example A is a regular expression that matches the letter A at the end of a line The character is only special at the end of a regular expression or before the or characters Table 7 2 Filtering spam and unwanted content 115 Working with content filtering rules Metacharacters for in regular expressions Asterisk Matches zero or more instances of the string to the immediate left of the asterisk For example A matches A AA AAA and so on It also matches the null string zero occurrences of A Question mark Matches zero or 1 instance of the string to the immediate left of the asterisk Plus sign Matches 1 or more instances of the string to the immediate left of the plus sign Escape Turns on or off the special meaning of metacharacters For example only matches a dot character matches a literal dollar sign character Note that matches a literal character Pipe Matches eith
229. sages and block unwanted content LiveUpdate This is the utility that lets you ADMTOOLS LUA Iuau exe Administration configure one or more intranet Utility FTP HTTP or LAN servers to act as internal LiveUpdate servers LiveUpdate lets Symantec products download program and virus definitions files updates directly from Symantec or from an intranet LiveUpdate server For more information see the LiveUpdate Administrator s Guide on the product CD 18 Table 1 2 SESA Agent installer Introducing Symantec Mail Security for Domino Components of Symantec Mail Security for Domino Symantec Mail Security for Domino components This program installs the SESA Agent which handles the communications between Symantec Mail Security for Domino and SESA SESA is an event management system that uses data collection services for events that Symantec and supported third party products generate ADMTOOLS SESA_Agent_ Installer sesa_agent_installer exe SESA Integration package The SESA Integration package extends SESA functionality to include Symantec Mail Security for Domino event data ADMTOOLS SESA_SIPI_for_ SMSDOM Java Runtime Before you install the SESA ADMTOOLS JRE j2re 1_3_1_02 Environment Agent you must install the Java win exe JRE Runtime Environment JRE version 1 3 1_02 on the server on which the SESA Agent will be installed Adobe Acrobat This is the software
230. sages from those addresses bypass anti spam scanning but an email message from mailer3 domain com would be scanned for spam Domain com is an example of a base domain name When added to the white list any email message from any domain com address bypasses anti spam scanning To manage a white list on the clients you can create a filtering rule in the mail client to place all tagged messages in a special folder for review The filtering rule would be based on a tag that the administrator selects for example Spam A process could be put in place to collect any false positives that are reported by users For example you could set up a special administrative email account such as notspam domain com to which users could forward false detections From this account each case can be analyzed and domains can be added to a white list to prevent false positives from these sources in the future The task of adding domains to the white list decreases over time as the system is configured for your email environment Manage a white list You can add addresses to or delete addresses from the white list Symantec Mail Security for Domino lists addresses alphabetically by the first letter To add an address to a white list 1 Inthe Settings view double click a server group 2 Inthe Group document on the Anti spam tab on the White List tab under Anti spam white list exclusion check Bypass heuristic anti spam using white list 3 To add a do
231. scan native MIME message bodies and the dates and time to perform incremental scans m Actions Specifies how to dispose of infected documents found during the scan To create or modify a scheduled scan 1 Inthe Settings view double click a server group 2 Inthe Group document on the Scan tab on the Scheduled Scans tab do one of the following m Double click an existing scan to modify it m Onthe Action bar click New Scheduled Scan to set up a new scheduled scan To configure scheduled scan basic settings 1 Inthe Scheduled Scan document on the Basics tab under Description type a meaningful description of the scan so that you can easily identify it in the list of scheduled scans 2 To enable the scheduled scan that you are configuring check Enable this scan This option is enabled by default 145 146 Scanning for viruses spam and content filtering rule violations About scheduled scanning 3 4 Under Servers This scan is valid for select one of the following m All servers in this group Scans every server in the selected server group This option is enabled by default m The following servers Scans only the servers that you specify Select the servers from the drop down list Separate multiple entries with commas On the Action bar click Save To configure scheduled settings for scheduled scans 1 4 In the Scheduled Scan document on the Schedule tab under Days of the week to run check the
232. scan type such as antivirus content filtering or anti spam scanning must be made on the tab for that scan type For example the option to scan all file name extensions is a global setting that applies to all scans and is configured on the Configuration tab The heuristic virus detection level option only applies to antivirus scanning and is configured on the Antivirus tab 74 Setting global scanning options Configuring global scanning options Configuring global scanning options Symantec Mail Security for Domino has several global scanning options that you can configure Inclusions Define which databases and file attachments to scan Hclusions See Specifying what to scan on page 74 Native MIME Customize the MIME message text See Customizing the native MIME message on page 76 Backup Set rules for creating backups before repairing or deleting infected documents See Creating backup documents on page 76 Disclaimers Define the disclaimer mark and header and footer text See Configuring disclaimer options on page 77 Logging Select which information to log and choose the logging destinations See Configuring logging options on page 78 Trusted Server Select which servers can bypass scanning processes See Configuring trusted server options on page 79 Alerts Configure rules for sending alert notifications See Configuring alerts on page 80 Specifying what to scan
233. scheduled scanning; Configuring scheduled scans. Configuring LiveUpdate: About LiveUpdate 149; About shared virus definitions files 150; Configuring LiveUpdate on a proxy server 151; Using LiveUpdate with a firewall 152; Updating virus protection 153; Updating virus protection with LiveUpdate 153; Updating virus protection without LiveUpdate 157; Checking the status of your content license 158; Managing the Definitions database 159; Creating a new virus definitions set 160; Selecting the active definitions set 161; Enabling the Definitions purge agent 161. Using the Symantec Mail Security for Domino Log: About logging 163; Understanding the Log views 165; Managing the Log 168; Viewing message and incident docu
