
Symantec Mail Security 4.6 for Microsoft Exchange (10324179)


Contents

1. Contents
   About quarantined content Violations
   Chapter 7 Using Symantec Mail Security for Microsoft Exchange data
   Viewing Auto Protect Statistics
   Single server and multiserver statistics
   Viewing spam statistics for Symantec Premium AntiSpam
   Working with event data
   Working with report data
   Working with report templates
   Generating and Viewing reports
   Saving report data
   Viewing events in the Windows Event Log
   Chapter 8 Maintaining virus protection
   How Symantec Mail Security for Microsoft Exchange detects and prevents viruses
   About virus definitions files
   About LiveUpdate and Rapid Release
   Configuring your Internet connection for virus definitions updates
   Keeping your virus protection current
2. Working with report templates
   Report templates let you define a subset of the raw report data that is collected by Symantec Mail Security for Microsoft Exchange for a single server. The goal of creating a template is to describe a set of data that summarizes rule violations and scanning information, which can be saved and generated on demand. Report templates can include different categories or combinations of security related statistics. They are useful for summarizing virus, rule violation, and scanning information on a regular basis.
   Work with report templates
   You can create different report templates to describe different subsets of the raw report data. Once a report template is created, the template is saved in the single server user interface, which you can access to generate reports. Report templates are only available through the single server user interface for individual servers. You cannot create report templates for group data using the multiserver console.
   To create a report template
   1. In Symantec Mail Security for Microsoft Exchange for the single server, in the left pane, expand Statistics and Reports.
   Click Report Templates.
   In the right pane, click Add Delete Report Templates.
   Click Add a report template.
   Click Next.
   Type a name for the report template.
   Select the data options that you want for the report template.
   Clic
3.
   2. In the left pane, expand Configuration.
   3. Click Notification Alerts Settings.
   4. In the right pane, under Email notifications, do the following:
      - Under Address of sender to use in email notification, type the email address of the sender that you want to use for email notifications.
      - Under Administrators or others to notify, type the email addresses of administrators and users to notify. Separate each entry by commas. If you are including an email address that is not within your domain, type the fully qualified email address (for example, user@mycompany.com).
   5. Under Messenger Service Alerts, type the computers and users that will receive Messenger Service alerts when a rule is violated. Separate each entry by commas.
   6. Under AMS Alerts, type the name of the AMS server that will receive alerts from the AMS agent that is on the server when a rule is violated.
   7. Under SESA alerts, check Enable Logging and Alerting to SESA server. If you enable this setting, type the IP address for the SESA server.
   8. Click Save.
   Configuring automatic virus protection
   LiveUpdate automatically updates virus definitions from the Symantec Web site. By default, LiveUpdate is enabled with a recommended schedule. However, you can reconfigure LiveUpdate. If you are using the Symantec Mail Security for Microsoft Exchange console multiserver console
4. The Global group is the default server group. You can keep all of your Microsoft Exchange servers that run Symantec Mail Security for Microsoft Exchange in the Global group. If your network contains a large number of Exchange servers, you can create server groups in addition to the Global group, add servers to these groups, and administer all of your servers that run Symantec Mail Security on a group basis.
   To create a server group
   1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, right click Global or any server group node.
   2. Click All Tasks, and then click Add group.
   3. In the Add Group dialog box, type a name for the server group.
   Adding servers to a group
   If an installation of Symantec Mail Security for Microsoft Exchange is not under management control, you may want to add the server to the console. For example, your organization might have run a single server installation of Symantec Mail Security on several Exchange servers that you now want to manage through the console along with your other managed servers. You can add servers that run Symantec Mail Security to a managed group in the following ways:
   - Add one or more servers to an existing group.
   - Create a new server group during the Add process.
   Note: All servers are always added to the Global group in addition to any specified server group.
   To add serve
5. Symantec Mail Security for Microsoft Exchange Implementation Guide
   The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 4.6
   Copyright Notice
   Copyright 2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
   NO WARRANTY. The technical documentation is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
   Trademarks
   Symantec, the Symantec logo, and LiveUpdate are U.S. registered trademarks of Symantec Corporation. Symantec AntiVirus, Symantec Mail Security, and Symantec Security Response are trademarks of Symantec Corporation. Microsoft, Microsoft Exchange Server, and Windows are registered trademarks of Microsoft Corporation in the U S an
6. For message body filtering to work, the scan job that is associated with that policy must be configured to scan message bodies.
   Select and configure content dictionary settings
   You can select a content dictionary and add and delete words and categories in the user dictionary.
   See Content dictionaries on page 152.
   See Elements of a filtering rule on page 137.
   See Building custom categories and words on page 155.
   See Assigning scores to custom categories on page 156.
   To select a content dictionary
   1. In Symantec Mail Security for Microsoft Exchange for the single server, in the left pane, expand Configuration.
   2. Click Content Dictionary Settings.
   3. In the right pane, select one of the following:
      - Symantec Dictionary
      - User Dictionary
      - Both
   4. Click Save.
   To add words and categories to the user dictionary
   1. In Symantec Mail Security for Microsoft Exchange for the single server, in the left pane, expand Configuration.
   2. Click Content Dictionary Settings.
   3. Optional: In the right pane, under Add user category, type a new category, and then click Add. Commas are not allowed in the text that is entered for new categories.
   4. Under Add new word, select a language from the Language list.
   5. Under Type, do one of the following:
      - To place the new word into your user defined category, click User
7. SESA Console
   Log on to the SESA Console using a SESA Domain Administrator account. The SESA user must belong to a Manager role that has rights to the SESA enabled Symantec Mail Security product.
   On the SESA Console, on the Events view tab, in the left pane, expand DomainName SES > SESA DataStore > Global Reports > All events. You named the SESA administrative domain when you installed SESA. The domain is appended with SES.
   In the right pane, verify that Symantec Mail Security events are shown.
   On the Configurations view tab, in the left pane, expand the SESA administrative domain.
   Verify that Symantec Mail Security for Microsoft Exchange is listed.
8. along with Symantec Mail Security for Microsoft Exchange, each managed server in a selected group runs LiveUpdate at the scheduled date and time.
   See How Symantec Mail Security for Microsoft Exchange detects and prevents viruses on page 171.
   See Updating virus definitions for multiple servers on page 175.
   You can run Rapid Release virus definitions updates instead of LiveUpdate updates.
   Isolating message bodies and attachments
   Symantec Mail Security for Microsoft Exchange lets you isolate problem message bodies and attachments by sending them to a quarantine directory on the local server. Quarantined message parts are those that are either unscannable or unrepairable due to viruses. Filtering rules can also quarantine message parts due to content.
   Symantec Mail Security for Microsoft Exchange also lets you forward quarantined files to the Quarantine Server, if one has been set up on your network. Quarantine Server, a component of Central Quarantine, is included with Symantec Mail Security for Microsoft Exchange and is installed separately. Files that are unscannable are not forwarded to the Quarantine Server. They remain in the local quarantine. By forwarding the quarantined files to the Quarantine Server, you can take advantage of its features, which allow the sending of the problem files to Symantec for analysis and subs
9. and then select a category from the Category list.
      - To place the new word into your selected Symantec supplied category, click Symantec, and then select a category from the Category list.
   Under Word, type the new word that you want to add to the selected category. Commas are not allowed.
   Under Score, type a score to represent the percentage weight that Symantec Mail Security for Microsoft Exchange should apply to the word as it filters content. When you add a word to a Symantec supplied category that is also included in a user defined category Symant
10. csv file is generated for each server in the server group.
   To save report data in the single server user interface
   1. In Symantec Mail Security for Microsoft Exchange for the single server, in the left pane, expand Statistics and Reports.
   2. Click Reports.
   3. In the right pane, click Generate CSV File.
   4. Right click Generated CSV File, and then click Save Target As.
   5. Type a file name, and then click Save.
   To save report data in the multiserver console
   1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, click Global or a server group.
   2. Expand Statistics and Reports.
   3. Click Collect Report Data.
   4. In the right pane, click Collect Report Data. A separate file is generated for each server.
   5. Right click the file name, and then click Save Target As.
   6. Type a file name, and then click Save.
   Viewing events in the Windows Event Log
   Symantec Mail Security for Microsoft Exchange server events are also reported in the Windows Event Log. The Event Log is accessed on the computer on which Symantec Mail Security for Microsoft Exchange or the Symantec Mail Security for Microsoft Exchange console is installed.
   To view events in the Windows Event Log
   1. On the computer on which Symantec Mail Security for Exchange or the Symantec Mail Security for Microsoft Exchange console is installed, in Administrative Tools, click Event Viewer.
   2. Under Application Log, in the Sources column, view events for the following
11. means an employee, contractor, or other agent authorized by You as a user of an email mailbox account or an email address hosted by Your Email Service. Email Service means Your email services provided to End Users for the purposes of conducting Your internal business and which are enabled via Your mail transfer agent;
   3. You may copy the Software onto Your computing devices as necessary to exercise the rights granted in Section B 1 above; and
   4. You may not use the Software after the End Date.
   C. If the Software You have licensed is Symantec Premium AntiSpam, the following additional terms apply to Jikes, a third party technology associated with the Software:
   1. Licensee is entitled to a copy of the source code for Jikes from http www 124 ibm com developerworks downloads detail php group_id 10 amp what rele amp id 501. The use of Jikes is governed by the IBM Public License, the full text of which can be found at http www 124 ibm com developerworks opensource license10 html (the IBM License).
   2. OTHER THAN AS PROVIDED IN THIS AGREEMENT, THE CONTRIBUTORS (AS DEFINED IN THE IBM LICENSE) MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, EITHER IN FACT OR BY OPERATION OF LAW, AND EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF TITLE AND NON INFRINGEMENT, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   3. Other than as othe
12. 103
   See Understanding Symantec SCL values on page 95.
   To configure Symantec Premium AntiSpam to handle messages identified as spam
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   2. In the left pane, expand Configuration.
   3. Expand Spam Prevention Settings.
   4. Expand Symantec Premium AntiSpam.
   5. Click Spam Actions.
   6. Under If Message is SPAM, select Reject the Message or Accept the Message. A rejected message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. An accepted message is delivered as usual.
   7. Under Message delivery options, check Prevent Delivery to Original Recipient(s). When this option is selected, a message that is identified as spam is accepted by the SMTP server and is deleted. It is not delivered to the addressees.
   8. Check Alternate Recipient(s), and type one or more fully qualified SMTP email addresses. Addresses must be separated by a comma, with no space before or after the comma. Each recipient will receive a copy of the message that is identified as spam.
   9. Under Message delivery options, check Add Subject Line
13. 3 License Symantec Premium AntiSpam
   Disable Symantec Premium AntiSpam.
   Open a command window and change directories to the SMSMSE installation directory. The default directory is C:\Program Files\Symantec\SMSMSE\4.6\Server
   Run register.exe.
   Usage: register c config file l license_file p proxyserver proxyport a proxyuser proxypassword v
   Example: register c SpamPrevention bmiconfig xml 1 Spam Prevention SPAlicense slf p proxyserver proxyport
   Symantec Premium AntiSpam licenses are placed in the SpamPrevention folder.
   Set the following registry key to zero (0): HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\4.6\Licensing\SPARunRegister
   Enable and configure Symantec Premium AntiSpam.
   Configuring Symantec Premium AntiSpam to identify spam
   Through the reputation service, Symantec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. Symantec Premium AntiSpam incorporates source information from the following types of IP address lists:
   - Open proxy list: Contains IP addresses that are open proxies that are used by spammers.
   - Suspect list: Contains IP addresses from which virtually all of the outgoing em
14. 9 assigned.
   - Suspected spam messages with an existing SCL value have an SCL value of 8 assigned.
   - Suspected spam messages without an existing SCL value have an SCL value of 6 assigned.
   - Logging is disabled.
   Note: When Symantec Premium AntiSpam is licensed, the heuristics spam detection feature is unavailable.
   Outbreak
   - Outbreak management is enabled, no active default triggers.
   - Outbreaks are checked for every 2 minutes.
   Heartbeat
   - Heartbeat system is disabled.
   - Frequency is 60 minutes.
   - Timeout is 5 minutes.
   - Heartbeat logging is disabled.
   - Messenger service alerts on failed Heartbeat is enabled.
   - Messenger service alert text is: Symantec Mail Security for Microsoft Exchange Heartbeat Error <error>. See the event log for details.
   - Administrator email notification on failed Heartbeat is enabled.
   - Administrator email notification text is: Administrator Alert: Symantec Mail Security for Microsoft Exchange detected a Heartbeat error.
   Notification Alerts
   - Exchange administrators specify recipients and computers to notify when a rule is violated.
   - SESA alerting is disabled.
   Table 4-1 Default configuration settings
   LiveUpdate Rapid Release
   - LiveUpdate is enabled and set to run at a specific time (default varies according to time of installation).
   - Rapid Release is disabled.
   Content D
15. A manual scan is an on demand scan of public folders and mailboxes. The policy that is linked to a manual scan job applies only to folders and mailboxes that are selected when you define the scan.
   Scheduled scanning
   Scheduled scans are scans that run unattended, usually at off peak periods. The policy that is linked to a scheduled scan job applies only to folders and mailboxes that are selected when you define the scan.
   Policy settings and scanning
   When a scan job detects a mail security violation, the rule settings of the policy that is in effect for the scan determine which events will be triggered. For example, if a macro virus is detected and a Macro Virus rule setting is enabled for the current policy, a specific action (such as sending the message attachment to the Quarantine or deleting the whole message), notifications, and alerts (such as an alert sent to the administrator's main computer) are triggered upon detection of the macro virus.
   You can create your own policies, enable and disable subpolicies and rules, modify the rules for a policy, and link a policy to any scan job.
   Note: Only one policy can be in effect for a scan job.
   Switching policies
   You can reuse policies for different scan jobs and switch between policies. Each scan job can share a policy or have its own set of policies. For example a company might use scan jobs and
16. About LiveUpdate and Rapid Release
   LiveUpdate is a feature that automatically delivers the most up to date certified virus protection for your Microsoft Exchange mail servers. With LiveUpdate, which is integrated into Symantec Mail Security for Microsoft Exchange, you connect automatically to a Symantec Web site that determines if the virus definitions on your Symantec products need to be updated. If so, LiveUpdate downloads the proper files and installs them.
   Rapid Release is a feature that delivers definitions that have undergone basic quality assurance testing by Symantec Security Response but have not undergone the intense testing that is required for a certified LiveUpdate release. These definitions are updated hourly.
   Configuring your Internet connection for virus definitions updates
   LiveUpdate operation requires an Internet connection. If you need to configure an Internet connection for LiveUpdate, use the Symantec LiveUpdate option in the Windows 2000 or 2003 Control Panel.
   To configure your Internet connection for virus definitions updates
   1. In the Windows 2000 or 2003 Control Panel, double click Symantec LiveUpdate.
   2. Modify your Internet connection settings, if necessary.
   Keeping your virus protection current
   Symantec Mail Security for Microsoft Exchange supports virus definitions updates through LiveUpdate and Rapid Rele
17. As an alternative, you can specify a list of domains to determine if mail is inbound or outbound. If a recipient's domain is in the list, the message is considered to be inbound. If a recipient's domain is not in the list, the message is considered to be outbound.
   Note: A single message can be considered both inbound and outbound. In this case, inbound and outbound rules are applied to the message.
   To configure inbound and outbound settings
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   2. In the left pane, expand Configuration.
   3. Click General Settings.
   4. In the right pane, under Inbound Outbound Settings, check Use List to Determine Inbound Outbound.
   5. Type the domain to use to determine if email messages are inbound or outbound. If you type multiple domains, separate the values with commas.
   6. Click Save.
   Using Bloodhound heuristics technology
   The standard method of detecting a virus is to scan a file and match it against existing virus definitions. For known viruses, this methodology works well. However, the standard method cannot detect unknown viruses for which definitions do not exist. To detect unknown viruses, Symantec Mail Security for Microsoft Exchange uses Bloodho
18. Assigning scores to custom categories
   Part of the process of building custom categories involves assigning scores to words. If you use custom categories of words, you need to do the following:
   - Assign scores that accurately reflect the extent to which the word is representative of the category. A negative score can be used to offset the value of a prohibited word that is used in an appropriate context. For example, a negative score for the word cancer can offset the positive score of the word breast.
   - Ensure that the threshold value for the filtering rule being applied is set appropriately.
   You can use the following suggestions in choosing scores for custom words:
   - When establishing a score for a word, begin by searching for the word on several Internet search engines. Examine each of the results to determine which ones match the expected category.
   - Based on the search results, consider assigning a score of 25 to 50 if you are certain the results will be found in the expected category, where 50 represents absolute certainty. Assign a score of between 0 and 25 based on the likelihood that a word will appear in the correct context.
   - Test the words and categories against different threshold values in the filtering rule and adjust the new dictionary term scores or threshold values accordingly. If the default value of 50 is never attained and you are aware of several content violations in a message that were passed over, consider lowerin
19. Errors for more information.
   When the server installation completes, in the Status of Remote Server Installation pane, click Done.
   Install the Symantec content license file on the server.
   See Installing or renewing a license file on page 44.
   Updating and distributing virus definitions
   Symantec Mail Security for Microsoft Exchange lets you centrally administer virus definitions updates. You can update virus definitions by doing the following:
   - Connecting to the LiveUpdate site and updating virus definitions on the management console
   - Updating virus definitions through Rapid Release
   - Distributing updated definitions to all Exchange servers or to a group of managed servers
   You can also schedule virus definitions updates for managed servers.
   See Updating virus definitions for multiple servers on page 175.
   Update and distribute virus definitions
   You can manually distribute LiveUpdate virus definitions from the console to your servers. The LiveUpdate virus definitions update applies to the console, not to a server group. You cannot manually distribute Rapid Release virus definitions from the console to your servers.
   To manually distribute virus definitions from the console to servers
   1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, do one of the following:
      - To distribute virus definitions to all manage
20. For example, the basic rule for virus detection applies to all viruses, while the macro virus rule applies only to macro viruses.
   Note: When adding replacement text to use when an item is quarantined or deleted, do not use any words that violate your current filtering policies.
   Working with virus subpolicies
   The Virus subpolicy specifies the action to take and the notifications and alerts to issue when a virus is detected. It consists of the following rules:
   - Basic Virus: Specifies the actions to take when any virus threat is detected. You should always enable the Virus subpolicy and Basic Virus rule for virus protection. The policy used by the Auto Protect scan job should have the Virus subpolicy and Basic Virus rule enabled.
   - Macro Virus: Specifies the individual handling of macro viruses.
   - Bloodhound Virus: Specifies the individual handling of unknown viruses that are detected with Symantec Bloodhound heuristics technology.
   - Mass Mailer Virus: Specifies what to do when a mail generating virus is found.
   The Macro Virus, Bloodhound Virus, and Mass Mailer Virus rules are override rules. When any of these rules are enabled, the policy regarding these rules overrides the Basic Virus Policy if Symantec Mail Security for Microsoft Exchange detects a Macro, Bloodhound, or Mass Mailer virus.
   Work with virus subpolicies
   You can enable and edit Virus subpolicies.
   To enable a virus subpolicy
   1. Do one of the following:
      - Open Symantec Mail Se
21. LiveUpdate
   4. In the right pane, click Update Servers. The Group virus definitions box displays information about the latest virus definitions that are distributed to the current group.
   Setting up your own LiveUpdate server
   The LiveUpdate Administration Utility, which is available on the Symantec Mail Security for Microsoft Exchange CD, lets you set up an intranet HTTP, FTP, or LAN server, or a directory on a standard file server, to handle LiveUpdate operations for your network. For more information, see the LiveUpdate Administrator's Guide on the Symantec Mail Security CD.
   If you set up your own LiveUpdate server, you must edit the LiveUpdate configuration for Symantec Mail Security for Microsoft Exchange to point to the local LiveUpdate server. For more information, contact Symantec Service and Support.
   Managing virus outbreaks
   This chapter includes the following topics:
   - About outbreak management
   - Defining outbreak triggers
   - Frequency of outbreak item
   About outbreak management
   An outbreak situation occurs when an excessive number of viruses or events that exhibit virus like behavior occur on a network. When an outbreak is imminent, prompt identification of the situation and notification of administrative staff is critical. Symantec Mail Security for Microsoft Exchange lets you manage outbreaks by doing the following:
   - Specify the criter
22. Maximum number of items, and then type a number in the field.
   7. To limit the maximum size of the Quarantine, check Maximum size of quarantine, type a number in the field, and then select MB or GB from the list.
   To limit how long an item may be quarantined, check Retain items in quarantine, and then type the number of days in the field.
   Click Save.
   To specify an action to take when a Quarantine threshold is met
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   In the left pane, expand Configuration.
   Click Quarantine Settings.
   Check Notify Administrator to send notification messages to an administrator list.
   Check Notify others to send notification messages to a list.
   Check Delete oldest items to remove items that have reached a specified quarantine threshold from the server. If Delete oldest items is not checked and a Quarantine size threshold is reached, the event is logged and a notification is sent to the recipients that are specified in the Quarantine Settings page.
   Click Save.
   To add notification text to the email message that is sent when a Quarantine threshold is met
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Ex
23. Override rule 132
   P
   policies: custom 23 126; establishing 123; filtering 126; scan jobs and 125; Standard Policy 23 126; versus configuration settings 86
   port number 43
   Q
   Quarantine Server 27 30 117 121
   Quarantine, about 26 117
   R
   RAM requirements 40
   remote servers 47
   report data: Auto Protect statistics 162; creating 166; event log 165; Microsoft Excel 168; multiserver console 168; printing 168; saving 168; settings 121; templates 166; third party tools 28 168
   Reputation service 99
   response file 51
   RTF encoding 136
   rules: Basic Virus 129 132 133; Bloodhound Virus 129 132 135; Encrypted File 129; examples of 124; Macro Virus 129 132 134; Mass Mailer Virus 129 132 135; Override 132; Unrepairable File 129 146; Unscannable File 129 145
   S
   scans: Auto Protect 24; depth 89; policies 125; scheduled 69; standard 21
   scheduled scans 69
   SCL value 94
   scoring message 154 155 156
   Secure Sockets Layer SSL 59 64
   server groups: adding servers to 74; creating 73; deleting 78; managing 73; manual scans for 81; moving a server to another group 75; reconfiguring 72; removing from console management 79; restoring default settings 77; sending group settings to a server 76; updating servers in 78; user defined 72
   SESA Agent: installing 61; log examining 61; startup verification 59; uninstalling Symantec Mail Security for Microsoft Exchange 63
   SESA Console 60
   SESA Integration Package 58 6
24. Policies, and then expand a policy. In the right pane, check the subpolicies to enable. The Exception Subpolicy is always enabled. [Screenshot: Standard Policy page listing the Virus, Exception, and Filter subpolicies] Click Save. To edit a subpolicy: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for a single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Policies. 3. Do one of the following: click Standard Policy; or expand Custom Policies, and then expand a policy. 4. In the right pane, click Edit for the subpolicy that you want to edit. 5. Click Edit for the rule that you want to edit. 6. In the rule pane, modify the rule settings. By default, rules are disabled in the single server interface. You must enable the rule after it has been modified. 7. Click Save. How subpolicy rules work: In Symantec Mail Security for Microsoft Exchange, rules determine scanning behavior and consist of one or more settings. Rules can be en
25. To examine the SESA Agent log: 1. On the computer on which the SESA Agent is installed, navigate to the location in which the SESA Agent files reside (by default, C:\SESA\Agent). 2. In a text editor, open Sesa-agent.log. 3. Verify that the log contains the following entry: SESA Agent Bootstrap successful. Installing the SESA Agent manually: Generally, the SESA Agent and the JRE are installed as a setup option during Symantec Mail Security installation or after installation through the Configurations > Notifications > Alerts page. To install them manually, you must install and configure them on the computer on which Symantec Mail Security for Microsoft Exchange is installed. For the SESA Agent to run, the Java Runtime Environment (JRE) must also be installed on the same computer. JRE versions 1.2.2 and later are supported. Install the SESA Agent manually: To install the SESA Agent, you do the following: install the JRE on the target computer, if necessary; install the SESA Agent; start the SESA AgentStart Service; enable event forwarding to SESA. To install the JRE: 1. On the computer that is running Symantec Mail Security, in the AgtInst folder, double-click j2re-1_3_1_02-win-i.exe. By default, the file is located in the following folder: C:\Program Files\Symantec\SMSMSE\4.6\Server\AgtInst. 2. Follow the on-screen instructions.
26. [Screenshot: Quarantine Settings page, showing the Quarantine Server options, the Quarantine size and retention limits, the Quarantine Thresholds, and the Email Notifications fields] 6. In the Server Address box, type the IP address of the Quarantine server. 7. In the Server Port box, type the port number for the Quarantine server. 8. Select which network protocol to use. 9. Click Save. To set thresholds for the local Quarantine: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration. 3. Click Quarantine Settings. 4. To limit the number of quarantined items, check
27. Symantec Security Response. With LiveUpdate, you connect automatically to a Symantec Web site that determines if the virus definitions for your Symantec products need to be updated. If so, LiveUpdate downloads the files to the proper location and installs them. See "Updating virus definitions for a single server" on page 174. See "Updating virus definitions for multiple servers" on page 175. See "Keeping your virus protection current" on page 173. Gather and report data: Symantec Mail Security for Microsoft Exchange gathers and reports on the following types of data: statistics and report data; event log data; server request information. Statistics and report data: Symantec Mail Security for Microsoft Exchange collects and saves scan data on your Exchange servers. You can create reports from the data, which gives you a history of virus activity and rule violations. You can download the raw data files that are generated by Symantec Mail Security for Microsoft Exchange for use with third-party reporting tools. See "Working with report data" on page 166. Event log data: Symantec Mail Security for Microsoft Exchange logs virus, configuration, and server events. It also logs content violations, spam violations (if enabled), and outbreaks. You can customize the event log by specifying date ranges and classes o
29. You can print the Settings Summary file, which lists the Symantec Mail Security application settings. Installing or renewing a license file: You must install a license file on each server that is running Symantec Mail Security for Microsoft Exchange in order to activate a content license. This lets you receive the latest virus definitions updates. To install a content license, you must have the serial number that is required for activation. The serial number is listed on your purchase certificate. The purchase certificate is mailed separately, or sent by email if you requested that method when you purchased your software. It arrives in the same time frame as your software. The serial number is used to request a license file and to register for support. The format of a serial number is a letter followed by 10 digits, for example, F2430482013. If you purchased Symantec Premium AntiSpam with Symantec Mail Security for Microsoft Exchange, a second serial number is listed on the purchase certificate. This serial number is needed to receive the latest spam definitions updates for the premium antispam service. If only Symantec Premium AntiSpam was purchased, then only that serial number is listed. After the license files are installed, content and spam updating is enabled for the duration of your maintenance contract. When a content or spam license expires, a new license must be installed to renew the subscription. When no license is installed virus a
30. all servers within the selected groups. Clicking on the Servers node within a group displays all servers that belong to that group. Making selections in the multiserver console: In the Symantec Mail Security for Microsoft Exchange console, the actions that add or delete items from the tree are available by right-clicking the appropriate node. You can also delete items such as groups, policies, scan jobs, and triggers from the tree by selecting the item and then pressing Delete. Displaying individual servers: If you expand an individual server node in the Symantec Mail Security for Microsoft Exchange console, the single server user interface for that server appears in the center and right panes of the snap-in. You can then manage the server individually. Configuring and running scans: Scans examine messages on your Microsoft Exchange servers for known viruses, prohibited content, and files that exhibit behaviors that are associated with viruses. Scans can belong to one of the following categories: Auto Protect scans: Monitor incoming messages in real time and provide continuous protection against threats. The Auto Protect scan job applies to everything on the Exchange server, including items in all public folders and mailboxes. You can run only one Auto Protect scan job on Symantec Mail Security
31. and keep the default text or type replacement text for the subject line of the spam message. 10. Check Add X-Header. 11. In the X-Header Name box, accept the default X-Bulk or type a new X-Header name. 12. In the X-Header Value box, accept the value Spam or type a new X-Header value. 13. Check Tag for Spam Folder Agent Delivery. You must have the Agent installed. An X-header will be added to allow the Agent to move the message to the user's spam folder. You cannot modify this X-header. 14. Check Assign SCL value of to the message, and select a number from the menu. This option is available only in Exchange 2003. If the incoming message has an existing SCL value, the one you specify will replace it. 15. Check Log. 16. Click Save. To configure Symantec Premium AntiSpam to handle messages identified as suspected spam with an existing SCL value > threshold: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration. 3. Expand Spam Prevention Settings. 4. Expand Symantec Premium AntiSpam. 5. Click Spam Actions. 6. Under If Message is SUSPECTED SPAM and existing SCL value select R
32. by an outbreak trigger can belong to one of the following categories: Virus events: same virus, total viruses, or unrepairable viruses that are detected within a specified time period. Heuristic events: same subject, same attachment name, filtering violations, or unscannable files that are detected within a specified time period. Creating a virus outbreak trigger: Virus events are those directly related to the presence of a virus. When specifying a virus as an outbreak item, only known virus signatures are used. You can use the following virus-related events to detect an outbreak: occurrences of the same virus; total number of viruses; unrepairable viruses. To create a virus outbreak trigger: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration > Outbreak Settings > Virus Triggers. 3. Do one of the following: in the single server user interface, click Add/Delete Virus Trigger, then in the right pane, click Add a virus outbreak trigger, and then click Next; or, in the console user interface, right-click Virus Triggers, and then click All Tasks > Add Trigger. 4. Type a name for the virus trigger, and then click OK. 5. Check Enable trigger. 6. In the Event
33. enable Outbreak Management and specify the interval during which you want to check for Outbreaks. By default, the interval is set to every two minutes. To enable Outbreak Management: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration. 3. Click Outbreak Settings. 4. In the right pane, check Enable Outbreak Management. 5. Type the interval, in minutes, that Symantec Mail Security for Microsoft Exchange should wait between checks for viruses or occurrences of a specified file behavior. 6. Click Save. Clearing outbreak notifications: You can end outbreak notifications at any time. Otherwise, the notifications will continue until the outbreak is no longer in effect. To clear outbreak notifications: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration > Outbreak Settings. 3. Click Clear Outbreak. Frequency of outbreak item: When defining an outbreak, you must specify the number of occurrences of the monitored item that are necessary to trigger the outbreak and the time span with
34. list, select a virus event to use for the trigger. In the Occurrences box, type the number of occurrences of the virus event that are required for an outbreak. In the Time Period box, type the amount of time that must elapse between each occurrence of the virus event before declaring an outbreak. Under Administrator email notifications, do the following: Click Enable to select whether to enable email notifications to the specified administrator list when the outbreak trigger is activated. In the Subject line box, type the subject line for the email message that notifies administrators of the outbreak. In the Message body box, type the message body for the email message that notifies administrators of the outbreak. Variables are specified by the percent sign and the text that follows it, and are automatically filled in when the message is sent. Under Subsequent Notifications, in the Subject Line box, type the subject line for the follow-up email message that notifies administrators of the outbreak. In the Message Body box, type the follow-up message. 10. Under Alerts, do the following: Enable the Messenger Service Alert. Under Initial Alert, specify the text that is displayed when the Messenger Service Alert is triggered. Under Subsequent Alert, specify the text that is displayed for any follow-up messages. 11. Enable the AMS Alert. This will send an AMS Al
35. margin. To generate a report: 1. In Symantec Mail Security for Microsoft Exchange for the single server, in the left pane, expand Statistics and Reports. 2. In the right pane, click Report Templates. 3. Select the name of a saved report template. 4. Click Generate Report. To view an existing report: 1. In Symantec Mail Security for Microsoft Exchange for the single server, in the left pane, expand Statistics and Reports. 2. In the right pane, click Reports. 3. Select the name of a saved report. Saving report data: The generated reports include only a subset of the report data that is available. However, you can save the entire set of available data as a comma-delimited (.csv) file. You can use the raw data files to do the following: view or print the complete report data in an application such as Microsoft Excel; import the data into a third-party reporting application to generate custom charts and reports. If you are using the multiserver console, you can view a list of the report data from all of the servers in a selected group. After you collect the report data, you can access the .csv files that contain the data. Save report data for use with other applications: Report data can be saved for a single server, or you can generate a comma-delimited (.csv) file for a server group using the multiserver console. A separate
36. match a virus against an existing virus definition, Bloodhound heuristics technology copies the suspicious executable program into its own virtual computer. It then tests the program and assesses suspicious file behavior, such as whether the file has replicated itself in a period of time. You can set the Bloodhound Virus rule to send files to the Quarantine for further examination and possible repair at a later date. See "Securing your network" on page 88. Mass Mailer Virus rule: Because email mass mailer viruses do not need to attach to a host file to infiltrate a network, they can spread very quickly. The Mass Mailer Virus rule specifies what to do when an email mass mailer virus is detected. By default, the entire message is deleted. Working with filtering subpolicies: The Filtering subpolicy contains rules that let you filter messages for specific words, phrases, subject lines, and senders, and take action when the specified content is found. Symantec Mail Security for Microsoft Exchange lets you create filtering rules to apply to Auto Protect scans, on-demand scans, and scheduled scans. The rules provide a front-end defense in real time against spam email messages and new or unidentified viruses. These rules expand the control that administrators have to block objectionable email messages and attachments. You can set up, edit, or delete as many filtering rules as needed. Each rule specifies the email attributes to search for examp
37. multiserver console" on page 36. To install the Symantec Mail Security for Microsoft Exchange console: 1. Start the Symantec Mail Security for Microsoft Exchange console Setup program (Setup.exe). This file is located in the SMSMSE Console folder on the product CD. 2. In the License Agreement panel, check I accept the Terms in the license agreement, and then click Next. 3. Optional: If you are upgrading the console from a previous version, in the Upgrade Options panel, check one of the following, and then click Next: Transfer settings from previous installation; Install using Factory default settings. See "Upgrading from a previous version" on page 52. 4. Do one of the following: in the Setup Type panel, click Complete to install to the default location, and then click Next; or click Custom to specify a different location. 5. In the Notification Email Address panel, verify or change the address that is used to send (not receive) notifications, and then click Next. Type a valid Active Directory display name only. 6. In the Ready to Install the Program panel, click Install. The installation may take several minutes. 7. Click Finish. Installing Symantec Mail Security on remote servers: You can install the Symantec Mail Security for Microsoft Exchange server component on remote servers. Remote servers are installed with default installation sett
38. not as thoroughly tested as certified LiveUpdate definitions because they are designed for a quick response to emerging threats. Components of Symantec Mail Security: Table 1-2 lists the components of Symantec Mail Security for Microsoft Exchange. Table 1-2, Software components: Symantec Mail Security for Microsoft Exchange: This is the software that you install to protect your Exchange servers. It protects your servers from viruses, messages that overload the system, inappropriate message content, spam, and denial-of-service attacks. Adobe Acrobat Reader: This is the software that makes it possible to read documentation in Portable Document Format (.pdf). Outlook Plug-in: As a part of the premium antispam service, this is the software that lets you submit missed spam and false positives to Symantec. It lets you administer lists for allowed senders and blocked senders, and block email messages based on language identification. Spam Folder Agent for Exchange: As a part of the premium antispam service, this is the software that lets you automatically route unwanted messages to a spam folder in each user's mailbox. This agent is available only for Microsoft Exchange 2000 installations. LiveUpdate Administrator: LiveUpdate lets Symantec products download program and virus definitions files updates directly from S
39. obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance, even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates. 3. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of thirty (30) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTU
40. rule that you are about to create to go into effect. In the Event list, select whether the trigger is activated by occurrences of the same subject, the same attachment name, filtering violations, or unscannable files. In the Occurrences field, type the number of occurrences of the selected event that define an outbreak. In the Time period field, select the unit of time, and then type the number of minutes, hours, or days over which Symantec Mail Security for Microsoft Exchange should detect the outbreak before starting the process again. Under Actions to take, check Add Subject Attachment name to Triggered Match List. The option to add to a match list is available only for Same Subject and Same Attachment Name triggers. Under Administrator email notifications, check Enable to notify administrators upon activation of the heuristic trigger. For administrators to receive email notifications during an outbreak, the notification email address must be a valid Active Directory email account. Under Initial Notifications, type the Subject Line and Message Body text to be used in the administrator notification. Under Subsequent Notifications, type the Subject Line and Message Body text to be used for follow-up notifications. Under Alerts, check Enable to send a Messenger Service Alert upon activatio
41. select a server group. 2. In the left pane, expand Configuration. 3. Expand Spam Prevention Settings. 4. Click Symantec Premium AntiSpam. 5. Click Symantec Premium Settings. 6. Under Language ID, select whether you want to enable language identification. 7. Click Save. Configuring Symantec Premium AntiSpam to handle spam: Once you configure Symantec Premium AntiSpam settings, you configure actions for handling spam, suspected spam with an existing SCL value > threshold (available only with Exchange 2003), and suspected spam without an existing SCL value or < threshold. You must specify a spam threshold for identifying suspected spam in order to configure actions for suspected spam. A message that is identified as spam is handled according to how you have configured Symantec Mail Security for Microsoft Exchange to handle spam messages. If a message is identified as suspected spam, it is examined to determine if an SCL value exists. If so, the message is handled according to how you have configured Symantec Mail Security for Microsoft Exchange to handle suspected spam messages with an existing SCL value > threshold. This option is available only with Exchange 2003. If a message is identified as spam and there is no existing SCL value or > threshold, it is handled according to how you have configured Symantec Mail Security for Microsoft Exchange to handle suspected spam. See "To configure a spam threshold" on page
42. select whether to enable email notifications to the specified administrator list when the outbreak trigger is activated. In the Subject line box, type the subject line for the email message that notifies administrators of the outbreak. In the Message body box, type the message body for the email message that notifies administrators of the outbreak. Variables are specified by the percent sign and the text that follows it, and are automatically filled in when the message is sent. Under Subsequent Notifications, in the Subject Line box, type the subject line for the follow-up email message that notifies administrators of the outbreak. In the Message Body box, type the follow-up message. 11. Under Alerts, do the following: Enable the Messenger Service Alert to send a Messenger Service Alert when the outbreak trigger is activated. Under Initial Alert, specify the text that is displayed when the Messenger Service Alert is triggered. Under Subsequent Alert, specify the text that is displayed for any follow-up messages. 12. Enable the AMS Alert. This will send an AMS Alert, if AMS is available, when the outbreak trigger is activated. 13. Click Save. See "Working with subpolicies" on page 129. Enabling Outbreak Management: After you have created virus and heuristic triggers and have ensured that associated content filtering rules are enabled, you can
43. stamped messages in the user's Junk Email folder when the SCL of the message is greater than the SAT value. By default, the SAT value is not set, and all messages with an SCL value are moved to the Junk Email folder. If the SAT value is set and a message has an SCL value that is higher than the SAT value, Exchange puts the message in the Junk Email folder. If the SCL value is lower than or equal to the SAT value, the message goes into the inbox as usual. To view the current SAT setting: 1. On the Windows taskbar, click Start > Run. 2. In the Open box, type the following: SMSMSESAT value to set H hostname 3. Click OK. To change the SAT setting in Exchange 2003: 1. On the Windows taskbar, click Start > Run. 2. In the Open box, type the following: smsmsesat value for SAT for example 8 symantec com. The value for SAT that you type sets the SAT in Exchange 2003. 3. Click OK. Bypassing RBL blocking and spam detection for sender and recipient whitelists: To minimize false positives, you can set up a list of sender domains that will not undergo RBL blocking and spam detection. You can also specify fully qualified email addresses to create a recipient whitelist. Messages that are sent to those addresses are not evaluated by the real-time blacklist or the heuristic antispam engine. If both RB
44. the following as necessary: Check Send Administrator email on failed Heartbeat to send email notification to the administrator upon a heartbeat failure. Type the Message subject text. 9. Click Save. Configuring notifications and alerts: When you configure notifications and alerts, you specify the administrators, users, and computers that receive email notifications, Windows 2000/2003 alerts, and AMS alerts when a rule violation occurs, when an outbreak trigger is activated, or when a critical service failure occurs. Note: Email notifications are sent only to names and addresses that can be resolved against Active Directory objects. When defining a policy, you specify the actual text of the message and alerts that are sent to the list of administrators, users, and computers that are specified in the notification and alerts configuration settings for when a rule is violated. See "How subpolicy rules work" on page 131. Symantec Mail Security for Microsoft Exchange provides the following mechanisms for issuing alerts to administrators: Messenger Service alerts, which are issued by Microsoft Windows 2000/2003/XP; the Alert Management System (AMS), which is managed and configured through Symantec AntiVirus Corporate Edition; Symantec Enterprise Security Architecture alerts. You should restrict the issuing of alerts to a small list of interested administrators or specific computers to avoid unnecessary interruption
45. to manage single instances of Symantec Mail Security. The left pane of the console contains a standard tree view with nodes for server groups, and the right pane contains settings. You access most actions with the right-click menu in the left pane tree. The nodes common to both the single server user interface and the console are Scan Jobs, Policies, Tasks, Configuration, and Statistics and Reports. [Screenshot: Symantec Mail Security for Microsoft Exchange console, Group Main Page for the Global group] The Symantec Mail Security for Microsoft Exchange console includes a parent layer of group nodes for each named server group and a root node called Global that consists of all server groups. Each group contains a Servers node. The Global group node contains an All Servers node. Clicking on the All Servers node (Global > All Servers) displays
46. under Microsoft Clustering Service. A small number of Exchange servers, but future mail server growth is expected: You can install and use the multiserver management console at a later date. However, because you expect future mail server growth, you could begin using the multiserver console now and add servers and server groups as they are installed and activated. Many Exchange servers, or Exchange servers at several locations across the enterprise: Install and use the multiserver management console, which will simplify the management of mail security. Create administrative groups for the Exchange servers so that mail servers for a particular organizational or mail function can be managed together. Before you install on an Exchange server: Review the following information before you install Symantec Mail Security for Microsoft Exchange on a Microsoft Exchange server: Verify that Microsoft Exchange 2000 with Service Pack 3 or Microsoft Exchange 2003 is installed. Verify the IP address and port number of the Symantec Mail Security Web site for all servers on which you install the product. Note: To install Symantec Mail Security components correctly, you must be logged on as a Windows domain administrator. Before you install the multiserver console: If your organization is using multiple Microsoft Exchange servers and you want to manage mail s
47. undesirable message content Safeguard the email security system Manage virus outbreaks Isolate infected message bodies and attachments Keep virus protection up to date Gather and report data Send notifications when a threat or violation is detected Manage single and multiple Exchange servers Protect against computer viruses Symantec Mail Security for Microsoft Exchange scans message bodies and attachments that are sent to mailboxes and public folders on Exchange servers including files in compressed and encoded formats such as MIME and Zip The Auto Protect feature detects viruses in real time as email messages are routed through the Exchange server You can configure Symantec Mail Security to handle viruses as follows Repair infected attachments to eliminate viruses automatically on detection Quarantine infected message parts body or attachment for administrator review Delete message bodies and attachments and replace with text Introducing Symantec Mail Security for Microsoft Exchange 25 What you can do with Symantec Mail Security Deliver the email message but log the virus detection Delete the entire message Log the detection Filter undesirable message content Symantec Mail Security for Microsoft Exchange lets you filter undesirable content with the following Match lists To filter content that applies to a specific situation you can create a match list that includes words and phrases that are
48. with scan jobs Understanding the Standard Policy and custom policies Working with subpolicies Working with Match List settings Outbreak Triggered Attachment Names and Subject Lines Match List options About policies Policies are solutions for detecting and resolving security threats to your Exchange servers Symantec Mail Security for Microsoft Exchange provides a default Standard Policy that includes the most frequently used rules for protecting your Exchange servers You can also configure and save custom policies that address the unique security needs of your organization A policy consists of a set of subpolicies Each subpolicy represents a security category and a set of rules that belong to that category for example the Macro Virus Rule belongs to the Virus subpolicy Each subpolicy rule specifies an action to take and the notifications and alerts to issue when the rule is violated 124 Establishing policies About policies The relationship between policies subpolicies and rules in Symantec Mail Security for Microsoft Exchange is shown in Figure 5 1 Figure 5 1 Policies subpolicies and rules [diagram labels: Policy, Subpolicy (Virus, Filtering, Exception), Rules] For example you can define a policy that contains the following sets of rules • Upon detection of any virus repair the infected file
49. 0 txt 669 aif aiff amd amm ams au far gdm it mid midi mod mtm med png rmi stm stx s3m xm Note Symantec Mail Security for Microsoft Exchange only scores attachments that consist of text txt and structured storage files doc xls ppt and shs The Message body Subject and Attachment Name attributes interpret their value fields as regular expressions This means that even if you typed a number in the value field Symantec Mail Security for Microsoft Exchange would 140 Establishing policies Working with subpolicies consider it text not a number Text strings because they allow for regular expressions give you flexibility in extending your text searches to find more than just a direct match Regular expressions include metacharacters to help you broaden the search capabilities of a given rule See Regular expressions on page 141 Selecting Body Content Score or Attachment Content Score as the Attribute instructs Symantec Mail Security for Microsoft Exchange to use its Dynamic Document Review technology to analyze the content based on a score and one or more dictionary content categories that you specify for that rule Symantec Mail Security for Microsoft Exchange considers any message with a score that exceeds your specified threshold value to be a content violation and takes the action that you have specified for the rule The threshold for a content violation may be a single
50. 32 Working with filtering subpolicies 135 Elements of a filtering rule 137 DOS wildcard style expressions 140 Regular expressions 141 Examples of regular expressions that filter mail 144 Setting an Exception subpolicy 145 Unscannable file rule 145 Unrepairable file rule 146 Encrypted file rule 146 Working with Match List settings 146 Outbreak Triggered Attachment Names and Subject Lines Match List options 148 Using content filtering dictionaries About dictionary based content filtering How content filtering dictionaries work Content dictionaries Symantec dictionary categories Scoring messages Matching words and evaluating content 154 Base and bonus scores 155 Building custom categories and words 155 Selecting and configuring content filtering dictionaries
51. 36 installation about 34 component locations 36 38 customizing 51 guidelines 35 Internet Explorer 40 IP address 35 43 Microsoft Clustering Service 35 53 Microsoft Internet Information Services 43 Microsoft Management Console MMC 46 multiple servers 45 51 multiserver console 46 47 port number 43 remote servers 47 51 requirements 40 response file 51 setup iss file 52 single server 42 Internet connection 173 Internet Explorer 40 65 IP address 35 43 J JRE Java Runtime Environment installing 61 L Language identification 100 licensing 44 65 LiveUpdate configuration 117 connection 173 multiple servers 175 settings 117 single server 174 Start menu shortcuts 39 logs SESA Agent 61 Macro Virus rule 129 132 134 manual scans 81 Mass Mailer Virus rule 129 132 135 Match List creating 147 filtering content with 24 outbreak triggers 148 settings 146 message scoring See scoring message Messenger Service alerts 115 Microsoft Clustering Service 35 53 Microsoft Excel 168 Microsoft Internet Information Services 43 Microsoft Management Console MMC 46 MIME format 24 multiserver console adding servers 74 administration 73 creating server groups 73 deleting server groups 78 Global server group 72 73 78 installation 45 reconfiguring groups 72 notifications configuring 115 117 O outbreak management about 26 108 179 185 defining outbreak triggers 148 180 heuristic events 182 virus events 180
52. 4 SESA Integration Wizard 58 settings failure from console 76 setup iss file 52 shortcuts Start menu 39 single server user interface about 29 basics 65 components 66 installation 42 spam 92 Standard Policy 23 69 126 Start menu shortcuts 39 statistics Auto Protect data 163 status information 82 subpolicies Exception 22 129 145 Filtering 22 129 135 Virus 22 129 132 133 Symantec AntiVirus Corporate Edition 30 Symantec dictionary 152 Symantec Premium AntiSpam 99 Symantec System Center 29 115 system requirements 40 T templates report 166 triggers 148 Trojan horses 17 190 Index U uninstalling SESA Agent Symantec Mail Security for Microsoft Exchange 63 SESA Integration Package 64 unrepairable files Unrepairable File rule 129 146 unscannable files about 26 Unscannable File rule 89 129 145 user dictionary 152 user defined server groups 72 V verification of SESA installation 59 virus definitions files about 172 distributing 80 scheduling updates for multiple servers 176 sharing 30 updating regularly 27 Virus subpolicy 22 129 132 viruses about 16 macro 17 outbreaks 26 179 185 payloads 16 program 17 unknown 21 W wildcard characters 140 Windows 2000 40 Windows Control Panel 39 Windows Start menu 39 Z Zip format 24
53. 7014 a 1 and used in 48 C F R section 12 212 and 48 C F R section 227 7202 as applicable Consistent with 48 C F R section 12 212 48 C F R section 252 227 7015 48 C F R section 227 7202 through 227 7202 4 48 C F R section 52 227 14 and other relevant sections of the Code of Federal Regulations as applicable Symantec s computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users according to the terms and conditions contained in this license agreement Manufacturer is Symantec Corporation 20330 Stevens Creek Blvd Cupertino CA 95014 United States of America 6 Export Regulation Certain Symantec products are subject to export controls by the U S Department of Commerce DOC under the Export Administration Regulations EAR see www bxa doc gov Violation of U S law is strictly prohibited Licensee agrees to comply with the requirements of the EAR and all applicable international national state regional and local laws and regulations including any applicable import and use restrictions Symantec products are currently prohibited for export or re export to Cuba North Korea Iran Iraq Libya Syria and Sudan or to any country subject to applicable trade sanctions Licensee agrees not to export or re export directly or indirectly any product to any country outlined in the EAR nor to any person or entity on the D
54. AL PROPERTY RIGHTS THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY 4 Disclaimer of Damages SOME STATES AND COUNTRIES INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL CONSEQUENTIAL INDIRECT OR SIMILAR DAMAGES INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN NO CASE SHALL SYMANTEC S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software 5 U S Government Restricted Rights RESTRICTED RIGHTS LEGEND All Symantec products and documentation are commercial in nature The software and software documentation are Commercial Items as that term is defined in 48 C F R section 2 101 consisting of Commercial Computer Software and Commercial Computer Software Documentation as such terms are defined in 48 C F R section 252 227 7014 a 5 and 48 C F R section 252 227
55. E 4 6 Server logsbm AntiSpam Symantec directory that contains matchlist files: C Program Files Symantec SMSMSE 4 6 Server MatchLists; Symantec directory that contains Symantec Premium AntiSpam configuration files: C Program Files Symantec SMSMSE 4 6 Server SpamPrevention; Symantec directory that contains the rule update log file for Symantec Premium AntiSpam: C Program Files Symantec SMSMSE 4 6 Server stats 38 Installing Symantec Mail Security for Microsoft Exchange Before you install Console component locations By default Symantec Mail Security for Microsoft Exchange multiserver console components are installed in the following locations Multiserver console program files: C Program Files Symantec SMSMSE 4 6 Console; Symantec Mail Security Event Log files and data: C Program Files Symantec SMSMSE 4 6 Console EventLogs; Files used for rolling out Symantec Mail Security to remote servers (contains the remote installation Setup iss file that is used for rolling out custom installations of Symantec Mail Security): C Program Files Symantec SMSMSE 4 6 Console Remote Install Files; Downloaded console report data files: C Program Files Symantec SMSMSE 4 6 Console ReportDownloads; Component to update virus definitions: C Program Files Symantec LiveUpdate; Symantec directory to which new virus definitions are installed: C Program Files CommonFiles Symantec Shared VirusDefs; Directory for user interface files: C Documents and Set
56. L processing and sender whitelist processing are activated the whitelist takes precedence and all addresses that are included in the list are allowed Whitelists Email messages from addresses that are included in the whitelist are still processed for content violations and viruses To configure a sender whitelist 1 Do one of the following • Open Symantec Mail Security for Microsoft Exchange for the single server • In the Symantec Mail Security for Microsoft Exchange console in the left pane select a server group 2 In the left pane expand Configuration 3 Click Spam Prevention Settings 4 In the right pane under Sender White List type the domains and email addresses one per line for which spam processing will be bypassed Domain names must begin with either an at symbol (@) or an asterisk before the at symbol (*@) for example @mail.com or *@mail.com You can also type domains for example mail.com You can use DOS wildcard characters 5 Click Save Configuring Symantec Mail Security for Microsoft Exchange 99 Protecting your organization from spam with Symantec Premium AntiSpam To configure a recipient whitelist 1 Do one of the following • Open Symantec Mail Security for Microsoft Exchange for the single server • In the Symantec Mail Security for Microsoft Exchange console in the left pane select a server group In the left pane expand Configuration Click Spam Prevention Settings In the right pane unde
57. Mail Security for Microsoft Exchange 4 6 using the Symantec Mail Security for Microsoft Exchange console See Upgrading from a previous version on page 52 To install Symantec Mail Security to remote servers 1 In the left pane of the Symantec Mail Security for Microsoft Exchange console right click Global or any server group node and then click All Tasks > Add Servers 2 In the Add Servers pane click Next 3 In the Choose Server Group dialog box select a server group 4 Type the TCP port number of the server Port 8081 is the default Click Next In the Choose Servers pane under Available Servers select the Exchange server that you want to add to the group Alternatively in the Server Name text box type the server name or IP address Click Add Repeat steps 6 7 for each Microsoft Exchange server to which you want to install Symantec Mail Security Check Install SMSMSE to these servers Check Send group settings to server s If checked group settings are applied to the newly installed server If unchecked the server is installed with default settings Future changes that are made to the server group however will be applied to the server Click Finish The Status of Remote Server Installation pane displays the installation status for each server If any installation errors occurred click
58. OC Denied Persons Entities and Unverified Lists the U S Department of State s Debarred List or on the U S Department of Treasury s lists of Specially Designated Nationals Specially Designated Narcotics Traffickers or Specially Designated Terrorists Furthermore Licensee agrees not to export or re export Symantec products to any military entity not approved under the EAR or to any other entity for any military purpose nor will it sell any Symantec product for use in connection with chemical biological or nuclear weapons or missiles capable of delivering such weapons 7 General If You are located in North America or Latin America this Agreement will be governed by the laws of the State of California United States of America Otherwise this Agreement will be governed by the laws of England and Wales This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and i supersedes all prior or contemporaneous oral or written communications proposals and representations with respect to its subject matter and ii prevails over any conflicting or additional terms of any quote order acknowledgment or similar communications between the parties This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software The disclaimers of warranties and damages and limitations on liability shall survi
59. S IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR BY OPENING THIS PACKAGE BREAKING THE SEAL CLICKING THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY OR LOADING THE SOFTWARE YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS CLICK THE I DO NOT AGREE OR NO BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE 1 License The software and documentation that accompanies this license collectively the Software is the proprietary property of Symantec or its licensors and is protected by copyright law While Symantec continues to own the Software You will have certain rights to use the Software after Your acceptance of this license This license governs any releases revisions or enhancements to the Software that the Licensor may furnish to You Except as may be modified by an applicable Symantec license certificate license coupon or license key each a License Module that accompanies precedes or follows this license and as may be further defined in the user documentation accompanying the Software Your rights and obligations with respect to the use of this Software are as follows You may A use the number of copies of the Software as have been licensed to You by Symantec under a License Module If the Software is part of a suite containing multiple Software titles the number of copies You may u
60. SA 57 SESA components 57 Installing the SESA Integration Package on the SESA Manager 58 Verifying the SESA installation 59 Installing the SESA Agent manually 61 Uninstalling the SESA Agent 63 Uninstalling the SESA Integration Package 64 After you install 65 Accessing the single server user interface 65 Single server panel components 66 About the Symantec Mail Security for Microsoft Exchange console user interface 67 Making selections in the multiserver console Displaying individual servers Configuring and running scans Managing multiple server installations About the multiserver console 71 Global server group 72 User defined server groups 72 Reconfiguring settings 72 Chapter 4 Contents Managing serve
61. Symantec Mail Security for Microsoft Exchange console reduces administrative overhead because you change the settings for groups of servers at once rather than make individual settings changes at each server You can organize servers into administrative groups based on organizational categories or mail functions Base your decision of whether to use the console on an assessment of the benefits that it provides See About the multiserver console on page 71 Using Symantec Mail Security with other Symantec products If the Symantec AntiVirus Corporate Edition client is installed on a server that is running Symantec Mail Security for Microsoft Exchange you can share virus definitions between products You can also roll out virus definitions to individual servers that are running Symantec Mail Security provided that both products have current licenses This eliminates the overhead of making multiple connections to update virus definitions If your organization has the Symantec Central Quarantine Server installed on the same network as Symantec Mail Security for Microsoft Exchange you can forward items that were quarantined by Symantec Mail Security for Microsoft Exchange to the Symantec Central Quarantine Server The Quarantine Server Setup program is available on the Symantec Mail Security for Microsoft Exchange CD You must install the Symantec Central Quarantine Server separately For more information see the Symantec Central Quar
62. The message was delivered by an authenticated SMTP session and the DoAntiSpamOnAuthSessionsBool registry key is either missing or set to non zero An internal error occurred This can happen if the SPAM NET or SPAM DAT files are missing or corrupt Configure antispam protection Symantec Mail Security for Microsoft Exchange can be configured to use the heuristic antispam engine to detect spam To configure the heuristic antispam engine settings 1 Do one of the following • Open Symantec Mail Security for Microsoft Exchange for the single server • In the Symantec Mail Security for Microsoft Exchange console in the left pane select a server group In the left pane expand Configuration Click Spam Prevention Settings In the right pane under Heuristic AntiSpam Engine Settings check Enable heuristic spam detection Check Reject message if Symantec SCL and existing SCL value are __ and then fill in a value for If SCLs do not match use ___ This option is available only for Exchange 2003 users Check Reject message if SCL is __ and choose an appropriate value Check Log rejected messages To configure actions to take for accepted messages 1 Under Action s to take for accepted messages check Prevent delivery to original recipient s if SCL is __ and choose an appropriate value Check Deliver to alternative recipient s if SCL is __ and choose an appropriate value In the Alternative recipient s box type one or
63. a specified threshold value within a specified amount of time For example if 10 occurrences of the same virus are detected during a two minute interval an outbreak is triggered Configuring Symantec Mail Security for Microsoft Exchange 109 Configuring settings to handle an outbreak You can configure different settings for different outbreak situations For example you can create one virus outbreak trigger for the total number of viruses detected and another virus outbreak trigger for occurrences of a specific virus You can also create and configure heuristic triggers for managing outbreaks Rather than identifying known viruses heuristic triggers identify message attributes or events in your server environment that are frequently associated with an outbreak such as the number of occurrences of a specific subject line Note The following procedures apply to the single server user interface although in most cases the multiple server console uses the same steps The options that you configure are the same regardless For procedures that require you to add or delete items you access configuration options differently In the multiple server console you must right click an item in the left pane rather than clicking it to access the configuration options for the node Configure outbreak settings You can configure the global outbreak management settings and add and delete virus and heuristic triggers You must enable a filterin
64. abled or disabled for a subpolicy except for the Exception subpolicy rules which are always enabled For a rule to become operational its subpolicy must also be enabled All rules have the following settings • Action to take when the rule applies • Notifications to send including the enabling of the notification and the notification text • Alerts to send including enabling the alert and specifying the alert text • Replacement text to use when an item is quarantined or deleted In addition filtering rules can be applied to the following types of scanning • Store scanning All internal mail for an organization used to enforce internal mail policies • SMTP inbound scanning Mail coming into an organization used to reduce incoming spam messages • SMTP outbound scanning Mail that is leaving an organization used to enforce mail policy for external communications SMTP inbound and outbound rules should be applied on a gateway computer if possible SMTP Inbound rules should be used to block mail with unwanted senders and subjects block forbidden file types and prevent undesirable mail from entering the system SMTP outbound rules can be used to enforce external mail policies Store filter rules should be run with virus rules on mailbox public folder servers to enforce internal mail policies 132 Establishing policies Working with subpolicies Some policy rules specify general behavior while other rules are more specialized
65. ages for words in those categories to help ensure confidentiality and reduce possible legal liability You can also filter messages based on subject line as an indicator of a virus and filter spam email messages See Working with subpolicies on page 129 How content filtering dictionaries work When enabled the Symantec Mail Security for Microsoft Exchange content filtering feature matches text in Exchange message bodies against words that belong to a set of selected categories from a content dictionary These words have predefined scores The more strongly representative the word or phrase is of a particular category the higher the score Each message is assigned a score The score is based on the total number of target words found and their weights If the score exceeds a specified threshold setting the message is flagged as violating a filtering rule An automated action is then taken based on the settings supplied by the administrator for the disposition of flagged messages Content dictionaries A content dictionary is a repository for categories of words or phrases to be filtered Symantec Mail Security for Microsoft Exchange uses the following types of dictionaries • Symantec This content dictionary is generated by Symantec and contains commonly filtered words and phrases which are organized into categories • User supplied This dictionary consists of all words and phrases that are added by the user The user suppli
66. ail is spam Email messages from addresses that are contained in the suspect list are always blocked You can choose to have email from addresses on the open proxy list blocked and email from addresses on the safe list allowed • Safe list Contains IP addresses from which virtually no outgoing email is spam See To configure the reputation service on page 103 Symantec identifies a message as spam when the antispam engine scores the message between 90 and 100 A message that scores below 25 is not considered spam You can specify that a message be considered suspected spam if it scores between 25 and 90 You can modify the lower end of the range If a message is received that falls within the range it is handled based on your spam action settings for suspected spam See To configure a spam threshold on page 103 If you use Microsoft Outlook you can use the Symantec Outlook plug in to specify that email that is written in certain languages be treated as spam See To enable language identification on page 104 Configure Symantec Premium AntiSpam Once you enable the Symantec Premium AntiSpam service you can configure it to identify spam based on the reputation service spam scoring and language identification Configuring Symantec Mail Security for Microsoft Exchange 103 Protecting your organization from spam with Symantec Premium AntiSpam To configure the reputation service 1 Do one of
67. ailable for Exchange 2000 installations You can install the Symantec Spam Folder Agent from the product CD The Spam Folder Agent should be installed on Exchange servers where mailboxes physically reside The Agent creates a spam folder in each user s mailbox When spam messages are tagged for Spam folder agent delivery the messages are delivered to the spam folder If the Agent detects that the user s spam folder has been deleted or moved it will recreate the subfolder Note Install the Agent on the server on which Symantec Mail Security for Microsoft Exchange is installed To install the Spam Folder Agent for Exchange 1 On the product CD click Install Spam Folder Agent 2 Read the license agreement click I accept the terms of this license agreement and then click Next 3 Select a setup type and then click Next Setup options are Complete and Custom The Complete option installs all software in a predefined set of folders and files The Custom option lets you tailor installation options 4 Under Service Account specify an account to be used by the Agent 5 Type the Active Directory or NT Domain and the user name and password The account must have full access to the mailbox that is specified in the Mailbox box 6 In the Mailbox box type the mailbox alias of a valid mailbox for the Agent to use Alias is the name by which a user is identif
68. am Configuring settings to handle an outbreak Monitoring Symantec Mail Security for Microsoft Exchange functionality Configuring notifications and alerts Configuring automatic virus protection Isolating message bodies and attachments Configuring report data settings Configuring Symantec Mail Security for Microsoft Exchange About configuring Symantec Mail Security for Microsoft Exchange About configuring Symantec Mail Security for Microsoft Exchange When you configure Symantec Mail Security for Microsoft Exchange you set product wide values that apply to all users and across all sessions They are unlike settings for a specific policy which are in effect only when that policy is enabled See How policies work with scan jobs on page 125 Although you can configure or reconfigure Symantec Mail Security for Microsoft Exchange at any time you generally configure the product immediately after installation customizing settings with values that work best for your environment Configuration settings Symantec Mail Security for Microsoft Exchange supplies a basic set of product defaults that are designed to eliminate the need for regular maintenance and to minimize configuration time These defaults are set at the individual server level For many installations these values do not have to be reset Table 4 1 lists the default configuration settings Table 4 1 Default configuration settings General Maximum scan tim
69. amples of regular expressions that filter mail on page 144 8 Click Save Outbreak Triggered Attachment Names and Subject Lines Match List options The Outbreak Triggered Attachment Names and Outbreak Triggered Subject Lines display names and subjects that are generated from Outbreak Heuristic Triggers Triggered Attachment Names are added to the Outbreak Triggered Attachment Names Match List Triggered Subject Lines are added to the Outbreak Triggered Subject Lines Match List You can edit the text that is displayed under Match List Filter but you should leave these as literal strings See Creating a heuristic outbreak trigger on page 182 After you configure an outbreak trigger you can define a filtering rule that specifies the triggered Match List See Working with Match List settings on page 146 Establishing policies 149 Outbreak Triggered Attachment Names and Subject Lines Match List options The options for Outbreak Triggered Attachment Names and Outbreak Triggered Subject Lines are the same and are described in Table 5 5 Table 5 5 Outbreak Trigger Match List options Match list description This specifies where the Outbreak Triggered Match List was generated Outbreak Triggered Attachment Names m Outbreak Triggered Subject Lines This list contains m Literal strings This is the default You should leave these as literal strings m Regular expressions m DOS wildcard style expressions Match l
70. andle spam 104; Configuring settings to handle an outbreak 108; Monitoring Symantec Mail Security for Microsoft Exchange functionality; Configuring the heartbeat settings 11; Configuring notifications and alerts 115; Configuring automatic virus protection 117; Isolating message bodies and attachments 117; Configuring report data settings 121. Chapter 5 Establishing policies: About policies; How policies work with scan jobs; Policy settings and scanning; Switching policies; Understanding the Standard Policy and custom policies 126; Using the Standard Policy 126; Customizing policies 127; Working with subpolicies 129; How subpolicy rules work 131; Working with virus subpolicies 1
71. ange Protecting your organization from spam with Symantec Premium AntiSpam. Language identification: Symantec can determine the language in which a filtered message is written. When used with the optional plug-in for Microsoft Outlook software, you can use this feature to treat messages that are written in certain languages as spam. Spam actions: You can create spam actions to handle the following categories of messages: Spam; Suspected spam with an existing SCL value > threshold (this option is available only in Exchange 2003); Suspected spam with no existing SCL value or < threshold. Filters: URL filtering: Symantec builds its known spammer list based on URLs that appear in spam. The list contains over 20,000 URLs. Heuristic filtering: Heuristic filters scan the headers and the body of a message to test for characteristics that are usually inherent in spam, such as opt-out links, specific phrases, and forged headers. Signature filtering: Messages that flow into the Symantec Brightmail Logistics and Operations Center (BLOC) are characterized using a unique signature that is added to the database of known spam. Using this signature, Symantec can group and match seemingly random messages that originated from a single attack. See "Blocking by real-time blacklists" on page 93. See "Bypassing RBL blocking and spam detection for sender and recipient whitelists" on page 98. Enabling Symantec Premium AntiSpa
72. antec Mail Security for Microsoft Exchange: Enabling event forwarding to SESA. To install the SESA Agent: 1. On the computer on which Symantec Mail Security is installed, at a command prompt, change to the AgtInst folder. By default: C Program Files Symantec SMSMSE 4 6 Server AgtInst. At the command prompt, type the following: java jar agentinst jar a3009. Optionally, you can append any of the following parameters: debug: Writes logging information to the screen. log: Turns off the installation log and instructs the SESA Agent to write logging information to the Agntinst log file in the local Temp directory. To start the SESA AgentStart Service: 1. On the computer on which you installed the SESA Agent, on the Windows taskbar, click Start > Settings > Control Panel. In the Control Panel window, double-click Administrative Tools. In the Administrative Tools window, double-click Services. In the Services dialog box, right-click SESA AgentStart Service, and then click Start. To enable event forwarding to SESA: 1. On the computer on which you installed the SESA Agent, open Symantec Mail Security. Click Configuration > Notifications Alert Settings. In the right pane, under SESA alerts, check Enable Logging and Alerting to SESA server. In the IP address of SESA server box, enter the IP address of the SESA Manager on which the SESA Integration Package (SIP) is installed. See Installing the SESA Integration Package o
73. antec Mail Security for Microsoft Exchange and you specify an SCL value, if both SCLs are greater than the value specified, the message is rejected. You can specify which SCL to use (the highest SCL, the lowest SCL, the average of the two SCLs, the Symantec SCL, or the existing SCL) when either or both SCLs do not exceed the value. By default, the higher SCL value is used. Configuring Symantec Mail Security for Microsoft Exchange 95: Protecting your organization from spam without Symantec Premium AntiSpam. Symantec Mail Security for Microsoft Exchange handles accepted messages based on how you have configured the product. The following is an example of the criteria that might be met in order for a message to be accepted, logged, and delivered: Heuristic spam detection is enabled; You have checked the "Reject message if Symantec SCL and existing SCL value are __" check box and have provided > 8 as the value; Either the Symantec SCL or the SCL value that is provided by another mail screening tool is not greater than 8; In Symantec Mail Security for Microsoft Exchange, you have selected Average SCL to use when neither SCL is greater than the specified value; The average of both SCLs is 8; You have checked the "Reject message if SCL is __" check box and have provided > 8 as the value; Under Action(s) to take for accepted messages, you have checked only the "Log if SCL is __" check box and have provided > 7 as the value. Th
74. antine Server documentation. See "Preventing conflicts with other antivirus software" on page 39. Introducing Symantec Mail Security for Microsoft Exchange: Where to get more information about Symantec Mail Security 31. Symantec Mail Security for Microsoft Exchange includes a comprehensive Help system that contains conceptual, procedural, and context-sensitive information. Use the Help button at the bottom of the right pane to access information about the pane in which you are working. If you want more information about features that are associated with the pane, select a Related Topics link in the Help pane, or use the Table of Contents, Index, or Search tabs in the Help viewer to locate a topic. If there are procedures that are associated with a feature or topic, the How To folder for the Help topic is displayed. Click that folder to display the procedures. If you are connected to the Internet, you can visit the Symantec Security Response Web site (securityresponse.symantec.com) to view the Virus Encyclopedia, which contains information about all known viruses and virus hoaxes. You can also find white papers about viruses and virus threats in general. Installing Symantec Mail Security for Microsoft Exchange This chapter includes the followi
75. ase If Symantec Mail Security for Microsoft Exchange is installed on only one Microsoft Exchange server, use the single server user interface to update virus definitions. If Symantec Mail Security for Microsoft Exchange is installed on several Exchange servers and you are using the Symantec Mail Security for Microsoft Exchange console, you can use the console to enable Rapid Release downloads. However, the console will download only LiveUpdate updates and will distribute only the LiveUpdate updates to the servers. 174 Maintaining virus protection: Keeping your virus protection current. Updating virus definitions for a single server: The following options are available through the single server user interface for updating virus definitions on a single server: Manually start a LiveUpdate or Rapid Release session: Download the virus updates when the session is started. Schedule automatic LiveUpdates for the Exchange server: Schedule days of the week and a time to run LiveUpdate. During installation of Symantec Mail Security for Microsoft Exchange, a default LiveUpdate schedule is set. You can reconfigure the LiveUpdate schedule. Once this option is saved, LiveUpdate sessions take place automatically at the specified times without administrator intervention. Enable Rapid Release for the Exchange server: Configure and save the Rapid Release option. Updates will occur hourly without administrator intervention. Update virus definit
76. ased on message body content, attachment name, attachment size, sender, subject lines, and attachment and body content scores. Exception subpolicy: Contains rules for handling unscannable, unrepairable, and encrypted files. Introducing Symantec Mail Security for Microsoft Exchange 23: How Symantec Mail Security works. Policies and scan jobs: A policy, which is assigned to a scan job, determines the types of threats that the scan job identifies, the actions to take when a threat is detected, and how to manage the email notifications about the threat. Any Symantec Mail Security for Microsoft Exchange scan job can use one of the following policies: The Standard policy (default), which is designed to address the most common email security threats; A custom policy, which covers unique situations such as the following: Scanning message archives during off hours; Filtering content to protect confidential information; Detecting messages that contain a specific subject line; Taking action against messages that contain encrypted attachments. You can also change the policy that a scan job uses and apply a policy to more than one scan job. See "Understanding the Standard Policy and custom policies" on page 126. Filtering features: The filtering features of Symantec Mail Security for Microsoft Exchange let you do the following: Use content dictionaries to search email messages and some types of attachments for offensive language c
77. ast time the statistics were refreshed (multiserver console only). To view Auto Protect statistics: 1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Statistics and Reports. 2. Click Auto Protect Statistics. Single server and multiserver statistics: Statistics about Symantec Mail Security for Microsoft Exchange that are displayed on the single server user interface are different than statistics that are displayed on the multiserver console. Statistics that are displayed in the single server user interface (browser hosted) are only for the server that is being monitored. Statistics that are displayed in the multiserver console (MMC hosted) are calculated across all Exchange servers that belong to the selected group. The multiserver console also includes server status information. 164 Using Symantec Mail Security for Microsoft Exchange data: Viewing spam statistics for Symantec Premium AntiSpam. Symantec Mail Security for Microsoft Exchange lets you display spam statistics by the domain from which spam messages were received and by category. When Symantec Premium AntiSpam is licensed and enabled, spam statistics are reported on the following categories: Confirmed spam; Suspected spam with an existing SCL value > threshold; Suspected spam with no existing SCL value or < threshold; Not spam; N/A: This is a message that the anti
78. at a time. You should always keep Auto Protect scanning enabled. Manual scans: Runs scans on an as-needed basis. You can run a manual scan in response to an immediate threat, such as the suspected presence of a new virus, or during times when no scan jobs are scheduled. A manual scan job applies only to folders and mailboxes that are selected when you define the scan. You can only run one manual scan job on Symantec Mail Security at a time. Scheduled scans: Runs scan jobs at specific days and times. A scheduled scan job applies only to those folders and mailboxes that are selected when you define the scan. You can run several scheduled scans on Symantec Mail Security at a time. Installing Symantec Mail Security for Microsoft Exchange 69: About the Symantec Mail Security for Microsoft Exchange console user interface. Scan jobs must be linked to policies, or sets of rules, before they can be run. The Standard Policy is the default rule setting; however, custom policies can also be configured to run with a particular scan. See "Understanding the Standard Policy and custom policies" on page 126. See "Scheduling and deleting scans" on page 69. See "Running a manual scan" on page 70. Scheduling and deleting scans: In addition to Auto Protect scanning, which is set to run by default, you can schedule additional scans to look for different types of rule violations than those that are covered by the Auto Protect scan. Rule viola
79. ate a Match List, you can define a filtering rule that specifies the Match List. To create or add to a Match List: 1. Do one of the following: Open Symantec Mail Security for Microsoft Exchange for a single server; In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. Do one of the following: In the single server user interface, in the left pane, click Configuration; In the console user interface, double-click Configuration. 3. Do one of the following: In the single server user interface, in the left pane, expand Match Lists, and then click Add Delete Match Lists. In the right pane, click Add a Match List, and then click Next; In the console user interface, in the left pane, right-click Match List Settings, and then click All Tasks > Add Match List. 4. Type a name for the Match List or select an existing Match List. When you apply a Match List to a filtering rule, you can also specify whether to ignore the case and specify whether to use whole words only. 5. In the Match List Description box, type a description for the Match List. 148 Establishing policies: Outbreak Triggered Attachment Names and Subject Lines Match List options. 6. Under This List Contains, select one of the following: Literal strings; Regular expressions; DOS wildcard style expressions. 7. In the Match List filter box, type a literal string, regular expression, or DOS wildcard style expression. See Ex
80. ate for the new policy. Click Save Policy. Customize the policy by enabling or disabling its subpolicies and changing the settings for the subpolicy rules. 10. Click Save. To delete a policy in the single server user interface: 1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Policies > Custom Policies > Add Delete Custom Policy. In the right pane, click Delete a custom policy. Click Next. In the Policy list, select the policy to delete. Click Delete Policy. Establishing policies 129: Working with subpolicies. General guidelines for custom policies: You can apply custom policies in a wide range of situations. For example, custom policies are useful when a limited number of notifications need to be issued. If manual scanning of the information store takes place at night and messages in the store have already been checked with an Auto Protect scan, you might want to issue a minimal number of notifications and alerts. You can create as many custom policies as your site needs. The following are examples of business scenarios for custom policies: A message with a particular attachment name is associated with a known problem. A custom policy whose only rule is to locate the attachment is linked with a manual scan and run immediately. To save overhead, the Auto Protect scan logs encrypted archives as they come into the Exchange store from the Internet but does not take any other ac
81. ategories Some of the Symantec dictionary categories are as follows: Crime; Drugs Advocacy; E Games; Finance; Gambling; Sex Acts; Sex Personals; Violence; Weapons. Note: You can create user categories and words using Hi ASCII and double byte character format. 154 Using content filtering dictionaries: Scoring messages. To score messages, Symantec Mail Security for Microsoft Exchange matches the individual words of a message body against entries in the Symantec supplied content dictionaries and the custom dictionary, if a custom dictionary has been set up. If a match is found, points are added to the message score. Symantec Mail Security for Exchange examines successive words for use of contextual words and adjusts the score accordingly. The sum total of points for the matches and surrounding words is the score for the email message. Note: You can create user categories and words using Hi ASCII and double byte character format. If the filtering rule is enabled for the scan job in effect, Symantec Mail Security for Microsoft Exchange compares the message score against the threshold setting that you specify in the rule. If the message score is equal to or exceeds the threshold setting, the expression in the rule is violated. Matching words and evaluating content: After the content filtering engine divides the text block into words, it compares the extracted words in successive o
82. be scanned, it is quarantined by default. For example, some highly compressed files are designed to defeat mail security by overwhelming the scanner. Quarantined items can also be forwarded to the Symantec Central Quarantine, if it is installed. The Symantec Central Quarantine setup program is available on the Symantec Mail Security for Microsoft Exchange CD. See "Isolating message bodies and attachments" on page 117. For more information, see the Symantec Central Quarantine documentation. Keep virus protection up to date: Symantec Mail Security for Microsoft Exchange relies on up-to-date information to detect and eliminate viruses. One of the most common reasons that virus problems occur is that virus definitions files are not updated regularly. Symantec regularly supplies updated virus definitions files that contain information about all newly discovered viruses. Note: Virus definitions are shared with Symantec AntiVirus Corporate Edition. You have the following virus definitions update options: Rapid Release: Rapid Release updates are released every hour. Rapid release definitions have undergone basic quality assurance testing by Symantec Security Response but have not undergone the intense testing that is required for certified LiveUpdate definitions. After more testing, they may be added to a certified LiveUpdate. Certified LiveUpdate: Certified LiveUpdates are the most up-to-date virus definitions that are certified by
83. [Screenshot: Quarantine list, with the buttons Select All, Deselect All, Delete, Release By Mail, Release To File, and Help] 160 Using content filtering dictionaries: About quarantined content violations. The Quarantine displays the following information: Timestamp: The time and date when the item arrived at the mail server. Message Part: The portion of the message that contained the violation. Recipient: The intended recipient of the message. Sender: The sender of the message. Sent to QServer: Whether the file has been forwarded to the Quarantine Server, if installed. Original Location: The name of the server that first received the item. Rule Violated: The name of the rule that detected the violation. Details: Additional information on the item, if it is available. If content filtering is used to detect the violation, the score of the violation is displayed. More: If a content filtering violation is detected, click More to open the Quarantine Details dialog box which co
84. bpolicies Table 5-1 Attributes, Comparisons, and Values. Attachment Content Score: comparisons Greater Than, Less Than; values Numerical value, Categories. Attachment Name: comparisons Contains, Does Not Contain, Match List, Equals, Does Not Equal; values Text value, A member of Match List. Attachment Size: comparisons Greater Than, Less Than, Equals, Does Not Equal; value Numeric Value (Bytes, KB, or MB). Suspicious Attachment Name: comparison Equals; value True or False. The attribute that you select determines which comparisons you can use. Some attributes have more comparisons than others. For example, if you select sender as the attribute, then the available comparisons are Contains, Does not contain, Equals, and Does not equal. The Sender Attribute also recognizes DOS wildcard characters in its value field. However, if you choose Suspicious Attachment Name, then only the Equals comparison is available. If you select Message Body or Subject, you can select whether to ignore the case and whether to use whole words only. The Suspicious Attachment Name comparison is used to compare the extension of an attachment to its detected type. The flag is true if the extension and type do not match. The flag is false if the extension and type match or if they cannot be compared. The supported file types include the following: ace amg ani arc arj avi bag bmp cab exe dll gho gif gz gzip hqx jpeg lha lzh 1z doc xls ppt shs rar rtf tar tga uue wav zip z0
85. ced in the quarantine directory during its quarantine process. Reporting data: C Program Files Symantec SMSMSE 4 6 Server Reports. User interface files: C Program Files Symantec SMSMSE 4 6 Server ROOT. Installing Symantec Mail Security for Microsoft Exchange 37: Before you install. Location where Symantec Mail Security scans items: C Program Files Symantec SMSMSE4 6 Server Temp. Note: You should configure all antivirus file system scanners to exclude scanning of the Temp directory. Those system scanners may try to scan and delete Symantec Mail Security files that are placed in the Temp directory during its scanning process. Component to update virus definitions: C Program Files Symantec LiveUpdate. Symantec directory to which new virus definitions are installed: C Program Files Common Files Symantec Shared VirusDefs. Symantec directory in which license files are stored: C Program Files Common Files Symantec Shared Licenses. Symantec directory that contains the dynamic link library for Symantec Premium AntiSpam: C Program Files Symantec SMSMSE 4 6 Server bin. Symantec directory that contains manual scan configuration data: C Program Files Symantec SMSMSE 4 6 Server config. Symantec directory that contains configuration files for allowed blocked senders for Symantec Premium AntiSpam: C Program Files Symantec SMSMSE 4 6 Server etc. Symantec directory that contains C Program component logs for Symantec Premium Files Symantec SMSMS
86. change for the single server; In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. In the left pane, expand Configuration. Click Quarantine Settings. Configuring Symantec Mail Security for Microsoft Exchange 121: Configuring report data settings. 4. Do one of the following: In the single server user interface, under Email Notification, in the Subject Line field, use the default text or type your own subject line text; In the console user interface, under Administrator Notification, in the Subject Line field, use the default text or type your own subject line text. 5. In the Message Body field, use the default text or type a message to send to an administrator list. 6. Click Save. Configuring report data settings: Symantec Mail Security for Microsoft Exchange generates various types of data on virus scanning, virus definitions, viruses detected, and virus-related events on a system. In addition, Symantec Mail Security for Microsoft Exchange generates data about violations for the different rules. You have the option of creating and saving custom reports that include subsets of this data. You can configure Symantec Mail Security for Microsoft Exchange so that this data is retained for different periods of time. You can also manually clear all report data on an as-needed basis if the amount of report data saved is too large or if it is no longer needed. Symantec Mail Securit
87. ck Symantec Mail Security for Exchange, and then click Properties. On the Directory Security tab, under Secure communications, click Server Certificate. Follow the instructions in the Web Server Certificate Wizard to install the certificate. After the certificate is installed, on the Directory Security tab, under Secure communications, click Edit. In the Secure Communications dialog box, check Require secure channel (SSL). Click OK. On the Web Site tab, under Web Site Identification, in the IP Address text box, type the IP address of the Symantec Mail Security server. In the SSL Port text box, type the port to use for SSL communications. The default port for SSL communications is 636. Click OK to close the Symantec Mail Security for Microsoft Exchange Properties window. After SSL is implemented, you must enable SSL and specify the SSL port for each server from the Symantec Mail Security multiserver console. See "Changing the Transmission Control Protocol (TCP) port and using Secure Sockets Layer (SSL)" on page 76. To access the Symantec Mail Security single server interface after SSL is implemented, you must use https and the SSL port in the URL, for example: https://<IP Address>:Port. Installing Symantec Mail Security for Microsoft Exchange 57: Enabling event forwarding to SESA. Symantec Mail Security for Microsoft Exchange supports event forwarding to Symantec Enterprise Secur
88. ckets matches a single character or collating element as in a list The string inside the brackets is evaluated literally as if an escape character were placed before each character in the string If the initial character in the bracket is a circumflex gt then the expression matches any character or collating element except those inside the bracket expression If the first character after any potential circumflex gt is a dash or a closing bracket then that character matches only a literal dash or closing bracket string string Parentheses Groups parts of regular expressions which gives the string inside the parentheses precedence over the rest The order of metacharacters from highest to lowest precedence is as follows 0 Precedence override List Escape Start with 144 Establishing policies Working with subpolicies Examples of regular expressions that filter mail You can link several regular expressions to form a larger one to match certain content in email Table 5 4 lists examples of regular expressions that show how pattern matching is accomplished with the use of metacharacters and alphanumeric characters Table 5 4 Regular expressions abc Matches any line of text that contains the three letters abc in that order Your results may differ depending on the comparison that you use to create the filtering rule For example if you build a rule to match the word Fre
89. cts the SESA Agent to write logging information to the Agntinst log file in the local Temp directory. 64 Installing Symantec Mail Security for Microsoft Exchange: Enabling event forwarding to SESA. Uninstalling the SESA Integration Package: To uninstall the SESA Integration Package for Symantec Mail Security for Microsoft Exchange, run the SESA Integration Wizard for Symantec Mail Security on the SESA Manager. To uninstall the SESA Integration Package: 1. On the SESA Manager computer, insert the Symantec Mail Security for Microsoft Exchange CD into the CD-ROM drive. At the command prompt, change directories to ADMTOOLS SESA_SIPI_ for SMSMSE. Type the following command to launch the SESA Integration Wizard: java jar setup jar uninstall. Follow the on-screen instructions until you see the SESA Domain Administrator Information window. In the SESA Domain Administrator Information window, do the following: SESA Domain Administrator Name: Type the name of the SESA Domain Administrator account. SESA Domain Administrator Password: Type the password for the SESA Domain Administrator account. Host Name or IP Address of SESA Directory: Type one of the following: If SESA is using default anonymous SSL communication, the IP address of the computer on which the SESA Directory is installed (may be the same as the SESA Manager IP address if they are both installed on the same computer); If SESA is using authenticated SSL communicati
90. curity for Microsoft Exchange for a single server; In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Policies. Establishing policies 133: Working with subpolicies. Do one of the following: Click Standard Policy; Expand Custom Policies, and then expand a policy. Click Virus Subpolicy. In the right pane, check the rules that you want to enable. Click Save. To edit a virus subpolicy: 1. Do one of the following: Open Symantec Mail Security for Microsoft Exchange for a single server; In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. In the left pane, expand Policies. Do one of the following: Click Standard Policy; Expand Custom Policies, and then expand a policy. Click Virus Subpolicy. In the right pane, click Edit for the rule that you want to edit. Modify the rule settings, and then click Save. In the left pane, click Virus subpolicy. Check the rule that you edited to enable it. Click Save. Basic Virus rule: The Basic Virus rule contains settings that determine which actions to take when a virus is detected. You can use the Basic Virus rule for coverage against all viruses, but it is most often used to find messages that contain known viruses. 134 Establishing policies: Working with subpolicies. To edit the Basic Virus rule: 1. Do one of the follo
91. d other countries. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. Technical support: As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include: A range of support options that give you the flexibility to select the right amount of service for any size organization; Telephone and Web support components that provide rapid response and up-to-the-minute information; Upgrade insurance that delivers automatic software upgrade protection; Content Updates for virus definitions and security signatures that ensure the highest level of protection; Global support from Symantec Security Response exper
92. d attaches itself to other programs and documents. In addition to replicating, a virus is generally programmed to deliver a payload: a destructive action performed on the infected computer. Some viruses display a message on a trigger date. Some, however, are programmed to damage data by corrupting programs, deleting files, or reformatting disks. Introducing Symantec Mail Security for Microsoft Exchange 17: About Symantec Mail Security for Microsoft Exchange. The following classes of viruses present the greatest threats in the email environment: Macro viruses: Infect word processing and spreadsheet documents; Program viruses: Infect executable files. The viruses spread as email attachments that are routed through the mail servers. Trojan horses are malicious programs that are disguised as useful programs, such as utilities or games. An important distinction between Trojan horses and viruses is that Trojan horses do not replicate themselves. When you install and run a Trojan horse, it appears to be performing a helpful function while it is actually damaging your computer's operating system. Mass mailers are programs that propagate from computer to computer, often by placing copies of themselves in each computer's memory. Macro viruses usually exist inside of other files, such as Microsoft Word or Excel documents. A mass mailer can replicate itself many times on one computer, which causes the computer to crash. Messages that overl
93. d servers, expand Global. To distribute virus definitions to servers in a server group, expand the server group. 2. Expand Tasks. 3. Click Run LiveUpdate. 4. In the right pane, click Update Servers. Running a manual scan on a server group. Manual scans are useful when you want to conduct scans of mail stores for specific purposes. For example, you can run a manual scan to filter rule violations against messages on a group of servers where message stores of those servers are not normally examined for content violations during Auto-Protect scanning or scheduled scans. To run a manual scan on a server group: 1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, do one of the following: to scan all managed servers, expand Global; to scan servers in a server group, expand the server group. 2. Expand Scan Jobs. 3. Click Manual Scan. 4. In the right pane, in the Policy in use field, select the policy to link to the manual scan job. 5. If necessary, configure the remaining options, and then click Save if changes are made. If options are changed and not saved, they are lost and will not be used for the scan. Instead, local server settings will be used. 6. Click Run Manual Scan. Viewing status information. Requests are issued to servers from the Symantec Mail Security for Microsoft Exchange console through HTTP. Therefore, you may find it us
94. ding. A managed server can only belong to one user-defined group. See "Moving a server to another group" on page 75. Reconfiguring settings. When you reconfigure a user-defined server group, any changes that you make are propagated to all servers that belong to that group. The reverse is not true. If you change the settings for an individual server, the changes are not recognized at the server group level or at the Global level. In that case, the information that is displayed by the console does not reflect the changes to the individual server. Note: Use the Communication Status pane to verify that requests that are made to servers have completed before you close the multiserver console. Closing the multiserver console before a server request is completed can cause errors. See "Viewing status information" on page 82. Managing servers and server groups. You can perform the following administration tasks with the Symantec Mail Security for Microsoft Exchange console: creating a server group; adding servers to a group; moving a server to another group; changing the TCP port and enabling SSL for a server; sending group settings to a server; deleting a server group; removing servers from console management. Creating a server group. There are two general categories of server groups: the Global group and user-defined groups
95. e and use the Contains comparison, then the filtering engine will detect all words that contain the word Free instead of an exact match, for example, Freedom. However, if you use the Equal comparison, then the filtering engine will detect only exact matches of the word Free with no other surrounding text. If you use the Contains comparison with Whole words only, then the filtering engine will detect Free as a stand-alone word, even if there are other words present in the text that is being searched. a c Matches any string that begins with the letter a, followed by any character, followed by the letter c. gt Matches any line that contains exactly one character. The newline character is not counted. a b c d Matches any string beginning with the letter a, followed by either zero or more instances of the letter b or zero or more instances of the letter c, followed by the letter d. Ns No Matches any file name that has two three-letter extensions, for example, Filename gif exe. This regular expression is helpful in blocking email attachments with double extensions. For example If Attachment Name 0 9a zA Z lt gt 0 9a zA Z Matches an embedded comment in the middle of meaningful HTML text. Embedding comments within HTML text is a trick that spam senders use to bypass some pattern matching software. Setting an Exception subpolic
96. e message would be accepted because the SCL value used for processing (average SCL) is 8; the value used for rejecting messages is > 8, but the average is only 8; and the SCL value used to determine if a message is logged is > 7. The average (8) is greater than 7. Because the action selected for accepted messages is Log, the message would be logged and delivered. See "To configure the heuristic antispam engine settings" on page 96. Understanding Symantec SCL values. There are 11 Symantec SCL values. The heuristic antispam engine assigns a value of 0 to messages that are not spam. Messages that are determined to be spam are assigned a value in the range of 1 (extremely low likelihood that the message is spam) to 9 (extremely high likelihood that the message is spam). Some messages are exceptions to the rule and fall under the N/A category. A message will be put under the N/A category under the following circumstances: the message is an internal Microsoft Exchange message that has already been assigned a special reserved SCL value of 1; the message was whitelisted by Symantec Mail Security for Microsoft Exchange on this server; the message was whitelisted by some other entity, either another antispam product or Symantec Mail Security for Microsoft Exchange running on a different server
97. e per file is 300 seconds; maximum archive scan depth (number of levels) is 10; Inbound/Outbound setting is disabled; degree of Bloodhound heuristic detection is medium; number of VSAPI scanning threads is figured using the equation 2xP 1, where P is the number of processors; number of scan processes is figured using the equation 2xP 1, where P is the number of processors. Spam prevention without Symantec Premium AntiSpam: RBL blacklist blocking is disabled; heuristic antispam engine is disabled; all SCL boxes are set to > (greater than) 8; text to prepend to subject line to tag spam is Spam colon; sender whitelisting is disabled; recipient whitelisting is disabled. Table 4-1, Default configuration settings. Spam prevention with Symantec Premium AntiSpam (licensed): RBL blacklist blocking is disabled; sender whitelisting is disabled; recipient whitelisting is disabled; Symantec Premium AntiSpam is disabled; Open Proxy List and Safe List are enabled; Suspect List is enabled and cannot be disabled; Messages to be flagged as suspected spam is set to No; language identification is disabled; all spam and suspected spam messages are accepted by the recipient SMTP server and delivered as usual (no message delivery options are enabled); spam messages have an SCL value of
98. e user's spam folder. You cannot modify this X-header. Check Assign SCL value of to the message, and select a number from the menu. This option is available only in Exchange 2003. If the incoming message has an existing SCL value, the one that you specify will replace it. Check Log. Click Save. To configure Symantec Premium AntiSpam to handle suspected spam with no existing SCL value or < threshold: Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. In the left pane, expand Configuration. Expand Spam Prevention Settings. Expand Symantec Premium AntiSpam. Click Spam Actions. Under If Message is SUSPECTED SPAM, select Reject the Message or Accept the Message. A rejected message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. An accepted message is delivered as usual. Under Message delivery options, check Prevent Delivery to Original Recipient(s). When this is selected, a message that is identified as suspected spam when an SCL value does not exist is accepted by the SMTP server and is deleted. It is not deliver
99. ec Mail Security for Microsoft Exchange always uses the score of the duplicate word in the user-defined category. 8. Click Add. Symantec Mail Security for Microsoft Exchange displays the word and its category, score, and language in the Word List. 9. Click Save. To delete categories and words from the user dictionary: 1. In Symantec Mail Security for Microsoft Exchange for the single server, in the left pane, expand Configuration. 2. Click Content Dictionary Settings. 3. In the right pane, under Delete user category, select a category, and then click Delete. 4. Under Word List, select the word to delete, and then click Delete. 5. Click Save. About quarantined content violations. When messages that violate content filtering rules are sent to the Quarantine, you can view information about the violation under Manage Quarantine. You can find details about the violation by clicking More, which appears in the Details column.
100. ec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. Language identification: Symantec can determine the language in which a filtered message is written. When used with the optional plug-in for Microsoft Outlook software, you can use this feature to treat messages that are written in certain languages as spam. URL filtering: Symantec builds its known spammer list based on URLs that appear in spam. The list contains over 20,000 URLs. Heuristic filtering: Heuristic filters scan the headers and the body of a message to test for characteristics that are usually inherent in spam, such as opt-out links, specific phrases, and forged headers. Signature filtering: Messages that flow into the Symantec Brightmail Logistics and Operations Center (BLOC) are characterized using a unique signature that is added to the database of known spam. Using this signature, Symantec can group and match seemingly random messages that originated from a single attack. Rapid Release virus definitions updates: Rapid release virus definitions are created when a new threat is discovered. They are distributed hourly. These definitions are useful for perimeter defenses (for example, a gateway front-end server) to mitigate fast-spreading virus outbreaks. These definitions are
101. ecurity from the Symantec Mail Security for Microsoft Exchange console (multiserver console), you should have an implementation plan that includes the following information: the server names and total number of Exchange servers on which you plan to install Symantec Mail Security; the number of servers on which you plan to add future installations of Symantec Mail Security; how you plan to group your Exchange servers for email security management by the multiserver console. One way to group servers and manage them is by location. For example, if your Exchange servers are located in Chicago, New York City, and San Francisco, you could create a Chicago server group, a New York server group, and a San Francisco server group. Server component locations. By default, Symantec Mail Security for Microsoft Exchange server components are installed in the following locations. Symantec Mail Security program files: C:\Program Files\Symantec\SMSMSE\4.6\Server. AMS alert files: C:\Program Files\Symantec\SMSMSE\4.6\Server\AMS. Symantec Mail Security report files in comma-delimited file (.csv) format: C:\Program Files\Symantec\SMSMSE\4.6\Server\Downloads. Quarantined items in encrypted format: C:\Program Files\Symantec\SMSMSE\4.6\Server\Quarantine. Note: You should configure all antivirus file system scanners to exclude scanning of the quarantine directory. Those system scanners may try to scan and delete Symantec Mail Security files that are pla
102. ed as allowing spam to originate or relay through them. Symantec Mail Security for Microsoft Exchange refuses the connection attempt of mail servers that are identified on RBLs that you have configured the product to recognize. You must subscribe to the third-party real-time blacklist providers before configuring Symantec Mail Security for Microsoft Exchange to perform RBL blocking. Note: Symantec does not provide a list of RBL providers. To block by real-time blacklists: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration. 3. Click Spam Prevention Settings. 4. In the right pane, under Real-time Blacklist Blocking, in the Domains of providers supporting IP-based lookup box, type the domains of the RBL providers. Separate domains with commas, with no spaces between entries. RBL providers are queried in the order in which you list them. The first RBL provider to return a match during an SMTP connection results in the message being rejected, and no other RBL providers are queried. 5. Click Save. Assigning a Spam Confidence Level (SCL) to messages using the heuristic antispam engine. The heuristic antispa
103. ed dictionary lets an administrator supersede words and phrases in the Symantec dictionary or add words and phrases. The user-supplied dictionary always takes precedence over the Symantec dictionary if the same words and phrases are used in both dictionaries. The Symantec dictionary is part of Symantec Mail Security for Microsoft Exchange and does not require a separate installation. The user-supplied dictionary is also installed with Symantec Mail Security for Microsoft Exchange, but the words and phrases must be added by a user with the proper credentials. All customizing of the user-supplied dictionary is accomplished through the Symantec Mail Security for Microsoft Exchange single server interface. Before adding words to the user-supplied dictionary, the Content Dictionary Settings must be configured so that the dictionaries to use for content filtering are set to User Dictionary or Both. See "Selecting and configuring content filtering dictionaries" on page 156. Symantec dictionary categories. Whether you use the Symantec-supplied categories or your own words and categories, you can select which categories of words to enable and disable for scoring in a filtering rule. If Symantec Mail Security for Microsoft Exchange finds a word in a category that is not enabled, it ignores it for the purposes of scoring. A custom word cannot exist in multiple custom c
104. ed successful. If the message never arrives or the attachment contents are incorrect, an error results and the system has failed the heartbeat. Configuring the heartbeat settings. By default, the heartbeat settings are not enabled. If you elect to use the heartbeat feature, in most cases you should not need to change the frequency and timeout settings. You should either select or create a mailbox for the heartbeat feature that is a special account that is only accessible by administrators. The heartbeat mailbox must physically reside on the server on which heartbeat is enabled. Heartbeat will run only when Auto-Protect is enabled. To configure the heartbeat settings: 1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Configuration. Click Heartbeat Settings. In the right pane, check Enable Heartbeat System. Optionally, change the heartbeat frequency and heartbeat timeout settings. Type the name of the heartbeat mailbox. Optionally, check Log Heartbeat Success. Checking Log Heartbeat Success creates extra Event Log entries. 7. Under Administrator Alerts, do the following as necessary: check Send Message Service Alerts on failed Heartbeat to send an alert to the administrator upon a heartbeat failure; type the Messenger Service alert text. 8. Under Administrator email Notification, do
105. ed to the addressees. Check Alternate Recipient(s) and type one or more fully qualified SMTP email addresses. Addresses must be separated by a comma, with no space before or after the comma. Each recipient will receive a copy of the message that is identified as suspected spam when an SCL value does not exist. Under Message delivery options, check Add Subject Line and keep the default text or type replacement text for the subject line of the spam message. Check Add X-Header. In the X-Header Name box, accept the default X-Bulk or type a new X-Header name. In the X-Header Value box, accept the value Spam or type a new X-Header value. Check Tag for Spam Folder Agent Delivery. You must have the Agent installed. An X-header will be added to allow the Agent to move the message to the user's spam folder. You cannot modify this X-header. Check Assign SCL value of to the message, and select a number from the menu. This option is available only in Exchange 2003. If the incoming message has an existing SCL value, the one that you specify will replace it. Check Log. Click Save. Configuring settings to handle an outbreak. Symantec Mail Security for Microsoft Exchange lets you define thresholds for virus and heuristic outbreaks on your Exchange servers and configure the notifications and alerts to issue when an outbreak is detected. An event is considered a virus outbreak when the number of infected files on a system exceeds
106. Updating virus definitions for a single server. Updating virus definitions for multiple servers. Setting up your own LiveUpdate server. Chapter 9, Managing virus outbreaks: About outbreak management; Defining outbreak triggers; Creating a virus outbreak trigger; Creating a heuristic outbreak trigger; Enabling Outbreak Management; Clearing outbreak notifications; Frequency of outbreak item. Index. Introducing Symantec Mail Security for Microsoft Exchange. This chapter includes the following topics: About Symantec Mail Security for Microsoft Exchange; What's new in Symantec Mail Security; Components of Symantec Mail Security; How Symantec Mail Security works; What you can do with Symantec Mail Security; Using Symantec Mail Security with other Symantec products; Where to get more information about Symantec Mail Security.
107. ee or less servers through a user interface that works with Microsoft Internet Explorer. To access the single server user interface, do one of the following: on the desktop, double-click Symantec Mail Security for MS Exchange; on the Windows taskbar, click Start > Programs > Symantec MS for Microsoft Exchange > Symantec Mail Security for Exchange; open a Web browser to http://<server_name>:8081. Single server panel components. The single server user interface consists of the following: a left pane, which contains a standard tree view (the topmost, or main, node is the name of the monitored server; you select management operations from the nodes beneath the top node); a right pane, which consists of an information pane with settings, actions, and information about the operation that is selected in the tree view.
108. eful to have information about the status of a request. For example, if an attempt is made to collect statistics from a server on which Symantec Mail Security is not running, you may want to receive status information immediately. The Symantec Mail Security for Microsoft Exchange console displays the Communication Status pane after a request is made. You can also display the pane from the Symantec Mail Security for Microsoft Exchange console.
109. eject the Message or Accept the Message. A rejected message is not accepted by the SMTP server for delivery. The SMTP service that sends the message receives an error message for each rejected message. An accepted message is delivered as usual. Under Message delivery options, check Prevent Delivery to Original Recipient(s). When this option is selected, a message that is identified as suspected spam when an SCL value exists is accepted by the SMTP server and is deleted. It is not delivered to the addressees. Check Alternate Recipient(s) and type one or more fully qualified SMTP email addresses. Addresses must be separated by a comma, with no space before or after the comma. Each recipient will receive a copy of the message that is identified as suspected spam when an SCL value exists. Under Message delivery options, check Add Subject Line and keep the default text or type replacement text for the subject line of the spam message. Check Add X-Header. In the X-Header Name box, accept the default X-Bulk or type a new X-Header name. In the X-Header Value box, accept the value Spam or type a new X-Header value. Check Tag for Spam Folder Agent Delivery. You must have the Agent installed. An X-header will be added to allow the Agent to move the message to th
110. elete. To delete a heuristic trigger in the console: 1. In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration > Outbreak Settings > Heuristic Triggers. 3. Right-click a trigger, and then click Delete. Monitoring Symantec Mail Security for Microsoft Exchange functionality. When enabled, the Symantec Mail Security for Microsoft Exchange Heartbeat feature verifies at regular intervals the functioning of the application across each Exchange server on which it is installed. Heartbeat settings can only be enabled for an Auto-Protect scan job. You must use the single server user interface to configure and enable the heartbeat for each instance of Symantec Mail Security for Microsoft Exchange that you want to test. At the start of each heartbeat, a series of preliminary system checks are performed, which includes the sending of mail, detecting the version of VSAPI that is used by Exchange 2000/2003, and testing whether the SMSMSE service is running. After the preliminary tests are completed, a test message is passed through the system and sent to a mailbox that was specified by an administrator. Once the test message has completed: if the message successfully passes through the system, the heartbeat is consider
111. equent issuing of new virus definitions. You can configure the Quarantine settings to do the following: forward quarantined files to the Quarantine Server; delete local quarantined items after forwarding them to the Quarantine Server; set the Quarantine thresholds; specify an action to take when a Quarantine threshold is met; add notification text to the email message that is sent when a Quarantine threshold is met. Configure Quarantine settings. You can forward quarantined files to the Quarantine Server and configure thresholds for the local Quarantine. To forward quarantined files to the Quarantine Server: 1. Do one of the following: open Symantec Mail Security for Microsoft Exchange for the single server; or, in the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group. 2. In the left pane, expand Configuration. 3. Click Quarantine Settings. 4. In the right pane, under Quarantine Server, check Send quarantined items to Quarantine Server. 5. Check Delete local quarantined items after forwarding to Quarantine Server (optional).
112. er to stop IIS during installation. In the Component Location panel, do one of the following, and then click Next: verify that the default destination directory is appropriate (C:\Program Files\Symantec\SMSMSE\4.6\Server); or click Browse, and then select a different destination directory. In the User Interface Server panel, verify or change the following values, and then click Next. IP Name: By default, the computer name resolves to the primary external network identification card (NIC). Alternatively, an IP address can be used. The IP address can be used to validate the availability of the port. The user interface can be accessed through any IP address that is assigned to the computer. Port: Port 8081 is the default port number for the Web site that is used by Symantec Mail Security for Microsoft Exchange. If port 8081 is being used by another application, a different default port number appears. If you change the port number, do not use a port number that is used by another application, and do not use port 80. Port 80 is the port number that is used by the default Web site, which is hosted by Microsoft Internet Information Services (IIS). After installation, instruct your administrators to point their browsers to the computer or IP address and port to access Symantec Mail Security. In the Notification Email Address pane
113. ersion or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed; E. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; F. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; nor G. use the Software in any manner not authorized by this license. 2. Content Updates: Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; antispam software utilize updated antispam rules; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as "Content Updates"). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to
114. ert if AMS is available when the outbreak trigger is activated. 12. Click Save. Creating a heuristic outbreak trigger. Heuristic events are events that are related to the presence of a virus and are used to help detect viruses for which no known definition exists. For example, inappropriate and obscene language is sometimes associated with the presence of a virus. Therefore, you could use a filtering rule violation as a heuristic indicator for an outbreak condition if these types of messages begin to occur with greater frequency. You can use the following heuristic events to specify an outbreak. Same Subject: Counts repetitions of the same subject line. Same Attachment Name: Counts repetitions of the same attachment name. Filtering Violations: Counts messages in which the filtering subpolicy has been violated. To use this event, the filtering rule for the policy in effect must be enabled. Unscannable Files: Counts the number of file attachments that cannot be scanned. Note: Using heuristic triggers that monitor string-type values (attachment names or subject lines) can place large demands on server memory. These demands are caused by the fact that each unique string and the count of its occurrences is retained in memory for at least the time period for which the trigger is defined. For example, if a heuristic trigger is defined as 50 occurrences of the same subject line in an hour, the server stores each unique subject line and the nu
115. ettings > Virus Triggers. Do one of the following: in the single server user interface, click Add/Delete Virus Trigger, and then, in the right pane, click Add a virus outbreak trigger, and then click Next; in the console user interface, right-click Virus Triggers, and then click All Tasks > Add Trigger. Do one of the following: in the single server user interface, in the right pane, type a name for the virus trigger; in the console user interface, in the Add Trigger dialog box, type a name for the virus trigger, and then click OK. Check Enable trigger if you want the rule that you are about to create to go into effect. In the Event list, select whether the trigger is activated by occurrences of the same virus, the total number of viruses, or unrepairable viruses. In the Occurrences field, type the number of occurrences of the selected event that defines an outbreak. In the Time period field, select the unit of time, and then type the number of minutes, hours, or days over which Symantec Mail Security for Microsoft Exchange should detect the outbreak before starting the process again. Under Administrator email notifications, check Enable to notify administrators upon activation of the virus outbreak trigger. For administrators to receive email notifications during an outbreak, the notif
116. events to SESA, run the SESA Integration Wizard on the computer on which the SESA Manager is installed. You must run the SESA Integration Wizard on each SESA Manager computer to which Symantec Mail Security events are forwarded.
     To install the SESA Integration Package on the SESA Manager
     1. On the computer on which the SESA Manager is installed, insert the Symantec Mail Security for Microsoft Exchange CD into the CD-ROM drive.
     2. At the command prompt, change directories to ADMTOOLS SESA_SIPI_ for SMSMSE
     3. At the command prompt, type java -jar setup.jar. The SESA Integration Wizard starts.
     4. Follow the on-screen instructions until you see the SESA Domain Administrator Information window.
     5. In the SESA Domain Administrator Information window, do the following:
     - SESA Domain Administrator Name: Type the name of the SESA Domain Administrator account.
     - SESA Domain Administrator Password: Type the password for the SESA Domain Administrator account.
     - Secure Directory Port
     - Host Name or IP Address of SESA Directory: Type one of the following:
       - If SESA is using default, anonymous SSL communication, the IP address of the computer on which the SESA Directory is installed (may be the same as the SESA Manager IP address if they are both installed on the same computer)
       - If SESA is using authenticated SSL communication, the host name of the SESA Direct
117. f events. See "Working with event data" on page 165.
     Server request information
     For multiserver installations, the Symantec Mail Security for Microsoft Exchange console reports on the status of requests made to Symantec Mail Security for Microsoft Exchange managed servers. This lets administrators track server communications and isolate the source of a server communication problem. See "Viewing status information" on page 82.
     Send notifications when a threat or violation is detected
     Symantec Mail Security for Microsoft Exchange supplies several options for notifying administrators and email senders of threats and for issuing alerts. You can send alerts to the Windows 2000 Server/2003 Server Event Log and to the Symantec Alert Management System (AMS) server if Symantec AntiVirus Corporate Edition is installed. AMS is a Symantec AntiVirus Corporate Edition component that supports Simple Network Management Protocol (SNMP) alerts from computers that are running the AMS server and client. The AMS server is included on the Symantec Mail Security for Microsoft Exchange CD. You can also create secondary follow-up notifications. See "Configuring notifications and alerts" on page 115.
     Manage single and multiple Exchange servers
     Symantec Mail Security for Microsoft Exchange can protect one or more Exchange servers. If you
118. f minutes, hours, or days within which the event and occurrences happen. You can configure Symantec Mail Security to send notifications and alerts in the case of an outbreak. Once an outbreak based on subject line or attachment name is detected, a rule can be created to prevent the same mail from clogging the system. See "About outbreak management" on page 179.
     Isolate infected message bodies and attachments
     Symantec Mail Security for Microsoft Exchange includes a Quarantine that stores infected message bodies and attachments that are detected during scans. Message bodies and attachments are placed in the Quarantine under the following circumstances:
     - A filtering rule is configured to quarantine message parts (body or attachment) that match specific content.
     - A virus is detected in a message body or attachment, and your scan is configured to withhold delivery of the message part rather than let Symantec Mail Security for Microsoft Exchange repair or delete the infected part.
     - Your scan is configured to let Symantec Mail Security for Microsoft Exchange repair infected bodies and attachments, and Quarantine is selected for the message part that cannot be repaired. Sometimes message parts cannot be properly repaired because they are corrupted or damaged by a virus that causes irreversible damage.
     - If a message part cannot
119. fications
     - Stop/Start of IIS
     - How to handle previous installations of Symantec Mail Security
     Installation settings are contained in the Setup.iss response file, which is located in the SMSMSE Server folder. To create a customized Setup.iss file, you can edit an existing Setup.iss file or generate a new Setup.iss file interactively. Before performing a custom installation on remote servers, save a copy of the original Setup.iss file. After the customized Setup.iss is created and placed on the Symantec Mail Security for Microsoft Exchange console in the Remote Install folder, you can perform a custom installation to the remote Exchange servers on which you want the custom settings. See "Installing Symantec Mail Security on remote servers" on page 47.
     Customize the response file
     You can use the following methods to create a customized Setup.iss file:
     - Edit an existing Setup.iss file
     - Generate a new Setup.iss file interactively
     To edit an existing Setup.iss file
     1. Using a text editor such as Notepad, open the Setup.iss file.
     2. Review the Setup.iss file to find which values can be changed and how to enter new values.
     3. Copy the modified Setup.iss file to the Program Files SMSMSE Management Console Remote Install Files folder on the management console computer.
     To generate a new Setup.iss file interactively
     1. I
120. for a single server installation. You do not need to install a separate console application. See "Installing on a single server" on page 42.
     If your organization is running multiple Exchange servers, you can manage Symantec Mail Security from the Symantec Mail Security for Microsoft Exchange console. To do so, you install the multiserver console, which is a separate component, and then use the console to roll out the product installations to your Exchange servers. See "Installing on multiple servers" on page 45.
     If your organization has only one Exchange server, you should use the single server user interface to manage Symantec Mail Security. If your organization has several servers that are running Symantec Mail Security, you should evaluate whether to manage each installation of Symantec Mail Security individually using the single server user interface or whether to manage installations of Symantec Mail Security at a group level using the multiserver console.
     Consider the guidelines in Table 2-1 when deciding whether to use the multiserver console or the single server user interface.
     Table 2-1 Guidelines for managing installations
     - A small number (1-3) of Exchange servers and mail server growth is not expected: Manage the servers individually using the single server user interface.
     - An Exchange cluster that runs: Use the multiserver console
121. g the threshold until the message is triggered, adding or rescoring the custom words, or removing existing words. Investigate which words set off the filtering rule and their scores. Use this investigative work to fine-tune the filtering rule settings so that the rule is reliably triggered when the targeted content passes through the message store.
     Selecting and configuring content filtering dictionaries
     Symantec Mail Security for Microsoft Exchange supplies a default content dictionary for filtering message bodies. This default dictionary filters message body content on categories such as sex, gambling, violence, and crime.
     You can also create your own content dictionary to use with Symantec Mail Security for Microsoft Exchange by adding your own categories, words, and scores. When you add a user-supplied dictionary, the content categories that are covered by that dictionary become available.
     Note: User dictionaries are created only in the single server user interface.
     When you configure the content dictionary setting, you instruct Symantec Mail Security for Microsoft Exchange whether to use the Symantec dictionary, the user dictionary that you created, or both. You enable and disable dictionary-based message body filtering and choose the categories on which to filter message content through the filtering rule for a specific policy
122. g is 300 seconds. You can choose to change this default to a value between 10 and 500,000 seconds. You can adjust this setting upward, but in most cases the default settings are sufficient.
     If the maximum scan time is reached for an item, the item is treated according to the settings of the Unscannable File Rule. The scan depth refers to the number of levels within an archive for which Symantec Mail Security for Microsoft Exchange completes a scan. The default value is 10 levels. If a file contains over 10 levels of archiving, the file is categorized as unscannable and an unscannable file rule violation is triggered.
     To configure maximum scan time and depth
     1. Do one of the following:
        - Open Symantec Mail Security for Microsoft Exchange for the single server.
        - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
     2. In the left pane, expand Configuration.
     3. Click General Settings.
     4. In the right pane, under Maximum Scan Time (in seconds), type the number of seconds to run all scans.
     5. Under Maximum Archive Scan Depth (number of levels), type the number of levels to use when archiving scans.
     6. Click Save.
     Blocking by attachment file names
     Symantec Mail Security for Microsoft Exchange can be configured to match words and phrases that are in a match list against the names of files. Names of both n
123. g subpolicy for a heuristic trigger to work. You can end outbreak notifications at any time. Otherwise, the notifications will continue until the outbreak situation is no longer in effect.
     To configure the global outbreak management settings
     1. Do one of the following:
        - Open Symantec Mail Security for Microsoft Exchange for the single server.
        - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
     2. In the left pane, expand Configuration.
     3. Click Outbreak Settings.
     4. In the right pane, check Enable Outbreak Management.
     5. Type the interval in minutes to wait between checks for viruses or occurrences of a specified file behavior.
     6. Click Save.
     To clear outbreak notifications
     1. Do one of the following:
        - Open Symantec Mail Security for Microsoft Exchange for the single server.
        - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
     2. In the left pane, expand Configuration > Outbreak Settings.
     3. Click Clear Outbreak.
     To add a virus trigger
     1. Do one of the following:
        - Open Symantec Mail Security for Microsoft Exchange for the single server.
        - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
     2. In the left pane, expand Configuration > Outbreak S
124. hange console, expand Global or a server group.
     2. Do one of the following:
        - In the Global group, expand All Servers.
        - In a server group, expand Servers.
     3. In the right pane, select the server to display the single server user interface.
     4. For the single server, expand Tasks.
     5. Click Install License.
     6. If necessary, follow steps 1 and 2 of the Install/Renew Licenses panel to request a license file from Symantec.
     7. In step 3 of the Install/Renew Licenses panel, do one of the following:
        - Type the fully qualified path to the license file, and then click Next. If the license file does not reside on the same computer as the Symantec Mail Security for Microsoft Exchange console, you can specify a mapped drive or UNC path to the file.
        - Click Browse, select the license file, and then click Next. If the license file does not reside on the same computer as the Symantec Mail Security for Microsoft Exchange console, you can locate the file using My Network Places.
     8. Click Install to install the license file to the server group.
     Customizing the installation of remote servers
     There may be cases in which you want to customize the installation of Symantec Mail Security for Microsoft Exchange on a remote Exchange server. For example, you may need to change the following settings:
     - Installation location
     - Default HTTP port
     - Default email address for noti
125. hat are associated with a new virus, and then run the scan immediately. See "Customizing policies" on page 127.
     To run a manual scan
     1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, expand Scan Jobs.
     2. Click Manual Scan.
     3. In the right pane, under Manual Scan, in the Policy in use box, select the policy to link to the manual scan job, either the Standard Policy or a custom policy.
     4. Configure the remaining options, if necessary.
     5. Click Save.
     6. Click Run Manual Scan.
     Managing multiple server installations
     This chapter includes the following topics:
     - About the multiserver console
     - Managing servers and server groups
     - Installing Symantec Mail Security to remote servers
     - Updating and distributing virus definitions
     - Running a manual scan on a server group
     - Viewing status information
     About the multiserver console
     Symantec Mail Security for Microsoft Exchange includes a console application for managing installations of Symantec Mail Security on multiple Exchange servers. The Symantec Mail Security for Microsoft Exchange console is installed separately from the server component of Symantec Mail Security and is typically installed on a separate computer that is used for administration. The Symantec Mail Security for Microsoft Exchange console is a Microsoft Management Console (MMC) snap-in. Configuration information for each server is stored on the remote server. Configuration informati
126. ia for an outbreak. These criteria consist of the event being monitored and the number of times that the event must occur during a specified time interval.
     - Define the email notifications and alerts to send to administrators when the criteria for an outbreak are met.
     - End the outbreak event once the situation has been managed.
     Defining outbreak triggers
     The set of defining criteria for an outbreak is called an outbreak trigger. Each outbreak trigger only monitors one event and defines an outbreak as the frequency of the specified event within a given time period. If you want to use different events as outbreak indicators, you must create a separate outbreak trigger for each event. You can create as many outbreak triggers as you need to ensure the safety of your system. For example, one outbreak trigger could be defined as the occurrence of 50 or more unscannable files within one hour. Another outbreak trigger could be defined as 30 or more filtering rule violations within 15 minutes.
     If you have configured multiple outbreak triggers and a message is received that violates more than one of them, Symantec Mail Security for Microsoft Exchange goes into outbreak mode and stops looking for additional outbreaks. Only one outbreak rule will be triggered.
     Outbreak triggers apply only to Auto Protect. They are configured and enabled independently of policies. The event that is used
127. ication email address must be a valid Active Directory email account.
     Change the Subject Line and Message Body text to be used in the administrator notification, if necessary.
     Enter a Subject Line and Message Body text to be used for subsequent notifications.
     Under Alerts, check Enable to send a Messenger Service Alert upon activation of the virus outbreak trigger. If you enable this alert, type the alert and subsequent alert text.
     Under Alerts, check Enable to send an AMS Alert upon activation of the virus outbreak trigger.
     Click Save.
     To add a heuristic trigger
     1. Do one of the following:
        - Open Symantec Mail Security for Microsoft Exchange for the single server.
        - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
     In the left pane, expand Configuration > Outbreak Settings > Heuristic Triggers.
     Do one of the following:
     - In the single server user interface, click Add/Delete Heuristic Triggers, and then in the right pane click Add a heuristic outbreak trigger, and then click Next.
     - In the console user interface, right-click Heuristic Triggers, and then click All Tasks > Add Trigger.
     Do one of the following:
     - In the single server user interface, in the right pane, type a name for the heuristic trigger.
     - In the console user interface, in the Add Trigger dialog box, type a name for the heuristic trigger, and then click OK.
     Check Enable trigger if you want the
128. ictionary: Dictionaries to use is set to Both Symantec and user. Type of dictionary defaults to User.
     Match Lists: Sample match lists are created by default.
     Quarantine: No actions are set by default. Maximum number of items is set to 1000. Maximum size of quarantine is set to 500 MB. Retain items in quarantine is set to 90 days. Notify Administrator is selected for when a threshold is met. Delete oldest items is selected. Email notification subject line text is "Administrator Alert The Symantec Mail Security for Microsoft Exchange Quarantine has exceeded a set limit". Email notification message body text is "You should manage the Quarantine to remove files or change the Quarantine settings".
     Report: Store data for 12 months is enabled.
     Securing your network
     The general settings in Symantec Mail Security for Microsoft Exchange help ensure the best security for your network.
     Protecting against denial of service attacks
     Denial of service attacks are associated with overly large container files that take a long time to decompose and with files that contain multiple compressed files. To protect your network from denial of service attacks, configure Symantec Mail Security for Microsoft Exchange to limit processing of large files by setting a maximum scan time and depth. The scan time setting fixes the maximum amount of time that Symantec Mail Security for Microsoft Exchange scans a file. By default the settin
129. ied in Active Directory. To find this alias, click Active Directory Users and Computers, right-click on the user with the valid mailbox, click Properties, and then click the Exchange General tab.
     7. In the Spam expiration box, select the number of days that you want to retain spam messages, and then click Next. The default is 30 days.
     8. Click OK.
     9. Click Install to begin the installation process.
     10. Click Finish. The Installer configures the spam folder agent as a Windows service that will run automatically.
     Implementing SSL
     You can configure Symantec Mail Security for Microsoft Exchange to use Secure Sockets Layer (SSL) communications, which requires a server certificate. You can create your own server certificate using Microsoft Certificate Services 2.0 or request one from a Certificate Authority. To implement SSL, you complete the following tasks:
     - Install Symantec Mail Security so that the Web site is created and available for modification.
     - Apply a server certificate to the Web site and require SSL.
     - Open the Symantec Mail Security multiserver console to specify SSL communications and the SSL port.
     To implement SSL
     1. On the computer on which Symantec Mail Security is installed, open Internet Services Manager.
     2. In the server list, expand the folder for the server that is hosting Symantec Mail Security.
     3. Right cli
130. iltering rules to identify spam. See "Protecting your organization from spam without Symantec Premium AntiSpam" on page 92. See "Protecting your organization from spam with Symantec Premium AntiSpam" on page 99.
     Denial of service attacks
     Threats to your Microsoft Exchange servers can include attacks that hamper or disable the ability to send or receive email messages and, in some cases, completely disable the email server. These attacks are called denial of service attacks. Denial of service attacks can occur in many ways, including the following:
     - A very large number of messages from one or many locations
     - Messages that are designed to attack the buffer characteristics of the email program by exploiting program weaknesses
     - Files that are designed to fill disk space on the mail servers
     - Messages with huge attachments that are distributed to everyone in the organization. This type of attack can be intentional or unintentional, such as an employee sending a message with large graphics attachments to a large distribution list.
     What's new in Symantec Mail Security
     Table 1-1 lists the new and enhanced features in Symantec Mail Security for Microsoft Exchange.
     Table 1-1 New and enhanced features
     Symantec Premium AntiSpam: The premium antispam service includes the following features:
     - Reputation service Symant
131. in the left pane, do one of the following:
        - Right-click Global. Selecting Global migrates servers that exist only in the Global group. A server that also exists in a user-defined server group will be migrated only when that user-defined server group is migrated.
        - Right-click a user-defined server group.
     3. Click All Tasks > Migrate Servers.
     4. In the Select Servers panel, the list of servers from the equivalent 3.0 or 4.0/4.5 group appears, and you are prompted to confirm the upgrade. By default, the servers retain the previous settings during the migration. After migration, new server group settings can be sent to a server, or the entire server group can be reset to factory defaults. See "Sending group settings to a server" on page 76. See "Restoring default settings to a server group" on page 77.
     5. Click Finish. The success or failure of the upgrade is displayed. Servers that are successfully upgraded are added to the 4.6 group and removed from the previous group. Once all of the servers are upgraded, you may uninstall the previous console using the Add/Remove Programs control panel.
     Installing to Exchange servers with Microsoft Clustering Service
     You can install Symantec Mail Security for Microsoft Exchange to Exchange servers that are running Microsoft Clustering Service. Note the following:
     - The Symantec Mail Security for Microsoft Exchange service is cluster-aware but does not require its own cluster resource.
     - Syma
132. in which the occurrences can take place. Although there are no standard numbers to use when specifying frequencies, you should take into consideration the threat potential of the event category that is being monitored, the size of your mail system, the amount of mail that is typically processed, and the stringency with which you want to define an outbreak. As your outbreak triggers are tested, you should fine-tune the values that you use.
     Notifications and alerts are issued whenever an outbreak trigger is triggered. The notifications and alerts are re-issued every two minutes, or whatever interval you have chosen, while the outbreak condition remains. Therefore, you should strike a balance between catching outbreaks and issuing notifications based on incorrect identification of an outbreak.
     If a string property such as an attachment name is selected as a monitored item for an outbreak, Symantec Mail Security for Microsoft Exchange stores in memory every attachment name that it scans for the specified time span. Once the time span elapses, the attachment names or other specified string property are no longer held in memory.
133. ings. By default, Setup.iss retains settings if Symantec Mail Security is already installed on a remote server. If you want to customize the installation settings and apply them to a remote server, create a customized server installation response file and run the response file. See "Customizing the installation of remote servers" on page 51.
     Before you begin the installation, you must successfully complete the steps for installing the Symantec Mail Security for Microsoft Exchange console. See "Installing the Symantec Mail Security for Microsoft Exchange console" on page 46.
     You must be logged on as a member of the administrator group on the local computer and have domain administrator privileges on all remote computers on which you want to install Symantec Mail Security. See "About the multiserver console" on page 71.
     To install Symantec Mail Security on remote servers
     1. Review preinstallation information. See "System requirements" on page 40. See "Server component locations" on page 36. See "Before you install on an Exchange server" on page 35. See "Before you install the multiserver console" on page 36.
     2. Do one of the following:
        - On the desktop, double-click Symantec MS 4.6 Console for Exchange.
        - On the Windows taskbar, click Start > Programs > Symantec MS Console for Exchange > Symantec MS 4.6 Console for Exchange.
     3. In the management console, in the left pane, do one of the following:
        - Right c
134. ion
     - Delete attachment message body replace with text description
     - Delete entire message
     - Log Only attachment message body available
     - Add tag to beginning of subject (option valid only for SMTP inbound rules)
     Administrators can also notify senders and others of content filtering violations by using messages with customizable text. To set up notifications, administrators must configure an alert. See "Configuring notifications and alerts" on page 115.
     Elements of a filtering rule
     A filtering rule consists of one or more expressions that you define. For example, the following filtering rule contains three expressions:
         If Body Content Score Greater Than 50 using categories sex, drugs, alcoholism
         OR Message Body Contains a member of Spam_Subject
         UNLESS Sender Equals fredsmith@acme.com
     This filtering rule blocks messages that have a content score higher than 50 in the dictionary categories of sex, drugs, and alcoholism. The rule also blocks message bodies that contain items that are members of the Spam_Subject match list. If the sender is fredsmith@acme.com, however, the messages are not blocked.
     An expression consists of one or more expression phrases. Expression phrases can be IF, OR, and AND phrases. Symantec Mail Security for Microsoft Exchange evaluates a rule logically as either an OR or AND rule, but not in combination. You can have a rule that contains an IF phra
135. ions for a single server
     You can manually update virus definitions, and you can schedule virus definitions updates for the single server installation of Symantec Mail Security for Exchange.
     To manually update virus definitions for a single server
     1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Tasks.
     2. Click Run LiveUpdate/Rapid Release.
     3. In the right pane, select one of the following:
        - LiveUpdate Certified Definitions
        - Rapid Release Definitions
     To schedule virus definitions updates for a single server
     1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Configuration.
     2. Click LiveUpdate/Rapid Release Settings.
     3. On the LiveUpdate/Rapid Release Settings page, check Enable automatic virus definitions updates.
     4. Select one of the following:
        - Use Certified LiveUpdate definitions
        - Use Rapid Release definitions
     5. If you select Rapid Release updates, you must disable the following features on servers that have a message store:
        - Enable Exchange background scanning, or On virus definition update, force rescan before allowing access to information store
        You must turn off one of these features if you are running Auto Protect. When both of these options are enabled, the message store is rescanned each time the virus definitions are updated. Because Rapid Release issues updated virus definitions every ho
136. Deleting a server group
     If a user-defined server group is no longer needed, you can delete it. If you delete a user-defined server group that contains managed servers, the servers that belong to the group are not deleted from management control. The servers still exist in, and can be managed through, the Global group. The server group settings, however, are retained on the servers until they are updated or new settings are pushed out.
     Note: You cannot delete the Global server group.
     To delete a server group
     1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, right-click the server group to delete, and then click Delete.
     2. Click OK to confirm the deletion.
     Updating servers in a server group
     If an update of Symantec Mail Security for Microsoft Exchange is released, you can update all previous installations in a server group.
     To update servers in a server group
     1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, right-click Global or a server group, and then click All Tasks > Update Servers.
     2. In the Add Servers pane, click Next. The Select Servers pane lists the servers in the server group.
     3. Check Send group settings to server(s). If checked, the group settings are applied to the updated servers. If unchecked, default settings are applied to the updated servers.
     4. Click Finish.
     5. When the update comp
137. ist filter. This lists the Attachment Names or Subject Lines that are added by the heuristic trigger.
     Using content filtering dictionaries
     This chapter includes the following topics:
     - About dictionary based content filtering
     - How content filtering dictionaries work
     - Scoring messages
     - Selecting and configuring content filtering dictionaries
     - About quarantined content violations
     About dictionary based content filtering
     Content filtering is typically used to monitor the mail system and block messages that contain specific types of content. Dictionary-based content filtering lets you filter messages by comparing their message body content against words that belong to dictionary categories. For example, in most organizations, sending messages with explicit sexual or violent content would not be considered an appropriate use of the mail system and may violate corporate conduct guidelines. Dictionary categories such as Violence and Sex Acts are designed to flag these types of messages by matching words in the message against words in the dictionary.
     In addition, an organization may want to prevent the spread of confidential legal information outside the organization. You can create custom categories that include the confidential terms and monitor mess
138. ity Architecture (SESA). SESA is an event management system that employs data collection services for events that Symantec security products generate. When a product is SESA-enabled, you can use the SESA Console to view the events that it forwards to SESA. The SESA Console provides a central location from which to view and manage the reporting of event data across multiple SESA-enabled security products. For more information on SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator's Guide.
     SESA components
     The following components are required to enable event forwarding to SESA:
     - SESA Agent: The SESA Agent must be installed on the same computer as Symantec Mail Security for Microsoft Exchange. The SESA Agent installation includes the Java Runtime Environment (JRE).
     - SESA Integration Package: The SESA Integration Package must be installed on the same computer as the SESA Manager.
     SESA Agent
     A SESA Agent must be installed and configured on each computer on which Symantec Mail Security for Microsoft Exchange is installed. The SESA Agent handles the communication between Symantec Mail Security and SESA. If you have more than one SESA-enabled product installed on a single computer, these products can share a SESA Agent. However, each product must register with the Agent. If an Agent has already been installed on the computer for another SESA-enabled secur
139. ity product, you must install the SESA Agent specifically for Symantec Mail Security to register it correctly. The SESA Agent is preconfigured to listen on IP address 127.0.0.1 and port number 8086. Symantec Mail Security uses this information to communicate with the Agent. If you must change the IP address or port number for the Agent, you must do so through the SESA Console. Once an Agent is installed, it is controlled through the SESA Console, even though it is running on the computer that is running the security product. Generally, the SESA Agent is installed as a setup option during Symantec Mail Security installation. See "Installing on a single server" on page 42. See "Customizing the installation of remote servers" on page 51. If Symantec Mail Security is already installed, the SESA Agent can be installed manually. See "Installing the SESA Agent manually" on page 61.
SESA Integration Package
A SESA Integration Package (SIP) for Symantec Mail Security for Microsoft Exchange must be installed on each computer that runs a SESA Manager. The SIP extends SESA functionality to include Symantec Mail Security event data. See "Installing the SESA Integration Package on the SESA Manager" on page 58.
Installing the SESA Integration Package on the SESA Manager
To enable Symantec Mail Security for Microsoft Exchange to send
140. The pane lists all recent requests to servers and identifies the target server, the type of request made, and the status of the request (for example, Success or Comm Error).
View status information
You can display the Communication Status pane using the Comm Status button or from the menu.
To display the Communication Status pane (button method)
- At the bottom of the right pane, click Comm Status.
To display the Communication Status panel (menu method)
1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, expand a group.
2. Select any task-oriented node (Scan Jobs, Policies, Tasks, Configuration, or Statistics and Reports), and then do one of the following:
  - On the console View menu, click View Server Comm Status.
  - Right-click the task-oriented node, and then click View > View Server Comm Status.
Configuring Symantec Mail Security for Microsoft Exchange
This chapter includes the following topics:
- About configuring Symantec Mail Security for Microsoft Exchange
- Securing your network
- Protecting your organization from spam without Symantec Premium AntiSpam
- Protecting your organization from spam with Symantec Premium AntiSp
141. k Save.
To delete a report template
1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Statistics and Reports.
2. Click Add/Delete Report Templates.
3. Click Delete a report template.
4. Select the report template to delete from the list.
5. Click Delete.
Generating and viewing reports
After you create a report template, you can use it to generate reports of policy violation information for a single server. Report templates are saved by Symantec Mail Security for Microsoft Exchange in the single server user interface for an individual server and can be used multiple times. Symantec Mail Security for Microsoft Exchange automatically appends the current date and time to the name of your report template when it names the report. This lets you run the same report on different dates and compare the data. The multiserver console cannot display reports. Instead, you collect the report data and save it as a comma-delimited (.csv) file, which can then be used with third-party reporting applications. See "Saving report data" on page 168.
Generate and view reports
Once a report is generated, you can view it through the Symantec Mail Security for Microsoft Exchange single server user interface.
Note: You should print reports in landscape mode to prevent the data from being cut off at the right
142. l verify or change the address that is used to send (not receive) notifications, and then click Next. Type a valid Active Directory display name only.
In the Symantec Enterprise Security Architecture panel, do one of the following, and then click Next:
- If you do not want to log events to SESA, click No.
- If you do want to log events to SESA, click Yes, and then type the IP address of a SESA server.
In the Setup Summary panel, click Next. The setup program installs and configures the software.
12. In the Install Content License File panel, do one of the following:
  - Type the fully qualified path to the license file, and then click Next. If the license file is located on another computer, you can specify a mapped drive or UNC path.
  - Click Browse, select the license file, and then click Next. If the license file is located on another computer, you can locate the file using My Network Places.
  - Click Next to skip file selection and add the license information later from the console.
  You can install the virus content and the Symantec Premium AntiSpam license one after the other. See "Installing or renewing a license file" on page 44.
13. In the Setup Complete panel, select whether to view the Readme file and Settings Summary, and then click Finish. The Readme file contains information that is not available in the product documentation
143. le, subject line, sender, or attachment size, and defines the condition that should trigger a content violation. For example, you can set up a rule to filter email messages with attachments that exceed 3 MB in size. Symantec Mail Security for Microsoft Exchange would then catch any email messages that exceed 3 MB and, like other scans, would process the email messages according to your configuration settings. You can enable or disable filtering at any time.
Note: When message body scanning takes place for the filtering rule and a violation occurs, in some cases more than one rule violation may be triggered for a single message. This occurs if the mail client from which the message originated used RTF or HTML encoding. In that case, both the plain text and formatted versions of the message body are sent by the mail client to the Exchange server. The plain text and formatted versions of the message body are scanned as separate message bodies by Symantec Mail Security for Microsoft Exchange.
To edit a filtering subpolicy
1. Do one of the following:
  - Open Symantec Mail Security for Microsoft Exchange for a single server.
  - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Policies.
3. Do one of the following:
  - Click Standard Policy.
  - Expand Custom Policies, and then expand a policy.
Click Filtering Sub
144. letes, do one of the following:
- If an error occurs, click Errors for more information.
- Click Done.
Removing a server from console management
When a server is deleted from the Symantec Mail Security for Microsoft Exchange console, it is removed from group management. Symantec Mail Security protection, however, remains operational on the server itself.
To remove a server from console management
1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, expand Global or a server group.
2. Do one of the following:
  - In the Global group, expand All Servers.
  - In a server group, expand Servers.
3. Right-click a server, and then click Delete.
4. In the confirmation dialog box, click OK.
Installing Symantec Mail Security to remote servers
From the Symantec Mail Security for Microsoft Exchange console, you can install Symantec Mail Security to remote servers that run Exchange 2000. There may be cases in which you want to customize the installation of Symantec Mail Security to one or more remote Exchange servers. To customize and roll out the Symantec Mail Security installation to one or more remote servers, create a response file that contains the custom installation steps. See "Customizing the installation of remote servers" on page 51. You can also upgrade existing version 3.0, 4.0, or 4.5 installations to Symantec
145. lick Global.
- Right-click a user-defined server group.
- Right-click the Servers node under any server group.
Click All Tasks > Add Servers.
In the Add Servers panel, click Next.
In the Choose Server Group panel, do one of the following:
- Click the Global group.
- Select a user-defined server group.
- Type a name to create a new user-defined server group.
You will be adding remote servers to the group that you select. All servers are always added to the Global group, in addition to a specified user-defined server group.
Click Next.
In the Select Servers panel, in the left pane, select the remote Exchange server to which you want to install the product, and then click Add. Alternatively, in the Server Name text box, type the server name or IP address. You can also select a server group or domain of Exchange servers instead of individual computers. When you click Add, all computers are selected for the installation.
Repeat this step for each server that you want to add to the group.
Check Install SMSMSE to server(s).
Optionally, check the following:
- Send group settings to these servers: If checked and the server group is already configured through the console, the group settings are applied to the server. If this option is unchecked, the servers are installed with default settings.
- Keep installation files on
146. Changing the Transmission Control Protocol (TCP) port and using Secure Sockets Layer (SSL)
After a server is added to management control, you can change the TCP port and specify whether to use SSL for communication between the console and a server. See "Implementing SSL" on page 55.
To change the TCP port and use SSL
1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, expand Global or a server group.
2. Do one of the following:
  - In the Global group, expand All Servers.
  - In a server group, expand Servers.
3. Right-click a server, and then click All Tasks > Properties.
4. Type the new TCP port number for the server.
5. To enable SSL, check Use SSL for communication. If SSL communication is enabled, a different TCP port must be specified. The same port cannot be used for non-secure and SSL communications. Usually the default port for SSL is 636.
6. Click OK.
Sending group settings to a server
Settings on a particular server might not be synchronized with its server group settings. This can occur, for example, if a server is configured both from its single server user interface and the console.
Note: If a server is added to a server group but the group settings are not yet applied to the new server, changes to custom policy settings that are applied to the server group may result in a Comm Status report of application failure for the new server until the se
147. You must license and enable Symantec Premium AntiSpam. To enable the service, you must have an active Internet connection and allow outbound secure HTTP traffic through your firewall (port 443). If your connection uses an HTTP proxy, you must manually register the service. See "Downloading premium antispam updates through a proxy server" on page 101. Once Symantec Premium AntiSpam is enabled and registered, spam rules are continually downloaded from Symantec. To keep your antispam service current, Symantec Mail Security for Microsoft Exchange checks for updates every minute and receives new rule sets every 10-15 minutes.
To enable Symantec Premium AntiSpam
1. Do one of the following:
  - Open Symantec Mail Security for Microsoft Exchange for the single server.
  - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Configuration.
3. Expand Spam Prevention Settings.
4. Click Symantec Premium AntiSpam.
5. Check Enable Premium Settings.
6. Click Save.
Downloading premium antispam updates through a proxy server
You can configure Symantec Mail Security for Microsoft Exchange to download updates to Symantec Premium AntiSpam through a proxy server.
To download premium antispam updates through a proxy server
148. - Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages/log files
  - Troubleshooting performed prior to contacting Symantec
  - Recent software configuration changes and/or network changes
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on Symantec Value License Program
- Advice on Symantec's technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals
Symantec Software License Agreement
Symantec Mail Security for Microsoft Exchange
SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THI
149. - Server: Symantec Mail Security
- Console: Symantec Mail Security Console
Maintaining virus protection
This chapter includes the following topics:
- How Symantec Mail Security for Microsoft Exchange detects and prevents viruses
- Configuring your Internet connection for virus definitions updates
- Keeping your virus protection current
- Setting up your own LiveUpdate server
How Symantec Mail Security for Microsoft Exchange detects and prevents viruses
The Digital Immune System is Symantec's unique technology for automatic detection and repair of security threats. The Digital Immune System lets a computer network instantly identify potentially harmful agents or abnormal conditions and take protective measures as needed. The Digital Immune System automates the submission of potential threats and automatically delivers repairs to the problem computer or the entire enterprise. Symantec Mail Security for Microsoft Exchange works with the Digital Immune System to do the following:
- Allow submission of unrepairable new and user-specified files to Symantec for analysis
- Automate and strip submitted messages of non-virus content, in the case of Microsoft Word and Excel
- Track submissions in real time
150. m engine is not activated by default. When activated, the engine performs an analysis of incoming email messages, looking for key characteristics of spam. It weighs its findings against characteristics of legitimate email messages to determine a confidence level that the message is, in fact, spam. The confidence level is used to determine actions to take for accepted messages and whether to reject or log messages. The Symantec heuristic antispam filter engine assigns a spam confidence level (SCL) to each message. The SCL is a normalized value that indicates the likelihood that the message is spam, based on the message's characteristics, such as the content and message header. Once the SCL is set, the heuristic antispam engine takes the specified action on any message with an SCL that exceeds the set value for that action. If you have Microsoft Exchange 2003 installed, you can configure Symantec Mail Security for Microsoft Exchange to compare the Symantec SCL to the SCL that is already provided by another mail screening tool. To have Symantec Mail Security for Microsoft Exchange compare its SCL to that of another screening tool, the other tool must be configured not to take action based on its SCL. For example, if the other mail screening tool is Microsoft Intelligent Message Filter (IMF), IMF must be set to No Action in order for the SCL comparison to take place. Once you enable the option to reject messages based on SCL comparison in Sym
151. mber of occurrences of the subject lines for an hour. If the Microsoft Exchange server runs with high loads, you should minimize the time span for Subject Line and Attachment Name outbreak triggers.
To create a heuristic outbreak trigger
1. Do one of the following:
  - Open Symantec Mail Security for Microsoft Exchange for the single server.
  - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Configuration > Outbreak Settings > Heuristic Triggers.
3. Do one of the following:
  - In the single server user interface, click Add/Delete Heuristic Triggers. In the right pane, click Add a heuristic outbreak trigger, and then click Next.
  - In the console user interface, right-click Heuristic Triggers, and then click All Tasks > Add Trigger. Type a name for the heuristic trigger, and then click OK.
4. Check Enable trigger.
5. In the Event list, select a heuristic event to use for the trigger.
6. In the Occurrences box, type the number of occurrences of the heuristic event that is required for an outbreak.
7. In the Time Period box, type the amount of time that must elapse between each occurrence before an outbreak is declared.
8. Under Actions to take, check Add Subject Attachment Name to Triggered Match list.
9. Under Administrator email notifications, do the following:
  - Click Enable to
152. more addresses, separated by commas, to which messages that meet the SCL criterion will be delivered.
4. Check Add subject tag if SCL is ___.
5. In Text to prepend on subject box, type the text that you want to prepend to the subject line of messages that are suspected of being spam.
6. Check Add X-header containing SCL value if SCL is ___, and then choose an appropriate value.
7. Check Log if SCL is ___, and choose an appropriate value.
8. Click Save.
Understanding how the Store Action Threshold (SAT) works with an SCL value
The Store Action Threshold (SAT) in Microsoft Exchange 2003 works with the SCL value that is stamped on an email message to determine the destination of the message. With heuristic detection, Symantec Mail Security for Microsoft Exchange internally determines the SCL value of messages. With Symantec Premium AntiSpam, you specify an SCL value.
Note: Products other than Symantec Mail Security for Microsoft Exchange may also set an SCL value on a message. See "Understanding Symantec SCL values" on page 95.
When the heuristic spam detection feature of Symantec Mail Security for Microsoft Exchange is enabled, or when SCL assignment is enabled along with Symantec Premium AntiSpam, Symantec Mail Security for Microsoft Exchange stamps messages in Exchange 2003 with an SCL. Exchange 2003 places
153. n Auto Protect scanning starts for the first time, it follows the Standard Policy rule settings. You cannot delete the Standard Policy, but you can set all of your scan jobs to use a custom policy instead. You can restore the default Standard Policy settings if necessary.
Note: Restoring the default settings will not delete any custom Filtering Rules that you have created.
To restore the default Standard Policy settings
1. Do one of the following:
  - Open Symantec Mail Security for Microsoft Exchange for a single server.
  - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Policies.
3. Click Standard Policy.
4. In the lower right pane, click Restore Defaults.
Customizing policies
Symantec Mail Security for Microsoft Exchange lets you create custom policies. When you create a custom policy, you use an existing policy as a template, save the policy under a new name, and then modify the settings. To use a custom policy, you must link it to a scan job, enable it, and run the scan. If you delete a custom policy, all scan jobs that use that custom policy revert to the Standard Policy.
Work with custom policies
You can create, edit, and delete custom policies. For more information on editing custom policies, see "Working with filtering subpolicies" on page 135.
To c
154. n of the heuristic outbreak trigger. If you enable this alert, type the alert and subsequent alert text.
Under Alerts, check Enable to send an AMS Alert upon activation of the heuristic outbreak trigger.
Click Save.
To delete a virus trigger for a single server
1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Configuration > Outbreak Settings > Virus Triggers > Add/Delete Virus Triggers.
2. In the right pane, click Delete a virus outbreak trigger.
3. Click Next.
4. In the right pane, under Virus trigger name, select the virus trigger that you want to delete.
5. Click Delete.
To delete a virus trigger in the console
1. In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Configuration > Outbreak Settings > Virus Triggers.
3. Right-click a trigger, and then click Delete.
To delete a heuristic trigger for a single server
1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Configuration > Outbreak Settings > Heuristic Triggers > Add/Delete Heuristic Triggers.
2. In the right pane, click Delete a heuristic outbreak trigger.
3. Click Next.
4. In the right pane, under Heuristic trigger name, select the heuristic trigger that you want to delete.
5. Click D
155. n the Run box, type the following command, using the full directory path to the Symantec Mail Security for Microsoft Exchange Setup program:
Setup -r
This records the installation selections in a response file.
Respond to the Install Wizard prompts with the selections that you want for the custom installation. Do not press the Back button during the creation of the response file, as this records the keystroke and causes the installation process to fail.
When Setup completes, copy the Setup.iss file from the WINNT directory on the Microsoft Exchange Server to the Program Files SMSMSE 4.6 Console Remote Install Files or to the directory where the console was installed.
Upgrading from a previous version
If you are upgrading from a previous version and you transferred settings during the console installation, the new console has the same groups and settings as the previous console. However, the version 4.6 groups do not contain servers until they are migrated. See "Installing the Symantec Mail Security for Microsoft Exchange console" on page 46.
To upgrade from a previous version
1. Do one of the following:
  - On the desktop, double-click Symantec MS 4.6 Console for Exchange.
  - On the Windows taskbar, click Start > Programs > Symantec MS Console for Exchange > Symantec MS 4.6 Console for Exchange.
2. In the management console
156. n the SESA Manager on page 58.
Click Save.
You can configure the Enable Logging and Alerting to SESA server and IP address of SESA server options for a single server or a server group from the multiserver console.
Uninstalling the SESA Agent
You uninstall the SESA Agent for Symantec Mail Security for Microsoft Exchange from a command prompt.
Uninstall the SESA Agent
To uninstall the SESA Agent, you do the following:
- Stop the SESA AgentStart Service.
- Uninstall the SESA Agent for Symantec Mail Security.
To stop the SESA AgentStart Service
1. On the computer on which you installed the SESA Agent, on the Windows taskbar, click Start > Settings > Control Panel.
2. In the Control Panel window, double-click Administrative Tools.
3. In the Administrative Tools window, double-click Services.
4. In the Services dialog box, right-click SESA AgentStart Service, and then click Stop.
To uninstall the SESA Agent for Symantec Mail Security
1. On the computer on which you installed the SESA Agent, at a command prompt, change to the folder in which the SESA Agent files reside (by default, C SESA Agent).
2. At the command prompt, type the following:
java -jar agentinst.jar -u -a3009
Optionally, you can append any of the following parameters:
-debug: Writes logging information to the screen.
-log: Turns off the installation log and instru
157. nd spam definitions that are needed to keep protection current are not downloaded. If you have questions about licensing, contact Symantec Customer Service at 800-721-3934 or your reseller to check the status of your order.
To install or renew a license file on a single server
1. Open Symantec Mail Security.
2. Expand Tasks.
3. Click Install/Renew License.
4. If necessary, follow steps 1 and 2 of the Install/Renew Licenses panel to request a license file from Symantec.
5. In step 3 of the Install/Renew Licenses panel, do one of the following:
  - Type the fully qualified path to the license file, and then click Next. If the license file does not reside on the same computer, you can specify a mapped drive or UNC path to the file.
  - Click Browse, select the license file, and then click Next. If the License File does not reside on the same computer, you can locate the file using My Network Places.
6. Click Install to install the license file to the server.
You can install the virus content and Symantec Premium AntiSpam license one after the other.
Installing on multiple servers
You can install Symantec Mail Security for Microsoft Exchange on multiple Exchange servers by doing the following:
- Installing the Symantec Mail Security for Microsoft Exchange console
- Installing Symantec Mail Security on remote servers
- Customizing the installati
158. ng topics:
- Before you install
- System requirements
- Security and access permissions
- Installing on a single server
- Installing on multiple servers
- Installing the Symantec plug-in for Outlook
- Installing the Symantec Spam Folder Agent for Exchange
- Implementing SSL
- Enabling event forwarding to SESA
- After you install
- Accessing the single server user interface
- About the Symantec Mail Security for Microsoft Exchange console user interface
Before you install
You can use Symantec Mail Security for Microsoft Exchange to monitor mail security on one or more Exchange servers. Before you install Symantec Mail Security, ensure that all preinstallation and system requirements are met. Review the information that describes where key files are located and how security is set up. In addition, ensure that you have an installation plan that best matches your organization's needs. See "System requirements" on page 40. See "Server component locations" on page 36. See "Security and access permissions" on page 41.
If you are running Brightmail AntiSpam on the same server on which you want to install Symantec Mail Security for Microsoft Exchange, you must uninstall Brightmail AntiSpam before installing Symantec Mail Security for Microsoft Exchange. If you are installing Symantec Mail Security on a single Exchange server, follow the instructions
159. ngs
Unrepairable file rule
If the Basic Virus rule cannot repair an item and the Basic Virus rule is set to Repair the infected attachment, then the item is passed to the Unrepairable Virus rule and the appropriate action is taken. An email message or attachment may be unrepairable for the following reasons:
- The virus definitions that were in use at the time the file was attacked were out of date.
- Too much damage has been done to the item by a virus.
If the problem was caused by out-of-date virus definitions and the unrepairable message or attachment is important, it may be possible to restore the item from a backup and rescan it using up-to-date virus definitions. Then it may be possible to repair the file. If a file has been severely compromised, for example, by a virus that attacks the file allocation table, it may be unrepairable. The default Standard Policy setting for an unrepairable message or attachment is to quarantine the item and replace it with a text description.
Encrypted file rule
An attachment may not be scannable due to encryption or password protection. These files may contain viruses or other malicious content. The Encrypted File rule lets you implement your organization's policy on allowing encrypted files into the email system. An encrypted file may be a legitimate means of securing confidentiality between the sender and recipient, or it could contain malicious code that is designed to harm your email
160. ntains the name of the file that is assigned by the Quarantine, the violation that was detected, and the context in which the violation appears. You can release files from the Quarantine in two ways:
- Release By Mail: File is sent to the intended recipient.
- Release To File: File is sent to the Quarantine directory. A pop-up window displays the location of the directory.
You will have the option to remove the files from the Quarantine when they are released.
Chapter 7: Using Symantec Mail Security for Microsoft Exchange data
This chapter includes the following topics:
- Viewing Auto Protect statistics
- Viewing spam statistics for Symantec Premium AntiSpam
- Working with event data
- Working with report data
- Viewing events in the Windows Event Log
Viewing Auto Protect statistics
Symantec Mail Security for Microsoft Exchange collects usage and event information while your system is running. Symantec Mail Security for Microsoft Exchange lets you use this information in several ways. You can view auto protect statistics and event log data, and generate reports. Table 7-1 provides information about the statistics that Symantec Mail Security for Microsoft Exchange generates for Auto Protect scans.
Table 7-1: Auto protect statistics
Status (single server user interface only):
- Server name
- Service star
161. ntec Mail Security for Microsoft Exchange should be installed to all nodes of a cluster.
- The name of the server is usually used when installing to a cluster, but you can use an IP address to specify the computer. If you are using IP addresses, use the IP address of the computer and not the IP address of the cluster or virtual server.
Note: Use the Symantec Mail Security console to schedule LiveUpdate and scans for each server in the cluster.
Uninstalling Symantec Mail Security
You can uninstall Symantec Mail Security for Microsoft Exchange through Add/Remove programs.
Installing the Symantec plug-in for Outlook
The Symantec plug-in for Outlook lets you do the following:
- Submit missed spam and false positives to Symantec
- Administer blocked and allowed senders lists
- Specify languages in which you do not want to receive email. For the language identification feature to work, you must have the feature enabled.
The plug-in is available on the Symantec Mail Security for Microsoft Exchange installation CD. Upon installation, it adds a toolbar to the Outlook window. The plug-in can be used with Outlook 2000/2002/2003/XP on Windows 98/Me/NT/Windows 2000/XP.
Installing the Symantec Spam Folder Agent for Exchange
The Agent lets you route spam messages to a spam folder in each recipient's mailbox. This option is av
162. oad the system

Some viruses and types of email messages can overload the mail system, which causes severe degradation of system performance. For example, some viruses are designed to replicate a message to all of the entries in an address book. Messages with large attachments can also overload the mail system.

Inappropriate message content

Some types of email messages can be legal liabilities, contain offensive content, or be a nuisance, such as the following:
- Inappropriate content, such as gambling Web sites or sites of an explicit sexual nature
- Confidential company information or trade secrets, for example, the use of project code words and technology names to recipients outside of the company
- References to topics that are currently in litigation that should not be discussed, or messages with potential legal liabilities

You can create rules to filter messages for inappropriate content. See "Working with filtering subpolicies" on page 135.

Spam

Spam is unsolicited bulk email, most often advertising messages for a product or service. It wastes productivity, time, and network bandwidth. Symantec Mail Security handles spam in the following ways:
- Block by real-time blacklists (RBLs)
- Identify suspected spam using the heuristic antispam engine or the Symantec Premium AntiSpam service
- Create content f
163. on the host name of the SESA Directory computer. For example, mycomputer.com. For more information on the SESA default anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.

Secure Directory Port: Type the number of the SESA Directory SSL port (by default, 636).

The SESA Integration Wizard removes the SESA Integration Package for Symantec Mail Security.

After you install

After you install Symantec Mail Security for Microsoft Exchange, you should perform the following administrative tasks:
- Install the license file if it was not installed during setup. See "Installing or renewing a license file" on page 44.
- Update virus definitions. See "Keeping your virus protection current" on page 173.
- Configure notification and alert recipients. See "Configuring notifications and alerts" on page 115.
- Schedule a scan. See "Scheduling and deleting scans" on page 69.
- Run a manual scan. See "Running a manual scan" on page 70.

Some additional tasks are required if you are managing multiple servers using the Symantec Mail Security for Microsoft Exchange console. See "Managing multiple server installations" on page 71.

Accessing the single server user interface

The management of single installations of Symantec Mail Security for Microsoft Exchange is done for thr
164. on for each group in the console is stored on the console system.

Note: Avoid using multiple copies of the multiserver console if possible. Configuration information is stored on the local computer.

Global server group

The Global server group contains all of the Microsoft Exchange servers on which Symantec Mail Security for Microsoft Exchange is installed and running. This group includes servers that are added to user-defined groups, as well as servers that are added to multiserver management control but are not assigned to a specific server group. When you reconfigure the Global server group, changes are propagated to all servers in all groups. If you change a setting on an individual server or at the group level, and subsequently change the same setting at the Global server level, the change made at the Global server level overrides the change made at the individual server or group level.

User-defined server groups

User-defined server groups can be created dynamically when installing servers, when adding servers to console management, or at any time through the console. A user-defined server group is a physical server grouping that simplifies server management. For example, a server group might be all mail servers that are used by a department, for example marketing, or the physical location of a group of mail servers, for example third floor servers in Buil
165. on of remote servers. See "About the multiserver console" on page 71.

Note: You are prompted whether to save previous settings or to use default settings when you upgrade Symantec AntiVirus Filtering 3.0 or Symantec Mail Security for Microsoft Exchange 4.0/4.5 to the Symantec Mail Security for Microsoft Exchange 4.6 console.

Installing the Symantec Mail Security for Microsoft Exchange console

The Symantec Mail Security for Microsoft Exchange console is a Microsoft Management Console (MMC) snap-in application that lets you manage local and remote installations of Symantec Mail Security from a single computer. You can use the management console user interface to roll out installations of Symantec Mail Security to other Exchange servers. Before you install the console, you should fully understand its purpose and have an implementation plan.

Note: Symantec Mail Security supports upgrades from Symantec AntiVirus for Microsoft Exchange 3.0 and Symantec Mail Security for Microsoft Exchange 4.0/4.5. If you are upgrading the console from a previous version, to retain the previous settings and to update and migrate servers to the new console, you must install the new version on the same computer on which the previous installation resides.

Before you begin, you should review the preinstallation requirements. See Before you install the
166. oncontainer files (individual files without embedded files, which may be embedded within a container file) and container files (files with embedded files) are examined. See "Working with Match List settings" on page 146.

If a match is found, the prohibited file is blocked. If the prohibited file is within a container file, the entire container file is blocked.

For example, if an incoming Zip file named sample.zip contains three executable files (a.exe, b.doc, and c.bat), sample.zip would be blocked if any of the following occurs:
- Match list contains one of the literal strings sample.zip, a.exe, b.doc, or c.bat
- Match list contains one of the DOS wildcard expressions zip exe doc or bat
- Match list contains one of the regular expressions sample w 3 a w 3 b w 3 or c w 3

The blocked file is treated like an unrepairable file and will have the virus name UNAUTHORIZED FILE. By default, if you have not changed the unrepairable virus rule, the attachment is quarantined and replaced with a text description. An email notification is sent to the administrator. Message Service and Alert Management System (AMS) alerts are also sent. See "Unrepairable file rule" on page 146.

Determining inbound/outbound settings

Inbound and outbound email is defined by whether each recipient has a mailbox in the Exchange organization
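The container rule described above (a container is blocked when its own name or the name of any embedded file matches a match-list entry), as an added Python example that is not Symantec's code. The match-list patterns, the function names, and the nesting and size limits are assumptions made for illustration, and the sample archive is constructed in memory.

```python
import fnmatch
import io
import re
import zipfile

MAX_DEPTH = 5                      # assumed nesting limit (not from the manual)
MAX_MEMBER_BYTES = 10 * 1024 ** 2  # assumed per-file size cap (not from the manual)


def name_matches(filename, match_list):
    """Return the first (kind, pattern) entry matching the file name, else None."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for kind, pattern in match_list:
        if kind == "literal" and base == pattern.lower():
            return (kind, pattern)
        if kind == "wildcard" and fnmatch.fnmatchcase(base, pattern.lower()):
            return (kind, pattern)
        if kind == "regex" and re.fullmatch(pattern, base, re.IGNORECASE):
            return (kind, pattern)
    return None


def evaluate_attachment(filename, data, match_list, depth=0):
    """Block a file if its name, or the name of any embedded file, matches."""
    verdict = {"file": filename, "blocked": False, "matched": None, "rule": None}
    hit = name_matches(filename, match_list)
    if hit:
        verdict.update(blocked=True, matched=filename, rule=hit)
        return verdict
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return verdict  # noncontainer file whose name did not match
    if depth >= MAX_DEPTH:
        # Fail closed rather than descend without bound (assumed policy).
        verdict.update(blocked=True, matched=filename, rule=("limit", "nesting depth"))
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    # Do not decompress oversized members; block the container.
                    verdict.update(blocked=True, matched=info.filename,
                                   rule=("limit", "member size"))
                    return verdict
                inner = evaluate_attachment(info.filename, archive.read(info),
                                            match_list, depth + 1)
                if inner["blocked"]:
                    # One prohibited member blocks the entire container.
                    verdict.update(blocked=True, matched=inner["matched"],
                                   rule=inner["rule"])
                    return verdict
    except (zipfile.BadZipFile, RuntimeError):
        # Corrupt or encrypted container: treated as blocked here (assumed policy).
        verdict.update(blocked=True, matched=filename, rule=("limit", "unreadable"))
    return verdict


def make_zip(members):
    """Build a constructed in-memory Zip archive from {name: bytes}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the manual's sample.zip example.
    sample = make_zip({"a.exe": b"MZ", "b.doc": b"text", "c.bat": b"@echo off"})
    rules = [("literal", "c.bat"), ("wildcard", "*.exe"), ("regex", r"b\.\w{3}")]
    print(evaluate_attachment("sample.zip", sample, rules))
    print(evaluate_attachment("sample.zip", sample, [("wildcard", "*.scr")]))
```

The verdict records which embedded name triggered the block, which is the detail an administrator needs when reviewing a quarantined container.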
167. onfidential information, and content with potential legal consequences. Each message is scanned, and a score is calculated for the message based on the number of target words that are detected. If the score exceeds a threshold value, a rule violation is triggered. Symantec Mail Security includes a default content dictionary, but you can supply your own categories and words, for example, for confidential technologies. The Symantec-supplied dictionary contains proprietary information and cannot be viewed. However, you can create your own dictionary to ensure that the words that you want to include, and the weight of those words, are used for processing.

- Filter email messages based on attributes such as sender, subject, attachment size, attachment name, and attachment and body content scores.
- Filter suspicious email attachments.
- Create filtering rules that apply to SMTP inbound and SMTP outbound mail in addition to the Exchange Information Store.
- Create match lists to use in filtering content. A filtering rule can refer to one or more match lists. Match lists can consist of literal strings to match, regular expressions, or DOS wildcard expressions.

What you can do with Symantec Mail Security

Symantec Mail Security for Microsoft Exchange secures your Exchange servers in the following ways:

Protect against computer viruses

Filter
168. or message, and send an email message to the sender and to the administrator list to notify them of the infected message
- Screen mail content for racist or sexual content, and log messages that exceed a specified threshold for these categories
- Delete message attachments that are over a specified size
- Quarantine unscannable and unrepairable files

Within a policy, all subpolicies and rules can be enabled or disabled, except for the subpolicy that handles unrepairable, encrypted, and unscannable messages, which is always enabled.

How policies work with scan jobs

For a policy to be implemented, it must be linked with a scan job and enabled. In Symantec Mail Security for Microsoft Exchange, you can run any scan job using the Standard Policy or a custom policy. The scan job applies the rules of the policy to the scan. Generally, you use the Standard Policy for the Auto Protect scan job, and custom policies for manual and scheduled scan jobs.

Every scan job that runs on Symantec Mail Security for Microsoft Exchange belongs to one of the following categories:

Auto Protect scanning: In this mode, violations are scanned and detected in real time. The policy that is linked to the Auto Protect scan job applies to everything on the Exchange server: items in all public folders and mailboxes, and messages that are processed by the Microsoft Exchange SMTP service.

Manual scanning
169. orer 6.0

Note: To manage Symantec Mail Security using the multiserver console, all Symantec Mail Security servers must be in the same domain as the console. You should use the multiserver console whenever more than one server has the same settings.

Security and access permissions

By default, Symantec Mail Security for Microsoft Exchange creates the following user groups and assigns them access rights:
- SMSMSE Admins: Read and write access to all Symantec Mail Security components and features. Users in this group can change settings for Symantec Mail Security through the user interface. A Windows 2000 Server/2003 Server administrator-level account is not necessary for an SMSMSE Admin account.
- SMSMSE Viewers: Read-only access to Symantec Mail Security components and features. Users in this group cannot change settings for Symantec Mail Security, but can run reports, view event logs, and view settings through the user interface.

These user groups are domain-wide for Active Directory. Use the Active Directory Users and Computers MMC snap-in to change membership in these groups. During the security setup process, security is set for the Symantec Mail Security registry key and file folders.

Note: For the security setup to succeed, you must have administrator access to the local servers and domain administrator rights.

User grou
170. ory computer, for example, mycomputer.com. For more information on the SESA default anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.

Type the number of the SESA Directory SSL port (by default, 636).

Follow the on-screen instructions to install the SESA Integration Package and complete the SESA Integration Wizard.

Repeat steps 1 through 6 on each SESA Manager computer to which you are forwarding Symantec Mail Security events.

Verifying the SESA installation

After installation, you can verify that the appropriate components are installed and working properly.

Verify the installation

To verify the installation, you do the following:
- Verify that the SESA AgentStart Service has started.
- Verify that Symantec Mail Security for Microsoft Exchange is shown on and sending events to the SESA Console.
- Examine the SESA Agent log as necessary.

To verify that the SESA AgentStart Service has started

On the computer on which you installed the SESA Agent, open the Services Control Panel and verify that the SESA AgentStart Service is installed.

To verify that Symantec Mail Security for Microsoft Exchange is sending events to the SESA Console

1. On the SESA Manager computer, on the Windows taskbar, click Start > Programs > Symantec Enterprise Security >
171. ote: When pushing out definitions to managed servers, the license file must be current or the definitions will not be applied to the servers. See "Installing or renewing a license file" on page 44.

To schedule virus definitions updates for all servers or servers in a group

1. In the Symantec Mail Security console, in the left pane, expand Configuration for the Global group or for a server group.
2. Click LiveUpdate Settings.
3. In the right pane, check Enable automatic LiveUpdate operation.
4. Select one of the following:
   - Run every n hours: Select the interval in hours that you want to run LiveUpdate.
   - Run at a Specific Time: Type the time of day and the day of the week that you want LiveUpdate to run.
5. Click Enable Decomposer Update to have LiveUpdate check for decomposer engine updates. The decomposer engine is used to scan compressed files.
6. Click Save.

To manually update virus definitions in the multiserver console

1. In the Symantec Mail Security console, in the left pane, expand Global > Tasks.
2. Click Run LiveUpdate.
3. In the right pane, click LiveUpdate. The Console virus definitions box displays information about the latest virus definitions.

To manually update virus definitions for a group of managed servers

1. In the Symantec Mail Security console, in the left pane, expand Global and select a server group.
2. Click Tasks.
3. Click Run
172. p assignments and setup

You are automatically added to the SMSMSE Admins group when you set up a single Symantec Mail Security server. If you do not already belong to the SMSMSE Admins group, you are not automatically added to SMSMSE Admins when you install remote servers using the multiserver management console. Use the Active Directory Users and Computers MMC snap-in to verify and add membership to SMSMSE Admins if necessary.

Installing on a single server

You can install Symantec Mail Security for Microsoft Exchange on a single Microsoft Exchange server. If you plan to install Symantec Mail Security on multiple servers, use the Symantec Mail Security for Microsoft Exchange console instead. See "Installing on multiple servers" on page 45.

Before you begin, you should review the preinstallation information. See "Before you install on an Exchange server" on page 35.

To install on a single server

1. Start the Symantec Mail Security for Microsoft Exchange Setup program (Setup.exe). This file is located in the SMSMSE Server folder on the product CD.
2. In the Symantec Mail Security for Microsoft Exchange Setup panel, click Next.
3. In the Setup Preview panel, click Next.
4. In the next Setup Preview panel, click Next.
5. In the Software License Agreement panel, click Yes.
6. In the IIS Reset Options panel, select wheth
173. policies as follows:
- A manual scan job is linked to a new custom policy that only searches for attachment files with .vbs, .js, and .exe file extensions. The manual scan runs immediately. Scheduled Scan Job 1, which runs every Monday and Friday evening using a different custom policy, is linked to this new custom policy and runs on the same schedule.
- Scheduled Scan Job 2 and Scheduled Scan Job 3 use the same custom policy. This policy searches for content violations in all public folders. The scans run at midnight on a weekly basis with minimal notifications and alerts.

Understanding the Standard Policy and custom policies

Symantec Mail Security for Microsoft Exchange includes a default policy called the Standard Policy. You can also create custom policies. Each policy (the Standard Policy and any custom policy) consists of the following subpolicies:

Virus: Contains rules for detecting a virus and the actions to take when one is detected.
Filtering: Contains rules for message body content filtering. It flags mail according to words in the subject line and filters spam.
Exception: Contains rules for handling unscannable and unrepairable files and encrypted files.

Using the Standard Policy

The Standard Policy contains default settings to protect your Microsoft Exchange servers. You may alter these settings depending on the needs of your organization. Auto Protect scanning is installed using the Standard Policy. That is, whe
174. policy.
In the right pane, click Edit for the rule that you want to edit.
Modify the rule settings, and then click Save.
In the left pane, click Filtering Subpolicy.
In the right pane, check the rule that you edited if you want to enable it. Rules are enabled by default in the multiserver console.
9. Under Order in which the filtering rules should be applied, move the rule by selecting it and clicking Up or Down as necessary.
10. Click Save.

See "Customizing policies" on page 127.

Content evaluation

Email or scanned content that matches an expression in a filtering rule might violate that rule, depending on whether the rule contains AND expressions or OR expressions. Specifically, if the rule contains AND expressions, then all expressions must evaluate to true to trigger a content violation for the entire rule. However, if the rule contains OR expressions, only one expression must evaluate to true to trigger a content violation for the rule. See "Elements of a filtering rule" on page 137.

You can specify a filtering rule to apply to Store scanning, SMTP inbound scanning, or to SMTP outbound scanning. Symantec Mail Security for Microsoft Exchange handles content violations according to the action that you configure for the rule. You can select any of the following actions (one action per rule):
- Quarantine attachment/message body, replace with text descript
175. r Recipient White List, type the fully qualified email addresses, one per line, for which spam processing will be bypassed. You can list up to 50 email addresses.

Click Save.

Protecting your organization from spam with Symantec Premium AntiSpam

In addition to providing real-time blacklisting and sender and recipient whitelisting, Symantec Premium AntiSpam uses the following to identify and handle spam:

Reputation service: Symantec monitors email sources to determine how much of the email messages that are sent from those sources is legitimate. Email from those sources can then be blocked or allowed based on the source's reputation value as determined by Symantec. Symantec uses the following lists to filter your messages:
- Open Proxy list: A dynamic database that contains IP addresses of identity making relays, including proxy servers with open or insecure ports.
- Safe list: A list of IP addresses from which virtually no outgoing email is spam.
- Suspect list: A list of IP addresses from which virtually all of the outgoing email is spam.

Suspected spam threshold: Symantec calculates a spam score from 1 to 100 for each message. If a message scores from 90 to 100, it is defined as spam. For more aggressive filtering, you can define a spam threshold below 90 and above 24 to identify suspected spam. You specify actions for handling spam and suspected spam separately.
176. r organization has multiple Exchange servers, you can manage the servers individually from the single server interface that is installed on each computer, or you can manage all of the servers centrally from a multiserver console. You can also access each server interface from the console.

Single server user interface

The single server user interface is hosted by Internet Information Server (IIS). Every Microsoft Exchange server on which Symantec Mail Security for Microsoft Exchange is installed contains an instance of the single server user interface. You can access the single server user interface from the local server, from the console, or from any remote server that is running Internet Explorer and has external access and a firewall that is configured to provide access.

Multiserver console

The Symantec Mail Security for Microsoft Exchange console, or multiserver console, provides central management of multiple Exchange servers that are running Symantec Mail Security for Microsoft Exchange. You can manage remote servers if the following conditions are met:
- You can access the server by HTTP or HTTPS across the network, including through any firewall or router that exists on the network. The default port number is 8081.
- The computer satisfies all of the operating system and service pack requirements.

Using the
177. r own dictionary to ensure that the words that you want to include, and the weight of those words, are used for processing. See "Content dictionaries" on page 152.

Safeguard the email security system

Symantec Mail Security for Microsoft Exchange protects against denial-of-service attacks by isolating the scanning process and running it separately. If a scan is unsuccessful more than once, or takes longer than a specified time limit, the scan quits and the file is considered unscannable. See "Unscannable file rule" on page 145.

Manage virus outbreaks

A virus outbreak occurs when the number of threats to the Microsoft Exchange system that are detected over a period of time exceeds a specified limit. Symantec Mail Security for Microsoft Exchange lets you manage outbreaks quickly and effectively by setting outbreak rules and sending notifications and alerts when an outbreak is detected. You can also select an action to take when an outbreak is detected, such as delete the entire message, log the event, or quarantine the attachment or message body. You can set rules to define an outbreak based on event: same virus occurs a specified number of times, total number of viruses, or number of unrepairable viruses; occurrences: the number of times that the event occurs; attachment name and subject line; and time period: the number o
178. rder to words in the Symantec-supplied or custom categories. Whenever a match with a dictionary entry (Symantec-supplied or custom) occurs, a new process begins. The content filtering engine builds a word chain, starting with the word that matches the dictionary entry. The purpose of building a word chain is to further evaluate the meaning of a matched word by examining its context. For example, if the word "cancer" succeeds "breast" in a word chain, it is likely that the message is about a medical condition and is not inappropriate. By creating and evaluating word chain structures, the content filtering engine catches these differences in meaning and adjusts scoring accordingly.

Each word that follows the matched word is added to a chain until the following occurs:
- Two successive nondictionary words are found. At that point, the comparison process continues with the next word in the text block.
- The end of the block is reached. At that point, the processing of the next text block begins.

Base and bonus scores

After Symantec Mail Security for Microsoft Exchange processes the message text, it calculates the total score for the message. This total score is cumulative across all enabled categories. The content filtering feature does not produce scores for individual dictionary categories. Symantec Mail Security for Microsoft Exchange uses the following categories of scores when as
179. reate a custom policy in the multiserver console

1. In the Symantec Mail Security for Microsoft Exchange console, in the left pane, expand Policies.
2. Right-click Custom Policies, and then click All Tasks > Add Policy.
3. In the Add Custom Policy dialog box, under Policy Name, type the name of the custom policy.
4. Under Policy Template, select a policy to use as a template for the new policy.
5. Click OK.
6. In the left pane, select the new custom policy.
7. In the right pane, customize the new policy by enabling or disabling its subpolicies and changing the settings for the subpolicy rules. Save every rule and subpolicy that you modify. Rules in the multiserver console are enabled by default.
8. Click Save.

To delete a policy in the multiserver console

In the Symantec Mail Security for Microsoft Exchange console, in the left pane, right-click the policy that you want to delete, and then click Delete.

To create a custom policy in the single server user interface

1. In Symantec Mail Security for Exchange, in the left pane, expand Policies.
2. Click Custom Policies.
3. In the right pane, click Add/Delete Custom Policy.
4. Click Add a Custom Policy.
5. Click Next.
6. Under Policy name, type a name for the new policy.
7. Under Policy Template, select a policy, either the Standard Policy or an existing custom policy, to use as a templ
180. ring its scanning process. See "Server component locations" on page 36.

If you are running a desktop antivirus product on the server on which you want to install Symantec Mail Security for Microsoft Exchange, you must configure the desktop product not to scan the Temp and quarantine directories that are used by Symantec Mail Security for Microsoft Exchange. Scanning these directories will cause significant operational problems with the software.

System requirements

Symantec Mail Security for Microsoft Exchange runs on Microsoft Windows 2000/2003 on the Intel platform. You must have domain administrator-level privileges to install Symantec Mail Security.

The server system requirements are as follows:

Operating system:
- Windows 2000 Server/Advanced Server SP4
- Windows Server 2003 Standard/Enterprise SP1

Exchange platform:
- Exchange 2000 Server SP3/Enterprise Server
- Exchange 2003 Server/Enterprise Server

Minimum system requirements:
- Intel Server class 32-bit processor
- 1 GB RAM
- 190 MB available disk space for installation
- 260 MB available disk space for remote installation
- Microsoft Internet Explorer 6.0

The multiserver console system requirements are as follows:
- Windows 2000 SP4/2003/XP
- 140 MB available disk space for Mail Security Console installation
- Microsoft Management Console (MMC) 1.2
- Microsoft Internet Expl
181. rosoft Exchange for the single server.
   - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Configuration.
3. Click General Settings.
4. Under Bloodhound Detection, select a level of protection. Setting the level to high increases the risk of false positives.
5. Click Save.

Maximizing bandwidth for scanning

To ensure that your network has adequate bandwidth for scanning, Symantec Mail Security for Microsoft Exchange lets you set the number of VSAPI scanning threads and the number of scan processes. The default is configured using the following formula: (number of processors x 2) + 1. You should accept the default unless you have a compelling reason to do otherwise.

To configure scanning threads and number of scan processes

1. Do one of the following:
   - Open Symantec Mail Security for Microsoft Exchange for the single server.
   - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Configuration.
3. Click General Settings.
4. In the right pane, in the Number of VSAPI Scanning Threads box, type the number of threads to use for VSAPI scanning.
5. In the Number of Scan Processes box, accept the default or type the number of scan processes. The defaul
182. rs and server groups (page 73)
Creating a server group (page 73)
Adding servers to a group (page 74)
Moving a server to another group (page 75)
Changing the Transmission Control Protocol (TCP) port and using Secure Sockets Layer (SSL) (page 76)
Sending group settings to a server (page 76)
Restoring default settings to a server group (page 77)
Restoring default settings to a server (page 77)
Deleting a server group (page 78)
Updating servers in a server group (page 78)
Removing a server from console management (page 79)
Installing Symantec Mail Security to remote servers (page 79)
Updating and distributing virus definitions (page 80)
Running a manual scan on a server group (page 81)
Viewing status information (page 82)
Configuring Symantec Mail Security for Micro
183. rs to a group

1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, right-click Global or a server group, and then click All Tasks > Add Servers.
2. In the Add Servers pane, click Next.
3. In the Choose Server Group pane, select an existing server group, for example, Global. You can also type a name to create a new group.
4. Type the TCP port number for the server or group of servers that you want to add. The port number must be the same for all servers that you want to add. Port 8081 is the default. The port number and SSL setting must be identical to that of the server in order for the console to communicate with the server.
5. Click Next.
6. In the Select Servers pane, under Available Servers, select the server that you want to add, or select a domain of servers. Alternatively, in the Server Name text box, type the server name or IP address.
7. Click Add.
8. Repeat steps 6-7 for each server that you want to add to the group.
9. Check Send group settings to server(s). If checked, the group settings are applied to a newly added server. If unchecked, server settings are retained. Future changes that are made to the server group, however, will be applied to the server.
10. Click Finish.

If you add a server that is not running Symantec Mail Security for Microsoft Exchange 4.6, or that is running Symantec AntiVirus Filtering for Micro
184. rver group settings are applied to the new server.

To send group settings to a server

1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, do one of the following:
   - For the Global group, expand All Servers.
   - For a server group, expand Servers.
2. Right-click the server, and then click All Tasks > Send Group Settings. The settings of the server group are sent to the selected server.

Restoring default settings to a server group

You can restore all settings for a server group to their initial default states.

To restore default settings to a server group

In the left pane of the Symantec Mail Security for Microsoft Exchange console, right-click a server group, and then click All Tasks > Restore to Factory Defaults.

Restoring default settings to a server

You can restore the default settings for Symantec Mail Security for Microsoft Exchange on a server by running the SAVFMSEReset.exe utility that is installed in the Server folder. This causes the Symantec Mail Security service to stop and restart, which can take a minute or more in some situations.

To restore default settings to a server

On the computer that is running Symantec Mail Security, in the Server folder, double-click SAVFMSEReset.exe. By default, the file is located in the following folder:
C:\Program Files\Symantec\SMSMSE\4.6\Server
185. rwise provided in this Agreement, in no event will any of the Contributors be liable for damages, including direct, indirect, special, incidental and consequential damages, such as lost profits.
   4. Any provisions in this License Agreement that differ from the IBM License are offered by Symantec alone and not by any other party.

   Contents
   Technical support
   Chapter 1 Introducing Symantec Mail Security for Microsoft Exchange
   - About Symantec Mail Security for Microsoft Exchange
   - Understanding mail security threats
   - What's new in Symantec Mail Security
   - Components of Symantec Mail Security
   - How Symantec Mail Security works
   - What happens during a scan
   - How Symantec Mail Security monitors events
   - Types of scanning
   - Policies and subpolicies
   - Filtering features
   - What you can do with Symantec Mail Security
   - Protect against computer viruses
   - Filter undesirable mes
186. s Although AMS alerts are generally managed through Symantec AntiVirus Corporate Edition, you can install the AMS Administration Utility to manage alerts directly for Symantec Mail Security for Microsoft Exchange. The setup program resides in Admtools\DIS\AMS on the Symantec Mail Security for Microsoft Exchange distribution media. After installation, you can configure AMS alerts, which include broadcasts, email messages, message boxes, pages, and SNMP traps. For more information, see the AMS online Help.

   If you have installed Symantec Enterprise Security Architecture (SESA), you can enable SESA alerts. Although SESA is not part of Symantec Mail Security for Microsoft Exchange, it allows security information, such as virus detection and content filtering violations, to be logged and analyzed across an entire organization. Selecting Enable SESA Logging enables the reporting of security events to the SESA Manager, where the events are sent to the SESA DataStore. When Enable SESA Logging is selected, you specify the IP address of the SESA server, which sends events to a designated SESA Manager computer.

   To configure notifications and alerts
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group
187. Management operations are grouped into the following categories, which are represented by the following main nodes in the tree view:
   - Scan Jobs: Used to create, schedule, and implement scans.
   - Policies: Used to create and configure sets of rules to be implemented by specific scan jobs.
   - Tasks: Includes actions to update virus definitions and quarantine problem messages.
   - Configuration: Lets you configure global product settings.
   - Statistics and Reports: Lets you use data that is collected by Symantec Mail Security.

   About the Symantec Mail Security for Microsoft Exchange console user interface
   The Symantec Mail Security for Microsoft Exchange console is similar to the single server user interface that is used
188. sage content
   - Safeguard the email security system
   - Manage virus outbreaks
   - Isolate infected message bodies and attachments
   - Keep virus protection up to date
   - Gather and report data
   - Send notifications when a threat or violation is detected
   - Manage single and multiple Exchange servers
   - Using Symantec Mail Security with other Symantec products
   - Where to get more information about Symantec Mail Security
   Chapter 2 Installing Symantec Mail Security for Microsoft Exchange
   - Before you install
   - Before you install on an Exchange server
   - Before you install the multiserver console
   - Server component locations
   - Console component locations
   - Start menu shortcuts
   - Preventing conflicts
189. scans Symantec Mail Security first decodes and decompresses files, and then scans them for viruses using a virus definitions file of known virus signatures. The virus definitions file contains non-malicious bits of code, or virus definitions, for thousands of viruses. If Symantec Mail Security finds a match, the file is considered infected, and the document is handled according to the scanning configuration settings (repair, delete, quarantine, or log and deliver). Symantec Mail Security also uses Symantec Bloodhound heuristics technology to scan for viruses for which no known definitions exist. Bloodhound heuristics technology scans for unusual file behaviors, such as self-replication, to target potentially infected files.

   How Symantec Mail Security monitors events
   Symantec Mail Security uses a heartbeat function (optional setting) that monitors scan threads to ensure that they are working. When problems occur, Symantec Mail Security posts the events to the Windows Event Log. You can also configure Symantec Mail Security to post events to the Symantec Enterprise Security Architecture (SESA) DataStore, an event management system that uses data collection services for events that Symantec and supported third-party products generate. Symantec Mail Security sends a subset of security and application events to SESA. The events that Symantec Mail Securit
190. se any number of AND phrases and any number of UNLESS phrases, but it cannot contain an OR phrase if it already has an AND phrase. Likewise, if you start with an OR phrase, you can add more OR phrases or UNLESS phrases, but you cannot include an AND phrase.

   An expression phrase consists of the following elements:
   - Attribute: The part or characteristic of the email message that you want to scrutinize for violations.
   - Comparison: The comparison that you want to make between the Attribute and the value that, when matched to the Attribute, constitutes a content violation.
   - Value: The numeric value or alphanumeric text string that you enter as the criteria to match. The Attachment Size and Content Score are numeric values. The Suspicious Attachment Name is a Boolean (True or False) value, while the rest are alphanumeric text strings.

   The Attributes with their corresponding Comparisons and Values are shown in Table 5-1.

   Table 5-1 Attributes, Comparisons, and Values
   - Attribute: Message Body. Comparison: Contains, Does Not Contain. Value: Text value, A member of Match List (Ignore case, Whole words only).
   - Attribute: Message Body Categories Content Score. Comparison: Greater Than, Less Than. Value: Numerical value.
   - Attribute: Sender. Comparison: Contains, Does Not Contain, Match List, Equals, Does Not Equal. Value: Text value, A member of Match List.
   - Attribute: Subject. Comparison: Contains, Does Not Contain, Equals, Match List, Does Not Equal. Value: Text value, A member of Match List (Ignore case, Whole words only).
191. se may not exceed the aggregate number of copies indicated in the License Module, as calculated by any combination of licensed Software titles. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single computer;
   B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;
   C. use the Software on a network, provided that You have a licensed copy of the Software for each computer that can access the Software over that network;
   D. use the Software in accordance with any written agreement between You and Symantec; and
   E. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees in writing to the terms of this license.

   You may not:
   A. copy the printed documentation that accompanies the Software;
   B. sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;
   C. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;
   D. use a previous v
192. servers If this option is unchecked, the installation files are removed from the servers after installation.
   11. Click Finish.
   12. Complete the logon prompt, and then click OK. The Status of Remote Server Installation(s) panel indicates the progress of the remote installation.
   13. Do one of the following:
      - If an error occurs during the installation, click Errors for more information.
      - When all remote installations are complete, click Done.
   14. Repeat steps 1-13 to remotely install Symantec Mail Security to servers in other administrative groups.

   If the option to send group settings to servers is selected, do not close the console after the remote installation completes until the settings have been propagated to the servers. Check the Comm Status panel to verify that the console-to-server communications have succeeded.

   Installing or renewing a license file to remote servers
   You must install a license file on each server that is running Symantec Mail Security for Microsoft Exchange in order to activate a content license. This lets you receive the latest virus definitions updates. To install an antivirus content license, you must have the serial number that is required for activation. The serial number is listed on your purchase certificate. The purchase certificate is mailed separately or sent by email if you requested that method when you purchased
193. servers or overwhelm your mail security system. Symantec Mail Security for Microsoft Exchange handles encrypted attachments according to the actions and notifications that you specify. The default Standard Policy setting for an encrypted file is to log only attachment message body available

   Working with Match List settings
   You can create a Match List that includes words, email addresses, or domains that you want to filter. Match lists support DOS wildcard-style expressions, literal strings, or regular expressions. After you create a Match List, you can define a filtering rule that uses the Match List. The rule will catch any word or phrase that is in the Match List. Match Lists provide a way to filter content that applies to a specific situation.

   Outbreak triggers are used to add a subject line or an attachment name of a possible virus to a triggered Match List on the server. This lets you create a rule that automatically blocks suspicious subjects and file names. See "Defining outbreak triggers" on page 180.

   If you want to filter a specific set of extensions, you can create a Match List of those extensions and then reference the list from the filtering rules. You can add more extensions to the Match List. The filtering rules are updated automatically.

   You can create new Match Lists, add to an existing Match List, or delete or edit words in a Match List. After you cre
194. signing values
   - Base score: The primary value that is assigned to a word or phrase. Base scores can be positive or negative integers. The severity of a word's base score should be relative to the scores of the other words in the category.
   - Bonus score: A secondary value that is assigned to a word or phrase. A bonus score can be positive or negative. Bonus scoring is used for word context and for adjustments to the total score. Only Symantec-supplied words and phrases use bonus scores.

   When you add a custom word or phrase to a custom category, Symantec Mail Security for Microsoft Exchange requires that you assign a base score to the entry. It does not require a bonus score for custom entries, however.

   Building custom categories and words
   Symantec Mail Security for Microsoft Exchange lets you build custom categories of words to supplement the Symantec dictionary. You build custom categories of words by adding new words, their scores, and the categories to which the words belong. You can either assign words to a new category or to an existing Symantec-supplied category. New words that are assigned to a Symantec-supplied category are considered part of the custom dictionary and are stored separately from the Symantec dictionary. In cases in which the same word is found in both dictionaries, the custom dictionary always takes precedence.
195. soft Exchange 3.0 or Symantec Mail Security for Microsoft Exchange 4.0 or 4.5, the server is added to the group without warning. After a minute or so, an error message appears that says the server is not responding to communications. In the case of a 3.0, 4.0, or 4.5 server, although the server may be visible in the right pane, it cannot be managed. In either case, delete the server from the console, and then install or upgrade the server as appropriate.

   Moving a server to another group
   A server that is going to be moved from one server group to another can be selected either from the Global group, which contains all managed servers, or from a server group. Unless Send group settings to server is checked, moving a server to another group does not affect the current server settings, even if its settings differ from those of its new group. Future changes made to the server group, however, will be applied to the server.

   To move a server to another group
   1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, expand Global or a server group.
   2. Do one of the following:
      - In the Global group, expand All Servers.
      - In a server group, expand Servers.
   3. Right-click a server, and then click All Tasks > Move Server.
   4. Select the target server group or create a new server group.
   5. To apply the settings of the new server group to the server, check Send group settings to server.
   6. Click OK.
196. soft Exchange
   - About configuring Symantec Mail Security for Microsoft Exchange
   - Configuration settings
   - Securing your network
   - Protecting against denial of service attacks
   - Blocking by attachment file names
   - Determining inbound/outbound settings
   - Using Bloodhound heuristics technology
   - Maximizing bandwidth for scanning
   - Protecting your organization from spam without Symantec Premium AntiSpam
   - Blocking by real-time blacklists
   - Assigning a Spam Confidence Level (SCL) to messages using the heuristic antispam engine
   - Bypassing RBL blocking and spam detection for sender and recipient whitelists
   - Protecting your organization from spam with Symantec Premium AntiSpam
   - Enabling Symantec Premium AntiSpam
   - Downloading premium antispam updates through a proxy server
   - Configuring Symantec Premium AntiSpam to identify spam
   - Configuring Symantec Premium AntiSpam to h
197. spam engine scores between 90 and 100.

   You can specify a range between 25 and 90. Messages that are assigned a value within this range are considered suspected spam. A suspected spam message that also has an SCL value falls in this category. See "To configure a spam threshold" on page 103.

   You can specify a range between 25 and 90. Messages that are assigned a value within this range are considered suspected spam. A suspected spam message that does not have an SCL value falls in this category. See "To configure a spam threshold" on page 103.

   This is a message that scores below 25.

   A message is placed in the N/A category under the following circumstances:
   - The message is an internal Microsoft Exchange message that has already been assigned a special reserved SCL value of 1.
   - The message was whitelisted by Symantec Mail Security for Microsoft Exchange on this server.
   - The message was whitelisted by some other entity, either another antispam product or Symantec Mail Security for Microsoft Exchange running on a different server.
   - The message was delivered by an authenticated SMTP session, and the DoAntiSpamOnAuthSessionsBool registry key is either missing or set to zero.

   When the Symantec Premium AntiSpam license is not installed or is invalid, only the By Domain statistics display. The By Category statistics do not display.

   To vie
198. standard for, or particular to, your company or industry, and for which you may want to filter content. After you create a Match List, you can define a filtering rule that specifies the Match List. A filtering rule can refer to one or more match lists. Match lists can consist of literal strings to match, regular expressions, or DOS wildcard expressions. See "Working with Match List settings" on page 146.

   Content filtering rules
   Create filtering rules that apply to SMTP inbound and SMTP outbound mail, in addition to the Exchange Information Store. The Filtering subpolicy contains rules that let you filter messages for specific words, phrases, subject lines, and senders, and take action when the specified content is found. See "Working with filtering subpolicies" on page 135.

   Dictionary-based content filtering
   Use content dictionaries to search email messages and some types of attachments for offensive language, confidential information, and content with potential legal consequences. Each message is scanned, and a score is calculated for the message based on the number of target words that are detected. If the score exceeds a threshold value, a rule violation is triggered. Symantec Mail Security includes a default content dictionary, but you can supply your own categories and words (for example, for confidential technologies). The Symantec-supplied dictionary contains proprietary information and cannot be viewed. However, you can create you
199. t date and time
   - Exchange store state (Started or Stopped)
   - Auto-protect status (Started or Stopped)
   - Auto-protect policy in use (Standard or Custom; Enabled or Disabled)
   - Heartbeat (Enabled or Disabled)
   - Virus scanning (Enabled or Disabled)
   - Symantec Premium AntiSpam (Enabled or Disabled)

   Virus definitions
   - Date of virus definitions being used
   - Number of virus definitions

   License
   - License feature (Virus definitions, Symantec Premium AntiSpam)
   - License status (Active, Not Licensed, Expired)
   - Expiration date
   - Days left before expiration date

   Scan data
   - Number of files scanned by VSAPI
   - Number of messages scanned by SMTP
   - Number of files scanned by SMTP
   - Total number of violations
   - Number of virus infection violations
   - Number of filtering violations
   - Number of encrypted items
   - Number of unscannable items
   For each total, the count for the last day, the peak day, the last hour, and the peak hour is available.

   RBL data
   - Number of RBL provider lists checked
   - Number of rejected connections based on RBL match

   Table 7-1 Auto-protect statistics

   Last virus detected (single server user interface only)
   - Name of the last virus that was detected on the server
   - Time that the last virus was detected on the server
   - Specific locations of the last virus that was detected on the server

   Refresh status
   - Data about the l
200. t is configured during installation using the formula: 2 times the number of processors, plus 1.
   6. Click Save.

   Protecting your organization from spam without Symantec Premium AntiSpam
   Symantec Mail Security for Microsoft Exchange can protect your organization from spam in the following ways:
   - Block by real-time blacklists (RBLs)
   - Identify suspected spam using the heuristic antispam engine
   - Create spam content filtering rules to identify spam

   You can configure Symantec Mail Security for Microsoft Exchange to bypass RBL blocking and heuristic spam detection by enabling and configuring sender and recipient whitelists.
   See "Blocking by real-time blacklists" on page 93.
   See "Assigning a Spam Confidence Level (SCL) to messages using the heuristic antispam engine" on page 94.
   See "Working with filtering subpolicies" on page 135.
   See "Bypassing RBL blocking and spam detection for sender and recipient whitelists" on page 98.

   Blocking by real-time blacklists
   One way of preventing spam is to reject connections that come from mail servers known or believed to send spam. To limit potential spam, Symantec Mail Security for Microsoft Exchange supports real-time blacklist (RBL) blocking. RBL blocking works by denying mail servers access to your system if those servers have been identifi
201. ter descriptions
   - Period (.): Matches any single character of the input sequence.
   - Circumflex (^): Represents the beginning of the input line. For example, ^A is a regular expression that matches the letter A at the beginning of a line. The ^ character is only special at the beginning of a regular expression or after the ( or | characters.
   - Dollar sign ($): Represents the end of the input line. For example, A$ is a regular expression that matches the letter A at the end of a line. The $ character is only special at the end of a regular expression or before the ) or | characters.
   - Asterisk (*): Matches zero or more instances of the string to the immediate left of the asterisk. For example, A* matches A, AA, AAA, and so on. It also matches the null string (zero occurrences of A).
   - Question mark (?): Matches zero or one instance of the string to the immediate left of the question mark.
   - Plus sign (+): Matches one or more instances of the string to the immediate left of the plus sign.
   - Escape (\): Turns on or off the special meaning of metacharacters. For example, \. only matches a dot character. \$ matches a literal dollar sign character. Note that \\ matches a literal \ character.
   - Pipe (|): Matches either expression on either side of the pipe. For example, exe|com|zip matches exe, com, or zip.

   Table 5-3 Metacharacter descriptions
   - Brackets ([string]): Inside the bra
202. the Symantec Mail Security for Microsoft Exchange event log to view only the events in which you are interested.

   To view the event log
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   2. Click Event Log.

   To filter the Symantec Mail Security for Microsoft Exchange event log
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   2. Click Event Log.
   3. In the List field, select a category on which to filter the event data.
   4. Select a start date from which to begin displaying event data.
   5. Click Display to show the filtered data.

   Working with report data
   Symantec Mail Security for Microsoft Exchange collects extensive report data on policy rule violations. You can use this data to do the following:
   - Generate summary reports based on different subsets of the data. When you define a report, you specify criteria such as the time span of the collected data and whether to show virus rule violations or all violations.
   - View or print report data in a third-party reporting application, such as Microsoft Excel or Crystal Reports.
203. the following
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   2. In the left pane, expand Configuration.
   3. Expand Spam Prevention Settings.
   4. Click Symantec Premium AntiSpam.
   5. Click Symantec Premium Settings.
   6. Under Reputation Service, check only the check boxes for the lists that you want to use. Suspect list is enabled by default and cannot be disabled.
   7. Click Save.

   To configure a spam threshold
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   2. In the left pane, expand Configuration.
   3. Expand Spam Prevention Settings.
   4. Click Symantec Premium AntiSpam.
   5. Click Symantec Premium Settings.
   6. Under Spam Scoring, select whether you want messages identified as suspected spam.
   7. Under Select a Suspected Spam Threshold between 25 and 89, type a number above 24 and below 90.
   8. Click Save.

   To enable language identification
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for the single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane
204. tings\All Users\Application Data\Symantec\SMSMSE\4.6\Console

   Start menu shortcuts
   Shortcuts are placed in the following Windows Start menu groups:
   - Symantec MS for Microsoft Exchange
      - Symantec Mail Security for Exchange: Launch the Symantec Mail Security single server user interface. The single server user interface is also available from a desktop shortcut.
      - Run LiveUpdate: Update virus definitions on the local server immediately.
   - Symantec MS Console for Exchange
      - Symantec MS 4.6 Console for Exchange: Launch the Symantec Mail Security multiserver console, if the Symantec Mail Security for Microsoft Exchange console is installed. The multiserver console is also available from a desktop shortcut.

   In addition, a LiveUpdate properties control panel is placed in the Windows Control Panel group to manually configure the LiveUpdate connection method, if necessary.

   Preventing conflicts with other antivirus software
   You must stop any other antivirus software on the server on which you want to install Symantec Mail Security for Microsoft Exchange. After installation, you should re-enable the antivirus protection. If another antivirus product is installed on the Symantec Mail Security for Microsoft Exchange server, the competing product may try to scan and delete Symantec Mail Security for Exchange files that are placed in the Temp and quarantine directories du
205. tion A separate custom policy that searches for these encrypted messages and deletes them is run off-hours. A custom policy that filters mail for company executives is run on a scheduled basis.

   Working with subpolicies
   A subpolicy is a collection of rules that addresses a type of malicious content. A rule is an element of a subpolicy, which is an element of a policy. When you make changes to a subpolicy, you are changing the settings that are associated with one or more subpolicy rules.

   Symantec Mail Security for Microsoft Exchange uses the following subpolicies:
   - Virus subpolicy: Contains the Basic Virus rule, Macro Virus rule, Bloodhound Virus rule, and Mass Mailer Virus rule.
   - Filtering subpolicy: Can contain any number of user-defined filtering rules. Note: Filtering subpolicy rules do not appear by default in the multiserver console. They must be added.
   - Exception subpolicy: Contains the Unscannable File rule, Unrepairable File rule, and Encrypted File rule.

   Work with subpolicies
   You can enable and edit subpolicies.

   To enable a subpolicy
   1. Do one of the following:
      - Open Symantec Mail Security for Microsoft Exchange for a single server.
      - In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
   2. In the left pane, expand Policies.
   3. Do one of the following:
      - Click Standard Policy.
      - Expand Custom
206. tions are configured through policy settings, which are linked to each scan job. In most cases, you modify the Standard Policy or create a custom policy to use with a scheduled scan. See "Customizing policies" on page 127.

   Schedule or delete a scan
   You can create and delete scheduled scans.

   To schedule a scan
   1. In the Symantec Mail Security for Microsoft Exchange console, in the left pane, expand Scan Jobs.
   2. Right-click Scheduled Scans, and then click All Tasks > Add Scheduled Scan.
   3. In the Add Scheduled Scan pane, type a scan job name, and then click OK.
   4. In the right pane, under Scheduled Scan Jobs, select a policy to use with the new scan, either the Standard Policy or a custom policy that was created.
   5. Select the time of day for the scheduled scan (in 24-hour format), days of the week, dates of the month, and any additional options.
   6. Click Save.

   To delete a scheduled scan
   1. In the Symantec Mail Security for Microsoft Exchange console, in the left pane, expand Scan Jobs > Scheduled Scan.
   2. Right-click the scan that you want to delete, and then click Delete.

   Running a manual scan
   Manual scans are useful in situations in which you want to scan messages for specific purposes. For example, you could create a policy to flag a particular category of subject line violations t
207. troducing Symantec Mail Security for Microsoft Exchange

   About Symantec Mail Security for Microsoft Exchange
   Symantec Mail Security for Microsoft Exchange protects your Exchange mail servers from viruses, messages that overload the system, inappropriate message content, spam, and denial of service attacks. It lets you create and save multiple sets of criteria to identify threats and violations, and it lets you specify the actions to take and notifications and alerts to issue when a threat or violation is detected. You can configure the Symantec Mail Security console to manage one or more Exchange servers.

   The Exchange environment is only one avenue by which a virus can penetrate a network. For complete virus protection, ensure that every computer and workstation is protected by an antivirus solution.

   Understanding mail security threats
   Mail security is the protection of email servers from threats that originate from various sources, including the following:
   - Computer viruses, Trojan horses, and mass mailers
   - Messages that overload the system
   - Inappropriate message content
   - Spam
   - Denial of service attacks

   Computer viruses, Trojan horses, and mass mailers
   A computer virus is a program that, when run, attaches a copy of itself to another computer program or document. Whenever the infected program is run or the document is opened, the attached virus program is activated an
208. ts which is available 24 hours a day 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program m Advanced features such as the Symantec Alerting Service and Technical Account Manager role offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs The specific features available may vary based on the level of support purchased and the specific product that you are using Licensing and registration If the product that you are implementing requires registration and or a license key the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www symantec com certificate Alternatively you may go to www symantec com techsupp ent enterprise html select the product that you wish to register and from the Product Home Page select the Licensing and Registration link Contacting Technical Support Customers with a current support agreement may contact the Technical Support group via phone or online at www symantec com techsupp Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www secure symantec com platinum When contacting the Technical Support group please have the following Customer Service Product release level Hardware information Available memory disk space NIC information Operating syste
209. ular expressions let you perform pattern matching in text For example many email messages contain a trailing number at the end of the subject line text as in the following sample subject line Here s a hot stock pick 43234 To write a rule to match email subject lines that have trailing numbers compare the subject against the following regular expression gt 0 9 This regular expression contains the normal alphanumeric characters 0 9 and the metacharacters gt and By using the subject attribute the operator and the regular expression as the value you can build a content filtering rule to catch any email messages whose subject lines end with a trailing number This is a possible sign that the message is spam See Metacharacters on page 142 Note For filtering only first level attachments refer to the outer most file attachment The filtering engine does not evaluate any file extension names that are inside the outer attachment for example the compressed files in a zip file 142 Establishing policies Working with subpolicies Metacharacters Table 5 3 lists the metacharacters that you can use in regular expressions to build filtering rules Some characters are not considered special unless you use them in combination with other characters Note You can use metacharacters in regular expressions to search for both single byte and multi byte character patterns Table 5 3 Metacharac
210. und heuristics technology. Heuristic methods of virus detection are designed to detect viruses for which no known definitions exist by matching file behaviors against the behaviors that are usually exhibited by infected files.

Symantec Mail Security for Microsoft Exchange lets you customize your level of protection against unknown viruses. If you select a high level of protection, Symantec Mail Security for Microsoft Exchange alerts you to executable files that exhibit the behaviors of infected files. This increases protection of your Exchange system; however, system performance may be affected. At lower levels of protection, the possibility that an unknown virus may escape detection increases, but the trade-off for system performance decreases.

Symantec Bloodhound heuristics technology copies a suspicious executable file into its own virtual computer. It then runs the file, probing for and assessing suspicious behavior, such as whether the file has replicated itself a number of times in a specified period of time. Because the problem file runs within a separate virtual computer that replicates the operating system environment, the potentially infected file cannot harm other files on the computer. Based on occurrences of suspect behaviors, the heuristic scanner assigns a score to the problem file, which indicates the probability of infection.

To configure Bloodhound scanning options
1. Do one of the following:
- Open Symantec Mail Security for Mic
211. ur this can impact overall mail throughput.
- On virus definition update, force rescan before allowing access to information store: You must turn off this feature for all scheduled scans. If this option is enabled in a scheduled scan, the scheduled scan will run when virus definitions are updated. Because definitions are delivered more frequently with Rapid Release definitions, the scan may not complete before new definitions are available. This can impact overall mail throughput.
6. For LiveUpdate, under Schedule Settings, select one of the following:
- Run every hours: Select the interval in hours that you want to run LiveUpdate.
- Run at a Specific Time: Type the time of day and the day of the week that you want LiveUpdate to run.
7. Click Save.

Updating virus definitions for multiple servers

The management console lets you update virus definitions across all of your Exchange servers. You can run LiveUpdate immediately from the management console if you are between scheduled LiveUpdate sessions. For example, you may learn of a new virus that attacks mail servers and want to manually distribute the latest virus definitions as soon as possible.

When virus definitions are distributed from the management console to servers, the virus definitions are always copied to the server. The server selects the latest definitions, whether they are distributed from the management console or whether they already exist on the server. See Config
212. uring automatic virus protection" on page 117.

Note: The console does not download Rapid Release virus definitions.

176 Maintaining virus protection Keeping your virus protection current

Update virus definitions for multiple servers

You can use the Symantec Mail Security console to update virus definitions across all managed servers as follows:
- Configure the scheduling of LiveUpdates for all managed servers or only for servers in a specific administrative group. Each server in the group will connect to the LiveUpdate site and make a LiveUpdate connection according to the schedule to download the latest virus definitions.
  Note: When using the management console to configure the schedule for multiple Exchange servers, LiveUpdate will run at the specified time in the local time zone of each server. For example, if you schedule a LiveUpdate session for every Saturday at 10 P.M. and push that setting from a console in Sydney to an Exchange server in Manila and to one in San Francisco, LiveUpdate will run for the Manila server every Saturday at 10 P.M. their local time, and LiveUpdate will run for the San Francisco server every Saturday at 10 P.M. their local time.
- Manually update virus definitions on the console and push the updated definitions to the managed servers. You can use the console to immediately download the latest definitions to the management console and then distribute those updates to a server group. N
213. using HTTPS communications between the Quarantine Server and the Digital Immune System.
- Automatically distribute repairs (new virus definitions) to the Quarantine Server as soon as possible. The Quarantine Server is available with Symantec Mail Security for Microsoft Exchange and is installed separately. If installed, virus-quarantined messages can be forwarded to the central Quarantine Server for use with the Digital Immune System. For more information, see the Symantec Quarantine Server documentation.
- If the Norton AntiVirus Corporate Edition 7.5 or later client resides on an Exchange server, repairs can automatically be sent back to the originating Exchange server as well as all other servers that are configured in the Quarantine server.

Note: Messages that do not contain a virus but violate policies or rules are not sent to Central Quarantine.

About virus definitions files

Symantec Mail Security for Microsoft Exchange relies on up-to-date information to detect and eliminate viruses. One of the most common reasons that virus problems occur is that virus definitions files are not updated after installation. Symantec regularly supplies updated virus definitions files that contain the necessary information about all newly discovered viruses. Regular updates of that information maximize security and guard your organization's Exchange mail system against virus infections and the downtime that is associated with a virus outbreak
214. ve termination Software and documentation is delivered Ex Works California U S A or Dublin Ireland respectively ICC INCOTERMS 2000 This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec Should You have any questions concerning this Agreement or if You desire to contact Symantec for any reason please write to i Symantec Customer Service 555 International Way Springfield OR 97477 U S A ii Symantec Customer Service Center PO BOX 5689 Dublin 15 Ireland or iii Symantec Customer Service 1 Julius Ave North Ryde NSW 2113 Australia 8 Additional Uses and Restrictions A If the Software You have licensed is Symantec Mail Security for a corresponding third party product or platform You may only use that Software for the corresponding product or platform You may only use the Software for the number of users set forth in the License Module B If the Software You have licensed is Symantec Premium AntiSpam the following terms and conditions apply 1 You may use the Software in the quantity licensed to You by Symantec under a License Module until the end date indicated on the License Module the End Date solely on computing devices owned by you to filter incoming email sent to Your End Users on Your Email Service 2 You must have a license for each End User for whom you use the Software to filter email End User
215. virus definitions updates

50 Installing Symantec Mail Security for Microsoft Exchange Installing on multiple servers

Install licenses to remote servers

You can install a license file for a remote server group or for a remote single server.

To install a license file for a remote server group
1. In the left pane of the Symantec Mail Security for Microsoft Exchange console, expand Global or a server group.
2. Expand Tasks.
3. Click Install Licenses.
4. If necessary, follow steps 1 and 2 of the Install Renew Licenses panel to request a license file from Symantec.
5. In step 3 of the Install Renew Licenses panel, do one of the following:
- Type the fully qualified path to the license file, and then click Next. If the license file does not reside on the same computer as the Symantec Mail Security for Microsoft Exchange console, you can specify a mapped drive or UNC path to the file.
- Click Browse, select the license file, and then click Next. If the license file does not reside on the same computer as the Symantec Mail Security for Microsoft Exchange console, you can locate the file using My Network Places.
6. Click Install to install the license file to the server group. If a server within the server group is already licensed, the license file is reapplied. The license file with the latest expiration date is applied.

To install a license file for a remote single server
1. In the left pane of the Symantec Mail Security for Microsoft Exc
216. w spam statistics by domain
1. In Symantec Mail Security for Exchange, in the left pane, expand Statistics and Reports.
2. Expand Spam Statistics.
3. Click By Domain.
4. In the right pane, under Display Settings, in the Number of rows to display per page box, type the number of rows that you wish to display per page. The default is 10.
5. In the Messages with SCL values equal or larger to this value are considered Spam list, select an SCL value. This displays when Exchange 2003 is installed and Symantec Premium AntiSpam is not licensed.
6. Click Save.

To display spam statistics by category
1. In Symantec Mail Security for Microsoft Exchange, in the left pane, expand Statistics and Reports.
2. Expand Spam Statistics.
3. Click By Category.

Working with event data

The Symantec Mail Security for Microsoft Exchange event log records all virus, configuration, rule violation, and server events. The log lists entries in chronological order with the most current event at the top. The event log displays information, warning, and error events. You can filter event data by categories such as rule violation, virus, LiveUpdate, and Quarantine. You can also select a start date from which to begin displaying event data.

Work with event data

The Symantec Mail Security for Microsoft Exchange event log lets you view and sort event data that is generated by Symantec Mail Security for Exchange and written to the Windows Event Log. You can also filter
217. wing:
- Open Symantec Mail Security for Microsoft Exchange for a single server.
- In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Policies.
3. Do one of the following:
- Click Standard Policy.
- Expand Custom Policies, and then expand a policy.
4. Click Virus Subpolicy.
5. In the right pane, for the Basic Virus rule, click Edit.
6. Edit the settings for the rule.
7. Click Save.

Macro Virus rule

A macro is an instruction that carries out program commands automatically. Many common applications (for example, word processing, spreadsheet, and slide presentation applications) make use of macros. Macro viruses are macros that self-replicate. If a user accesses a document that contains a viral macro and unwittingly executes this macro virus, the virus can then copy itself into that application's startup files. The computer is infected, and a copy of the macro virus resides on the computer.

You can set up different rules for handling macro viruses. For example, you might want to repair the file and send the complete message to the recipient rather than delete the message that is carrying the virus or send the attachment to the Quarantine.

Establishing policies 135 Working with subpolicies

Bloodhound Virus rule

Bloodhound viruses are detected with Symantec Bloodhound heuristics technology. The standard method of detecting a virus is to scan a file and
218. with other antivirus software
Contents
Chapter 3
System requirements
Security and access permissions
User group assignments and setup
Installing on a single server
Installing or renewing a license file
Installing on multiple servers
Installing the Symantec Mail Security for Microsoft Exchange console
Installing Symantec Mail Security on remote servers
Installing or renewing a license file to remote servers
Customizing the installation of remote servers
Upgrading from a previous version
Installing to Exchange servers with Microsoft Clustering Service
Uninstalling Symantec Mail Security
Installing the Symantec plug in for Outlook
Installing the Symantec Spam Folder Agent for Exchange
Implementing SSL
Enabling event forwarding to SE
219. word phrase or name that might appear in the subject line or body of a message or it may be multiple occurrences as determined by the content score engine See Scoring messages on page 154 DOS wildcard style expressions DOS wildcard style expressions and provide you with a convenient way to specify file names similar to the way in which DOS wildcard characters are used For example Match Lists of type DOS wildcard are typically used with the Attachment Name Attribute to specify file names such as exe In addition a DOS wildcard expression allows you to easily specify files without extensions DOS wildcard style expressions are similar to Regular expressions with some exceptions as shown in Table 5 2 Table 5 2 DOS wildcard expressions m Zero or more of any character D J Any one character except the period N Literal period character 7 D Does not contain a period but can end with one Establishing policies 141 Working with subpolicies Regular expressions A regular expression is a set of symbols and syntactic elements that is used to match patterns of text Symantec Mail Security for Microsoft Exchange performs matching on a line by line basis It does not evaluate the line feed newline character at the end of each input expression phrase You can build regular expressions using a combination of normal alphanumeric characters and metacharacters Reg
220. y

The Exception subpolicy, which is always enabled, consists of the following rules for handling files that cannot be scanned or repaired:
- Unscannable File: Specifies which actions to take when a message or attachment cannot be scanned for viruses.
- Unrepairable File: Specifies which actions to take when an infected message or attachment cannot be repaired.
- Encrypted File: Specifies what to do when a file is unscannable due to encryption or password protection.

To set an Exception subpolicy
1. Do one of the following:
- Open Symantec Mail Security for Microsoft Exchange for a single server.
- In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Policies.
3. Do one of the following:
- Click Standard Policy.
- Expand Custom Policies, and then select a policy.
4. In the right pane, click Edit for the Exception subpolicy, the Unscannable File rule, or the Unrepairable File rule.
5. Modify the rule settings, and then click Save.

Unscannable file rule

An email message or attachment may be unscannable for the following reasons:
- The item contains too many levels of compression or embedding.
- The item takes too long to scan.
- The item is too large to scan.

The default Standard Policy setting for an unscannable message or attachment is to quarantine the item and replace it with a text description.

146 Establishing policies Working with Match List setti
221. y for Microsoft Exchange lets you save report data in a comma-delimited file (.csv) for use with external applications and reporting tools. See "Working with report data" on page 166.

To configure data report settings
1. Do one of the following:
- Open Symantec Mail Security for Microsoft Exchange for the single server.
- In the Symantec Mail Security for Microsoft Exchange console, in the left pane, select a server group.
2. In the left pane, expand Configuration.
3. Click Report Settings.

122 Configuring Symantec Mail Security for Microsoft Exchange Configuring report data settings

4. In the right pane, select one of the following:
- Store all data: Keep all data indefinitely.
- Store no data: Retain no data; reports cannot be run.
- Store data for a specified number of months: The data is cleared after the specified time period. If you choose to retain the data for a specified time period, in the box, type the number of months of data to store. No spam-related data is stored unless the Include Spam Data checkbox is checked.
5. Optionally, check Include Spam Data. Checking this box causes all spam-related events to be stored. This increases the time required to generate reports and affects system performance. If used, it should be for a short term (for example, a few weeks) to evaluate spam-related issues.
6. Click Save.

Establishing policies

This chapter includes the following topics:
- About policies
- How policies work
222. y generates include failed virus definitions updates, unscannable files, and spam events. See "Enabling event forwarding to SESA" on page 57. For more information about SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator's Guide.

Types of scanning

Table 1-3 lists the categories of scans, which are referred to as scan jobs.

Table 1-3 Categories of scans
- Auto-Protect scan: Viruses and other items that trigger violations are detected in real time as messages are routed through the Exchange server. This function can be enabled or disabled.
- Scheduled scan: These are scans that run automatically according to a schedule. You can run many scheduled scan jobs.
- Manual scan: These are on-demand scans that administrators can run at any time. Only one manual scan job can run at a time.

You must link a scan job to a policy in order for that policy to be implemented. See "How policies work with scan jobs" on page 125.

Policies and subpolicies

A policy is comprised of rules for detecting and resolving security threats to your Microsoft Exchange mail system. Policy rules belong to categories called subpolicies. Each policy contains the following subpolicies:
- Virus subpolicy: Contains rules for detecting known viruses and messages and attachments with virus-like characteristics.
- Filtering subpolicy: Contains rules for specifying violations b
223. ymantec or from an utility intranet LiveUpdate server. With the LiveUpdate Administration Utility, you can configure one or more intranet FTP, HTTP, or LAN servers to act as internal LiveUpdate servers. For more information, see the LiveUpdate Administrator's Guide on the CD.

SESA Integration Package (SIP): This is the software configuration package that must be installed on each computer that runs a SESA Manager. The SIP extends SESA functionality to include Symantec Mail Security event data.

Introducing Symantec Mail Security for Microsoft Exchange 21 How Symantec Mail Security works

How Symantec Mail Security works

In a typical configuration, Symantec Mail Security for Microsoft Exchange scans documents (message headers, bodies, and attachments) that are sent to mailboxes and public folders on Exchange servers. It scans first for spam (when heuristic or Symantec Premium AntiSpam settings are configured) and then for content filtering rules and viruses, based on configuration settings. When a violation is detected, or if a scan error occurs, Symantec Mail Security stops scanning and handles the document based on the scanning configuration settings.

When you create a Filtering subpolicy and apply it to a scan, items that you specify are matched against message contents and attributes. Attributes include the sender, subject, attachment file name, and attachment file size.

What happens during a scan

When you perform standard
224. your software. It arrives in the same time frame as your software. The serial number is used to request a license file and to register for support. The format of a serial number is a letter followed by 10 digits, for example, F2430482013.

If you purchased Symantec Premium AntiSpam, a second serial number is listed on the purchase certificate. This serial number is needed to receive the latest spam definition updates for the premium antispam service. If only Symantec Premium AntiSpam is purchased, only that serial number is listed.

After you install the license files for antivirus content and Symantec Premium AntiSpam, content and premium spam updating are enabled for the duration of your maintenance contract. When a content license expires, a new license must be installed to renew the subscription. When no license is installed, virus and spam definitions that are needed to keep protection current are not downloaded.

If you have questions about licensing, contact Symantec Customer Service at 800 721 3934 or your reseller to check the status of your order.

You must install the license file on each server on which Symantec Mail Security for Microsoft Exchange is installed, regardless of whether the computer is partitioned or is a cluster member. The same license file supports all servers that are covered by the content license. You must install one license file on each member of an Exchange cluster. You cannot replicate a license file like you can