234. se from growing too large, Symantec Mail Security for Domino can routinely purge documents from the Log views. A purge agent runs every night at 1:00 A.M. when enabled. By default, virus incidents are purged after 365 days. Other Log entries are purged after 30 days. If you log a large volume of items, you should modify the purge agent settings to purge documents more often. To enable the Log purge agent, you must have rights to run unrestricted agents in the Server Document for the Domino Directory (Public Address Book) that belongs to the server. If you do not have the appropriate rights when you click Enable Purge Agent in the Purge Options dialog box, the following error message appears: "You do not have execution access privileges for this agent on <Server> agent will not run." Contact your system administrator to set the appropriate purge agent rights. See "Granting rights to run unrestricted agents" on page 41. To enable the Log purge agent: 1. Open the Log database using a Notes ID that has the appropriate rights to disable or enable the Log purge agent. 2. On the Action bar, click Set Purge Options. [Screenshot: Purge Options dialog box] 3. In the Purge Opt
235. se sensitive. Omit commas when adding words or categories, or unpredictable results might occur. To add a word or phrase to a word category: 1. In the Group document, on the Content Filtering tab, click Word Categories. Vendor-supplied word categories do not appear in this view. If you have not added any words or categories, the view is empty. On the Action bar, click New Word in Category. In the Content Filtering Word document, in the Category box, do one of the following: • In the drop-down list, select a vendor-supplied category. • Type your own custom word category. In the Word field, type a custom word or phrase for the category. In the Base Score field, type a base score. See "Calculating base and bonus scores" on page 129. Select one of the following: • All servers in this group: Applies the word to all s
236. st computer viruses 23; Identifying unwanted email messages 24; Filtering undesirable message content 24; Managing virus outbreaks; Isolating infected attachments; Keeping virus protection definitions up to date 26; Analyzing data 26; Sending notifications when a threat or violation is detected 27; Managing single and multiple Lotus Domino servers 27; Where to get more information about Symantec Mail Security for Domino 28. Installing Symantec Mail Security for Domino: Before you install 29; System requirements 30; Installing Symantec Mail Security for Domino 31; Upgrading Symantec Mail Security for Domino 33; Post-installation tasks 36; Signing Symantec Mail Security for Domino databases 37; Setting access control for Symantec Mail Security for Domino databases 38; Placing Symantec Mail Security for Domino database icons on your Lotus Notes workspace
237. st have the CFViewer or VirusViewer roles to save attachments. • Add Attachment: Adds the file that you select as an attachment to the quarantined document. Before you release a document from the Quarantine, you can add a newly repaired compressed file, replace an infected file with a known good copy, or add a procedural file with instructions to scan a workstation. You must have the CFViewer or VirusViewer roles to add attachments. • Delete Attachments: Deletes the attachments. Symantec Mail Security for Domino prompts you to confirm the action before deleting each one. When you delete attachments, the quarantined document remains in the Quarantine view without the attachments. You must have the CFViewer or VirusViewer roles to delete attachments. Table 11-3 Quarantined Document actions: • Release (virus infections only): Releases the document from the Quarantine. When you release a document, Symantec Mail Security for Domino changes the Restored field from No to Yes. The quarantined document remains in the Quarantine until Symantec Mail Security for Domino purges it or you delete it from the view. You must have the VirusReleaser role to release infected documents. • View Content Violation (content filtering rule violations only): Opens an expanded view of the content filtering rule violation document to show the content that triggered
238. sted server options: Symantec Mail Security for Domino lets you use trusted servers to reduce scanning redundancy and increase performance. A trusted server is one that you know is safe from outside security breaches by means of a firewall or similar protection device or software, or one that is already scanning email traffic for viruses, spam, and content filtering rule violations. For example, inside a firewall you might have a number of servers set up to route the same stream of email messages. If every one of those servers scans the same mail stream, you might have unnecessarily redundant scanning processes in place. You can eliminate some of the redundancy by designating servers that Symantec Mail Security for Domino does not have to scan. In this way, you take on a minimal security burden while increasing email delivery performance. Warning: When you enable the trusted server option, your system might be vulnerable to malicious code attacks. It is important that you maintain current antivirus protection on the trusted servers. See "Configuring LiveUpdate" on page 149. To configure trusted server options: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Configuration tab, on the Trusted Server tab, under Trust all messages from the following servers, select one of the following: • Trust no servers: Scans all emai
239. t, type TELL SAV <command>. Table 2-2 lists the commands that you can use from the Domino console. Table 2-2 Console commands: • HELP: Lists Symantec Mail Security for Domino console commands. • INFO: Provides a summary of Symantec Mail Security for Domino operations. • STAT RESET: Clears processing details. • JOBS: Lists upcoming scheduled scans by job name. The job name is the description given to the scheduled scan. See "About scheduled scanning" on page 143. • SCAN <database>: Initiates a scan of the specified databases. A number is displayed in the console to identify each scan. When no databases are specified, only databases in the default data directory are scanned. No subdirectories are scanned. You can specify databases with long file names, but the file names must not have spaces. • STOP <n>: Stops a specific scan. When you perform a scan, the scan is assigned a number. You can find the scan number in the Log in Server Messages or in the Domino server console. • QUIT: Stops the Symantec Mail Security for Domino server process. Type LOAD NNTASK at the console command prompt to reload Symantec Mail Security for Domino. Performing on-demand scanning from the Domino server console: When you perform an on-demand scan from the server console, Symantec Mail Security for Domino us
240. t of the document, which indicates that it is selected for deletion. To unselect the document, click it, and then on the Action bar, click Delete. 4. Press F9 to refresh the view. 5. In the confirmation dialog box, click Yes. Managing quarantined content filtering rule violation documents: You can manage content filtering rule violations from the All Quarantined Documents, By Recipients, By SMTPOriginator, and Content Filtering Violations views. Ensure that you have at least CFViewer roles before you open the Quarantine, or you will not see any quarantined documents. See "Assigning Quarantine roles" on page 186. When the quarantined document has a content filtering rule violation, you can release it or any attachment without changing or replacing the document or attachment. When you are assigned a CFContentViewer role, you see the text that triggered the content filtering rule violation, which can help you decide whether to release the document. It can also help you fine-tune the content filtering rule or rules that caused the document to be quarantined. Documents that contain content rule violations are not rescanned when they are released from the Quarantine. Manage quarantined content filtering rule violations: You can manage quarantined content filtering rule violation documents in any of the following ways: • View a Quarantined Document: The Quarantined Document contains basic information about a specific violation, which includes
241. t style. The following values are available: Normal, bold, italic, underlined, strikeout, superscripted, subscripted, effect, shadowed, emboss, and extruded. For example, bold. Table 5-1 Email message alerts tokens: • <font color>: Value of the font color. The following values are available: Black, white, red, green, blue, magenta, yellow, cyan, dkred, dkgreen, dkblue, dkmagenta, dkyellow, dkcyan, gray, and ltgray. For example, magenta. • <font face>: Value of the font face. The following values are available: Times, helvetica, and courier. For example, times. • <font size>: Value of the font size in whole numbers. For example, 24. Configuring alert options: Symantec Mail Security for Domino lets you define individual alerts for different conditions. For example, you can configure Symantec Mail Security for Domino to notify you when it cannot eliminate a virus and has quarantined the document, but not to notify you when it is able to repair a file. In addition, you can specify a user address for the return address for alerts so that the server is not the recipient of return messages that require action. When the server is the recipient for alerts, the alerts are often undeliverable and result in Delivery Failure Reports (dead mail). You can log individually named alert statistics to the Alerts and Events page
242. tabases from the hub server to the additional server. Then install Symantec Mail Security for Domino on the additional server and choose to keep the existing databases when the setup program prompts you. • Install Symantec Mail Security for Domino on the additional server, and then replicate the Settings, Log, and Quarantine databases from the hub server to the additional server. If you intend to replicate updated virus definitions to your additional servers, you must also configure Lotus Domino to replicate the Definitions database. To create replica databases when Symantec Mail Security for Domino is not installed on the additional server: 1. Select a server in your organization to be the hub for the Symantec Mail Security for Domino server. 2. Install Symantec Mail Security for Domino on the server, and then start the Domino server on that computer. 3. Create a server group. See "Creating a server group" on page 69. 4. Ensure that you (the administrator) and LocalDomainServers are in the Access Control List of sav.nsf and savlog.nsf with Manager access and that Delete Documents is enabled. The LocalDomainServers group contains all of the servers to which you plan to replicate. See "Setting access control for Symantec Mail Security for Domino databases" on page 38. 5. Create replicas of the newly installed sav.nsf, savlog.nsf, and i
243. tachment: You are prompted to type the path of the file that you want to add. After adding the attachment, press F9 to refresh the document. • Delete Attachments: For each attachment, you are prompted to confirm the action before the attachment is deleted. After deleting the attachment, press F9 to refresh the document. To release a document from Quarantine after viewing it: 1. In the Quarantined Document, on the Action bar, click Release. 2. In the Confirm release of quarantined documents dialog box, click Yes. 3. In the confirmation dialog box, click Yes. Released documents remain in the Quarantine until Symantec Mail Security for Domino purges them or you delete them. To release a document from the Quarantine without viewing it: 1. In the Quarantine view, in the left pane, under Quarantined Documents, click Virus Infections. [Screenshot: Symantec Mail Security for Domino Quarantine view in Lotus Notes]
244. tec Mail Security searches the subject lines or contents of email messages and their attachments for offensive language, confidential information, and content with potential legal consequences. To scan for unwanted content, create content filtering rules. When the content of a document or some attribute of an attached file violates a rule, Symantec Mail Security for Domino disposes of the email message according to the settings that you supplied for that rule. You can set up as many content filtering rules as needed. Each rule specifies the condition that triggers a content filtering rule violation. See "Filtering unwanted content" on page 105. Managing virus outbreaks: A virus outbreak occurs when the number of virus detections over a period of time exceeds a specified limit. This outbreak potentially could be the result of a mass mailer worm or virus. A mass mailer worm or virus can infiltrate a computer by exploiting security vulnerabilities and spread by sending copies of itself by email through the Internet or a network. For example, a single mass mailer worm can infect one computer in an organization and then spread by sending copies of itself through email to everyone in the company's global address book. Symantec Mail Security for Domino helps you manage virus outbreaks quickly and effectively by setting outbreak rules a
245. ted from documents that originate from the Internet. The document violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified Attribute is Internet Domain. • Notes: Selects the alerts that are generated from documents that originate from a local Domino server or domain. The document violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified Attribute is Domino Domain or Domino Server. All alert conditions are enabled by default. Select all selects every option under each alert condition. Deselect all clears every option under each alert condition. 6. On the Action bar, click Save. To set alert message options for administrators: 1. In the Alert Notification document, on the Alert Messages tab, on the Administrator tab, click Send following alerts to specified administrators. This option is enabled by default. 2. Under Specified administrators, in the drop-down list, select the administrators and others to notify when Symantec Mail Security for Domino detects a virus or rule violation. 3. Under Custom text to specified administrators, in the Subject field, type the subject line of the email message for the alert. The default text is "SMSDOM detected a violation in a document authorized by Author". Use tokens to customize the subject or body of the email message alert a
246. tering rule violations on the Scheduled Scan > What to Scan tab. • Manual Scans: Applies the content filtering rule to scan now scans. You must also enable the option to scan for content filtering rule violations on the Scan Now > What to Scan tab. 4. Under Servers This rule is valid for, select one of the following: • All servers in this group: Applies the rule to all servers in the server group. This option is enabled by default. • The following servers: Applies the rule to the servers that you select. In the drop-down list, select the servers for which this rule applies. Use commas to separate multiple servers. 5. On the Action bar, click Save. Understanding content filtering rule expressions: A content filtering rule consists of one or more expressions that you define. For example, the following content filtering rule contains three expressions: If Content Score > 50 using categories sex, drugs, alcoholism OR Content Score > 90 using categories politics UNLESS Sender Fred Smith WestRegion AcmelInc. An expression consists of one or more expression phrases. Expression phrases can be IF, OR, AND, or UNLESS phrases. The rule in the example consists of an IF, an OR, and an UNLESS phrase. Symantec Mail Security for Domino evaluates a rule logically as either an OR or AND rule, but not in combination. You can have a rule that contains an
247. that makes it possible to read electronic documentation in Portable Document Format (PDF) [Reader 6.0; DOCS\ar60enu.exe]. • Symantec Mail Security for Domino Implementation Guide (DOCS\SMSDOM\SMSDOM__WinSvr.pdf): This is a PDF version of the Implementation Guide, which comes with this product. • Symantec Mail Security for Domino ReadMe file (ReadMe.txt): This text file contains usage tips, late-breaking news, and compatibility information about Symantec Mail Security for Domino. How Symantec Mail Security for Domino works: In a typical configuration, Symantec Mail Security for Domino scans documents that are written to the Lotus Domino server and scans email messages as they pass through the server. Symantec Mail Security for Domino scans first for viruses, then for spam detection, and then for content filtering rules. Symantec Mail Security for Domino logs all of the violations that are detected during the scan. You can configure Symantec Mail Security for Domino to stop the scanning process after the first content filtering rule violation is detected to reserve system resources. See "Setting the action options for a content filtering rule" on page 122. About scan error violations: When Symantec Mail Security for Domino is unable to scan a document because it is an encrypted container file, it exceeds one or more container li
248. that score higher than your threshold value are considered content rule violations. If you select <, messages that score lower than your threshold value are considered rule violations. In the Value box, type a threshold value. Values can be positive or negative integers. Under Categories, select one or more word categories that contain the repository of words against which the Content Score rule compares and matches, and then click Add. The list provides both vendor-supplied and custom word categories. On the Action tab, set the action options. See "Setting the action options for a content filtering rule" on page 122. On the Action bar, click Save. When you are ready to process the rule, ensure that rules processing is enabled on the Rules tab. See "Enabling the content filtering process" on page 108. Scanning for viruses, spam, and content filtering rule violations: This chapter includes the following topics: • About scanning • About auto-protect scanning • About scan now scanning • About scheduled scanning. About scanning: Symantec Mail Security for Domino uses several antivirus technologies to scan documents for viruses. It looks for known viruses by comparing segments of your documents to the sample code inside of a virus definitions file. The virus definitions file contains nonmalicious bits of code, or virus definitions, fo
249. tine roles: • CFViewer: Lets the user see backup and quarantined documents that contain content filtering rule violations, and lets the user add, save, or delete attachments in those documents. • CFContentViewer: Gives the user the same access as the CFViewer, plus the rights to see the content that triggered the violation. • CFReleaser: Gives the user the same access as the CFViewer, plus the rights to release quarantined documents that contain content filtering rule violations. • VirusViewer: Lets the user see backup and quarantined documents that contain the infected or scan error violations, and lets the user add, save, or delete attachments. • VirusReleaser: Gives the user the same access as the VirusViewer, plus the rights to release quarantined documents that contain virus infections (provided the infected attachment is deleted from the document) and scan error violations. Only users who have the appropriate role assignments can view, manage, or release quarantined documents. You must manually add the appropriate persons or groups to the Access Control List of the Quarantine database and assign them the appropriate Quarantine roles. Assign all Quarantine roles to the LocalDomainServers group and the current server, or add them to the groups that you are using. Otherwise, the database does not replicate properly. To assign Quarantine roles: 1. Log on to the account that you plan to use to administer Symantec Mail Security for Domin
250. ting the online form. You must have the license serial number to complete the online form. If you are requesting a license file for both a content license and a product license, you will need both serial numbers when you request the license file from Symantec. After you complete the online form, you receive the appropriate license file by email from Symantec. • Install the license file using the Symantec Mail Security for Domino user interface. If you are registering a content license and a product license simultaneously, Symantec will send you a single license file that installs both licenses. If you are registering your content license and product license separately, Symantec will send you a separate license file for each license. Each license file must be installed separately. The license file that Symantec sends to you is contained within an attached .zip file. This file must be opened using a decompression utility such as WinZip or WinRAR. The .slf file that is contained within the .zip file is the actual license file. After the license is activated, you can check the license status and configure the product to notify you when the license is about to expire. To obtain the license file: 1. In a Web browser, type the following address: https://licensing.symantec.com
251. [Screenshot: virus incident entries in the Log] If you are using Internet Explorer, tabs in the Lotus Notes user interface are represented as hyperlinks in the Web client. This guide uses the Lotus Notes client for its procedural examples. Granting rights to run unrestricted agents: Symantec Mail Security for Domino contains agents to help you manage database size and run scheduled queries. The agents are as follows: • Log purge agent: Purges events from the Log database. By default, virus incidents are purged after 365 days. Server messages and other incidents are purged every 30 days. See "Enabling the Log purge agent" on page 172. • Quarantine purge agent: Purges items from the Quarantine database. By default, all items in the Quarantine are purged after 30 days. See "Purging the Quarantine" on page 199. • Definitions purge agent: Purges virus definitions from the Definitions database. By default, only the five most current virus definitions are saved. The remaining are purged. See Enabling
252. tion is not enabled and you have selected the Repair the infected attachment option on any of the scan tabs (auto-protect, scan now, or scheduled scans), Symantec Mail Security for Domino handles the ID-signed document according to the configuration settings on the scan tab. Note: Symantec Mail Security for Domino attempts to repair ID-signed documents but not X.509 Certificate-signed documents. To define antivirus action policies: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Antivirus tab, on the Actions tab, under When a virus is detected, select one of the following: • Log only: Logs the detection but takes no action. • Delete the infected attachment: Deletes the infected attachment. Deleted attachments are not recoverable. Symantec Mail Security for Domino adds explanatory text to the attachment icon. • Quarantine the document: Holds the infected document in the Quarantine database for administrator review. You must have the appropriate Role assignments to view quarantined documents. See "Managing quarantined documents" on page 184. See "Assigning Quarantine roles" on page 186. • Repair the infected document: Automatically deletes the virus and repairs any damage. This option is enabled by default. If Symantec Mail Security for Domino cannot repair the document, the selected If unable to repair option applies. 3. If you select Repair the infected attachment, under If unable to repair, select
253. ts, the scanning process stops, a scan error violation is logged to the specified logging destinations, and the file is disposed of according to the antivirus action policies. See "Defining antivirus action policies" on page 97. The default values are the minimum values. Symantec Mail Security for Domino does not accept any values that are less than the minimum values. The maximum values are limited by 32-bit data size. If you type an incorrect value, you receive an error message that indicates the allowable minimum and maximum values. Warning: Container value maximums are based on operating system and hardware limitations. Increasing the container limit values without full knowledge of your specific system limitations could result in a system failure. If you are uncertain about how an increase to the values might affect your Domino server, you should maintain the default minimum values. To set container limits: 1. In the Settings view, double-click a server group. 2. In the Group document, on the Antivirus tab, on the Container Limits tab, under Messages that exceed any set container limit will be reported as scan errors, modify any of the following: • Attachment that takes more than 300 seconds to extract • Attachment that contains more than 10 levels of nested containers • Attachment where any one file extracts to more than 50 MBs in size • Atta
254. ts of detections. It shows quarantined and cleaned documents and violations that were only logged. It also shows the name of the virus and content filtering rule violation and the spam score. • Scan Type: Displays cumulative data from incidents sorted by the scan type column in the Log. The All view displays the violation count and the names of the particular scan types. • Viruses (virus statistics only): Displays cumulative virus incidents sorted by the virus column in the Log. The All view displays the virus names and the count for each. • Spam Score (spam detection statistics only): Displays cumulative spam detection incidents sorted by the spam score column in the Log. The All view displays the spam scores and the count for each. • Violations (content filtering statistics only): Displays cumulative content filtering incidents sorted by the content filtering violation column in the Log. The All view displays the names of the content filtering rule violations and the count for each. You can select yearly or monthly to add additional sort columns to the view. You can sort data by any column. • Reporting: Displays queries and completed reports that you create. See "Customizing queries" on page 174. Managing the Log: You can manage the Log in any of the following ways: • View message and incident documents: Open documents which provide details about server m
255. u can open a Quarantined Document in any view. For content filtering rule violations, you can also open an additional document that contains the content that triggered the violation, which can help you determine whether to release the document. It can also help you fine-tune your content filtering rules. For example, you might decide after you view the content of a quarantined message that the content filtering rule that found the violation is too restrictive. You might want to reduce the applicable threshold value for that rule. See "Creating a content filtering rule" on page 109. To view or take action on any Quarantined Document, you must have the appropriate Quarantine role assigned in the Access Control List of the Quarantine database. Assigning Quarantine roles: The Quarantine database uses roles to restrict access to documents that are in the Quarantine. You assign roles to Symantec Mail Security for Domino users through the Access Control List. These roles determine who can see the documents in the Quarantine and who can perform actions on them. For example, many of your users might be assigned roles that let them view all documents that contain content filtering rule violations or virus infections but restrict them from viewing the offending content of the content filtering rule violations. Table 11-2 lists the Quarantine roles that you can assign. Table 11-2 Quaran
256. uage of the computer. Custom word category names are case sensitive. The words or phrases that you add to a category are not case sensitive.
   Scoring messages
   To score messages, Symantec Mail Security for Domino matches the individual words in a document against entries in the word categories. When a match is found, points are added to the message score. In addition, Symantec Mail Security for Domino examines successive words for use of contextual words and adjusts the score accordingly. The sum total of points for the matches and surrounding words is the score for the document. When the content filtering rule is enabled for the scan job in effect, Symantec Mail Security for Domino compares the message score against the threshold setting that you specify in the rule. When the message score is equal to or exceeds the threshold setting, the expression in the rule is violated.
   Matching words and evaluating context
   After the content filtering engine breaks the text block into words, it compares the extracted words in successive order to words in the word categories. Whenever a match with a word category entry occurs, a new process begins. The content filtering engine builds a word chain, which starts with the word that matches the word category entry. The purpose of building a word chain is to further evaluate the meaning of a matched word by examining its cont
257. uarantine. To enable the Quarantine purge agent, you must have rights to run unrestricted agents in the Server Document for the Domino Directory (Public Address Book) that belongs to the server. If you do not have the appropriate rights when you click Enable Purge Agent in the Purge Options dialog box, the following error message appears:
   You do not have execution access privileges for this agent on <Server> agent will not run
   Contact your system administrator to set the appropriate purge agent rights. See "Granting rights to run unrestricted agents" on page 41.
   To purge the Quarantine:
   1. Open the Quarantine database using a Notes ID that has the appropriate rights to disable or enable the Quarantine purge agent.
   2. On the Action bar, click Set Purge Options.
   3. In the Purge Options dialog box, under Quarantine Items, do any of the following:
      - Type the number of days to wait to purge virus infections from the Quarantine view.
      - Type the number of days to wait to purge scan error and content filtering rule violations from the Quarantine Documents view.
   4. Under Backup Items, do any of the following:
      - Type the number of days to wait to purge virus infections from the Backup Documents view.
      - Type the number of days to wait to purge scan error and content filtering rule violations from the Backup Documents view.
   5. In the Purge Options dialog box, click Set Server to Execute Agent.
   6. In the Choose Server To Run On dialog box, sele
258. uments. You can manage backup documents by viewing the Backup Document, saving attachments, and deleting documents. You must have at least the CFViewer role and the VirusViewer role to see backup documents.
   To view a Backup Document:
   1. In the Quarantine, in the left pane, click Backup Documents.
   2. Under Backup Documents, select one of the following views:
      - All Backup Documents
      - By Recipient
      - By SMTPOriginator
      - Virus Infections
      - Content Filtering Violations
   3. In the right pane, double-click a document.
   To save attachments:
   - In the Backup Document, click Save Attachments. You are prompted to save each attachment separately to a location that you select.
   To delete a document:
   1. In any Backup Document view, in the right pane, select the document that you want to delete.
   2. On the Action bar, click Delete. A black X appears to the left of the document, which indicates that it is selected for deletion. To unselect the document, click it, and then on the Action bar, click Delete.
   3. Press F9 to refresh the view.
   4. In the confirmation dialog box, click Yes.
   Purging the Quarantine
   A purge agent runs every night at 1:00 A.M. when enabled. By default, Symantec Mail Security for Domino purges entries after 30 days. If you have a large volume of quarantined documents, you can modify the purge agent settings to purge documents more often.
   200 Managing the Quarantine Purging the Q
259. updated virus definitions, you must have a valid content license and have enabled LiveUpdate. See "Activating your Symantec Mail Security for Domino licenses" on page 55. See "Configuring LiveUpdate" on page 149.
   You can also specify which databases and directories to scan, which exclusions to apply, how to handle attachments, whether to scan for content filtering rule violations and native MIME message bodies, whether to scan all documents or only those that were modified since the last scheduled scan, and how to respond when a virus is detected. You can enable or disable a scheduled scan and specify which servers to scan in a server group.
   To scan for content filtering rule violations, you must first specify that the content filtering rule applies to Scheduled Scans on the Content Filtering > Basics tab when you create or modify a rule. See "Setting the basic options for a content filtering rule" on page 110.
   Warning: Scanning for content filtering violations is not safe for most databases. Only apply content filtering rules to databases that need to be scanned for a specific type of content filtering rule violation.
   By default, the Unassigned Servers server group is configured to run scheduled scans daily between 04:00 A.M. and 06:00 A.M., but you can modify these settings. This scan is turned off by default.
   You ch
260. user name and password, and configure LiveUpdate to use the FTP proxy server. LiveUpdate can then pass the same user name and password to both the proxy server and the firewall.
   To use LiveUpdate with an internal LiveUpdate server:
   1. When a firewall rule cannot be configured to permit the LiveUpdate connection, use LiveUpdate Administrator (LUAdmin) to create an internal LiveUpdate server.
   2. Manually download virus definitions updates from the Symantec Security Response Web site and apply them to the internal LiveUpdate server. For more information, see the separately supplied LiveUpdate Administrator documentation (Tools\LiveUpdate_Admin\LiveUpdate_Admin.pdf).
   Updating virus protection
   You can automatically update virus protection using LiveUpdate. LiveUpdate can be configured to run on a scheduled basis, or you can run it on demand. See "Updating virus protection with LiveUpdate" on page 153. You can also update virus definitions files without using LiveUpdate. To update virus definitions files without LiveUpdate, you will need a Web browser. See "Updating virus protection without LiveUpdate" on page 157.
   Updating virus protection with LiveUpdate
   Symantec Mail Security for Domino lets you perform LiveUpdate on demand or automatically on a regular schedule. You can also configure other LiveUpdate options, such as whether to save virus definitions in the Definitions database, how often to reattempt connections with LiveUpd
261. ut leaves the virus untreated
   Delete the infected attachment: Strips the infected attachment, making it unrecoverable.
   Quarantine the document: Holds the infected document in the Quarantine for administrator review.
   Repair the infected attachment: Automatically eliminates the virus and repairs any damage. When Symantec Mail Security for Domino cannot repair the document, the selected If unable to repair option applies. This option is enabled by default.
   Under If unable to repair, select one of the following:
   - Log only
   - Delete the infected attachment
   - Quarantine the document. This option is enabled by default.
   On the Action bar, click Save.
   To scan now:
   1. In the Settings view, double-click a server group.
   2. In the Group document, on the Scan tab, click Start the Scan.
   3. On the Scan Status document, click Check Scan Status. See "Scan status errors" on page 49.
   4. If you need to stop the scanning process before it finishes, on the Action bar, click Stop the Scan.
   5. To return to the Scan Now tab, click Close.
   About scheduled scanning
   You can schedule scans to repeat at the same time on specified days or at a specified interval on specified days. To configure a scheduled scan, you specify the days and times to run the scan, including whether to run it after a successful virus definitions update with LiveUpdate. To receive
262. ve definitions set
   To select the active definitions set:
   1. In the Definitions database view, select the definitions set that you want to use for scanning.
   2. On the Action bar, click Set as Active Definitions. A green check mark appears to the left of the definitions set.
   Enabling the Definitions purge agent
   LiveUpdate is most effective when you configure it to run automatically at set intervals. Depending on how often you run LiveUpdate, the number of virus definitions sets can quickly accumulate. See "Updating virus protection" on page 153.
   To prevent the definitions database from growing too large, Symantec Mail Security for Domino can routinely purge virus definitions sets. By default, Symantec Mail Security for Domino keeps the active set of definitions plus the five most recent virus definitions sets. All others are purged.
   To enable the Definitions purge agent, you must have rights to run unrestricted agents in the Server Document for the Domino Directory (Public Address Book) that belongs to the server. If you do not have the appropriate rights when you click Enable Purge Agent in the Purge Options dialog box, the following error message appears:
   You do not have execution access privileges for this agent on <Server> agent will not run
   Contact your system administrator to set the appropriate purge agent rights. See "Granting rights to run unrestricted agents" on page 41.
   To enable the Definitions purge agent
263. vendor (Symantec) supplied word categories. Any custom words and categories that you create are added to a database that is separate from the vendor-supplied one. You can add any number of custom word categories and words. You build custom word categories by adding new words, their scores, and the categories to which the words belong. You can assign words to a new custom category or to an existing vendor-supplied category. New words that are assigned to a vendor-supplied category are considered part of the custom word category and are stored separately from the vendor dictionary. In cases in which the same word is found in both dictionaries, the custom dictionary always takes precedence. Symantec Mail Security for Domino uses the threshold value of the rule that contains the custom word category, and it ignores the threshold value that is supplied in the rule that contains the vendor category.
   Build a custom word category
   You view, add, edit, and delete custom words and categories, and you can add words to vendor-supplied categories. You must type a custom word category in ASCII characters. Category names cannot contain multi-byte characters. Category names are case sensitive. You can type custom words in English or in single-byte or multi-byte international characters, but the words must be in the default language of the computer. Custom words are not ca
264. ver load
   Disk space to install: 70 MB
   Available disk space for processing: 300 MB minimum. The location for temporary files is an option that you can change after installation. See "Setting basic antivirus options" on page 94.
   Hardware: CD-ROM drive
   Internet browser for use as a Web access client: Internet Explorer 6.0 SP1
   Installing Symantec Mail Security for Domino
   Symantec Mail Security for Domino installs with default but customizable settings that reduce routine maintenance. For example, certain LiveUpdate settings are configured by default so that the administrator does not have to manually set up a notification for virus definitions update failures. Another example is outbreak management. An outbreak management threshold limit is set during installation so that administrators receive notification when too many suspicious documents are detected on the Lotus Domino server over a set interval. These default settings can be changed.
   You must purchase and activate a content license and product license to receive updated virus definitions files through LiveUpdate after installation and to operate any of the Symantec Mail Security for Domino scanning functions. For more information about how to obtain and install your license file after installation, open the Settings database and select the Licensing tab. See "About licensing" on page 55.
   If you are installing over a previous version, use the procedure to upgrade Syma
265. virus infections. Incidents are reported with the following severities:
   - Information (blue): No violation occurred with the event.
   - Warning (green): A violation occurred with the event, but the violation is not deemed critical.
   - Critical (red): A violation occurred with the event and it remains.
   You can access the Quarantine database through the Lotus Notes client or through a Web client. See "Accessing Symantec Mail Security for Domino" on page 39.
   Managing quarantined documents
   You can access information about quarantined documents through Quarantine views. Views categorize the quarantined documents to make it easier to view and manage the Quarantine. See "About Quarantined Documents views" on page 185.
   You must be assigned the appropriate roles to access information and to perform specific functions within the Quarantine. For example, to release a content filtering rule violation document from the Quarantine, the user must have the CFReleaser role. You assign user roles to the Symantec Mail Security for Domino Quarantine by using the Access Control List. See "Assigning Quarantine roles" on page 186.
   With the appropriate Quarantine role assignments, you can perform specific tasks within the Quarantine, such as releasing documents from the Quarantine, viewing the content that triggered a content filtering rule violation, or deleting an infected document attachment. See Actions to manage quarantined documents
266. written to the server.
   Note: To perform any scanning operation, you must have a valid product license. See "About licensing" on page 55.
   You can configure Symantec Mail Security for Domino to do any of the following when it detects a virus:
   - Log the violation only (does nothing with the infected document)
   - Delete the infected document
   - Repair the infected document to eliminate viruses automatically on detection
   - Quarantine infected documents for administrator review
   See "Establishing antivirus protection" on page 91.
   Identifying unwanted email messages
   Spam is unsolicited bulk email, most often advertising messages for a product or service. It wastes productivity, time, and network bandwidth. Symantec Mail Security for Domino provides a heuristic anti-spam detection engine to identify unwanted email messages. You can select the sensitivity level of the anti-spam engine, prepend the email message subject line with customized text to alert the message recipient that the message is identified as spam, and add a new header field. See "Filtering spam" on page 102.
   The white list feature lets you specify domains that are permitted to bypass the anti-spam scan, thereby reducing the incidents of false positives. See "Managing a white list" on page 104.
   Filtering undesirable message content
   To enhance protection, Symantec Mail Security for Domino blocks email messages and documents based on content. Syman
267. x This is necessary to run all of the database agents. See "Granting rights to run unrestricted agents" on page 41.
   - The ID used to sign the databases should appear on the workstation's Execution Control List (ECL). In the Execution Control List of your Notes client, ensure that this trusted Notes ID is listed with the following rights:
      - Access to current database
      - Access to environment variables
      - Access to external code
      - Access to external programs
      - Ability to read other databases
      - Ability to modify other databases
      - Ability to export data
   For more information on signing databases, see the Domino Administrator documentation.
   Setting access control for Symantec Mail Security for Domino databases
   To maintain antivirus security in your Lotus Domino environment, restrict access to the Symantec Mail Security for Domino databases to administrators by setting the Access Control List (ACL) for the databases as follows:
   - Symantec Mail Security for Domino Settings (sav.nsf)
   - Symantec Mail Security for Domino Log (savlog.nsf)
   - Symantec Mail Security for Domino Quarantine (savquar.nsf)
   - Symantec Mail Security for Domino Definitions (savdefs.nsf), if used
   The Quarantine database requires that you also assign Roles to Quarantine database users. These roles restrict access to various Quarantine views and control who can release document
268. y for Domino
   To upgrade to Symantec Mail Security for Domino:
   Insert the Symantec Mail Security for Domino installation CD into the CD-ROM drive. The installation program launches automatically. If it does not, run cdstart.exe from the installation CD.
   In the Symantec Mail Security for Domino installation screen, click Install Symantec Mail Security for Domino to begin the installation process.
   Read the on-screen instructions, and then click Next to continue.
   Indicate that you agree with the terms of the Symantec software license agreement, and then click Next. You must accept the terms of the license agreement for the installation to continue.
   If you have multiple Lotus Domino partitions on the same server, in the Select Servers dialog box, select the partitioned drives on which to install Symantec Mail Security for Domino. To optionally select additional partitions, click Add Additional Partitions, and then in the Select data directory dialog box, type the partition path or navigate directories to select a path, and then click OK.
   During installation, when you are prompted whether to keep settings from the previous versions of the databases, select the databases that you want to keep. The option to keep the Definitions database settings is available only when Symantec Mail Security for Domino detects that a Definitions database exists on the server on which you are installing the product. All available databases are
269. y for Domino backs up documents before deleting them or attempting to repair infected attachments. See "About the Quarantine" on page 183.
   Definitions database
   The Symantec Mail Security for Domino Definitions database stores updated virus definitions. You create the Definitions database only if you plan to replicate updated virus definitions to additional servers. When you replicate the Definitions database, only a single LiveUpdate is required to maintain current antivirus protection on all of your servers. See "About LiveUpdate" on page 149.
   The Domino server that will download new virus definitions through LiveUpdate must be the hub for the Definitions database. The Definitions database stores the active definitions set as well as the most recent downloaded definitions. Symantec Mail Security for Domino virus definitions are operating system specific.
   Creating replica databases on an additional server
   When setting up an additional server, you must create replicas of the Symantec Mail Security for Domino databases on each server. During the replication process, the hub server copies the data from its databases to the databases of the same name on the additional servers.
   Create replica databases on an additional server
   To create replicas of the Settings, Log, and Quarantine databases on an additional server, select one of the following methods:
   - Replicate Symantec Mail Security for Domino Settings, Log, and Quarantine da
270. y violations that are found during auto-protect database writes scans.
   To specify the parts of documents for the alert, under Violation Area, select any of the following:
   Attachment: Selects the alerts that are caused by violations in email message attachments.
   Subject: Selects the alerts that are caused by violations in the email message subject line. The violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified attribute is Subject.
   Body: Selects the alerts that are caused by violations in the body of email messages. The violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified attribute is Body.
   To specify the nature of the violation, under Violation Type, select any of the following:
   File Name: Selects the alerts that are caused by file name violations. The violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified attribute is Attachment name.
   Document Size: Selects the alerts that are caused by violations in document size. The violation must match the conditions that are specified in the content filtering rule on the Content Filtering > Rule tab, where the specified attribute is
271. ymantec Mail Security for Domino is installed, create a folder for the SESA Agent files (for example, C:\Agent).
   2. Insert the SESA CD1 (SESA Manager) CD into the CD-ROM drive.
   3. Copy the files from the Agent folder on the CD and paste them in the newly created folder on the Symantec Mail Security for Domino computer.
   4. In a text editor, open the Agent.settings file (for example, C:\Agent\Agent.settings).
   5. Change the value of the mserverip setting to the IP address of the SESA Manager to which Symantec Mail Security for Domino forwards events.
   6. Save and close the Agent.settings file.
   To install the SESA Agent by command line:
   1. On the computer on which Symantec Mail Security for Domino is installed, at the command prompt, change to the folder in which the SESA Agent files reside (for example, C:\Agent).
   2. At the command prompt, type the following:
      java -jar agentinst.jar -a3008
      3008 is a unique product ID to install the Agent for Symantec Mail Security for Domino. To remove the SESA Agent, you must use the same product ID parameter for Symantec Mail Security for Domino (3008).
      Optionally, you can append any of the following parameters:
      -debug: Writes logging information to the screen.
      -log: Turns off the installation log and instructs the SESA Agent to write logging information to the Agntinst.log file in the local Temp directory.
   To start the
272. ypted. When a container file is encrypted, Symantec Mail Security for Domino is unable to decompose the file and scan its contents. This means that infected files within the container would go undetected. Encrypted container files are only logged by default, but you can modify this configuration. See "Defining antivirus action policies" on page 97.
   Table 1-1 New features
   Scan error disposition: You can specify how to dispose of a document that cannot be scanned. Documents that result in scan error violations are quarantined by default, but you can modify this configuration. See "Defining antivirus action policies" on page 97.
   Enhanced Dynamic Document Review (DDR) dictionary: To enhance the detection of unwanted content, this release contains additional words and categories in the DDR dictionary, and several existing word scores are modified. See "Filtering content with word categories" on page 127.
   Components of Symantec Mail Security for Domino
   Symantec Mail Security for Domino consists of several components that work together to protect your Lotus Domino server. See Table 1-2.
   Table 1-2 Symantec Mail Security for Domino components
   Symantec Mail Security for Domino (SMSDOM\setup.exe): This is the software that you install to protect your Lotus Domino server from viruses, detect unwanted email mes
